Internet Protocol Security (IPSEC)
IPSEC is a protocol suite that provides confidentiality (encryption), integrity, and authentication for IP traffic by encapsulating it. It operates at the Internet layer and is currently supported by all major operating systems. IPSEC is suitable for small to large enterprise networks and can be used as an alternative to Oracle Advanced Security encryption. In this recipe we will show how to establish an IPSEC connection between nodeorcl5 and a Windows client. On Red Hat we will use the freeswan IPSEC implementation and will configure a test-like setup using pre-shared keys (PSK).
As a prerequisite, create a new virtual machine and install Windows 7 and Oracle Client 11.2.0.3 on it.
We will start this recipe with the Linux IPSEC freeswan configuration.
Open /etc/ipsec.conf and add the following parameters:

    # /etc/ipsec.conf - Openswan IPsec configuration file
    #
    # Manual:     ipsec.conf.5
    #
    # Please place your own config files in /etc/ipsec.d/ ending in .conf
    version 2.0     # conforms to second version of ipsec.conf specification

    config setup
        # if eth0 is connected to lan
        klipsdebug=none
        plutodebug=none
        protostack=netkey

    conn oraclient-oraserver
        authby=secret
        auto=add
        type=tunnel
        left=10.241.132.218
        right=10.241.132.2
        keyingtries=0
        keyexchange=ike
        keylife=8h
        pfs=yes
        ike=3des-sha1;modp1024
Here left is the nodeorcl1 IP address and right is the Windows client IP address; keyexchange=ike selects IKE, authenticated with a pre-shared key (authby=secret); ike specifies the encryption algorithm and hash function plus the Diffie-Hellman group (modp1024) used for the IKE exchange.
Generate a 128-bit pre-shared key with ipsec ranbits:

    [root@nodeorcl1 ~]# ipsec ranbits --continuous 128
    0x5af24b5a16cfcb5a8b5ae8b3d1373434
    [root@nodeorcl1 ~]#
Edit the /etc/ipsec.secrets file as follows:

    10.241.132.218 10.241.132.2: PSK "0x5af24b5a16cfcb5a8b5ae8b3d1373434"
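The conn section and the PSK entry above are the two places where this setup can silently be weaker than intended (a proposal built from legacy algorithms, a short key, or a secrets line that does not match left/right). The following audit script is an added example written for this recipe, not Openswan's own code: it parses an ipsec.conf and an ipsec.secrets in the format shown above and reports such findings. The file contents embedded in it are constructed copies of the recipe's configuration, and the stronger proposal used in the usage note (aes256-sha1;modp2048) is an illustration of the same syntax, not a value from the recipe.

```python
"""Audit an Openswan-style ipsec.conf / ipsec.secrets pair for a PSK tunnel.

Added example for this recipe (not Openswan code). The sample file contents
below are constructed to mirror the recipe's configuration.
"""
import re

# Constructed sample of /etc/ipsec.conf (mirrors the recipe; not read from disk).
IPSEC_CONF = """\
version 2.0

config setup
    klipsdebug=none
    plutodebug=none
    protostack=netkey

conn oraclient-oraserver
    authby=secret
    auto=add
    type=tunnel
    left=10.241.132.218
    right=10.241.132.2
    keyingtries=0
    keyexchange=ike
    keylife=8h
    pfs=yes
    ike=3des-sha1;modp1024
"""

# Constructed sample of /etc/ipsec.secrets (same PSK as the recipe).
IPSEC_SECRETS = '10.241.132.218 10.241.132.2: PSK "0x5af24b5a16cfcb5a8b5ae8b3d1373434"\n'

# Algorithm / group tokens that current IKE guidance (RFC 8247) treats as legacy.
LEGACY_IKE_TOKENS = ("3des", "md5", "modp768", "modp1024", "modp1536")


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn <name>": {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header or 'version' line
            parts = line.split()
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            else:
                current = None
            continue
        if current is not None and "=" in line:   # indented key=value inside a section
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return [(selector_list, psk_bytes)] for every PSK entry in ipsec.secrets."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ": PSK" not in line:
            continue
        selectors, _, secret = line.partition(": PSK")
        secret = secret.strip().strip('"')
        # Openswan accepts a hex key (0x...) or a quoted passphrase.
        psk = bytes.fromhex(secret[2:]) if secret.startswith("0x") else secret.encode()
        entries.append((selectors.split(), psk))
    return entries


def check_conn(conn, secrets):
    """Return a list of findings for one conn section (empty list = nothing flagged)."""
    findings = []
    if conn.get("keyexchange", "ike") != "ike":
        findings.append("keyexchange is not ike")
    if conn.get("pfs", "yes").lower() != "yes":
        findings.append("pfs=no: ESP keys are derivable from a compromised IKE key")
    for token in re.split(r"[;,\-]", conn.get("ike", "").lower()):
        if token in LEGACY_IKE_TOKENS:
            findings.append(f"ike proposal uses legacy algorithm/group {token}")
    if conn.get("authby") == "secret":
        left, right = conn.get("left"), conn.get("right")
        matches = [psk for sel, psk in secrets if left in sel and right in sel]
        if not matches:
            findings.append(f"no PSK entry in ipsec.secrets for {left} <-> {right}")
        elif len(matches[0]) < 16:
            findings.append(f"PSK is only {len(matches[0]) * 8} bits; use at least 128")
    return findings


def audit(conf_text, secrets_text):
    """Map each conn name to its findings."""
    conf = parse_ipsec_conf(conf_text)
    secrets = parse_ipsec_secrets(secrets_text)
    return {name: check_conn(body, secrets)
            for name, body in conf.items() if name.startswith("conn ")}


if __name__ == "__main__":
    for name, findings in audit(IPSEC_CONF, IPSEC_SECRETS).items():
        print(name, "->", findings or "OK")
```

Run against the recipe's files the script flags 3des and modp1024 in the ike proposal and finds the 128-bit PSK acceptable; replacing the proposal with, for example, aes256-sha1;modp2048 (illustrative, check what your Openswan version accepts) yields no findings. To audit the real files, read /etc/ipsec.conf and /etc/ipsec.secrets and pass their contents to audit() in place of the constructed strings.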
Start the ipsec service as follows:

    [root@nodeorcl1 etc]# service ipsec start
On the Windows client, create a new IP Security policy, name it oraipsec and click on Next. Select the oraipsec policy and click on Properties. In the IP Filtering Rules click on the Add button, name the rule oraipfilterrules and click on OK. Finally, right-click on the oraipsec policy and click on Assign.

From the Windows client, connect to the HACKDB database. A packet capture of the traffic between the client and nodeorcl1 now shows only ESP-encapsulated packets:

    19:30:38.912592 IP 10.241.132.2 > nodeorcl1: ESP(spi=0xc006149b,seq=0x1d), length 68
    19:30:38.912699 IP nodeorcl1 > 10.241.132.2: ESP(spi=0x5dc407c7,seq=0x1f), length 68
    19:30:38.913346 IP 10.241.132.2 > nodeorcl1: ESP(spi=0xc006149b,seq=0x1e), length 52
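The capture above is the evidence that the policy is doing its job: every packet between the two peers is ESP, and the sequence numbers per SPI only move forward. The script below is an added example written for this recipe, not part of it and not part of tcpdump: it parses tcpdump lines in the format shown, counts ESP packets per SPI, flags any packet between the peers that is not ESP (which is what an unprotected Oracle listener session would look like if the policy were unassigned), and reports sequence-number repeats, the condition the receiver's anti-replay window rejects. The first three capture lines are the recipe's; the fourth is constructed for illustration.

```python
"""Check a tcpdump capture between the IPsec peers: everything should be ESP.

Added example for this recipe (not part of the recipe or of tcpdump). The
first three capture lines are the recipe's; the fourth is constructed to show
what an unprotected Oracle listener packet would look like.
"""
import re

ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)")
ANY_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")

# Constructed capture: three lines from the recipe plus one cleartext TCP line to port 1521.
CAPTURE = """\
19:30:38.912592 IP 10.241.132.2 > nodeorcl1: ESP(spi=0xc006149b,seq=0x1d), length 68
19:30:38.912699 IP nodeorcl1 > 10.241.132.2: ESP(spi=0x5dc407c7,seq=0x1f), length 68
19:30:38.913346 IP 10.241.132.2 > nodeorcl1: ESP(spi=0xc006149b,seq=0x1e), length 52
19:30:39.100001 IP 10.241.132.2.49152 > nodeorcl1.1521: Flags [P.], seq 1:30, ack 1, length 29
"""


def parse_line(line):
    """Parse one tcpdump line into a dict, or None if it is not an IP packet line."""
    m = ESP_RE.match(line)
    if m:
        return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "esp": True,
                "spi": int(m["spi"], 16), "seq": int(m["seq"], 16), "length": int(m["len"])}
    m = ANY_RE.match(line)
    if m:
        # tcpdump appends ".port" to the host in TCP/UDP lines; strip it to get the peer.
        return {"ts": m["ts"], "src": m["src"].rsplit(".", 1)[0],
                "dst": m["dst"].rsplit(".", 1)[0], "esp": False, "info": m["rest"]}
    return None


def analyse(capture_text, peers):
    """Summarise ESP coverage and sequence behaviour for traffic between two peers."""
    summary = {"esp_packets": 0, "cleartext": [], "seq_anomalies": [], "spis": {}}
    last_seq = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or {pkt["src"], pkt["dst"]} != set(peers):
            continue                      # only traffic between the two IPsec peers
        if not pkt["esp"]:
            summary["cleartext"].append(line)   # should never happen with the policy assigned
            continue
        summary["esp_packets"] += 1
        spi = pkt["spi"]
        summary["spis"].setdefault(spi, f"{pkt['src']} -> {pkt['dst']}")
        # ESP sequence numbers must strictly increase per SPI; a repeat or a step
        # backwards is what the receiver's anti-replay window rejects.
        if spi in last_seq and pkt["seq"] <= last_seq[spi]:
            summary["seq_anomalies"].append((spi, last_seq[spi], pkt["seq"]))
        last_seq[spi] = pkt["seq"]
    return summary


if __name__ == "__main__":
    report = analyse(CAPTURE, ("10.241.132.2", "nodeorcl1"))
    print(f"ESP packets: {report['esp_packets']}, SPIs: "
          + ", ".join(f"{spi:#x} ({d})" for spi, d in report["spis"].items()))
    for line in report["cleartext"]:
        print("CLEARTEXT between peers:", line)
    for spi, prev, cur in report["seq_anomalies"]:
        print(f"sequence anomaly on SPI {spi:#x}: {prev:#x} then {cur:#x}")
```

On the constructed capture the script reports three ESP packets over two SPIs (one per direction), no sequence anomalies, and one cleartext line to port 1521. Feed it the output of a real capture on nodeorcl1 filtered to the two peers; a non-empty cleartext list means some traffic is bypassing the policy and the filter rule or assignment on the Windows side should be rechecked.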
The internals and specification of IPSEC are presented in RFC 2401 (http://www.ietf.org/rfc/rfc2401.txt).
For more information about IPSEC Openswan implementation for small and large networks I recommend a detailed book entitled Openswan: Building and Integrating Virtual Private Networks (http://www.packtpub.com/openswan/book).