(無償) logo
世界中で使われるISO標準オフィスソフト(MSオフィス互換)

★LibreOfficeの導入事例★
詳細について

2014年6月13日金曜日

【Linux CentOS 6.5 64bit】Libreswan(netkey利用)をYUMでインストールしシステム基本設定を行った【Libreswan 3.7】

ファイアウォールの導入などセキュリティーについては考慮していない。
そのため、プライベートネットワークを利用して動作テストを行っている。


■ カーネルのバージョンを表示させた

[root@vm ~]# uname -a
Linux vm.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux


■LibreswanはEPELリポジトリにあるので、EPELリポジトリが利用できるようにした

[root@vm ~]# yum localinstall http://ftp.riken.jp/Linux/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
Setting up Local Package Process

Examining /var/tmp/yum-root-W9Hlf2/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch
Marking /var/tmp/yum-root-W9Hlf2/epel-release-6-8.noarch.rpm to be installed

Installed:
  epel-release.noarch 0:6-8

Complete!


■Libreswanの情報を表示させた

[root@vm ~]# yum info libreswan
Available Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.7
Release     : 1.el6
Size        : 1.1 M
Repo        : epel
Summary     : IPsec implementation with IKEv1 and IKEv2 keying protocols
URL         : https://www.libreswan.org/
License     : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
            : the Internet Protocol Security and uses strong cryptography to provide
            : both authentication and encryption services.  These services allow you
            : to build secure tunnels through untrusted networks.  Everything passing
            : through the untrusted net is encrypted by the ipsec gateway machine and
            : decrypted by the gateway at the other end of the tunnel.  The resulting
            : tunnel is a virtual private network or VPN.
            :
            : This package contains the daemons and userland tools for setting up
            : Libreswan. To build KLIPS, see the kmod-libreswan.spec file.
            :
            : Libreswan also supports IKEv2 (RFC4309) and Secure Labeling
            :
            : Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04



■Libreswanをインストールした

[root@vm ~]# yum install libreswan
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package libreswan.x86_64 0:3.7-1.el6 will be installed
--> Processing Dependency: libunbound.so.2()(64bit) for package: libreswan-3.7-1.el6.x86_64
--> Running transaction check
---> Package unbound-libs.x86_64 0:1.4.21-1.el6 will be installed
--> Processing Dependency: libldns.so.1()(64bit) for package: unbound-libs-1.4.21-1.el6.x86_64
--> Running transaction check
---> Package ldns.x86_64 0:1.6.16-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
 Package                                    Arch                                 Version                                       Repository                          Size
========================================================================================================================================================================
Installing:
 libreswan                                  x86_64                               3.7-1.el6                                     epel                               1.1 M
Installing for dependencies:
 ldns                                       x86_64                               1.6.16-2.el6                                  epel                               439 k
 unbound-libs                               x86_64                               1.4.21-1.el6                                  epel                               299 k

Transaction Summary
========================================================================================================================================================================
Install       3 Package(s)

Total download size: 1.9 M
Installed size: 5.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): ldns-1.6.16-2.el6.x86_64.rpm                                                                                                              | 439 kB     00:00
(2/3): libreswan-3.7-1.el6.x86_64.rpm                                                                                                            | 1.1 MB     00:00
(3/3): unbound-libs-1.4.21-1.el6.x86_64.rpm                                                                                                      | 299 kB     00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                   2.8 MB/s | 1.9 MB     00:00

Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ldns-1.6.16-2.el6.x86_64                                                                                                                             1/3
  Installing : unbound-libs-1.4.21-1.el6.x86_64                                                                                                                     2/3
Non-fatal POSTIN scriptlet failure in rpm package unbound-libs-1.4.21-1.el6.x86_64
warning: %post(unbound-libs-1.4.21-1.el6.x86_64) scriptlet failed, exit status 1

  Installing : libreswan-3.7-1.el6.x86_64                                                                                                                           3/3
  Verifying  : unbound-libs-1.4.21-1.el6.x86_64                                                                                                                     1/3
  Verifying  : ldns-1.6.16-2.el6.x86_64                                                                                                                             2/3
  Verifying  : libreswan-3.7-1.el6.x86_64                                                                                                                           3/3

Installed:
  libreswan.x86_64 0:3.7-1.el6

Dependency Installed:
  ldns.x86_64 0:1.6.16-2.el6                                                     unbound-libs.x86_64 0:1.4.21-1.el6

Complete!


■Libreswanのサービス(ipsec)を起動した

[root@vm ~]# service ipsec start
Starting pluto IKE daemon for IPsec:                       [  OK  ]


■LibreswanによるIPsecトンネル構築のために満たすべき条件を確認した

下記コマンドの結果表示される対策(アンダーライン部分)を後で行う。

<下記結果から抜粋した>
1、Disable /proc/sys/net/ipv4/conf/*/send_redirects
2、Disable /proc/sys/net/ipv4/conf/*/accept_redirects
3、rp_filter is not fully aware of IPsec and should be disabled


[root@vm ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.7 (netkey) on 2.6.32-431.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help


■念のため、対策すべき各項目の値を確認した

結果から、send_redirects、accept_redirects、rp_filter が有効(=1)になっていることがわかった。

[root@vm ~]# for i in  /proc/sys/net/ipv4/conf/*/send_redirects ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/send_redirects
1
/proc/sys/net/ipv4/conf/default/send_redirects
1
/proc/sys/net/ipv4/conf/eth0/send_redirects
1
/proc/sys/net/ipv4/conf/lo/send_redirects
1
[root@vm ~]# for i in  /proc/sys/net/ipv4/conf/*/accept_redirects ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/accept_redirects
1
/proc/sys/net/ipv4/conf/default/accept_redirects
1
/proc/sys/net/ipv4/conf/eth0/accept_redirects
1
/proc/sys/net/ipv4/conf/lo/accept_redirects
1
[root@vm ~]# for i in  /proc/sys/net/ipv4/conf/*/rp_filter ; do ls $i ; cat $i ; done
/proc/sys/net/ipv4/conf/all/rp_filter
0
/proc/sys/net/ipv4/conf/default/rp_filter
1
/proc/sys/net/ipv4/conf/eth0/rp_filter
1
/proc/sys/net/ipv4/conf/lo/rp_filter
1


■対策すべき各項目の値を変更するために設定を行った

既存の設定に、太字部分を追加し、保存した。

[root@vm ~]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Setting for IPsec(LibreSWAN)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0


# Controls IP packet forwarding(複数NICがあってFORWARDを有効=1にするための設定項目)
net.ipv4.ip_forward = 0

# Controls source route verification
# Overriden by Setting for IPsec(LibreSWAN)
#net.ipv4.conf.default.rp_filter = 1
(以下省略)


■設定を有効化した

[root@vm ~]# sysctl -p
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296


■LibreswanによるIPsecトンネル構築のために満たすべき条件を再び確認した

「警告」が解消されていることが確認された。

[root@vm ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.7 (netkey) on 2.6.32-431.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]



以上で、LibreSWANのインストールと、IPsecトンネル構築のためのシステム設定が完了した。

さらに、IPsecトンネルのための個別設定を行う必要がある。これについては、OpenSWANの記事から設定ファイルの作成部分を参照。
http://akira-arets.blogspot.jp/2013/10/centos-64-minimal-linux-openswanwith.html

LibreswanのIPsecトンネル設定ファイルは、リンク記事中のOpenswanの設定を流用できた。



(参考)
【Linux CentOS6.4 64bit版 minimal】 OpenSWAN( with NETKEY )同士で、IPsecトンネルの構築を行った【openswan.x86_64 0:2.6.32-21.el6_4】
< http://akira-arets.blogspot.jp/2013/10/centos-64-minimal-linux-openswanwith.html > 2014年6月13日