Native IPsec tunnel

From SaruWiki
Jump to navigation Jump to search

First off: what subject are we going to cover? Well, this page will cover how to set up a tunnel between two (Debian) Linux servers that both are connected to the Internet, so as to form a VPN tunnel between the two (private) networks that these two servers are also connected to. The tunnel will be set up using a Pre-Shared Key (PSK) and will transport all traffic. This scenario is not uncommon, in fact it's the scenario for which most material on the Internet can be found. And a very complete explanation of the basics of IPsec tunneling can be found here. Still, here's our view of this material.


To set up a site-to-site tunnel using IPsec, we start with a Debian Etch base server. Use aptitude to update all packages on the server to the latest version. Then check that your kernel is at least version 2.6, and is compiled with the right options for IPsec. These options can be found under networking > networking options and include at least (but may not be limited to):

(*) PF_KEY sockets (NET_KEY)
(*) IP: ESP transformation (INET_ESP)
(*) IP: IPsec tunnel mode (INET_XFRM_MODE_TUNNEL)

Of course, in newer versions of the kernel than the 2.6.25 from which we lifted these terms, these options could be named differently. Furthermore, your kernel must have all the cryptographic options enabled for the compression/encryprion that your tunnels are supposed to use, e.g. AES, Blowfish et cetera.

Next off, it's time to install the necessary Debian packages. The two packages needed are:

  • racoon: this is a tool for handling IKE (Internet Key Exchange)
  • ipsec-tools: this is a set of IPsec utilities.

Now, since we run Debian, things are slightly different from any other distribution. The Debian maintainer for racoon has created a little "macro preprocessor" named racoon-tool which can make configuring racoon a little easier. However, since we a) like to have full control of a configuration, and b) don't like to veer too much off the well-trodden paths that collegue sysadmins might have taken and documented, we currentle do NOT use racoon-tool as the configuration means for racoon. So, when the APT package installation will ask, we will respond that we do NOT want to use racoon-tool.

So, use aptitude to install both packages racoon and ipsec-tools; in Etch both at version 0.6.6. Then, when aptitude starts installing racoon, it'll ask you if you want to configure racoon using "racoon-tool" or "direct"; choose "direct".

If installation of the software has succeeded correctly, you can run the following commands:

setkey -help
racoon -help

Configuring the software

Now it's time to create a PSK, a Pre-shared key. This is a string of characters, preferably long and strong, e.g. an MD5 hash, something like 84f1c066b584dc5871c930f73c5029c9. Such a PSK can be generated with

dd if=/dev/random count=16 bs=1 | xxd -ps

(If you don't have the xxd package, install vim; we consider that part of our essential software, and xxd comes with it.) This PSK must be stored somewhere on your system, as well as on the system on the other side of the tunnel (that's what the shared part of PSK stands for, anyway). To this end, create a file named psk.txt in directory /etc/racoon. Into this file, write the PSK like

# key for route to odeon.lan      0x84f1c066b584dc5871c930f73c5029c9

And, on the other side,

# key for route to amber.lan   0x84f1c066b584dc5871c930f73c5029c9

Note that we precede the generated hex string with 0x to signify to racoon that it's a hexadecimal key. If we don't do that, racoon will treat the string as a passphrase. Not a problem either, but at any rate, both sides must do the same.