Old 12-24-2004, 10:47 AM   #1
Setting up IPSec VPN?

Hey everyone,

OK, I've been looking around for a good tutorial on this and although the pages at do go through it a little, it's not in enough detail for me to get what I want working.

I'm running Gentoo with kernel 2.6.8, and have compiled with the required parameters and installed the ipsec-tools. But I'm finding the man pages and tutorials for setkey and racoon confusing.

Correct me if I'm wrong, but from what I understand, setkey creates the IPSec routing entries and the racoon daemon does this dynamically for you when you try to access a site requiring IPSec?

Anyway, here's what I want to do, I'm hoping someone can offer some pointers.

My work has 2 networks that I need to connect to over the VPN. and These both have the same gateway server we'll call a.b.c.d.

The connection is established using a pre-shared key, encrypted with 3des, and hashed with sha-1.

My computer at home is on a cable modem router (NAT) with a dynamic IP.

So what I want is for the IPSec to kick in ONLY when I try to access an address within the 2 networks above (, preferably without me having to run a script or anything to start it (but it's not a big deal if I have to).

So, now some questions:
First of all, do I need to be using racoon? Or can setkey do all this at startup or via a script?
What would the structure of the setkey commands be?
If setkey can be used alone, how do I generate the keys from the pre-shared key phrase?
If I have to use racoon, how should the racoon.conf file look? I think one of the most confusing things in that file is when you need to use the gateway address (a.b.c.d) and when you have to use your own IP address (which I would prefer not to hard code since it's dynamic).

This is my first time playing around with the IPSec stuff, so go easy on me!

Old 12-24-2004, 04:40 PM   #2
Original Poster
Mostly solved

OK, because I hate it when I find these questions on the internet with no answers, I will now answer my own question.

So a little more research and this is what I came up with. First of all, it turns out racoon is required. You can set up IPSec using just setkey, but then the keys never change. I hadn't realized that the "pre-shared key" is not the same as the "key" in the setkey commands.

Anyway, so the first part of this turned out to be creating the ipsec.conf file and filling it with the correct policy. Setkey was confusing because it has the SAD and SPD items. The add command enters SADs and the spdadd command enters SPDs. Turns out I don't need any SADs because racoon is going to generate those on the fly using my pre-shared key.

So, my ipsec.conf file looks like this:
#!/usr/sbin/setkey -f

# first work network: tunnel outbound traffic to the gateway, and accept
# tunnelled traffic coming back from the gateway
spdadd any
    -P out ipsec esp/tunnel/;

spdadd any
    -P in ipsec esp/tunnel/a.b.c.d-;

# second work network: the same out/in pair of policies
spdadd any
    -P out ipsec esp/tunnel/;

spdadd any
    -P in ipsec esp/tunnel/a.b.c.d-;
This basically just tells the IPSec that it should encode/decode and tunnel anything going to or coming from 192.168.50.* or 172.20.75.*

You might notice the hardcoded ip address ( from my local network. I haven't quite found a way around that, but since I can use the hardcoded IP address of my computer on my local network, not having to worry about my router's dynamic IP, it became less of a problem. If I find a solution for it, I'll put it here. I tried using, which would connect and create the key, but would not decrypt any data returned.

I then ran that file with:
setkey -f ipsec.conf
Now for the racoon.conf:

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt";

# if no listen directive is specified, racoon will listen to all
# available interface addresses.

remote anonymous {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        proposal_check obey;

        my_identifier user_fqdn "";

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
The exchange mode must be aggressive, and I think proposal_check has to be obey. generate_policy is set to on so that racoon will generate the SADs required when you attempt to connect to the networks.

My psk.txt file is simply one line:
a.b.c.d       My_Pre_Shared_Key
So now I'll set up the setkey script and racoon daemon to run at startup and all should be well.

One point to mention is that the first time I attempt to do something that requires a connection, it fails. So for example if I try:
I'll get an error saying the connection is temporarily unavailable. racoon is actually generating the keys and SADs the first connection attempt. After that it seems to work fine.

Hope this helps somebody.
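An added example, not from this thread: a small Python check over a setkey policy file of the shape shown above. It parses the spdadd statements and reports any outbound tunnel policy that lacks the mirrored inbound entry, and any policy whose level is not require (the other levels do not force IPsec when no SA exists). The sample file, the gateway 203.0.113.1 and the home address 192.168.1.10 are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the ipsec.conf above. The gateway 203.0.113.1
# and the home machine 192.168.1.10 are placeholder addresses; the second work
# network deliberately has a weak level and no inbound entry so the check reports it.
SAMPLE_CONF = """\
#!/usr/sbin/setkey -f
spdadd 192.168.1.10 192.168.50.0/24 any
    -P out ipsec esp/tunnel/192.168.1.10-203.0.113.1/require;
spdadd 192.168.50.0/24 192.168.1.10 any
    -P in ipsec esp/tunnel/203.0.113.1-192.168.1.10/require;
spdadd 192.168.1.10 172.20.75.0/24 any
    -P out ipsec esp/tunnel/192.168.1.10-203.0.113.1/use;
"""

Policy = namedtuple("Policy", "src dst direction proto mode tunnel_src tunnel_dst level")
# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/TSRC-TDST/LEVEL; endpoints and level are optional
POLICY_RE = re.compile(
    r"^spdadd (?P<src>\S+) (?P<dst>\S+) \S+ -P (?P<dir>in|out) ipsec "
    r"(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+))?/?(?P<level>default|use|require|unique)?$"
)

def parse_spd(text: str) -> list:
    """Split a setkey -f file into ';'-terminated statements and keep the spdadd ones."""
    body = " ".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    policies = []
    for stmt in body.split(";"):
        m = POLICY_RE.match(" ".join(stmt.split()))  # collapse continuation-line whitespace
        if m:
            policies.append(Policy(*m.group("src", "dst", "dir", "proto", "mode",
                                            "tsrc", "tdst", "level")))
    return policies

def check_spd(policies: list) -> list:
    """Flag policies that do not force IPsec and outbound tunnels with no mirrored inbound entry."""
    findings = []
    for p in policies:
        if p.level != "require":
            findings.append(f"{p.direction} {p.src}->{p.dst}: level '{p.level or 'default'}' "
                            "does not force IPsec; use 'require'")
        if p.direction == "out" and p.mode == "tunnel" and not any(
            q.direction == "in" and (q.src, q.dst) == (p.dst, p.src)
            and (q.tunnel_src, q.tunnel_dst) == (p.tunnel_dst, p.tunnel_src)
            for q in policies
        ):
            findings.append(f"out {p.src}->{p.dst}: no mirrored inbound policy; "
                            "the out/in entries must come in pairs")
    return findings
```

Run `check_spd(parse_spd(open("ipsec.conf").read()))` against a real policy file before loading it with `setkey -f`.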
Old 06-14-2010, 09:49 PM   #3
Good Tutorial

I know it's a little late but this is good information!

