Reply To: site to site vpn using ipsec?


#49993

sergej
Participant

My configuration of site-to-site IPsec with PSKs:

Assume network parameters:
My IP (zeroshell site): 120.120.120.120
Remote IP: 100.100.100.100
My LAN (behind zeroshell): 10.0.0.0/16
Remote LAN: 192.168.47.0/24

Config preparation:
mkdir -p /Database/custom/ipsec

Here I made 3 files

psk.txt (with PSKs – preshared keys):

# peer identifier (IP address), then the key
100.100.100.100 Preshared key 1

ipsec.conf (with IPsec policies):

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
esp/tunnel/120.120.120.120-100.100.100.100/require;

spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
esp/tunnel/100.100.100.100-120.120.120.120/require;

racoon.conf:

# PSK file: one line per peer, "identifier key"
path pre_shared_key "/Database/custom/ipsec/psk.txt";

# Listen for IKE only on the public address of this site
listen { isakmp 120.120.120.120; }

# Phase 1 (IKE SA) with the remote gateway
remote 100.100.100.100 {
    exchange_mode main;
    proposal {
        # 3des/md5/modp1024 are legacy choices; prefer aes/sha256/modp2048 where the peer supports them
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# Phase 2 (IPsec SA) for traffic between the two LANs
sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Start IPsec in zeroshell’s post boot script:

# Start IPsec
# Exempt LAN-to-LAN traffic from NAT, otherwise the masqueraded source address no longer matches the SPD policy
iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
# Load the SPD policies, then start the IKE daemon
setkey -f /Database/custom/ipsec/ipsec.conf
racoon -f /Database/custom/ipsec/racoon.conf

You should allow VPN traffic by firewall rules as well (UDP/500, ESP and site-to-site traffic).
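The firewall rules mentioned at the end of the post, written out as an added example (not part of the original post or of Zeroshell): a shell function that prints the iptables commands for IKE (UDP/500), ESP and the LAN-to-LAN forwarding, restricted to the configured peer. The address variables mirror the post's example network; the rule set also uses the kernel's policy match so that forwarded LAN traffic is only accepted when it really arrived through the tunnel.

```shell
#!/bin/sh
# Example addresses taken from the post above (constructed values, not a real deployment)
MY_IP=120.120.120.120
PEER_IP=100.100.100.100
MY_LAN=10.0.0.0/16
PEER_LAN=192.168.47.0/24

# ipsec_fw_rules MY_IP PEER_IP MY_LAN PEER_LAN
# Prints one iptables command per line; pipe the output into sh (as root) to apply it.
ipsec_fw_rules() {
    my_ip=$1; peer_ip=$2; my_lan=$3; peer_lan=$4

    # IKE (ISAKMP) is accepted only from the configured peer, not from the whole Internet.
    # If nat_traversal is enabled in racoon.conf, add the same rule for UDP/4500.
    echo "iptables -A INPUT -p udp -s $peer_ip -d $my_ip --dport 500 -j ACCEPT"

    # ESP (IP protocol 50) is likewise accepted only from the peer
    echo "iptables -A INPUT -p esp -s $peer_ip -d $my_ip -j ACCEPT"

    # Decrypted traffic is forwarded only between the two LANs, and only when the
    # packet was received inside an IPsec tunnel from the peer (xt_policy match);
    # cleartext packets spoofing the remote LAN addresses are therefore not forwarded.
    echo "iptables -A FORWARD -s $peer_lan -d $my_lan -m policy --dir in --pol ipsec --mode tunnel --tunnel-src $peer_ip -j ACCEPT"
    echo "iptables -A FORWARD -s $my_lan -d $peer_lan -m policy --dir out --pol ipsec --mode tunnel --tunnel-dst $peer_ip -j ACCEPT"

    # Keep the site-to-site traffic out of NAT so it still matches the SPD policy
    echo "iptables -t nat -I POSTROUTING -s $my_lan -d $peer_lan -j ACCEPT"
}

# Print the rule set for the post's example network
ipsec_fw_rules "$MY_IP" "$PEER_IP" "$MY_LAN" "$PEER_LAN"
```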