OK, because I hate it when I find these questions on the internet with no answers, I will now answer my own question.
So a little more research and this is what I came up with. First of all, it turns out racoon is required. You can set up IPSec using just setkey, but then the keys never change. I hadn't realized that the "pre-shared key" is not the same as the "key" in the setkey commands.
Anyway, so the first part of this turned out to be creating the ipsec.conf file and filling it with the correct policy. Setkey was confusing because it has the SAD and SPD items. The add command enters SADs and the spdadd command enters the SPDs. Turns out I don't need any SADs because racoon is going to generate those on the fly using my pre-shared key.
So, my ipsec.conf file looks like this:
Code:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.89 192.168.50.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;
spdadd 192.168.50.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;
spdadd 192.168.1.89 172.20.75.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;
spdadd 172.20.75.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;
This basically just tells IPSec that it should encode/decode and tunnel anything going to or coming from 192.168.50.* or 172.20.75.*.
You might notice the hardcoded IP address (192.168.1.89) from my local network. I haven't quite found a way around that, but since I can use the hardcoded IP address of my computer on my local network, not having to worry about my router's dynamic IP, it became less of a problem. If I find a solution for it, I'll put it here. I tried using 0.0.0.0, which would connect and create the key, but would not decrypt any data returned.
I then ran that file with:
Code:
setkey -f ipsec.conf
Now for the racoon.conf:
Code:
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt";
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    generate_policy on;
    proposal_check obey;
    my_identifier user_fqdn "myemail@mycompany.com";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous
{
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
The exchange mode must be aggressive, and I think proposal_check has to be obey. generate_policy is set to on so that racoon will generate the SADs required when you attempt to connect to the networks.
My psk.txt file is simply one line:
Code:
a.b.c.d My_Pre_Shared_Key
So now I'll set up the setkey script and racoon daemon to run at startup and all should be well.
One point to mention is that the first time I attempt to do something that requires a connection, it fails. So for example if I try:
I'll get an error saying the connection is temporarily unavailable. racoon is actually generating the keys and SADs the first connection attempt. After that it seems to work fine.
Hope this helps somebody.

miscreant
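A small sanity check for the setkey policy file described in the post, added here as an example and not part of the original post or of the setkey/racoon tools. It parses the spdadd statements (which may continue across lines and end with `;`), confirms that every `out` policy has an `in` twin with source/destination and tunnel endpoints swapped (the pairing the post's file relies on; a missing twin leaves return traffic unprotected or dropped), and flags `0.0.0.0` tunnel endpoints, which the poster found negotiated a key but never decrypted returned data. The sample policy text is the post's own file embedded as a constructed string, with `a.b.c.d` kept as the poster's placeholder for the remote gateway.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the post's ipsec.conf, with a.b.c.d left as the
# poster's placeholder for the remote VPN gateway address.
SAMPLE_IPSEC_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.89 192.168.50.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;
spdadd 192.168.50.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;
spdadd 192.168.1.89 172.20.75.0/24 any
    -P out ipsec esp/tunnel/192.168.1.89-a.b.c.d/require;
spdadd 172.20.75.0/24 192.168.1.89 any
    -P in ipsec esp/tunnel/a.b.c.d-192.168.1.89/require;
"""


@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    upper: str             # upper-layer protocol selector, e.g. "any"
    direction: str         # "in", "out" or "fwd"
    protocol: str          # "esp" or "ah"
    mode: str              # "tunnel" or "transport"
    tunnel_src: Optional[str]
    tunnel_dst: Optional[str]
    level: str             # "require", "use", "default" or "unique"


# One whitespace-collapsed spdadd statement (without the trailing ';').
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(esp|ah)/(tunnel|transport)(?:/(\S+?)-(\S+?))?/(require|use|default|unique)$"
)


def parse_spd(text: str) -> List[SpdEntry]:
    """Extract spdadd entries; other statements (flush, spdflush) are ignored."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    entries = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # join continuation lines, squeeze spaces
        if not stmt.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(stmt)
        if not m:
            raise ValueError(f"unparsable spdadd statement: {stmt!r}")
        src, dst, upper, direction, proto, mode, tsrc, tdst, level = m.groups()
        entries.append(SpdEntry(src, dst, upper, direction, proto, mode, tsrc, tdst, level))
    return entries


def find_unmirrored(entries: List[SpdEntry]) -> List[SpdEntry]:
    """Return 'out' policies that lack an 'in' twin with endpoints swapped."""
    inbound = {
        (e.src, e.dst, e.upper, e.protocol, e.mode, e.tunnel_src, e.tunnel_dst, e.level)
        for e in entries if e.direction == "in"
    }
    missing = []
    for e in entries:
        if e.direction != "out":
            continue
        twin = (e.dst, e.src, e.upper, e.protocol, e.mode, e.tunnel_dst, e.tunnel_src, e.level)
        if twin not in inbound:
            missing.append(e)
    return missing


def find_wildcard_endpoints(entries: List[SpdEntry]) -> List[SpdEntry]:
    """Flag 0.0.0.0 tunnel endpoints, which the post reports as negotiating
    a key but never decrypting the returned traffic."""
    return [e for e in entries if "0.0.0.0" in (e.tunnel_src, e.tunnel_dst)]


def audit(text: str) -> List[str]:
    """Human-readable findings for a setkey policy file; empty means clean."""
    entries = parse_spd(text)
    findings = [f"no inbound twin for out policy {e.src} -> {e.dst}"
                for e in find_unmirrored(entries)]
    findings += [f"wildcard tunnel endpoint in policy {e.src} -> {e.dst}"
                 for e in find_wildcard_endpoints(entries)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_IPSEC_CONF) or ["policy file looks consistent"]:
        print(line)
```

Run it against your own file with `audit(open("/etc/ipsec.conf").read())`; the parser is strict on purpose, so a statement it cannot read raises rather than being silently skipped.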