For that reason, the functional tests were carried out on a private network.
■ Displayed the kernel version
[root@vm ~]# uname -a
Linux vm.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
■ Libreswan is in the EPEL repository, so EPEL was enabled first
[root@vm ~]# yum localinstall http://ftp.riken.jp/Linux/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
Setting up Local Package Process
Examining /var/tmp/yum-root-W9Hlf2/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch
Marking /var/tmp/yum-root-W9Hlf2/epel-release-6-8.noarch.rpm to be installed
Installed:
epel-release.noarch 0:6-8
Complete!
■ Displayed the Libreswan package information
[root@vm ~]# yum info libreswan
Available Packages
Name : libreswan
Arch : x86_64
Version : 3.7
Release : 1.el6
Size : 1.1 M
Repo : epel
Summary : IPsec implementation with IKEv1 and IKEv2 keying protocols
URL : https://www.libreswan.org/
License : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
: the Internet Protocol Security and uses strong cryptography to provide
: both authentication and encryption services. These services allow you
: to build secure tunnels through untrusted networks. Everything passing
: through the untrusted net is encrypted by the ipsec gateway machine and
: decrypted by the gateway at the other end of the tunnel. The resulting
: tunnel is a virtual private network or VPN.
:
: This package contains the daemons and userland tools for setting up
: Libreswan. To build KLIPS, see the kmod-libreswan.spec file.
:
: Libreswan also supports IKEv2 (RFC4309) and Secure Labeling
:
: Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
■ Installed Libreswan
[root@vm ~]# yum install libreswan
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package libreswan.x86_64 0:3.7-1.el6 will be installed
--> Processing Dependency: libunbound.so.2()(64bit) for package: libreswan-3.7-1.el6.x86_64
--> Running transaction check
---> Package unbound-libs.x86_64 0:1.4.21-1.el6 will be installed
--> Processing Dependency: libldns.so.1()(64bit) for package: unbound-libs-1.4.21-1.el6.x86_64
--> Running transaction check
---> Package ldns.x86_64 0:1.6.16-2.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
libreswan x86_64 3.7-1.el6 epel 1.1 M
Installing for dependencies:
ldns x86_64 1.6.16-2.el6 epel 439 k
unbound-libs x86_64 1.4.21-1.el6 epel 299 k
Transaction Summary
========================================================================================================================================================================
Install 3 Package(s)
Total download size: 1.9 M
Installed size: 5.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): ldns-1.6.16-2.el6.x86_64.rpm | 439 kB 00:00
(2/3): libreswan-3.7-1.el6.x86_64.rpm | 1.1 MB 00:00
(3/3): unbound-libs-1.4.21-1.el6.x86_64.rpm | 299 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.8 MB/s | 1.9 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ldns-1.6.16-2.el6.x86_64 1/3
Installing : unbound-libs-1.4.21-1.el6.x86_64 2/3
Non-fatal POSTIN scriptlet failure in rpm package unbound-libs-1.4.21-1.el6.x86_64
warning: %post(unbound-libs-1.4.21-1.el6.x86_64) scriptlet failed, exit status 1
Installing : libreswan-3.7-1.el6.x86_64 3/3
Verifying : unbound-libs-1.4.21-1.el6.x86_64 1/3
Verifying : ldns-1.6.16-2.el6.x86_64 2/3
Verifying : libreswan-3.7-1.el6.x86_64 3/3
Installed:
libreswan.x86_64 0:3.7-1.el6
Dependency Installed:
ldns.x86_64 0:1.6.16-2.el6 unbound-libs.x86_64 0:1.4.21-1.el6
Complete!
■ Started the Libreswan service (ipsec)
[root@vm ~]# service ipsec start
Starting pluto IKE daemon for IPsec: [ OK ]
■ Checked the conditions that must be met before building an IPsec tunnel with Libreswan
The remediations reported in the output of the command below (the underlined parts) are applied later.
<Excerpted from the output below>
1. Disable /proc/sys/net/ipv4/conf/*/send_redirects
2. Disable /proc/sys/net/ipv4/conf/*/accept_redirects
3. rp_filter is not fully aware of IPsec and should be disabled
[root@vm ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.7 (netkey) on 2.6.32-431.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
■ Just to be sure, checked the current value of each item that needs remediation
The output showed that send_redirects, accept_redirects and rp_filter were enabled (=1).
[root@vm ~]# for i in /proc/sys/net/ipv4/conf/*/send_redirects ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/send_redirects
1
/proc/sys/net/ipv4/conf/default/send_redirects
1
/proc/sys/net/ipv4/conf/eth0/send_redirects
1
/proc/sys/net/ipv4/conf/lo/send_redirects
1
[root@vm ~]# for i in /proc/sys/net/ipv4/conf/*/accept_redirects ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/accept_redirects
1
/proc/sys/net/ipv4/conf/default/accept_redirects
1
/proc/sys/net/ipv4/conf/eth0/accept_redirects
1
/proc/sys/net/ipv4/conf/lo/accept_redirects
1
[root@vm ~]# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/rp_filter
0
/proc/sys/net/ipv4/conf/default/rp_filter
1
/proc/sys/net/ipv4/conf/eth0/rp_filter
1
/proc/sys/net/ipv4/conf/lo/rp_filter
1
■ Edited the configuration to change the value of each item that needs remediation
The section marked in bold (the lines under "# Setting for IPsec(LibreSWAN)") was added to the existing configuration and the file was saved.
[root@vm ~]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Setting for IPsec(LibreSWAN)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
# Controls IP packet forwarding (the key to set to 1 to enable FORWARD when the host has multiple NICs)
net.ipv4.ip_forward = 0
# Controls source route verification
# Overridden by Setting for IPsec(LibreSWAN)
#net.ipv4.conf.default.rp_filter = 1
(remainder omitted)
■ Applied the settings
[root@vm ~]# sysctl -p
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
■ Re-checked the conditions that must be met before building an IPsec tunnel with Libreswan
Confirmed that the warnings had been resolved.
[root@vm ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.7 (netkey) on 2.6.32-431.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
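As an added example that is not part of the original post, the following POSIX shell script repeats the per-interface check done above with the `for ... cat` loops and generates the `net.ipv4.conf.<iface>.<key> = 0` lines for whatever is still non-zero, in the same form added to /etc/sysctl.conf here. The conf root is a parameter (an assumption for offline testing), and the sample tree it builds is constructed to mirror the values seen on this page before the fix.

```shell
#!/bin/sh
# Added example, not from the original post: re-check the three sysctl families that
# `ipsec verify` flagged (send_redirects, accept_redirects, rp_filter) and generate
# the sysctl.conf lines needed for every interface still set to a non-zero value.
# The conf root is a parameter so the logic can run against a constructed tree.

# audit_ipsec_sysctl ROOT: print "<iface>/<key> <value>" for each non-zero key.
# Returns 0 when everything is already 0 (nothing printed), 1 otherwise.
audit_ipsec_sysctl() {
    root=$1
    bad=0
    for key in send_redirects accept_redirects rp_filter; do
        for f in "$root"/*/"$key"; do
            [ -r "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                iface=$(basename "$(dirname "$f")")
                printf '%s/%s %s\n' "$iface" "$key" "$val"
                bad=1
            fi
        done
    done
    return $bad
}

# sysctl_fix_lines ROOT: emit "net.ipv4.conf.<iface>.<key> = 0" for each offender,
# in the same form the post adds under "# Setting for IPsec(LibreSWAN)".
sysctl_fix_lines() {
    audit_ipsec_sysctl "$1" | while read -r path val; do
        printf 'net.ipv4.conf.%s.%s = 0\n' "${path%%/*}" "${path#*/}"
    done
}

# make_sample_tree: constructed tree mirroring the values observed on the page
# before the fix (all/rp_filter already 0, every other key 1). Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    for i in all default eth0 lo; do
        mkdir -p "$d/$i"
        for key in send_redirects accept_redirects rp_filter; do
            echo 1 > "$d/$i/$key"
        done
    done
    echo 0 > "$d/all/rp_filter"
    echo "$d"
}

# Live usage (as root): audit_ipsec_sysctl /proc/sys/net/ipv4/conf
# Sample usage:         sysctl_fix_lines "$(make_sample_tree)"
```

On a live host the generated lines can be appended to /etc/sysctl.conf and applied with `sysctl -p`, after which the audit function prints nothing and returns 0.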
This completes the installation of Libreswan and the system configuration required for building an IPsec tunnel.
In addition, the tunnel-specific IPsec configuration still has to be written. For that, refer to the configuration-file section of the OpenSWAN article:
http://akira-arets.blogspot.jp/2013/10/centos-64-minimal-linux-openswanwith.html
The Openswan configuration from the linked article could be reused as the Libreswan IPsec tunnel configuration file.
(Reference)
[Linux CentOS 6.4 64-bit minimal] Built an IPsec tunnel between OpenSWAN (with NETKEY) hosts [openswan.x86_64 0:2.6.32-21.el6_4]
< http://akira-arets.blogspot.jp/2013/10/centos-64-minimal-linux-openswanwith.html > June 13, 2014