site to site vpn using ipsec?


This topic contains 5 replies, has 0 voices, and was last updated by  apatheticsheep 8 years, 5 months ago.

  • #42324

    Is there a way to use IPsec for a site-to-site VPN in preference to the SSL implementation? I would love to use the SSL stuff, but I have a significant investment in Linksys RV042 routers at a number of home offices.

    I would like to connect these home offices to my Zeroshell box at the main office so that the VoIP extensions can connect to the PBX, but I cannot do this with the SSL implementation AFAIK.

    #49988

    bradj
    Member

    I’m not aware of a way of doing this, did you get a solution?

    #49989

    I have not figured out a way to do this, although I have not worked on it since posting this question.

    I see how the SSL implementation is a better solution, but in some cases it is just not feasible to replace a large amount of existing equipment.

    If anyone knows more about this topic any info would be greatly appreciated.

    If you would like to know more about this please bump.

    #49990

    ppalias
    Member

    1) No need to answer back to bots (bradj) 😀
    2) How about the Host-to-LAN (L2TP/IPSec)? Isn’t that working for you?

    #49991

    To my knowledge the “host to LAN” implementation does not work with PSKs, although I do not currently have a box up to confirm this. If it does, I suppose I could just use that section to build a LAN-to-LAN VPN.

    #49992

    ppalias
    Member

    No it doesn’t, at least on the web interface. I suppose that you could give it a try in the CLI.

    #49993

    sergej
    Participant

    My configuration of site-to-site IPsec with PSKs:

    Assume network parameters:
    My IP (zeroshell site): 120.120.120.120
    Remote IP: 100.100.100.100
    My LAN (behind zeroshell): 10.0.0.0/16
    Remote LAN: 192.168.47.0/24

    Config preparation:
    mkdir -p /Database/custom/ipsec

    Here I made 3 files

    psk.txt (with PSKs – preshared keys, one "peer-identifier key" pair per line):

    100.100.100.100 Preshared key 1

    ipsec.conf (with IPsec policies):

    #!/usr/sbin/setkey -f
    #
    # Flush SAD and SPD so entries from a previous run do not linger
    flush;
    spdflush;

    # Create policies for racoon: require ESP in tunnel mode between the two
    # gateways for LAN-to-LAN traffic in each direction; racoon negotiates
    # the matching SAs on demand when traffic hits these policies
    spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
    esp/tunnel/120.120.120.120-100.100.100.100/require;

    spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
    esp/tunnel/100.100.100.100-120.120.120.120/require;

    racoon.conf:

    # Pre-shared keys, looked up by the peer's address
    path pre_shared_key "/Database/custom/ipsec/psk.txt";

    # Local address for ISAKMP (IKE phase 1), UDP/500
    listen { isakmp 120.120.120.120; }

    # Phase 1 (ISAKMP SA) parameters for the remote gateway
    remote 100.100.100.100 {
    exchange_mode main;
    proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;
    }
    }

    # Phase 2 (IPsec SA) parameters for the LAN-to-LAN selector
    sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    }

    Start IPsec in zeroshell’s post boot script:

    # Start IPsec
    # NAT exemption: -I puts this rule ahead of any MASQUERADE rule so that
    # traffic for the remote LAN keeps its private source address and
    # matches the SPD selector instead of being NATed
    iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
    # Load the SPD, then start the IKE daemon
    setkey -f /Database/custom/ipsec/ipsec.conf
    racoon -f /Database/custom/ipsec/racoon.conf

    You should allow VPN traffic by firewall rules as well (UDP/500, ESP and site-to-site traffic).
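As an added example (not from sergej's post, nor Zeroshell's own code), here is a POSIX shell script that generates the same three files for the addresses in the post, but with AES-256, SHA-256 and 2048-bit DH (modp2048) in place of 3DES, MD5 and modp1024, writes the PSK file with mode 0600 (racoon rejects a group- or world-readable key file), and prints the firewall rules the last sentence calls for so they can be reviewed before being entered. The output directory argument, the DPD and lifetime values, and the placeholder key are assumptions; the configuration directives themselves are standard racoon/setkey syntax.

```shell
#!/bin/sh
# Added example: generate a racoon/setkey site-to-site IPsec configuration with
# current algorithms. Parameters other than the post's addresses are assumed.
set -eu

# gen_ipsec_config DIR LOCAL_IP REMOTE_IP LOCAL_NET REMOTE_NET PSK
gen_ipsec_config() {
    dir=$1; lip=$2; rip=$3; lnet=$4; rnet=$5; psk=$6
    mkdir -p "$dir"

    # psk.txt: "<peer identifier> <key>", readable by root only
    umask 077
    printf '%s %s\n' "$rip" "$psk" > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"

    # Same SPD as the post: flush, then require ESP tunnel mode both ways
    cat > "$dir/ipsec.conf" <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lip-$rip/require;
spdadd $rnet $lnet any -P in ipsec esp/tunnel/$rip-$lip/require;
EOF

    # racoon.conf: AES-256 / SHA-256 / modp2048 for both phases.
    # DPD interval and SA lifetimes are assumed values, not from the post.
    cat > "$dir/racoon.conf" <<EOF
path pre_shared_key "$dir/psk.txt";
listen { isakmp $lip; }
remote $rip {
    exchange_mode main;
    dpd_delay 20;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}
sainfo address $lnet any address $rnet any {
    pfs_group modp2048;
    lifetime time 1 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
EOF
}

# print_firewall_rules LOCAL_IP REMOTE_IP LOCAL_NET REMOTE_NET
# Prints (does not apply) the rules the post says are needed: IKE on
# UDP/500, ESP, the LAN-to-LAN forwarding, and the NAT exemption.
print_firewall_rules() {
    lip=$1; rip=$2; lnet=$3; rnet=$4
    cat <<EOF
iptables -A INPUT -p udp -s $rip -d $lip --dport 500 -j ACCEPT
iptables -A INPUT -p esp -s $rip -d $lip -j ACCEPT
iptables -A FORWARD -s $lnet -d $rnet -j ACCEPT
iptables -A FORWARD -s $rnet -d $lnet -j ACCEPT
iptables -t nat -I POSTROUTING -s $lnet -d $rnet -j ACCEPT
EOF
}

# start_ipsec DIR: what the post's post-boot script does, using the files above
start_ipsec() {
    setkey -f "$1/ipsec.conf"
    racoon -f "$1/racoon.conf"
}

# Usage (assumed path and placeholder key):
#   sh ipsec-gen.sh /Database/custom/ipsec 120.120.120.120 100.100.100.100 \
#      10.0.0.0/16 192.168.47.0/24 'replace-with-a-long-random-psk'
if [ $# -eq 6 ]; then
    gen_ipsec_config "$@"
    print_firewall_rules "$2" "$3" "$4" "$5"
fi
```

The script only writes files and prints rules; run `start_ipsec` (or the post's own post-boot lines) after checking the output, and remember that the RV042 end must be set to the same Phase 1/Phase 2 proposals or negotiation fails at the first exchange.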
