DebIPsec
This tutorial will show you how to link two networks using an IPsec VPN with racoon, isakmpd and racoon-tool, authenticating with pre-shared keys.
Lines starting with # require root privileges.
Prerequisites:
- Two separate networks with separate IP ranges (10.0.1.0/24 and 10.0.2.0/24 in this example).
- Two internet connections with static IPs (203.1.1.146 and 203.1.1.153 in this example).
- Two Debian/Ubuntu Linux boxes installed and connected to those internet connections, each acting as the default route for its network (10.0.1.254 and 10.0.2.254).
So when we're done our network will look like this:

  lan A               linux-box A
  10.0.1.0/24  <>  10.0.1.254 - 203.1.1.146
                                   |
                               ipsec vpn   <-- internet
                                   |
  10.0.2.0/24  <>  10.0.2.254 - 203.1.1.153
  lan B               linux-box B

So now we know what we're heading towards, let's get started.
First up we want to do the initial installs:
# apt-get install ipsec-tools racoon pwgen
It will download the two packages and then display an ncurses dialog asking which configuration method you wish to use. For now select racoon-tool; this is the easiest way to configure racoon. The other method allows more flexibility in configuration but is substantially harder to use.
Next we need to come up with a pre-shared key. You can use one of your own, but for added security I usually generate one: either use the Diceware method for an ASCII key or generate one with pwgen:
# pwgen 64 1
This will generate a 64-character ASCII key; copy it and paste it into a temporary text file somewhere.
Now on both boxes open /etc/racoon/psk.txt in a text editor and empty it, then enter the external IP address of the other Linux box, followed by a tab (or other whitespace) and then the key you saved earlier.
For example, /etc/racoon/psk.txt on 10.0.1.254:
203.1.1.153 aiL7yi2upohbeQuei7oog0ep3Ighohze0Aen9fie1Iexor0ael1Aim1eu6ohjo2n
Once this is done on both machines we can begin building /etc/racoon/racoon-tool.conf for each machine. As a template I've created a racoon-tool.conf for linux-box A. It's fairly complicated, so let's do a line-by-line breakdown. The first line is a comment; ignore it.

# racoon-tool.conf(5) for details.
global:                                  # section tag for global options that affect all vpn connections
	path_pre_shared_key: /etc/racoon/psk.txt   # location of the pre-shared key file
	log: debug                           # log level; keep debug while diagnosing issues, then set to warn or info
	racoon_command: /usr/sbin/racoon -l /var/log/racoon.log   # location of the racoon binary and optional parameters

connection(lanABvpn):                    # section tag for a connection, with the connection name in brackets
	src_range: 10.0.1.0/24               # source network range in CIDR notation
	dst_range: 10.0.2.0/24               # destination network range in CIDR notation
	src_ip: 203.1.1.146                  # source external ip address
	dst_ip: 203.1.1.153                  # destination external ip address
	admin_status: enabled                # whether the connection is enabled for use
	compression: no                      # compress traffic over the vpn
	lifetime: time 120 min               # how long the connection is maintained for (it is established automatically by traffic)
	authentication_algorithm: hmac_sha256   # authentication algorithm: md5, sha1, sha256, sha384 or sha512
	encryption_algorithm: aes            # encryption algorithm: des, 3des, blowfish, cast128 or aes

peer(203.1.1.153):                       # peer section tag, dst_ip in brackets
	verify_cert: on                      # verify cert/psk
	passive: off                         # only passively accept connection requests, never actively make them
	verify_identifier: off               # verify identifier (the destination ip in this case)
	lifetime: time 120 min               # same as connection section
	hash_algorithm[0]: sha256            # same as connection section
	encryption_algorithm[0]: aes         # same as connection section
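Before starting racoon it is worth sanity-checking that the two files agree with each other. The following is an added example, not part of this tutorial or of the racoon-tool package: it parses racoon-tool.conf and psk.txt in the formats shown above (assuming "#" starts a comment and section entries are indented) and reports a dst_ip with no matching peer section or pre-shared key, a suspiciously short key, and a log level left at debug.

```python
# Constructed sample inputs modelled on the two files built above; not from a real deployment.
RACOON_TOOL_CONF = """\
# racoon-tool.conf(5) for details.
global:
	path_pre_shared_key: /etc/racoon/psk.txt
	log: debug   # lower to warn/info once the tunnel works
connection(lanABvpn):
	src_range: 10.0.1.0/24
	dst_range: 10.0.2.0/24
	src_ip: 203.1.1.146
	dst_ip: 203.1.1.153
peer(203.1.1.153):
	passive: off
"""
PSK_TXT = "203.1.1.153\taiL7yi2upohbeQuei7oog0ep3Ighohze0Aen9fie1Iexor0ael1Aim1eu6ohjo2n\n"

def parse_racoon_tool_conf(text):
    # Returns {section header: {key: value}}; '#' comments are stripped first
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):  # e.g. "peer(203.1.1.153):"
            current, sections[line[:-1]] = line[:-1], {}
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def parse_psk(text):
    # psk.txt: "<peer ip><whitespace><key>" on each line
    return {p[0]: p[1] for p in (l.split(None, 1) for l in text.splitlines()) if len(p) == 2}

def check(conf_text, psk_text, min_key_len=32):
    # Consistency findings a defender would want before bringing the tunnel up
    conf, psks, findings = parse_racoon_tool_conf(conf_text), parse_psk(psk_text), []
    if conf.get("global", {}).get("log") == "debug":
        findings.append("global: log level is debug; set warn or info once the tunnel works")
    for name, sec in conf.items():
        if not name.startswith("connection("):
            continue
        dst = sec.get("dst_ip")
        if f"peer({dst})" not in conf:
            findings.append(f"{name}: no peer({dst}) section")
        if dst not in psks:
            findings.append(f"{name}: no pre-shared key for {dst} in psk.txt")
        elif len(psks[dst]) < min_key_len:
            findings.append(f"{name}: pre-shared key for {dst} shorter than {min_key_len} chars")
    return findings
```

Run it on the real files with open("/etc/racoon/racoon-tool.conf").read() and open("/etc/racoon/psk.txt").read() as root; the sample above yields only the debug log-level finding.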