Knowledge Base ZPE Systems, Inc. IPSec

            How to Configure IPSec Site to Site Tunnel with Pre-Shared Key

            Version 0.1 (02 May 2018)

            Overview

            Site to Site configurations are an extension of host to site configurations. Communication is expanded to one or more subnets on both sides of the connection. The subnets and the addresses used for the tunnel communication are defined with leftsourceip, rightsourceip, leftsubnets and rightsubnets.


            Site to Site with Pre-shared Key

            Required tasks:

            1. Prepare both nodes (see: How to Prepare a Nodegrid Node for IPSec)
            2. On one of the nodes create a Pre-Shared Key (see: How to create Pre-shared Keys for IPSec)
            3. Create connection configuration file in /etc/ipsec/ipsec.d/ directory as root user
            4. Fields of the connection configuration file:

               Field            Value                      Comments
               Connection name  <String>                   -
               leftid           @West                      Identifier for the West/left site. Values can be:
                                                           %left     - uses the value of left
                                                           @<STRING> - uses the string
                                                           The leftid value is used to identify the PSK.
               left             <IP or FQDN>               IP or FQDN of the West/left host. In addition to an
                                                           actual IP address the following values can be used;
                                                           they are resolved when the service starts:
                                                           %defaultgateway
                                                           %eth0
               leftsourceip     <INTERNAL IP TO BE USED>   IP address of the West node to be used for the tunnel
                                                           communication. This IP should belong to the leftsubnet.
               leftsubnet       <SUBNET>                   One subnet can be defined.
               leftsubnets      <LIST OF SUBNETS>          One or multiple subnets can be defined; an individual
                                                           tunnel is created for each subnet.
               rightid          @East                      Identifier for the East/right site. Values can be:
                                                           %right    - uses the value of right
                                                           @<STRING> - uses the string
                                                           The rightid value is used to identify the PSK.
               right            <IP or FQDN>               IP or FQDN of the East/right host. In addition to an
                                                           actual IP address the following values can be used;
                                                           they are resolved when the service starts:
                                                           %defaultgateway
                                                           %eth0
               rightsourceip    <INTERNAL IP TO BE USED>   IP address of the East node to be used for the tunnel
                                                           communication. This IP should belong to the rightsubnet.
               rightsubnet      <SUBNET>                   One subnet can be defined.
               rightsubnets     <LIST OF SUBNETS>          One or multiple subnets can be defined; an individual
                                                           tunnel is created for each subnet.
               authby           secret                     -
               auto             start                      Regulates when the IPSec tunnel is established. Accepted
                                                           values: add (manual start), start (starts with the
                                                           service), ondemand (established when traffic exists),
                                                           ignore (connection is ignored and not used).
               connaddrfamily   ipv4                       Possible values are ipv4 or ipv6.

              Format:

              conn <Connection name>
                    connaddrfamily=ipv4
                    auto=<add|start|ondemand|ignore>
                    authby=secret

                    leftid=@<STRING>
                    left=<IP or FQDN>
                    leftsourceip=<INTERNAL IP TO BE USED>
                    leftsubnet=<SUBNET/MASK>
                    rightid=@<STRING>
                    right=<IP or FQDN>
                    rightsourceip=<INTERNAL IP TO BE USED>
                    rightsubnets={<SUBNET/MASK> <SUBNET/MASK>}

              Example /etc/ipsec/ipsec.d/site-to-site-psk.conf

              conn site-to-site-psk
                    connaddrfamily=ipv4
                    auto=start
                    authby=secret

                    leftid=@West
                    left=192.168.50.4
                    leftsourceip=192.168.59.4
                    leftsubnet=192.168.59.0/24
                    rightid=@East
                    right=192.168.58.4
                    rightsourceip=192.168.60.4
                    rightsubnets={192.168.60.0/24 192.168.61.0/24}
            5. Create a secrets file in /etc/ipsec/ipsec.d/site-to-site-psk.secrets
            6. Fields of the secrets file:

               Field     Value                                                       Comments
               leftid    has to match leftid in the connection configuration file    -
               rightid   has to match rightid in the connection configuration file   -
               PSK       Pre-Shared Key                                              -

               Format:

               <leftid> <rightid> : PSK "<Pre-Shared Key>"

              Example for /etc/ipsec/ipsec.d/host-to-host-psk.secrets

              @West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="
            7. Copy the configuration file and the secret file to the other node.
            8. Restart the IPSec service on both nodes:

               root@ng-west:~# ipsec restart
               Redirecting to: /etc/init.d/ipsec stop
               Shutting down pluto IKE daemon
               002 shutting down

               Redirecting to: /etc/init.d/ipsec start
               Starting pluto IKE daemon for IPsec: .
               root@ng-west:~#
            9. Confirm that the tunnel was established.

               Short information:

               root@ng-west:~# ipsec whack --trafficstatus
               006 #2: "site-to-site-psk", type=ESP, add_time=1524092870, inBytes=0, outBytes=0, id='@East'

               More detailed information:

               root@ng-west:~# ipsec whack --status |grep site-to-site-psk
               …………….
               000 #2: "site-to-site-psk":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27867s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
               000 #2: "site-to-site-psk" esp.f0f258e4@192.168.58.4 esp.6d38b7cc@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
               000 #1: "site-to-site-psk":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2426s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
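Added example, not part of the original article: a Python check that parses a connection file and a secrets file in the formats described above and verifies the rules the article states before the files are copied to the second node (authby=secret, a valid auto and connaddrfamily value, each sourceip inside that side's subnet(s), and secrets ids matching leftid/rightid). The sample configuration and the PSK value are constructed and mirror the example above.

```python
import ipaddress
import re

# Constructed sample input mirroring the example files in this article (PSK is a placeholder).
CONN_CONF = """conn site-to-site-psk
     connaddrfamily=ipv4
     auto=start
     authby=secret
     leftid=@West
     left=192.168.50.4
     leftsourceip=192.168.59.4
     leftsubnet=192.168.59.0/24
     rightid=@East
     right=192.168.58.4
     rightsourceip=192.168.60.4
     rightsubnets={192.168.60.0/24 192.168.61.0/24}
"""
SECRETS = '@West @East : PSK "CONSTRUCTED-PLACEHOLDER-KEY="\n'

ALLOWED = {"authby": {"secret"},                      # fixed-choice options from the field table
           "auto": {"add", "start", "ondemand", "ignore"},
           "connaddrfamily": {"ipv4", "ipv6"}}

def parse_conn(text):
    """Return {option: value} for the option lines of a single 'conn' block."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def subnets(opts, side):
    """Collect <side>subnet and <side>subnets={a b ...} as ip_network objects."""
    nets = [opts[side + "subnet"]] if side + "subnet" in opts else []
    nets += opts.get(side + "subnets", "").strip("{}").split()
    return [ipaddress.ip_network(n) for n in nets]

def check_site_to_site(conn_text, secrets_text):
    """Apply this article's consistency rules; return a list of problems (empty == OK)."""
    o = parse_conn(conn_text)
    problems = [f"{k}={o.get(k)!r} is not one of {sorted(v)}"
                for k, v in ALLOWED.items() if o.get(k) not in v]
    for side in ("left", "right"):   # sourceip must lie inside that side's subnet(s)
        ip = ipaddress.ip_address(o[side + "sourceip"])
        if not any(ip in n for n in subnets(o, side)):
            problems.append(f"{side}sourceip {ip} is outside every {side}subnet")
    # Secrets line format: <leftid> <rightid> : PSK "<key>"; the ids must match the conn block.
    m = re.match(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"(.+)"\s*$', secrets_text.strip())
    if not m or m.group(1, 2) != (o.get("leftid"), o.get("rightid")):
        problems.append("secrets ids do not match leftid/rightid in the conn block")
    return problems
```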
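Added example, not from the original article: parsing the "ipsec whack --trafficstatus" output shown above so the confirmation that an ESP SA exists for the connection, with the expected peer id, can be scripted on both nodes. The sample output line is constructed from the one shown above.

```python
import re

# Constructed sample output in the form shown above for 'ipsec whack --trafficstatus'.
TRAFFICSTATUS = (
    '006 #2: "site-to-site-psk", type=ESP, add_time=1524092870, '
    "inBytes=0, outBytes=0, id='@East'\n"
)

# <code> #<SA number>: "<conn name>", key=value, key=value, ...
LINE_RE = re.compile(r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)", (?P<fields>.*)$')

def parse_trafficstatus(output):
    """Return one dict per reported SA with conn, sa and the key=value fields."""
    sas = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not SA entries
        entry = {"conn": m.group("conn"), "sa": int(m.group("sa"))}
        for field in m.group("fields").split(", "):
            k, v = field.split("=", 1)
            entry[k] = int(v) if v.isdigit() else v.strip("'")
        sas.append(entry)
    return sas

def tunnel_established(output, conn, peer_id):
    """True when an ESP SA for conn exists and its peer id is the expected rightid."""
    return any(e["conn"] == conn and e.get("type") == "ESP" and e.get("id") == peer_id
               for e in parse_trafficstatus(output))
```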
