Linux ISAKMP IPsec VPN server compatible with the GreenBow client on Windows

Introduction:

I had to configure a Windows workstation for an IPsec connection with the GreenBow ISAKMP client, but the problem I faced was having an ISAKMP IPsec VPN server on the other end...
So I installed and configured a Debian Linux box as an ISAKMP IPsec VPN server, and verified that the two machines connected to each other correctly.

[Figure: vpn_03.png]

Prerequisites:

You need to install: isakmpd, openssl, ...

Configuring the ISAKMP IPsec VPN server:

When you install isakmpd, it places its configuration file in /etc/isakmpd/isakmpd.conf

We will back up the original one and create our own!

[General]
Retransmits=5
Exchange-max-time=120
Listen-on=10.1.1.254 # Address of the ISAKMPD VPN server
Shared-SADB=Defined
log_level=All
# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
Default=ISAKMP_peer_GNU_aggressive
0.0.0.0=ISAKMP_peer_GNU_aggressive
10.1.1.251=ISAKMP_peer_GNU_aggressive
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them.  This means we can do on-demand keying.
[Phase 2]
#Passive-Connections=IPsec_OBSD_GNU
Connections=IPsec_OBSD_GNU
# The peers
[ISAKMP_peer_GNU_aggressive]
Phase=1
Transport=udp
Local-address=10.1.1.254
Address=10.1.1.251
Configuration=Default-aggressive-mode
Authentication=presharedsecretkey
# The different connections
[IPsec_OBSD_GNU]
Phase=2
ISAKMP-peer=ISAKMP_peer_GNU_aggressive
Configuration=Default-perso-quick-mode
Local-ID=Net-GNU
Remote-ID=Net-OBSD
# Our Networks
[Net-GNU]
ID-type=IPV4_ADDR_SUBNET
Network=10.1.1.254
Netmask=255.255.255.255
[Net-OBSD]
ID-type=IPV4_ADDR_SUBNET
Network=10.1.1.254
Netmask=255.255.255.255
# Phase 1 descriptions
[Default-aggressive-mode]
DOI=IPSEC
EXCHANGE_TYPE=AGGRESSIVE
Transforms=3DES-SHA
# Main mode transforms
########################
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM=3DES_CBC
HASH_ALGORITHM=SHA
AUTHENTICATION_METHOD=PRE_SHARED
GROUP_DESCRIPTION=MODP_1024
#Life=LIFE_180_SECS
Life=LIFE_8_HOURS
# Quick mode description
########################
[Default-perso-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-PFS-SUITE-PERSO
# Quick mode protection suites
##############################
# 3DES
[QM-ESP-3DES-SHA-PFS-SUITE-PERSO]
Protocols=QM-ESP-3DES-SHA-PFS-PERSO
# Quick mode protocols
#############################
# 3DES
[QM-ESP-3DES-SHA-PFS-PERSO]
PROTOCOL_ID=IPSEC_ESP
Transforms=QM-ESP-3DES-SHA-PFS-XF-PERSO
# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-SHA-PFS-XF-PERSO]
TRANSFORM_ID=3DES
ENCAPSULATION_MODE=TRANSPORT
AUTHENTICATION_ALGORITHM=HMAC_SHA
GROUP_DESCRIPTION=MODP_1024
Life=LIFE_8_HOURS
[LIFE_8_HOURS]
LIFE_TYPE=SECONDS
LIFE_DURATION=28800,25200:32400
[LIFE_1_DAY]
LIFE_TYPE=SECONDS
LIFE_DURATION=86400,79200:93600
[LIFE_180_SECS]
LIFE_TYPE=SECONDS
LIFE_DURATION=180,120:240
[LIFE_3600_SECS]
LIFE_TYPE=SECONDS
LIFE_DURATION=3600,1800:7200

To see the logical layout of the file:

[Figure: Linux-IPsec-GreenBow-03.png, logical diagram]

You will have to modify the script that starts isakmpd, and also its listening port (UDP port 500), if you already have Freeswan, Openswan or Racoon installed, since they bind that port too...

But first, let's look at the file /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
         $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
         $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase: presharedsecretkey"
Conditions: app_domain == "IPsec policy" &&
         esp_present == "yes" &&
         esp_enc_alg == "aes" &&
         esp_auth_alg == "hmac-sha" -> "true";

Modify the startup script /etc/init.d/isakmpd:

For one thing, so that the process listens on a port other than 500:

#!/bin/sh
# Minimal init script for isakmpd. The daemon is started on an alternate
# UDP port (510 here) so that it does not clash with another IKE daemon
# already bound to udp/500. The client must then be pointed at that port.

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/isakmpd
PIDFILE=/var/run/isakmpd.pid
PORT=510

# Nothing to do if the package is not installed.
test -f $DAEMON || exit 0

case "$1" in

start)
 # -v: verbose, -i: pid file, -p: UDP port to listen on
 $DAEMON -v -i $PIDFILE -p $PORT
 ;;

stop)
 echo -n "Stopping OpenBSD isakmpd: "
 killall isakmpd
 echo "done"
 ;;

restart)
 killall isakmpd
 $DAEMON -v -i $PIDFILE -p $PORT
 ;;

*)
 echo "Usage: /etc/init.d/isakmpd {start|stop|restart}"
 exit 1
 ;;
esac
exit 0

Configuring the Windows GreenBow client:

[Figure: Linux-IPsec-GreenBow-04.png]
[Figure: Linux-IPsec-GreenBow-05.png]
[Figure: Linux-IPsec-GreenBow-06.png]
[Figure: Linux-IPsec-GreenBow-07.png]
[Figure: Linux-IPsec-GreenBow-08.png]
[Figure: Linux-IPsec-GreenBow-09.png]

You can find the configuration of my GreenBow client as a text file: vpn-ph1-ph2.ok.tgb

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2010-11-06 at 14:50:35
# Written by VpnConf 4
# 
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15
[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800
# ==================== PHASES 1 ====================
[Phase 1]
10.1.1.254 = ISAKMP_peer_GNU_aggressive-P1
[ISAKMP_peer_GNU_aggressive-aggressive-mode]
DOI = IPSEC
EXCHANGE_TYPE = AGGRESSIVE
Transforms = 3DES-SHA-GRP2
[ISAKMP_peer_GNU_aggressive-P1]
Phase = 1
Address = 10.1.1.254
Transport = udp
Configuration = ISAKMP_peer_GNU_aggressive-aggressive-mode
Authentication = "presharedsecretkey"
NATT_ENABLED = 0
# ==================== PHASES 2 ====================
[Phase 2]
Manual-connections = ISAKMP_peer_GNU_aggressive-IPsec_OBSD_GNU-P2
[ISAKMP_peer_GNU_aggressive-IPsec_OBSD_GNU-P2]
Phase = 2
ISAKMP-peer = ISAKMP_peer_GNU_aggressive-P1
Local-ID = IPsec_OBSD_GNU-local-addr
Remote-ID = IPsec_OBSD_GNU-remote-addr
Configuration = IPsec_OBSD_GNU-quick-mode
AutoStart = 0
USBStart = 0
# ==================== Ipsec ID ====================
[IPsec_OBSD_GNU-local-addr]
ID-type = IPV4_ADDR
Address = 10.1.1.251
[IPsec_OBSD_GNU-remote-addr]
ID-type = IPV4_RANGE
Network = 10.10.1.2
Netmask = 10.10.1.10
# ==================== TRANSFORMS ====================
[IPsec_OBSD_GNU-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = IPsec_OBSD_GNU-quick-mode-suite
[IPsec_OBSD_GNU-quick-mode-suite]
Protocols = TGBQM-ESP-3DES-SHA-PFSGRP2-TRP
[TGBQM-ESP-3DES-SHA-PFSGRP2-TRP]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-3DES-SHA-PFSGRP2-TRP-XF
[TGBQM-ESP-3DES-SHA-PFSGRP2-TRP-XF]
TRANSFORM_ID = 3DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TRANSPORT
Life = Default-phase-2-lifetime
# ==================== CERTIFICATES ====================

Adapt it to your needs!
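To see whether the server configuration, its KeyNote policy and the client export above actually agree, here is an added example (my own code, not part of the original post and not from the isakmpd or TheGreenBow projects). It parses the INI-like format the two files share, follows the Phase 2 chain connection → quick-mode configuration → suite → protocol → transform on each side, and compares the resulting ESP proposal and pre-shared key. It then checks the policy's esp_enc_alg / esp_auth_alg conditions against the server's transform; the mapping from TRANSFORM_ID names to the lowercase KeyNote attribute values (3DES → "3des") is an assumption of this example. The embedded inputs are constructed excerpts of the files shown on this page. Run on them, the two peers match, but the policy condition `esp_enc_alg == "aes"` does not match the 3DES transform the server proposes, so the policy and the transform should be brought into line with each other.

```python
"""Cross-check an isakmpd server config, its KeyNote policy and a TheGreenBow client
export.  Added example, not from the original post; inputs are constructed excerpts."""
import re

KEYNOTE_ESP_ENC = {"3DES": "3des", "AES": "aes", "DES": "des"}  # assumed KeyNote names

SERVER_CONF = """\
[ISAKMP_peer_GNU_aggressive]
Authentication=presharedsecretkey
[IPsec_OBSD_GNU]
ISAKMP-peer=ISAKMP_peer_GNU_aggressive
Configuration=Default-perso-quick-mode
[Default-perso-quick-mode]
Suites=QM-ESP-3DES-SHA-PFS-SUITE-PERSO
[QM-ESP-3DES-SHA-PFS-SUITE-PERSO]
Protocols=QM-ESP-3DES-SHA-PFS-PERSO
[QM-ESP-3DES-SHA-PFS-PERSO]
PROTOCOL_ID=IPSEC_ESP
Transforms=QM-ESP-3DES-SHA-PFS-XF-PERSO
[QM-ESP-3DES-SHA-PFS-XF-PERSO]
TRANSFORM_ID=3DES
ENCAPSULATION_MODE=TRANSPORT
AUTHENTICATION_ALGORITHM=HMAC_SHA
GROUP_DESCRIPTION=MODP_1024
"""

CLIENT_TGB = """\
[ISAKMP_peer_GNU_aggressive-P1]
Authentication = "presharedsecretkey"
[ISAKMP_peer_GNU_aggressive-IPsec_OBSD_GNU-P2]
ISAKMP-peer = ISAKMP_peer_GNU_aggressive-P1
Configuration = IPsec_OBSD_GNU-quick-mode
[IPsec_OBSD_GNU-quick-mode]
Suites = IPsec_OBSD_GNU-quick-mode-suite
[IPsec_OBSD_GNU-quick-mode-suite]
Protocols = TGBQM-ESP-3DES-SHA-PFSGRP2-TRP
[TGBQM-ESP-3DES-SHA-PFSGRP2-TRP]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-3DES-SHA-PFSGRP2-TRP-XF
[TGBQM-ESP-3DES-SHA-PFSGRP2-TRP-XF]
TRANSFORM_ID = 3DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TRANSPORT
"""

POLICY = '''Conditions: app_domain == "IPsec policy" &&
         esp_present == "yes" &&
         esp_enc_alg == "aes" &&
         esp_auth_alg == "hmac-sha" -> "true";'''


def parse_isakmpd_conf(text):
    """Parse the INI-like format of isakmpd.conf and the .tgb export ('#' = comment)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip().strip('"')
    return sections


def resolve_phase2(conf, connection):
    """Walk connection -> quick mode -> suite -> protocol -> transform; return what must match."""
    conn = conf[connection]
    suite = conf[conf[conn["Configuration"]]["Suites"]]
    proto = conf[suite["Protocols"]]
    xf = conf[proto["Transforms"]]
    return {"protocol": proto["PROTOCOL_ID"], "transform": xf["TRANSFORM_ID"],
            "auth": xf["AUTHENTICATION_ALGORITHM"], "mode": xf["ENCAPSULATION_MODE"],
            "pfs_group": xf.get("GROUP_DESCRIPTION", "none"),
            "psk": conf[conn["ISAKMP-peer"]]["Authentication"]}


def compare_peers(server, client):
    return [k for k in server if server[k] != client.get(k)]  # names that differ


def policy_accepts(policy_text, proposal):
    """Check the policy's esp_* conditions against the negotiated ESP transform."""
    wanted = dict(re.findall(r'(esp_\w+)\s*==\s*"([^"]+)"', policy_text))
    enc = KEYNOTE_ESP_ENC.get(proposal["transform"], proposal["transform"].lower())
    have = {"esp_enc_alg": enc, "esp_auth_alg": proposal["auth"].lower().replace("_", "-")}
    for attr, value in have.items():
        if attr in wanted and wanted[attr] != value:
            return False, f'policy requires {attr} == "{wanted[attr]}" but the transform negotiates "{value}"'
    return True, "policy conditions match the negotiated ESP transform"


def run_checks():
    """Returns (parameters on which the peers differ, policy accepted, reason)."""
    server = resolve_phase2(parse_isakmpd_conf(SERVER_CONF), "IPsec_OBSD_GNU")
    client = resolve_phase2(parse_isakmpd_conf(CLIENT_TGB),
                            "ISAKMP_peer_GNU_aggressive-IPsec_OBSD_GNU-P2")
    accepted, reason = policy_accepts(POLICY, server)
    return compare_peers(server, client), accepted, reason


if __name__ == "__main__":
    print(run_checks())
```

To use it on real files, read /etc/isakmpd/isakmpd.conf, /etc/isakmpd/isakmpd.policy and the exported .tgb into the three strings instead of the excerpts; a non-empty first element means the peers propose different ESP parameters or a different pre-shared key, and a False second element means isakmpd's policy would refuse the SA the server itself proposes.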

References:

Issues encountered:

That's it.

-- END --

This work by Laurent Besson is licensed under the Creative Commons Attribution-ShareAlike 2.0 France license.