From OCAU Wiki
This tutorial will show you how to link two networks using an IPsec VPN with racoon, isakmpd and racoon-tool, authenticating with pre-shared keys.
Lines starting with # require root privileges.
- Two separate networks with separate IP ranges (10.0.1.0/24 and 10.0.2.0/24 in this example).
- Two internet connections with static IPs (22.214.171.124 and 126.96.36.199 in this example).
- Two Debian/Ubuntu Linux boxes installed and connected to said internet connections, acting as the default route for their respective networks (10.0.1.254 and 10.0.2.254).
So when we're done our network will look like this:

  lan A          linux-box A
  10.0.1.0/24 <> 10.0.1.254 - 188.8.131.52
                      |
                  ipsec vpn ---------> internet
                      |
  10.0.2.0/24 <> 10.0.2.254 - 184.108.40.206
  lan B          linux-box B

So now we know what we're heading towards, let's get started.
First up we want to do the initial installs:
# apt-get install ipsec-tools racoon pwgen
It will download the two packages and then display an ncurses dialog asking which configuration method you wish to use. For now select racoon-tool; it is the easiest way to configure racoon. The other method allows more flexibility in configuration but is substantially harder to use.
Next we need to come up with a pre-shared key. You can use one of your own, but for added security I usually generate one: either use the diceware method for an ASCII key or generate one with pwgen:
# pwgen 64 1
This will generate a 64-character ASCII key; copy it and paste it into a temporary text file somewhere.
Now on both boxes open /etc/racoon/psk.txt in a text editor and empty it, then enter the external IP address of the other Linux box, then a tab or some other whitespace, then the key you saved earlier.
For example, /etc/racoon/psk.txt on 10.0.1.254:
Once this is done on both machines we can begin building /etc/racoon/racoon-tool.conf for each machine. As a template I've created a racoon-tool.conf for linux-box A. It's pretty complicated, so let's do a line-by-line breakdown. The first line is a comment; ignore it.
  # racoon-tool.conf(5) for details.
  global:                                     # section tag for global options that affect all vpn connections.
      path_pre_shared_key: /etc/racoon/psk.txt    # specifies location of pre-shared key file.
      log: debug                              # log-level, set to debug while diagnosing issues, then set to warn or info
      racoon_command: /usr/sbin/racoon -l /var/log/racoon.log    # specifies location of racoon binary and optional parameters.

  connection(lanABvpn):                       # section tag for connection, with connection name in brackets
      src_range: 10.0.1.0/24                  # source network range in cidr notation.
      dst_range: 10.0.2.0/24                  # destination network range in cidr notation.
      src_ip: 220.127.116.11                  # source external ip address
      dst_ip: 18.104.22.168                   # destination external ip address
      admin_status: enabled                   # specifies whether the connection is enabled for use.
      compression: no                         # compress traffic over vpn
      lifetime: time 120 min                  # how long connection is maintained for (the connection is established automatically by traffic)

  peer(22.214.171.124):                       # peer section tag, dst_ip in brackets
      verify_cert: on                         # verify cert/psk
      passive: off                            # specifies only to passively accept connection requests, not actively make them.
      verify_identifier: off                  # verify identifier (destination ip in this case).
      lifetime: time 120 min                  # same as connection section
      hash_algorithm: sha1                    # authentication algorithm, can be md5, sha1, sha256, sha384, sha512
      encryption_algorithm: aes               # encryption algorithm, can be des, 3des, blowfish, cast128 or aes
Taking this configuration file as a template, create a racoon-tool.conf for each of your Linux boxes and save it in /etc/racoon on the appropriate machine.
Next we need to establish the appropriate routes to enable communication between the networks.
You should already have ip_forward enabled, but we will make sure:
# echo 1 > /proc/sys/net/ipv4/ip_forward
At this point, if we were to bring up the VPN connection, the clients on LAN A/B would be able to communicate (firewall rules permitting); the two Linux boxes themselves, however, would not. We can fix this with a route that carries a source address hint, telling the Linux box that traffic destined for the other network must originate from our internal IP address. So on linux-box A we execute this, replacing ppp0 with whatever your external interface device is:
# ip route add 10.0.2.0/24 dev ppp0 src 10.0.1.254
Then do the same on the other end, changing IPs and ranges as appropriate.
If you have a firewall set up, now is the time to configure it to allow inbound/outbound packets on UDP port 500, as well as IP protocols 50 (ESP) and 51 (AH). If you don't have a firewall configured, now is the time to set one up; if you're new to Linux or iptables you may want to try Shorewall.
Now the moment of truth. For this part what I tend to do is bring up two SSH terminals on box A and one on box B. On the first box A terminal execute:
# tail -fn25 /var/log/daemon.log
On the other box A terminal and the box B terminal execute:
# racoon-tool vup all
Then ping from a client machine on one network to a client machine on the other network:
c:\> ping 10.0.2.15
This may fail for the first 2-3 pings while the VPN is being established.
Once that is done and the ping is running, switch back to the running tail on box A and look for a line telling you that the security association has been established:
racoon: INFO: IPsec-SA established: ESP/Tunnel 126.96.36.199->188.8.131.52 spi=...
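The two things that most often go wrong in this procedure are the psk.txt entry and the tunnel not actually coming up, so here is a small POSIX sh script as an added example (it is not part of the original tutorial) that writes and checks a psk.txt entry and pulls the SPI out of the "IPsec-SA established" log line above. The function names, the sample key and the log lines are constructed; the addresses are the tutorial's example ones.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The key and log lines are
# constructed sample data; the addresses are the tutorial's example ones.
# On a real box point the functions at /etc/racoon/psk.txt and
# /var/log/daemon.log instead of the temp files created below.
set -e

# psk_write FILE PEER_IP KEY: write the one-line psk.txt the tutorial
# describes (other box's external IP, a tab, the key), owner-readable only,
# since racoon checks the file's permissions and rejects a world-readable one.
psk_write() {
    ( umask 077; printf '%s\t%s\n' "$2" "$3" > "$1" )
}

# psk_has_peer FILE PEER_IP: succeed only if FILE holds an entry for
# PEER_IP with a non-empty key; comment and blank lines are skipped.
psk_has_peer() {
    awk -v peer="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == peer && $2 != "" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# sa_spi LOG PEER_IP LOCAL_IP: print the SPI from the first
# "IPsec-SA established: ESP/Tunnel PEER->LOCAL spi=..." line (the format
# shown in the tutorial); fail if racoon has not logged one yet.
sa_spi() {
    grep -F "IPsec-SA established: ESP/Tunnel $2->$3 " "$1" |
        sed -n 's/.*spi=\([^ ]*\).*/\1/p' | head -n 1 | grep .
}

# Constructed demo data as seen from linux-box A (external 188.8.131.52).
PEER=126.96.36.199
LOCAL=188.8.131.52
PSKFILE=$(mktemp); LOGFILE=$(mktemp)
trap 'rm -f "$PSKFILE" "$LOGFILE"' EXIT
psk_write "$PSKFILE" "$PEER" "s4mpl3K3yStandingInForPwgenOutput"
cat > "$LOGFILE" <<EOF
Jan  1 10:00:01 boxA racoon: INFO: initiate new phase 1 negotiation: $LOCAL[500]<=>$PEER[500]
Jan  1 10:00:02 boxA racoon: INFO: IPsec-SA established: ESP/Tunnel $PEER->$LOCAL spi=123456789(0x75bcd15)
EOF

if psk_has_peer "$PSKFILE" "$PEER"; then echo "psk.txt: entry for $PEER present"; fi
if spi=$(sa_spi "$LOGFILE" "$PEER" "$LOCAL"); then
    echo "tunnel up: inbound ESP SA from $PEER, spi=$spi"
else
    echo "no IPsec-SA logged yet: keep watching the tail for racoon errors" >&2
fi
```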