Introduction: IPSec Using OpenSwan on Zybo

Picture of IPSec Using OpenSwan on Zybo

Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.

Before starting this tutorial you have to complete first tutorial in which is explained how to install Xillinux on Zybo.

In addition for this tutorial you will need:

  • a router( I used a wireless router) to connect the two hosts: your pc with Linux and your zybo board
  • two LAN cables for connecting to router(one if you connect your PC using wireless)

Step 1: Install Openswan

On both hosts install Openswan by typing the code below in terminal:

sudo su //only on your computer terminal
apt-get update
apt-get install openswan

Step 2: Start Openswan

To start IPSec session you have to type the code below on both hosts terminal

service ipsec start

Step 3: Generate RSA Keys for Both Hosts

In this step you will generate two RSA keys.

Because of the low computing power of ZYBO's processor I chose to create just a 512 bits RSA key.For sure you can create a longer key by changing the 512 value with 1024 or 2048.

For generating the keys, type the code below on both hosts terminal.

 ipsec newhostkey --output /etc/ipsec.secrets --bits 512 

After tthe key generation operation the file ipsec.secrets contains the public and private key for each host.

Step 4: Get Public Keys

On your computer's terminal type the code below to get IPSec public key

ipsec showhostkey --left

Something like this should be printed on your display:

# rsakey AQOAVXOSP
leftrsasigkey=0sAQOAVXOSPSOpgZeb4xT1M/ATlP7e7zkqUA0pOctoGZTF/udKc3LXfBUYW9Vf6FN5BjH1WDiiejbULhq03gJIwLoT

Repeat the same steps to get IPSec public key on Zybo's terminal, but by replacing left with right

ipsec showhostkey --right

Now you have both keys extracted and you can go to the next step where i will show you how to setup the configuration file

Step 5:

Navigate to /etc and find ipsec.conf file.

I've uploaded my configuration file as example.All you have to do is to modify if with your values for IP and RSA keys.

If you don't want the tunnel to start when the machine starts change the last line with the code below:

auto=add

Step 6:

Ensure ipsec is started:

ipsec setup start

Ensure the connection is loaded

ipsec auto --add mytunnel

Try to bring up the tunnel

ipsec auto --up mytunnel

On zybo I've got this error: "We cannot identify ouselves with either end of this connection"

I've solved this by restarting IPSec service

etc/init.d/ipsec restart

If everything runs good you should see something like this

117 "mytunnel" #46: STATE_QUICK_I1: initiate
004 "mytunnel" #46: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x95ca29eb <0x52662e45 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Step 7: Testing Your Tunnel Functionality

Picture of Testing Your Tunnel Functionality

To test everything configured successfully run the code below on your computer terminal

tcpdump -ni wlan0 -X -v host [your computer IP]

if you are connected to the router using wi-fi

or

tcpdump -ni eth0 -X -v host [your computer IP]

if you are connected to the router using a LAN cable

In another terminal on your computer ping Zybo.

In the first terminal you should see that ESP(Encapsulating Security Payload) are sent to ZYBO.If ESP packets are sent everything is ok.

Comments