IPsec site-to-site tunnel

From SaruWiki

Revision as of 10:48, 14 December 2008

IPsec tunneling theory

IPsec is very powerful, but also quite complicated and intricate. When starting on tunneling, you might want to begin with the ipsec-howto site, which explains both the theory of IPsec and how to create IPsec tunnels. After reviewing the theory, continue here for a more elaborate, Debian-specific howto that covers site-to-site tunnels only.

IPsec site-to-site tunneling

Starting point: two sites

IPsec preparations

First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example). The last four rows describe two separate things: the key exchange (IKE, "phase 1") and the tunnel itself (ESP, "phase 2"). Each needs both an encryption algorithm and a hash (integrity) algorithm, so a hash such as SHA1 never goes into an "encryption" row:

Debian Server                  | Data | Example
-------------------------------+------+-----------------
Name(*)                        |      | dworkin
Internet IP                    |      | 212.238.151.172
Private IP                     |      | 192.168.0.9
Network(s)                     |      | 192.168.0.0/24
Key exchange encryption        |      | 3DES
Key exchange hash              |      | SHA1
Tunnel encryption              |      | 3DES
Tunnel authentication (hash)   |      | SHA1

(*) This data is not mandatory, but it makes it easier to reference the machine in question.

The example algorithms are the 2008 defaults of this page. 3DES has a 64-bit block and is deprecated today, and while HMAC-SHA1 is still acceptable, SHA-256 is preferred, so for a new tunnel choose AES (128 or 256 bit) and SHA-256 on both sides unless the far side cannot do them.

Next up, we need the same data for the far side of every tunnel you'll be creating. The algorithm rows must agree with what you chose above: the two peers only bring the tunnel up if they share at least one common proposal, and a mismatch shows up as a phase 1 or phase 2 negotiation failure in the racoon log rather than as a clear error.

Debian Server                  | Data | Example
-------------------------------+------+-----------------
Name(*)                        |      | darktower
Internet IP                    |      | 82.161.20.13
Private IP                     |      | 192.168.1.10
Network(s)                     |      | 192.168.1.0/24
Key exchange encryption        |      | 3DES
Key exchange hash              |      | SHA1
Tunnel encryption              |      | 3DES
Tunnel authentication (hash)   |      | SHA1
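To see where each table row ends up, here is an added example, not configuration from the SaruWiki page or from the ipsec-tools project: a small POSIX shell script that writes the racoon.conf remote/sainfo blocks and the setkey policy (SPD) entries for the dworkin side from the values above. The directive layout follows racoon.conf(5); pre-shared-key authentication, the /etc/racoon/psk.txt path and Diffie-Hellman group 2 are this example's assumptions, not something the page states (group 2 is 1024-bit MODP, so use group 14 with any modern peer, and pass aes and sha256 instead of 3des and sha1 where both sides support them). Note that the tunnel endpoints in the SPD are the two Internet IPs, not the private ones; mixing those up is the classic reason a policy never matches any traffic.

```shell
#!/bin/sh
# Added example (not from the SaruWiki page or ipsec-tools): map the inventory
# tables onto racoon.conf and setkey. PSK authentication, the psk.txt path and
# dh_group/pfs_group 2 are assumptions of this example.

# gen_racoon_conf LOCAL_NET REMOTE_IP REMOTE_NET IKE_ENC IKE_HASH ESP_ENC ESP_AUTH
# IKE_* come from the "key exchange" rows, ESP_* from the "tunnel" rows.
# Algorithm names are racoon's (3des, aes, sha1, sha256); ESP_AUTH gets the
# hmac_ prefix that authentication_algorithm expects.
gen_racoon_conf() {
    local_net=$1 remote_ip=$2 remote_net=$3
    ike_enc=$4 ike_hash=$5 esp_enc=$6 esp_auth=$7
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $remote_ip {
    exchange_mode main;
    proposal {
        encryption_algorithm $ike_enc;
        hash_algorithm $ike_hash;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address $local_net any address $remote_net any {
    pfs_group 2;
    encryption_algorithm $esp_enc;
    authentication_algorithm hmac_$esp_auth;
    compression_algorithm deflate;
}
EOF
}

# gen_setkey_spd LOCAL_IP REMOTE_IP LOCAL_NET REMOTE_NET
# Two SPD entries: traffic between the private networks must ("require") go
# through an ESP tunnel whose endpoints are the Internet IPs. The far side
# gets the same two lines with in/out and the endpoint order swapped.
gen_setkey_spd() {
    local_ip=$1 remote_ip=$2 local_net=$3 remote_net=$4
    cat <<EOF
spdflush;
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_ip-$remote_ip/require;
spdadd $remote_net $local_net any -P in  ipsec esp/tunnel/$remote_ip-$local_ip/require;
EOF
}

# Stand-alone demo with the page's example values, dworkin side.
gen_racoon_conf 192.168.0.0/24 82.161.20.13 192.168.1.0/24 3des sha1 3des sha1
gen_setkey_spd 212.238.151.172 82.161.20.13 192.168.0.0/24 192.168.1.0/24
```

Redirect the first call into /etc/racoon/racoon.conf and the second into the file setkey loads at boot (on Debian, /etc/ipsec-tools.conf), then run the script once more with the roles swapped on darktower.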

Next, you'll have to verify that your kernel has been compiled with the necessary options. At minimum you need the following kernel options, which can be found under Networking support > Networking options (the Kconfig symbol is given in parentheses):

  • PF_KEY Sockets (CONFIG_NET_KEY): This option makes your kernel compatible with the KAME IPsec tools that we're going to use; setkey and racoon load policies and security associations into the kernel through a PF_KEY socket.
  • IP: ESP transformation (CONFIG_INET_ESP): This option ensures we can create IPsec packets in ESP mode, the one that encrypts. AH only authenticates and is not needed for the tunnels described here.
  • IP: IPsec tunnel mode (CONFIG_INET_XFRM_MODE_TUNNEL): This option enables IPsec tunnel mode, in which whole IP packets from the private networks are wrapped in a new packet travelling between the two Internet IPs.

If you run a stock Debian kernel, these are already built as modules and you can skip the rebuild; check /boot/config-$(uname -r) before compiling anything.

For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc.), then go to Cryptographic API and select the algorithms you want. We would suggest the following:

  • Null algorithms: useful only for testing. The null cipher sends the payload in the clear, so never allow it in a production proposal.
  • SHA224 and SHA256 digest algorithm: secure and well supported; use SHA256 for both the key exchange hash and the tunnel authentication (HMAC) where the far side allows it.
  • Blowfish cipher algorithm: fast, but it has a 64-bit block like 3DES, which makes it a poor choice for a long-lived, high-volume tunnel.
  • AES cipher algorithms: AES is the well-known standard and the recommended choice for both the key exchange and the tunnel.

If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.
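To check all of this without opening menuconfig, here is an added example (not from the SaruWiki page): a POSIX shell script that greps a saved kernel config for the three required options and for the suggested Cryptographic API algorithms. The Kconfig symbol names are assumptions taken from the menu labels above, and the small config fragment the script falls back on is constructed for the demo, not a real Debian config.

```shell
#!/bin/sh
# Added example (not from the SaruWiki page): check a kernel config for the
# options the page requires, plus the optional Cryptographic API algorithms.
# Works on /boot/config-$(uname -r) or on a build tree's .config.

# Minimum for ESP tunnel mode with the KAME tools. The symbol names are
# assumptions derived from the menu labels on the page.
REQUIRED_OPTS="CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TUNNEL"
# Cryptographic API algorithms the page suggests; reported, not required.
OPTIONAL_OPTS="CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_BLOWFISH CONFIG_CRYPTO_NULL"

# kconfig_has FILE SYMBOL -> 0 if SYMBOL is built in (=y) or a module (=m).
# "# SYMBOL is not set" lines and SYMBOL_SUFFIX lines deliberately do not match.
kconfig_has() {
    grep -Eq "^$2=(y|m)" "$1"
}

# check_ipsec_kconfig FILE
# Prints one line per option; returns the number of REQUIRED options missing,
# so 0 means the kernel can do ESP tunnel mode with racoon/setkey.
check_ipsec_kconfig() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        if kconfig_has "$cfg" "$opt"; then
            printf '%-32s required  present\n' "$opt"
        else
            printf '%-32s required  MISSING\n' "$opt"
            missing=$((missing + 1))
        fi
    done
    for opt in $OPTIONAL_OPTS; do
        if kconfig_has "$cfg" "$opt"; then
            printf '%-32s optional  present\n' "$opt"
        else
            printf '%-32s optional  absent\n' "$opt"
        fi
    done
    return "$missing"
}

# sample_kconfig good|bad
# Emits a constructed config fragment (not a real Debian config) so the checker
# can be exercised on a machine where /boot is not readable.
sample_kconfig() {
    case $1 in
    good)
        cat <<'EOF'
CONFIG_NET_KEY=m
CONFIG_INET_ESP=m
# CONFIG_INET_AH is not set
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_CRYPTO_BLOWFISH is not set
CONFIG_CRYPTO_NULL=m
EOF
        ;;
    bad)
        cat <<'EOF'
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_CRYPTO_AES=y
EOF
        ;;
    esac
}

# Stand-alone demo: use the running kernel's config when readable, otherwise
# the constructed sample.
main_demo() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        check_ipsec_kconfig "$cfg" || echo "$? required option(s) missing: rebuild the kernel"
    else
        tmp=$(mktemp)
        sample_kconfig good >"$tmp"
        check_ipsec_kconfig "$tmp"
        rm -f "$tmp"
    fi
}
main_demo
```

A non-zero exit from check_ipsec_kconfig is the only case in which you need the recompile and reboot described above; "absent" on an optional line just means that algorithm cannot appear in your proposals until you enable it.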

IPsec installation

IPsec site-to-site tunnel configuration

Method 1: using racoon-tool

Method 2: direct racoon configuration

Extra configuration issues

setting the right routes

adapting your firewall configuration

DNS and WINS issues

IPsec diagnostics