IPSec Using OpenSwan on Zybo
Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
Before starting this tutorial you have to complete the first tutorial, which explains how to install Xillinux on Zybo.
In addition, for this tutorial you will need:
- a router (I used a wireless router) to connect the two hosts: your PC with Linux and your Zybo board
- two LAN cables for connecting to the router (one if you connect your PC using wireless)
Install Openswan
On both hosts install Openswan by typing the commands below in the terminal:
sudo su    # only needed on your computer's terminal
apt-get update
apt-get install openswan
Start Openswan
To start the IPsec service, type the command below in the terminal of both hosts:
service ipsec start
Generate RSA Keys for Both Hosts
In this step you will generate two RSA keys, one per host.
Because of the low computing power of ZYBO's processor I chose to create just a 512-bit RSA key. You can of course create a longer key by changing the 512 value to 1024 or 2048. Keep in mind that a 512-bit RSA key can be factored with modest resources and is only acceptable for experimenting on an isolated lab network; use at least 2048 bits for anything else.
To generate the keys, type the command below in the terminal of both hosts:
ipsec newhostkey --output /etc/ipsec.secrets --bits 512
After the key generation operation the file ipsec.secrets contains the public and private key for each host.
Get Public Keys
On your computer's terminal, type the command below to get the IPsec public key:
ipsec showhostkey --left
Something like this should be printed on your display:
# rsakey AQOAVXOSP
leftrsasigkey=0sAQOAVXOSPSOpgZeb4xT1M/ATlP7e7zkqUA0pOctoGZTF/udKc3LXfBUYW9Vf6FN5BjH1WDiiejbULhq03gJIwLoT
Repeat the same step on Zybo's terminal to get its IPsec public key, but replace left with right:
ipsec showhostkey --right
Now you have both keys extracted and you can go to the next step, where I will show you how to set up the configuration file.
Navigate to /etc and find the ipsec.conf file.
I've uploaded my configuration file as an example. All you have to do is modify it with your values for the IP addresses and RSA keys.
If you don't want the tunnel to start when the machine starts change the last line with the code below:
auto=add
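The page does not reproduce the uploaded configuration file, so here is an added example of a host-to-host ipsec.conf in the shape this tutorial uses (not the author's file). The IP addresses and the two key values are constructed placeholders; replace them with your PC's and Zybo's addresses and with the leftrsasigkey / rightrsasigkey lines printed by ipsec showhostkey on each host.

```conf
# /etc/ipsec.conf  (added example; identical on both hosts)
config setup
    # NETKEY is the in-kernel stack; the "xfrm=" field in the
    # ipsec auto --up output confirms it is in use.
    protostack=netkey
    # Both hosts sit on the same LAN, so no NAT traversal is needed.
    nat_traversal=no

conn mytunnel
    type=tunnel
    # Authenticate each side with the raw RSA host keys generated
    # by "ipsec newhostkey" (no certificates involved).
    authby=rsasig
    # left = your PC, right = Zybo (constructed addresses)
    left=192.0.2.10
    leftrsasigkey=0sAQ...PC-KEY-FROM-ipsec-showhostkey---left...
    right=192.0.2.20
    rightrsasigkey=0sAQ...ZYBO-KEY-FROM-ipsec-showhostkey---right...
    # Matches the SA shown later: AES_128-HMAC_SHA1
    esp=aes128-sha1
    pfs=yes
    # Use auto=add instead if the tunnel should not come up at boot.
    auto=start
```

Because the same left/right roles appear in both copies, each host works out which side it is from its own interface addresses; if neither address is local yet (for example when the interface comes up after the service), Openswan reports that it cannot identify itself with either end.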
Ensure ipsec is started:
ipsec setup start
Ensure the connection is loaded
ipsec auto --add mytunnel
Try to bring up the tunnel
ipsec auto --up mytunnel
On Zybo I got this error: "We cannot identify ouselves with either end of this connection"
I solved this by restarting the IPsec service:
/etc/init.d/ipsec restart
If everything runs well, you should see something like this:
117 "mytunnel" #46: STATE_QUICK_I1: initiate
004 "mytunnel" #46: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x95ca29eb <0x52662e45 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Testing Your Tunnel Functionality
To verify that everything is configured correctly, run the command below in your computer's terminal:
tcpdump -ni wlan0 -X -v host [your computer IP]
if you are connected to the router using wi-fi
or
tcpdump -ni eth0 -X -v host [your computer IP]
if you are connected to the router using a LAN cable
In another terminal on your computer, ping Zybo.
In the first terminal you should see that ESP (Encapsulating Security Payload) packets are sent to ZYBO instead of plaintext ICMP. If ESP packets are sent, everything is ok.