Interoperability configuration between openswan and hpux
The following examples show host-to-host interoperability configurations between Openswan 2.6.33 and the HP-UX 11.31 IPSec A.03.01.01 release.
NOTE: Installing IPSec A.03.01.01 requires OpenSSL 0.9.8q or later as a prerequisite.
Below is an example IKEv1 configuration.
On RHEL system
ipsec.conf
```
conn hpux
    type=transport
    authby=secret
    left=192.168.1.171
    right=192.168.1.62
    pfs=no
    ike=3des-md5;dh24
    phase2=esp
    phase2alg=3des-md5
    keyingtries=0
    keylife=1800s
    ikelifetime=1800s
    disablearrivalcheck=no
    rekeymargin=4m
    compress=no
```
ipsec.secrets
```
192.168.1.171 192.168.1.62: PSK "welcome123"
```
On HPUX system
1. Add an authentication entry for the Linux system with auth name "linux" and secret key "welcome123":
```
# ipsec_config add auth linux -remote 192.168.1.171/32 -kmp ikev1 -psk welcome123
```
2. Add an ikev1 entry if the default ikev1 options do not meet your transform requirements.
The following command adds an ikev1 entry named "linux". The transforms chosen for the ikev1 configuration here are DH group 24, MD5 and 3DES:
```
# ipsec_config add ikev1 linux -remote 192.168.1.171/32 -group 24 -hash md5 -encryption 3des
```
3. Add a host policy with the phase 2 transforms and the protocol/port information. Specifying /0 means all protocols and ports:
```
# ipsec_config add host linux -src 192.168.1.62/32/0 -dst 192.168.1.171/32/0 -action ESP_3DES_HMAC_MD5
```
4. After executing steps 1 to 3, verify with the command below that you have the following configuration:
```
# ipsec_config show all
startup -autoboot OFF -auditlvl ERROR -auditdir /var/adm/ipsec -maxsize 100 -spi_min 0x12c -spi_max 0x2625a0 -spd_soft 25 -spd_hard 50 -icmp_error_process OFF
auth linux -remote 192.168.1.171/32 -priority 30 -rtype IPV4 -rid 192.168.1.171/32 -kmp ikev1 -local_method PSK -remote_method PSK -preshared welcome123
ikev1 default -group 2 -hash MD5 -encryption 3DES -life 28800 -pfs OFF
ikev1 linux -remote 192.168.1.171/32 -priority 30 -group 24 -hash MD5 -encryption 3DES -life 28800 -pfs OFF
ikev2 default -group 2 -hash HMAC-SHA1 -encryption 3DES -prf HMAC-SHA1 -life 28800 -pfs ON
host linux -source 192.168.1.62/32/0 -destination 192.168.1.171/32/0 -protocol 0 -priority 90 -action ESP_3DES_HMAC_MD5/28800/0 -flags NONE
host default -action PASS
```
Testing:
On RHEL system
```
# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.18-194.el5...
# ipsec auto --add hpux
# ipsec auto --up hpux
104 "hpux" #1: STATE_MAIN_I1: initiate
106 "hpux" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "hpux" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "hpux" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp2048}
117 "hpux" #2: STATE_QUICK_I1: initiate
004 "hpux" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x000a2f01 <0x7ee06e87 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
#
```
Check the IPsec SAs on both systems.
On RHEL
```
# setkey -D
192.168.1.62 192.168.1.171
    esp mode=transport spi=2128637575(0x7ee06e87) reqid=16385(0x00004001)
    E: 3des-cbc 6c70bc00 e7e0b0e2 0c699520 9d0c3134 9cec27d5 63c53c57
    A: hmac-md5 b6d4db53 00e569eb 8d6e0d98 b5e1b454
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Mar 15 15:55:17 2012    current: Mar 15 15:57:48 2012
    diff: 151(s)    hard: 0(s)    soft: 0(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=11844 refcnt=0
192.168.1.171 192.168.1.62
    esp mode=transport spi=667393(0x000a2f01) reqid=16385(0x00004001)
    E: 3des-cbc b4076e33 d3f63fd8 e90178c3 95fc7831 b91a37d5 eeb8a750
    A: hmac-md5 36cf5725 cc883328 2a4a0584 576e5419
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Mar 15 15:55:17 2012    current: Mar 15 15:57:48 2012
    diff: 151(s)    hard: 0(s)    soft: 0(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=11844 refcnt=0
#
```
On HPUX
```
# ipsec_report -sa
------------------------ IPSec SA ------------------------
Sequence number: 1
SPI (hex): 7EE06E87
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.62
Dst IP Addr: 192.168.1.171
--- Current Lifetimes ---
bytes processed: 0
addtime (seconds): 231
usetime (seconds): 0
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 1800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 1597
usetime (seconds): 0
------------------------ IPSec SA ------------------------
Sequence number: 2
SPI (hex): A2F01
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.171
Dst IP Addr: 192.168.1.62
--- Current Lifetimes ---
bytes processed: 0
addtime (seconds): 231
usetime (seconds): 0
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 1800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 1484
usetime (seconds): 0
--------------------- IKEv1 SA ---------------------
Index: 496cdfe2b030ea13:498cd281557d73ba
Local IP Addr: 192.168.1.62/500
Remote IP Addr: 192.168.1.171/500
Role: Responder
State: Established
Auth Record: linux
Policy Name: linux
Auth Method: PSK
ENCR: 3DES
HASH: MD5
DH Group: 24
PFS: off
No records found for IKEv2 Security Association report.
```
You can also configure the same policies with PFS ON; both Openswan and HP-UX support the PFS option.
On the Linux system you need to specify pfs=yes:
```
conn hpux
    type=transport
    authby=secret
    left=192.168.1.171
    right=192.168.1.62
    pfs=yes
    ike=3des-md5;dh24
    phase2=esp
    phase2alg=3des-md5
    keyingtries=0
    keylife=1800s
    ikelifetime=1800s
    disablearrivalcheck=no
    rekeymargin=4m
    compress=no
```
On HP-UX, specify "-pfs ON" while configuring the ikev1 policy:
```
# ipsec_config add ikev1 linux -remote 192.168.1.171/32 -group 24 -hash md5 -encryption 3des -pfs ON
```
The configuration below is an example of establishing IPsec communication with HP-UX using IKEv2.
IKEv2 uses a pseudo-random function (PRF) when generating keying material.
HP-UX IPSec A.03.xx.xx supports the following transforms as PRF:
- HMAC-SHA1 (96-bit HMAC value using Secure Hash Algorithm-1, HMAC-SHA1)
- AES-XCBC (128-bit value using Advanced Encryption Standard Extended Cipher Block Chaining mode Message Authentication Code, AES128-XCBC)
HMAC-SHA1 is configured as the default PRF on HP-UX. You can change the default parameter in /var/adm/ipsec/.ipsec_profile if needed.
Openswan, on the other hand, derives the PRF from the ike= setting in ipsec.conf, so if the hash given there is not one of the PRFs above, phase 1 negotiation may not succeed.
Therefore, as of today, to interoperate with HP-UX IPSec you should use HMAC-SHA1 or AES128-XCBC as the hash transform in "ike=" in ipsec.conf.
Similarly, while configuring IKEv2 transforms on the HP-UX IPSec system, remember to configure HMAC-SHA1 or AES128-XCBC as the IKEv2 transform.
NOTE: Use HMAC-SHA1 in the ike= setting in ipsec.conf on Linux and also when configuring the ikev2 transform on HP-UX.
On RHEL
It is important to specify ikev2=yes to initiate an IKEv2 handshake. Also cross-check your PFS settings.
The IKE transforms we are configuring now are 3DES, HMAC-SHA1 and DH group 24. For phase 2 we are configuring 3DES and HMAC-MD5.
ipsec.conf
```
conn hpux
    type=transport
    authby=secret
    left=192.168.1.171
    right=192.168.1.62
    ikev2=yes
    pfs=no
    ike=3des-sha1;dh24
    phase2=esp
    phase2alg=3des-md5
    keyingtries=0
    keylife=1800s
    ikelifetime=1800s
    disablearrivalcheck=no
    rekeymargin=4m
    compress=no
```
On HPUX
1. Change the auth record from ikev1 to ikev2 using the -kmp option (deleting the existing auth record and adding a new one works better):
```
# ipsec_config add auth linux -remote 192.168.1.171/32 -kmp ikev2 -psk welcome123
```
2. Add an ikev2 policy:
```
# ipsec_config add ikev2 linux -remote 192.168.1.171/32 -group 24 -hash hmac-sha1 -encryption 3DES -pfs OFF
```
3. Double-check the configuration using ipsec_config:
```
# ipsec_config show all
startup -autoboot OFF -auditlvl ERROR -auditdir /var/adm/ipsec -maxsize 100 -spi_min 0x12c -spi_max 0x2625a0 -spd_soft 25 -spd_hard 50 -icmp_error_process OFF
auth linux -remote 192.168.1.171/32 -priority 30 -rtype IPV4 -rid 192.168.1.171/32 -kmp ikev2 -local_method PSK -remote_method PSK -preshared welcome123
ikev1 default -group 2 -hash MD5 -encryption 3DES -life 28800 -pfs OFF
ikev2 default -group 2 -hash HMAC-SHA1 -encryption 3DES -prf HMAC-SHA1 -life 28800 -pfs ON
ikev2 linux -remote 192.168.1.171/32 -priority 30 -group 24 -hash HMAC-SHA1 -encryption 3DES -prf HMAC-SHA1 -life 28800 -pfs OFF
host linux -source 192.168.1.62/32/0 -destination 192.168.1.171/32/0 -protocol 0 -priority 90 -action ESP_3DES_HMAC_MD5/28800/0 -flags NONE
host default -action PASS
```
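Most failed negotiations between these two stacks come down to one side's transforms not matching the other's, and the IKEv2 PRF restriction described above is easy to overlook. The following script is an added example, not part of this page's original content nor of Openswan or HP-UX IPSec: it parses an Openswan conn block and the records printed by `ipsec_config show all`, then checks the points that both the IKEv1 and the IKEv2 procedures above depend on (matching -kmp, phase 1 encryption/hash/DH group, the IKEv2 PRF being HMAC-SHA1 or AES128-XCBC, PFS on both ends or neither, and the host policy's ESP action against phase2alg). The embedded samples are constructed from this page's IKEv2 configuration; the script assumes `left` is the Linux host and looks only at the first ike= proposal.

```python
"""Cross-check an Openswan conn block against HP-UX `ipsec_config show all` output."""

# Constructed sample: the Openswan conn block (IKEv2 variant) from this page; 'left' is the Linux host.
OPENSWAN_CONN = """
conn hpux
    left=192.168.1.171
    ikev2=yes
    pfs=no
    ike=3des-sha1;dh24
    phase2alg=3des-md5
"""

# Constructed sample: the HP-UX `ipsec_config show all` records from this page.
HPUX_SHOW_ALL = """
startup -autoboot OFF -auditlvl ERROR -auditdir /var/adm/ipsec -maxsize 100
auth linux -remote 192.168.1.171/32 -priority 30 -rtype IPV4 -rid 192.168.1.171/32 -kmp ikev2 -local_method PSK -remote_method PSK -preshared welcome123
ikev2 default -group 2 -hash HMAC-SHA1 -encryption 3DES -prf HMAC-SHA1 -life 28800 -pfs ON
ikev2 linux -remote 192.168.1.171/32 -priority 30 -group 24 -hash HMAC-SHA1 -encryption 3DES -prf HMAC-SHA1 -life 28800 -pfs OFF
host linux -source 192.168.1.62/32/0 -destination 192.168.1.171/32/0 -protocol 0 -priority 90 -action ESP_3DES_HMAC_MD5/28800/0 -flags NONE
host default -action PASS
"""

HPUX_IKEV2_PRFS = {"HMAC-SHA1", "AES128-XCBC"}   # the PRFs this page lists for HP-UX IPSec A.03.xx
verdict = lambda ok: "OK" if ok else "MISMATCH"

def norm_alg(name):
    """Map both spellings to one form: 3des/3DES -> 3DES, sha1/HMAC-SHA1 -> SHA1, md5/MD5 -> MD5."""
    return name.upper().replace("HMAC-", "").replace("-", "").replace("_", "")

def parse_conn(text):
    """Return the key=value settings of a conn block as a dict (the 'conn hpux' line has no '=')."""
    pairs = (line.strip().partition("=") for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, _, value in pairs}

def parse_ike(ike):
    """'3des-sha1;dh24' -> ('3DES', 'SHA1', '24'); only the first comma-separated proposal is used."""
    algs, _, group = ike.split(",")[0].partition(";")
    enc, _, hsh = algs.partition("-")
    return norm_alg(enc), norm_alg(hsh), (group[2:] if group.startswith("dh") else group) or None

def parse_show_all(text):
    """Return [(record_type, name, {option: value})] per record line; options are '-key value' pairs."""
    records = []
    for tok in (line.split() for line in text.splitlines() if line.split()):
        name = tok[1] if len(tok) > 1 and not tok[1].startswith("-") else ""   # 'startup' has no name
        opts = {tok[i][1:]: tok[i + 1] for i in range(1, len(tok) - 1)
                if tok[i].startswith("-") and not tok[i + 1].startswith("-")}
        records.append((tok[0], name, opts))
    return records

def find_record(records, rtype, peer_ip):
    """Named record of this type whose -remote is the peer, else that type's 'default' record."""
    named = [r for r in records if r[0] == rtype and r[2].get("remote", "").split("/")[0] == peer_ip]
    default = [r for r in records if r[0] == rtype and r[1] == "default"]
    return (named or default or [(rtype, None, None)])[0][1:]

def check_interop(conn_text, show_all_text):
    """Return findings; every entry starting with MISMATCH must be fixed before the SA will come up."""
    conn, records = parse_conn(conn_text), parse_show_all(show_all_text)
    linux_ip = conn["left"]
    kmp = "ikev2" if conn.get("ikev2", "no") == "yes" else "ikev1"
    findings = []
    # 1. the auth record must use the same key-management protocol (-kmp) as ipsec.conf
    _, auth = find_record(records, "auth", linux_ip)
    their_kmp = auth.get("kmp") if auth else "missing"
    findings.append(f"{verdict(their_kmp == kmp)}: key management Openswan={kmp} HP-UX auth -kmp={their_kmp}")
    # 2. phase 1 transforms: the ike= encryption, hash and DH group must match the HP-UX policy
    enc, hsh, group = parse_ike(conn.get("ike", ""))
    name, pol = find_record(records, kmp, linux_ip)
    if pol is None:
        return findings + [f"MISMATCH: no HP-UX {kmp} policy covers {linux_ip}"]
    for label, ours, theirs in (("encryption", enc, norm_alg(pol.get("encryption", ""))),
                                ("hash", hsh, norm_alg(pol.get("hash", ""))),
                                ("DH group", group, pol.get("group"))):
        findings.append(f"{verdict(ours == theirs)}: phase 1 {label} Openswan={ours} HP-UX {kmp} {name}={theirs}")
    # 3. IKEv2 PRF: Openswan derives it from the ike= hash; HP-UX only accepts HMAC-SHA1 / AES128-XCBC
    if kmp == "ikev2":
        prf = "HMAC-" + hsh
        if prf not in HPUX_IKEV2_PRFS:
            findings.append(f"MISMATCH: Openswan would offer PRF {prf}, which HP-UX does not support; use sha1 in ike=")
        else:
            findings.append(f"{verdict(norm_alg(pol.get('prf', '')) == hsh)}: IKEv2 PRF Openswan={prf} HP-UX -prf={pol.get('prf')}")
    # 4. PFS must be on at both ends or off at both (Openswan's pfs defaults to yes)
    ours_pfs, theirs_pfs = conn.get("pfs", "yes") == "yes", pol.get("pfs", "OFF").upper() == "ON"
    findings.append(f"{verdict(ours_pfs == theirs_pfs)}: PFS Openswan={'yes' if ours_pfs else 'no'} HP-UX={'ON' if theirs_pfs else 'OFF'}")
    # 5. phase 2: phase2alg must match the ESP action of the host policy towards the Linux peer
    p2_enc, _, p2_auth = conn.get("phase2alg", "").partition("-")
    host = next((o for rt, _, o in records if rt == "host" and o.get("destination", "").split("/")[0] == linux_ip), None)
    if host is None:
        findings.append(f"MISMATCH: no HP-UX host policy towards {linux_ip}")
    else:
        act = host["action"].split("/")[0].split("_")   # ESP_3DES_HMAC_MD5/28800/0 -> [ESP, 3DES, HMAC, MD5]
        ok = norm_alg(p2_enc) == norm_alg(act[1]) and norm_alg(p2_auth) == norm_alg(act[-1])
        findings.append(f"{verdict(ok)}: phase 2 Openswan={conn.get('phase2alg')} HP-UX action={host['action']}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_interop(OPENSWAN_CONN, HPUX_SHOW_ALL)))
```

Run it against the page's configuration and every line comes back OK; change the hash in ike= to md5 while keeping ikev2=yes and the PRF check flags it, which is exactly the phase 1 failure the note above warns about. Lifetimes are deliberately not compared, since each side rekeys on its own schedule.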
Testing:
On RHEL
```
# service ipsec start
# ipsec auto --add hpux
# ipsec auto --up hpux
133 "hpux" #1: STATE_PARENT_I1: initiate
133 "hpux" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "hpux" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp2048}
004 "hpux" #2: STATE_PARENT_I3: PARENT SA established transport mode {ESP=>0x001af8fe <0x86410925 xfrm=3DES_192-HMAC_MD5 NATOA=none NATD=none DPD=none}
# setkey -D
192.168.1.62 192.168.1.171
    esp mode=transport spi=2252409125(0x86410925) reqid=16385(0x00004001)
    E: 3des-cbc 4f58200d b1016f2e 8091d237 9faa91f8 65642c81 9c7b562f
    A: hmac-md5 712e6f20 28eac3ce 616e27cd 0472fc22
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Mar 15 16:39:00 2012    current: Mar 15 16:41:40 2012
    diff: 160(s)    hard: 0(s)    soft: 0(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=9823 refcnt=0
192.168.1.171 192.168.1.62
    esp mode=transport spi=1767678(0x001af8fe) reqid=16385(0x00004001)
    E: 3des-cbc c02d6cce c58fd7da 1d52e5f9 82cad01e 5e883534 3a922a78
    A: hmac-md5 5aa69614 0ef6dacc 261714ff 77056411
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Mar 15 16:39:00 2012    current: Mar 15 16:41:40 2012
    diff: 160(s)    hard: 0(s)    soft: 0(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=9823 refcnt=0
```
On HPUX
```
# ipsec_report -sa
------------------------ IPSec SA ------------------------
Sequence number: 1
SPI (hex): 86410925
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.62
Dst IP Addr: 192.168.1.171
--- Current Lifetimes ---
bytes processed: 0
addtime (seconds): 215
usetime (seconds): 0
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 25223
usetime (seconds): 0
------------------------ IPSec SA ------------------------
Sequence number: 2
SPI (hex): 1AF8FE
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.171
Dst IP Addr: 192.168.1.62
--- Current Lifetimes ---
bytes processed: 0
addtime (seconds): 215
usetime (seconds): 0
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 24905
usetime (seconds): 0
No records found for IKEv1 Security Association report.
--------------------- IKEv2 SA ---------------------
Index: 347f9f90f84b9a07:11d3ef72f53c03d7
Local IP Addr: 192.168.1.62/500
Remote IP Addr: 192.168.1.171/500
Role: Responder
State: ESTABLISHED
Auth Record: linux
Policy Name: linux
ENCR: 3DES-CBC
HASH: HMAC-SHA1
PRF: HMAC-SHA1
DH Group: 24
PFS: off
```
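Comparing the two SA reports by eye works for one pair of SAs but not after a few rekeys, and a stale SA left on one side is easy to miss. The script below is an added example, not part of this page or of either product: it parses `setkey -D` output from the Linux side and `ipsec_report -sa` output from HP-UX and confirms that every SA is mirrored on the other end with the same source, destination, SPI and algorithms, and is MATURE on both. It serves both the IKEv1 and the IKEv2 test runs above; the embedded samples are constructed from the IKEv2 run, with the key material and most lifetime lines left out.

```python
"""Cross-check the IPsec SAs Linux reports (setkey -D) against those HP-UX reports (ipsec_report -sa)."""
import re

# Constructed sample: Linux `setkey -D` output from this page's IKEv2 run (key bytes omitted).
SETKEY_OUT = """\
192.168.1.62 192.168.1.171
    esp mode=transport spi=2252409125(0x86410925) reqid=16385(0x00004001)
    E: 3des-cbc <key bytes omitted>
    A: hmac-md5 <key bytes omitted>
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.168.1.171 192.168.1.62
    esp mode=transport spi=1767678(0x001af8fe) reqid=16385(0x00004001)
    E: 3des-cbc <key bytes omitted>
    A: hmac-md5 <key bytes omitted>
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

# Constructed sample: HP-UX `ipsec_report -sa` output from the same run (lifetime lines trimmed).
IPSEC_REPORT_OUT = """\
------------------------ IPSec SA ------------------------
SPI (hex): 86410925
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.62
Dst IP Addr: 192.168.1.171
--- Current Lifetimes ---
------------------------ IPSec SA ------------------------
SPI (hex): 1AF8FE
State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-MD5 authentication
Src IP Addr: 192.168.1.171
Dst IP Addr: 192.168.1.62
--------------------- IKEv2 SA ---------------------
State: ESTABLISHED
"""

def parse_setkey(text):
    """One dict per SA: src, dst, spi (int), enc, auth, state (upper-cased)."""
    sas, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace() and len(tok) == 2:        # unindented "src dst" line opens a new SA
            cur = {"src": tok[0], "dst": tok[1]}
            sas.append(cur)
        elif cur is None:
            continue
        elif tok[0] == "esp":
            cur["spi"] = int(re.search(r"spi=\d+\((0x[0-9a-fA-F]+)\)", line).group(1), 16)
        elif tok[0] in ("E:", "A:"):                       # E: encryption, A: authentication algorithm
            cur["enc" if tok[0] == "E:" else "auth"] = tok[1].upper()
        elif "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1).upper()
    return sas

def parse_ipsec_report(text):
    """Same dict shape for each 'IPSec SA' section of ipsec_report -sa; IKE SA sections are skipped."""
    sas, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-") and " SA " in line:        # section header: IPSec SA / IKEv1 SA / IKEv2 SA
            cur = {} if "IPSec SA" in line else None
            if cur is not None:
                sas.append(cur)
        elif cur is not None and ":" in line:
            field, value = (part.strip() for part in line.split(":", 1))
            if field == "SPI (hex)":
                cur["spi"] = int(value, 16)
            elif field == "State":
                cur["state"] = value.upper()
            elif field == "SA Type":
                m = re.search(r"with (\S+) encryption and (\S+) authentication", value)
                cur["enc"], cur["auth"] = m.group(1).upper(), m.group(2).upper()
            elif field in ("Src IP Addr", "Dst IP Addr"):
                cur[field[:3].lower()] = value
    return sas

def cross_check(linux_sas, hpux_sas):
    """Return problems; an empty list means every SA is mirrored (src/dst/SPI/algorithms) and mature on both ends."""
    key = lambda s: (s["src"], s["dst"], s["spi"])
    remaining, problems = {key(s): s for s in hpux_sas}, []
    for s in linux_sas:
        peer, tag = remaining.pop(key(s), None), f"SPI {s['spi']:#010x} {s['src']}->{s['dst']}"
        if peer is None:
            problems.append(f"{tag} exists on Linux but not on HP-UX")
        elif (s["enc"], s["auth"]) != (peer["enc"], peer["auth"]):
            problems.append(f"{tag} algorithms differ: Linux {s['enc']}/{s['auth']} vs HP-UX {peer['enc']}/{peer['auth']}")
        elif s["state"] != "MATURE" or peer["state"] != "MATURE":
            problems.append(f"{tag} state: Linux {s['state']} vs HP-UX {peer['state']}")
    for s in remaining.values():                           # left over on HP-UX: stale after a rekey or restart
        problems.append(f"SPI {s['spi']:#010x} {s['src']}->{s['dst']} exists on HP-UX but not on Linux")
    return problems

if __name__ == "__main__":
    problems = cross_check(parse_setkey(SETKEY_OUT), parse_ipsec_report(IPSEC_REPORT_OUT))
    print("\n".join(problems) or "all SAs mirrored and mature on both ends")
```

The HP-UX parser resets its current record on every dashed section header, so the State line of the IKEv1/IKEv2 SA block that follows the IPsec SAs cannot be mistaken for the state of the last IPsec SA. With the page's output the check reports nothing; remove one SA from either report and the orphan on the other side is named by SPI and direction.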
You can also configure the same policies with PFS ON; both Openswan and HP-UX support the PFS option.
On the Linux system you need to specify pfs=yes:
```
conn hpux
    type=transport
    authby=secret
    left=192.168.1.171
    right=192.168.1.62
    pfs=yes
    ikev2=yes
    ike=3des-sha1;dh24
    phase2=esp
    phase2alg=3des-md5
    keyingtries=0
    keylife=1800s
    ikelifetime=1800s
    disablearrivalcheck=no
    rekeymargin=4m
    compress=no
```
On HP-UX, specify "-pfs ON" while configuring the ikev2 policy:
```
# ipsec_config add ikev2 linux -remote 192.168.1.171/32 -group 24 -hash hmac-sha1 -encryption 3DES -pfs ON
```
Contributed by Murali Mohan Chakravarthy (murali-mohan.chakravarthy@hp.com)