My configuration of site-to-site IPsec with PSKs:
Assume network parameters:
My IP (zeroshell site): 120.120.120.120
Remote IP: 100.100.100.100
My LAN (behind zeroshell): 10.0.0.0/16
Remote LAN: 192.168.47.0/24
Config preparation:
mkdir -p /Database/custom/ipsec
Here I made 3 files
psk.txt (with PSKs – preshared keys):
100.100.100.100 Preshared key 1
ipsec.conf (with IPsec policies):
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
esp/tunnel/120.120.120.120-100.100.100.100/require;
spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
esp/tunnel/100.100.100.100-120.120.120.120/require;
racoon.conf:
path pre_shared_key "/Database/custom/ipsec/psk.txt";
listen { isakmp 120.120.120.120; }
remote 100.100.100.100 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
pfs_group modp1024;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
Start IPsec in zeroshell’s post boot script:
# Start IPsec
iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
setkey -f /Database/custom/ipsec/ipsec.conf
racoon -f /Database/custom/ipsec/racoon.confYou should allow VPN traffic by firewall rules as well (UDP/500, ESP and site-to-site traffic).