
Sun, 14 Jan 2007

Setting up IPsec on Ubuntu 6.06LTS

I've set up an IPsec tunnel between my network at home and my colocated server. This makes a few things easier: I can now connect to all my machines at home from my server without having to set up port forwarding first (using SSH, of course), and it'll always be encrypted, so if I wanted to, I could even use "unsafe" protocols over the internet. It also exercises the Padlock bits of my VIA C3 CPUs, which means there's almost no slowdown.

First, you have to determine a few things (the values I'll assume in this post are given in parentheses):

When you've figured those bits out, install Racoon (it's in the 'racoon' package). Racoon is an IKE daemon. It will listen on port 500 (UDP) for incoming requests and negotiate the keys and encryption methods to use on the IPsec (encrypted) link.

Then it's time to configure racoon. I chose the "old-fashioned" way (not using racoon-tool), because racoon-tool in 6.06LTS is too buggy for me. If you do it like this, you have to edit two files: /etc/racoon/racoon.conf and /etc/ipsec-tools.conf.

On the server, you will need a configuration like these racoon.conf and ipsec-tools.conf files. You can read the racoon.conf(5) and setkey(8) manual pages to understand what they're doing.

The configuration files on the client are almost the same, but with the IPs and subnets reversed (racoon.conf, ipsec-tools.conf). There's one other difference: the client configuration contains 'passive off;' while the server config contains 'passive on;'. This means that the server will never initiate the connection, so the client will always have to do this first (sending one packet through the tunnel should be enough). If you want the server to be able to initiate the connection as well, you need to set passive to off there too.
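The linked configuration files are not reproduced on this page, so here is an added example (my own, not the post's files) that writes both racoon.conf and ipsec-tools.conf for either end of the tunnel from a single description of the link. Only the endpoint addresses come from the post (server 172.16.0.1, client 172.17.0.1); the two protected subnets, the algorithm choices (AES, SHA-1, modp1024 with PFS) and the setkey policy layout are assumptions to be replaced with your own. Generating both ends from the same variables keeps the "reversed" client files from drifting away from the server files through hand editing.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Writes racoon.conf and
# ipsec-tools.conf for the "server" or the "client" role of a site-to-site
# IPsec tunnel authenticated with a pre-shared key.
set -eu

SERVER_IP=172.16.0.1         # from the post
CLIENT_IP=172.17.0.1         # from the post
SERVER_LAN=10.0.0.0/24       # assumed: subnet behind the colocated server
CLIENT_LAN=192.168.1.0/24    # assumed: home subnet behind the client

# gen_ipsec_config ROLE OUTDIR
# ROLE is "server" or "client". The two ends differ only in which address is
# local vs. remote and in the passive setting, so both are derived here.
gen_ipsec_config() {
    role=$1; out=$2
    case $role in
        server) me_ip=$SERVER_IP; peer_ip=$CLIENT_IP
                me_lan=$SERVER_LAN; peer_lan=$CLIENT_LAN; passive=on ;;
        client) me_ip=$CLIENT_IP; peer_ip=$SERVER_IP
                me_lan=$CLIENT_LAN; peer_lan=$SERVER_LAN; passive=off ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    mkdir -p "$out"

    # IKE phase 1 (remote block) and phase 2 (sainfo block) for racoon.
    # Main mode with a PSK needs fixed peer addresses, which both ends have.
    cat > "$out/racoon.conf" <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $peer_ip {
        exchange_mode main;
        passive $passive;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address $me_lan any address $peer_lan any {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF

    # Security policy for setkey: traffic between the two subnets must use
    # the ESP tunnel between the endpoints, in both directions.
    cat > "$out/ipsec-tools.conf" <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd $me_lan $peer_lan any -P out ipsec
        esp/tunnel/$me_ip-$peer_ip/require;
spdadd $peer_lan $me_lan any -P in ipsec
        esp/tunnel/$peer_ip-$me_ip/require;
EOF
}

# Usage:
#   gen_ipsec_config server ./server && gen_ipsec_config client ./client
# then copy each directory's files to /etc/racoon/racoon.conf and
# /etc/ipsec-tools.conf on the matching machine.
```

The policies use 'require', so packets between the two subnets are dropped rather than sent in the clear if the tunnel is not up; that is the behaviour you want when the whole point is that the link is always encrypted.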

After this, all you need to do is set up the shared key and restart some services. After that, everything should work. Shared keys are configured in /etc/racoon/psk.txt, one per line in the format 'identifier key'. In our case, the identifier is the IP address (of the host we're connecting to), so on the server you put '172.17.0.1 yourkeyhere' in there, and on the client you use '172.16.0.1 yourkeyhere'.

Make sure both keys are identical, then execute the following commands, and everything should start working the moment you try to send the first packet over the network:

/etc/init.d/racoon stop; /etc/init.d/setkey restart; /etc/init.d/racoon start

Please note that you shouldn't use simple words or sentences as a key. The pre-shared key is (as far as I know) the weakest part in the security of this setup. I'll explain how to use X.509 certificates instead of pre-shared keys in a later post.

If you're also doing firewalling or some kind of NAT on one of the IPsec endpoints, make sure you allow traffic with protocol 'esp' to the remote endpoint.
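To round off the key, restart and firewall steps above, here is an added example (mine, not the post's): it generates a random key instead of a word or sentence, installs it in psk.txt with restrictive permissions, reads it back so you can compare both ends, prints the firewall rules an endpoint needs, and runs the restart sequence from the post. The psk.txt path and the peer addresses are the post's; the iptables rules assume an iptables firewall, and the UDP/500 rule follows from racoon listening on that port for IKE.

```shell
#!/bin/sh
# Added example, not from the original post. Helper functions for the
# pre-shared key, the firewall and the service restart on one IPsec endpoint.
set -eu

# 32 random bytes from the kernel, hex-encoded: 256 bits of entropy, far more
# than any word or sentence, and it passes through psk.txt as plain text.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk PEER_IP KEY [FILE]: install "identifier key" into psk.txt.
# racoon refuses a psk.txt that other users can read, so the file is created
# with a 077 umask and ends up mode 0600. Any earlier line for the same peer
# is replaced rather than duplicated.
write_psk() {
    peer=$1; key=$2; file=${3:-/etc/racoon/psk.txt}
    umask 077
    if [ -f "$file" ]; then
        awk -v p="$peer" '$1 != p' "$file" > "$file.tmp"
    else
        : > "$file.tmp"
    fi
    printf '%s %s\n' "$peer" "$key" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 600 "$file"
}

# psk_for PEER_IP [FILE]: print the key stored for a peer, so the two ends
# can be compared before anything is restarted.
psk_for() {
    peer=$1; file=${2:-/etc/racoon/psk.txt}
    awk -v p="$peer" '$1 == p { print $2 }' "$file"
}

# firewall_rules PEER_IP: print (not apply) the iptables rules an endpoint
# needs: ESP for the tunnel itself and UDP/500 for racoon's IKE exchange.
# Review the output, then run it as root. (iptables is an assumption.)
firewall_rules() {
    peer=$1
    cat <<EOF
iptables -A INPUT  -p esp -s $peer -j ACCEPT
iptables -A OUTPUT -p esp -d $peer -j ACCEPT
iptables -A INPUT  -p udp -s $peer --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -d $peer --dport 500 -j ACCEPT
EOF
}

# The restart sequence from the post: stop racoon, reload the policies, start racoon.
restart_ipsec() {
    /etc/init.d/racoon stop
    /etc/init.d/setkey restart
    /etc/init.d/racoon start
}

# Usage on the server (as root); on the client use peer 172.16.0.1 and the
# same key:
#   key=$(gen_psk); write_psk 172.17.0.1 "$key"
#   firewall_rules 172.17.0.1; restart_ipsec
```

Generate the key once, copy it to the other end over SSH, and check with psk_for on both machines that the stored values are identical before restarting; a mismatch shows up in racoon's log as a failed phase 1 negotiation, not as a clear "wrong key" message.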

In the coming weeks I'll extend this with X.509 certificates and a "Roadwarrior" setup, which will allow clients without a known IP address (like travelers with laptops) to connect.

Just a comment to say many thanks for this guide, it is useful. I look forward to your next guide making use of X.509 and Roadwarrior setup.

Posted by JGJones at Mon Jan 15 10:42:07 2007 from




Creative Commons License: this work is covered by a Creative Commons License.