IPsec tunneling theory

IPsec is very powerful, but also quite complicated and intricate. When starting on tunneling, you might want to start exploring the site ipsec-howto. It explains both the theory of IPsec, and describes how to create IPsec tunnels. However, after reviewing the theory, you might want to continue here for a more elaborate, Debian-specific, site-to-site only, howto on tunneling.

IPsec site-to-site tunneling

Starting point: two sites

IPsec preparations

First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):

(*) This data is not mandatory, but it makes it easier to reference the machine in question.

Furthermore, you'll need to decide if you are going to use the debian-specific tool racoon-tool, or if you're going to configure racoon directly. If you don't know what the difference is, choosing will be quite hard. So here follows a little description of the tools, and what we see as the consequences of your choice.

• racoon is a daemon that can exchange keys with the other end of a prospective IPsec connection in a secure and automated way; it is part of the IPsec-tools package. You are supposed to configure it by means of entering exactly the right data in /etc/racoon/racoon.conf. Using racoon directly is the "standard" way of setting up an IPsec tunnel
• racoon-tool is a Debian-specific Perl script, that can perform your racoon configuration for you. Using this means that you're less likely to make typo's etcetera: it's plain easier. On the other hand, since this is Debian-specific, a lot of information on the Internet might get less usable for you, since that assumes you're using plain racoon. This shortcoming is mitigated somewhat by the realization that racoon-tool generates a racoon.conf file just as you'd expect, but only in a different location (/var/lib/racoon/racoon.conf instead of /etc/racoon/racoon.conf). But then again, you might want to learn how to make IPsec tunnels in a way that can be used on non-Debian servers as well...

We feel there is no compelling general reason to choose one way over the other, so we'll outline both ways here. You'll have to choose, though. Mind you, if you ever change your mind, you can easily switch from direct to racoon-tool or back by running dpkg-reconfigure racoon...

Next up, we need the same data for the far side of every tunnel you'll be creating:

Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under Networking support > Networking options:

• PF_KEY Sockets: This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
• IP: ESP transformation: This option ensures we can create IPsec networking packets in ESP mode.
• IP: IPsec tunnel mode: This option enables the IPsec tunnel mode.

For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to Cryptographic API, and select the algorithms you want. We would suggest the following algorithms:

• Null algorithms: useful for testing
• SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
• Blowfish cipher algorithm: fast and efficient
• AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure

If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.

IPsec installation

IPsec site-to-site tunnel configuration

Method 1: using racoon-tool

Method 2: direct racoon configuration

Extra configuration issues

setting the right routes

adapting your firewall configuration

DNS and WINS issues

IPsec diagnostics