Native IPsec tunnel

From SaruWiki
Revision as of 22:13, 18 May 2008 by Saruman! (talk | contribs) (Preparations added)

First off: what subject are we going to cover? Well, this page will cover how to set up a tunnel between two (Debian) Linux servers that are both connected to the Internet, so as to form a VPN tunnel between the two (private) networks that these servers are also connected to. The tunnel will be set up using a Pre-Shared Key (PSK) and will transport all traffic. This scenario is not uncommon; in fact, it is the scenario for which most material on the Internet can be found, and a very complete explanation of the basics of IPsec tunneling can be found here. Still, here's our view of this material.

Preparations

To set up a site-to-site tunnel using IPsec, we start with a Debian Etch base server. Use aptitude to update all packages on the server to the latest version. Then check that your kernel is compiled with the right options for IPsec. In the kernel configuration menu these options can be found under Networking > Networking options and include at least (but may not be limited to):

(*) PF_KEY sockets (NET_KEY)
(*) IP: ESP transformation (INET_ESP)
(*) IP: IPsec tunnel mode (INET_XFRM_MODE_TUNNEL)

Of course, in kernel versions newer than the 2.6.25 from which we lifted these names, these options may be named differently.
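To make the kernel check above repeatable, here is an added example (not from this wiki page) that looks up the three CONFIG_ symbols named in parentheses above in the running kernel's config; it assumes the config is exposed as /proc/config.gz or /boot/config-<release>, and treats a renamed option on a newer kernel as MISSING, which is exactly the case the previous paragraph warns about.

```shell
# Added example, not from the SaruWiki page: check a kernel config for the
# IPsec options the Preparations section lists. The CONFIG_ symbols are the
# ones named in parentheses on the page; on kernels newer than 2.6.25 the
# names may differ, which shows up here as a MISSING report.
IPSEC_OPTIONS="CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TUNNEL"

# find_kernel_config: print a readable config path for the running kernel,
# or return 1 if neither /proc/config.gz nor /boot/config-<release> exists.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# read_config FILE: emit the config as plain text (gunzip if needed).
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_ipsec_config FILE: report each required option as built-in (=y),
# module (=m) or MISSING. Returns 0 only if every option is =y or =m.
# A "# CONFIG_X is not set" line does not match, so it counts as missing.
check_ipsec_config() {
    cfg="$1"
    missing=0
    for opt in $IPSEC_OPTIONS; do
        state=$(read_config "$cfg" | sed -n "s/^$opt=//p" | tail -n 1)
        case "$state" in
            y) echo "$opt: built-in" ;;
            m) echo "$opt: module" ;;
            *) echo "$opt: MISSING"; missing=1 ;;
        esac
    done
    return $missing
}

# When run directly, check the live kernel; report rather than abort on a miss.
if cfg=$(find_kernel_config); then
    check_ipsec_config "$cfg" || echo "kernel lacks at least one IPsec option" >&2
else
    echo "no readable kernel config found (/proc/config.gz, /boot/config-*)" >&2
fi
```

A module (=m) result means you still need to load the module (or let the IPsec tools trigger autoloading) before the tunnel will come up.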

Next off, it's time to install the necessary Debian packages. The two packages needed are:

  • racoon: this is a
  • ipsec-tools:

Now, we have to decide whether we want