# Cybersecurity advanced
## Lab 09: IPsec


Links to Syllabus

- [Theoretical](https://hogenttin.github.io/cybersecurity-advanced/lesson-9/theory/)
- [Practical](https://hogenttin.github.io/cybersecurity-advanced/lesson-9/lab/)

Create static routes on routers:
- companyrouter
```bash
sudo ip route add 172.10.10.0/24 via 192.168.62.42 dev eth1
sudo sysctl -w net.ipv4.ip_forward=1
```
- homerouter
```bash
sudo ip route add 172.30.0.0/16 via 192.168.62.253 dev enp0s8
sudo sysctl -w net.ipv4.ip_forward=1
```
- isprouter
```bash
sudo ip route add 172.10.0.0/24 via 192.168.62.254 dev eth1
```

Create the scripts needed. For each script, do the following:
```bash
touch <script>
sudo chmod +x <script>
sudo vi <script>
```

- companyrouter
  - IPsecComp2Home.sh

```bash
#!/usr/bin/env sh

# Manual IPsec

## Clean all previous IPsec stuff
## (left disabled: IPsecHome2Comp.sh runs first and already flushes;
##  flushing again here would remove the SA and SP it installed)

#ip xfrm policy flush
#ip xfrm state flush

## The SA vars for the tunnel from companyrouter to homerouter

SPI7=0x009
ENCKEY7=0xFEDCBA9876543210FEDCBA9876543211

## Activate the tunnel from companyrouter to homerouter

### Define the SA (Security Association)
### enc aes = AES-CBC with a 128-bit key; no auth algorithm is set,
### so this SA encrypts but does not integrity-protect the traffic

ip xfrm state add \
    src 192.168.62.253 \
    dst 192.168.62.42 \
    proto esp \
    spi ${SPI7} \
    mode tunnel \
    enc aes ${ENCKEY7}

### Set up the SP (Security Policy) using this SA

ip xfrm policy add \
    src 172.30.0.0/16 \
    dst 172.10.10.0/24 \
    dir out \
    tmpl \
    src 192.168.62.253 \
    dst 192.168.62.42 \
    proto esp \
    spi ${SPI7} \
    mode tunnel
```

  - IPsecHome2Comp.sh

```bash
#!/usr/bin/env sh

# Manual IPsec

## Clean all previous IPsec stuff

ip xfrm policy flush
ip xfrm state flush

## The SA vars for the tunnel from homerouter to companyrouter

SPI7=0x007
ENCKEY7=0xFEDCBA9876543210FEDCBA9876543210

## Activate the tunnel from homerouter to companyrouter

### Define the SA (Security Association)

ip xfrm state add \
    src 192.168.62.42 \
    dst 192.168.62.253 \
    proto esp \
    spi ${SPI7} \
    mode tunnel \
    enc aes ${ENCKEY7}

### Set up the SP (Security Policy) using this SA

ip xfrm policy add \
    src 172.10.10.0/24 \
    dst 172.30.0.0/16 \
    dir fwd \
    tmpl \
    src 192.168.62.42 \
    dst 192.168.62.253 \
    proto esp \
    spi ${SPI7} \
    mode tunnel
```

- homerouter
  - IPsecComp2Home.sh

```bash
#!/usr/bin/env sh

# Manual IPsec

## Clean all previous IPsec stuff
## (left disabled: IPsecHome2Comp.sh runs first and already flushes)

#ip xfrm policy flush
#ip xfrm state flush

## The SA vars for the tunnel from companyrouter to homerouter

SPI7=0x009
ENCKEY7=0xFEDCBA9876543210FEDCBA9876543211

## Activate the tunnel from companyrouter to homerouter

### Define the SA (Security Association)

ip xfrm state add \
    src 192.168.62.253 \
    dst 192.168.62.42 \
    proto esp \
    spi ${SPI7} \
    mode tunnel \
    enc aes ${ENCKEY7}

### Set up the SP (Security Policy) using this SA

ip xfrm policy add \
    src 172.30.0.0/16 \
    dst 172.10.10.0/24 \
    dir fwd \
    tmpl \
    src 192.168.62.253 \
    dst 192.168.62.42 \
    proto esp \
    spi ${SPI7} \
    mode tunnel
```

  - IPsecHome2Comp.sh

```bash
#!/usr/bin/env sh

# Manual IPsec

## Clean all previous IPsec stuff

ip xfrm policy flush
ip xfrm state flush

## The SA vars for the tunnel from homerouter to companyrouter

SPI7=0x007
ENCKEY7=0xFEDCBA9876543210FEDCBA9876543210

## Activate the tunnel from homerouter to companyrouter

### Define the SA (Security Association)

ip xfrm state add \
    src 192.168.62.42 \
    dst 192.168.62.253 \
    proto esp \
    spi ${SPI7} \
    mode tunnel \
    enc aes ${ENCKEY7}

### Set up the SP (Security Policy) using this SA

ip xfrm policy add \
    src 172.10.10.0/24 \
    dst 172.30.0.0/16 \
    dir out \
    tmpl \
    src 192.168.62.42 \
    dst 192.168.62.253 \
    proto esp \
    spi ${SPI7} \
    mode tunnel
```

Start tunnel:
- companyrouter

```bash 
sudo ./IPsecHome2Comp.sh
sudo ./IPsecComp2Home.sh
```

- homerouter

```bash 
sudo ./IPsecHome2Comp.sh
sudo ./IPsecComp2Home.sh
```


# Demo

Start tunnel:
- companyrouter

```bash 
sudo ./IPsecHome2Comp.sh
sudo ./IPsecComp2Home.sh
```

- homerouter

```bash 
sudo ./IPsecHome2Comp.sh
sudo ./IPsecComp2Home.sh
```


Checkup:

- companyrouter

`sudo ip xfrm policy show`

- homerouter

`sudo ip xfrm policy show`
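
The checkup above only lists policies. Because `IPsecHome2Comp.sh` flushes all state and policy, running the scripts in the other order, or mistyping an SPI or endpoint, leaves a policy without a usable SA or a tunnel in one direction only. The script below is an added example, not part of the lab material: it cross-checks `ip xfrm policy` against `ip xfrm state`. The function names and the embedded sample output are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example, not one of the lab scripts: cross-check xfrm policy vs. state.

# stdin: `ip xfrm state` output -> one "src dst spi" line per SA
sa_keys() {
    awk '$1 == "src" && $3 == "dst" { s = $2; d = $4 }
         $1 == "proto" && $3 == "spi" { print s, d, $4 }'
}

# stdin: `ip xfrm policy` output -> one "src dst spi" line per tunnel template
tmpl_keys() {
    awk '$1 == "tmpl" && $2 == "src" { s = $3; d = $5; t = 1 }
         t && $1 == "proto" && $3 == "spi" { print s, d, $4; t = 0 }'
}

# $1 = state text, $2 = policy text; prints one line per problem, nothing if OK
check_xfrm() {
    sas=$(printf '%s\n' "$1" | sa_keys)
    tmpls=$(printf '%s\n' "$2" | tmpl_keys)
    [ -n "$tmpls" ] || { echo "NO POLICY: no tunnel templates installed"; return 0; }
    printf '%s\n' "$tmpls" | while read -r s d spi; do
        # A template only works if an SA with the same endpoints and SPI exists
        printf '%s\n' "$sas" | grep -qxF "$s $d $spi" ||
            echo "NO SA: template $s -> $d spi $spi"
        # A tunnel needs a template for the return direction as well
        printf '%s\n' "$tmpls" | awk -v a="$d" -v b="$s" \
            '$1 == a && $2 == b { f = 1 } END { exit !f }' ||
            echo "ONE-WAY: no return template for $s -> $d"
    done
}

# Constructed sample: trimmed `ip xfrm` output for companyrouter after both scripts
SAMPLE_STATE='src 192.168.62.253 dst 192.168.62.42
    proto esp spi 0x00000009 reqid 0 mode tunnel
src 192.168.62.42 dst 192.168.62.253
    proto esp spi 0x00000007 reqid 0 mode tunnel'
SAMPLE_POLICY='src 172.30.0.0/16 dst 172.10.10.0/24
    dir out priority 0
    tmpl src 192.168.62.253 dst 192.168.62.42
        proto esp spi 0x00000009 reqid 0 mode tunnel
src 172.10.10.0/24 dst 172.30.0.0/16
    dir fwd priority 0
    tmpl src 192.168.62.42 dst 192.168.62.253
        proto esp spi 0x00000007 reqid 0 mode tunnel'

out=$(check_xfrm "$SAMPLE_STATE" "$SAMPLE_POLICY")
echo "${out:-OK: every template has an SA and a return template}"
# On a router: check_xfrm "$(sudo ip xfrm state)" "$(sudo ip xfrm policy)"
```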