wiki:IPsec_GRE_Overlay

IPsec/GRE Overlay Netkit Lab

The attached Netkit Lab consists of a simple network topology as show in figure

This configuration allows a simple study of IPsec/GRE Overlay network. This typology of network is made up by a security layer, guaranteed by the various IPsec SAs, and an overlay virtual network generated by the tunnels GRE that create new virtual address domains.

Starting Netkit Lab

The first operation to start the netkit lab is to untar the file https://minerva.netgroup.uniroma2.it/svn/discreet/tfcproject/trunk/Ipsec_GRE/Ipsecgreoverlaynetkitlab.tar.gz

tar –xzf Ipsecgreoverlaynetkitlab.tar.gz 

In the root directory of the lab are present 5 subdirectories, 5 startup files and the lab.conf file. Each directory in the lab represents a virtual machine named as the directory itself and the relative configuration files are placed inside these. In particular are present the configuration files for the daemons quagga and racoon2 (/etc/quagga/daemons, /etc/quagga/ripd.conf and /etc/racoon2/racoon2.conf). The file lab.conf contains the description of the topology of the lab in terms of collision domains; instead the startup files contain the physical IP addresses for network interfaces and the commands to start network services.

To start the netkit lab simply digit

lstart

Install Racoon2

To create the IPsec SAs is useful to install racoon2 that allows the use and simple configuration of IKEv2.

Uninstall the racoon package that is present in the vm for default

dpkg -P racoon

Or in alternative stopping the daemon raccoon

/etc/init.d/racoon stop

Install racoon2 package (ftp://ftp.racoon2.wide.ad.jp/pub/racoon2/racoon2_20070720a-1_i386.deb)

dpkg –i racoon2_20070720a-1_i386.deb

Configure SA

To create IPsec SAs we must configure the parameters that we want negotiate through IKEv2. The file /etc/racoon2/racoon2.conf contains these parameters (in the netkit lab are already present the configuration files for the two SAs and the preshared keys). On the two vm interested by SA, we must specify the IP Addresses (i.e. for the first SA the IP are 192.168.5.1 and 192.168.5.18), the mode that must be transport and the transported protocol that in this case is GRE. The last option allows to apply only at the GRE traffic the IPsec services while the other traffic is in clear. Inside the same racoon2.conf file is possible to specify the parameters for multiple SA (i.e. in the racoon2.conf file of router3 vm).

Create Preshared Key

For simplicity we use in this study preshared keys for starting up the SAs. We must create the directory /etc/racoon2/psk that will contain the various preshared keys for the SAs

mkdir /etc/racoon2/psk
cd /etc/racoon2/psk

And generate the preshared key

pskgen –r –o filename

This key must be copied in the directory /etc/racoon2/psk of the other vm interested by SA and must be specified into the racoon2.conf file in the suitable field (see the attached racoon2.conf file)

Starting Racoon2 Daemon

To start the racoon2 daemon

/etc/init.d/racoon2 start


Create Tunnel GRE

After the creation of SAs, we must generate the GRE tunnel to create new virtual network interface (netx) that we will us as network interface for overlay network domain. For example to create the tunnel GRE between router1 and router3, we must added a tunnel device, and called it neta. Furthermore we told it to use the GRE protocol, that the remote address is 192.168.5.18, that our tunneling packets should originate from 192.168.5.1

ip tunnel add neta mode gre remote 192.168.5.18 local 192.168.5.1

We must enable the device to receive and transmit multicast traffic

ip link set neta up multicast on

We give the newly interface neta the address 10.0.0.1/28

ip addr add 10.0.0.1/28 dev neta

On the other vm (router3) interested by the GRE tunnel

ip tunnel add netb mode gre remote 192.168.5.1 local 192.168.5.18
ip link set netb up multicast on
ip addr add 10.0.0.2/28 dev netb

Now we disposal of a new overlay IP domain by means of GRE network interfaces, where the security services are guaranteed by the below IPsec SAs.


Appendix

Configuration of Quagga daemons

Is useful configure the quagga daemons to use the different routing protocol. We must modify the file /etc/quagga/daemons, writing yes at the daemons that we want active, i.e.:

zebra=yes
ripd=yes

Start quagga daemon

/etc/init.d/quagga start

Configure Ripd

Configure the ripd daemons with a telnet connection

telnet localhost 2602

password: zebra

enable 			# to active privileged mode
router rip
version 2		# to select RIPv2
network 10.0.0.0/28	# to send RIP multicast messages on the network 10.0.0.0/28
neighbor 10.0.0.2	# to send RIP messages only at 10.0.0.2 router
write			# to write the upon commands in the file ripd.conf

For more commands and configuration options http://www.telematica.polito.it/mellia/corsi/Laboratorio/doc/zebra_tutorial.pdf


Last modified 11 years ago Last modified on Feb 8, 2008, 11:51:10 AM

Attachments (2)

Download all attachments as: .zip