Gentoo Forums
Gentoo Forums Forum Index > Networking & Security
ipsec client with PSK - need some help

Author: E-Razor (n00b, Joined: 11 Jul 2004, Posts: 69)
Posted: Fri Jan 11, 2013 4:43 pm    Post subject: ipsec client with PSK - need some help

Hi all,

I'm getting grey hairs right now because of ipsec :-(

I tried to set up an ipsec client with PSK and these data:
Server-IP: <server_ip>
my-IP: <my_ip>
Phase 1
Encryption Algorithm: 3 DES
Hash Algorithm: MD5
Authentication Method: Pre-shared
Diffie-Hellman group: D-H group 2
Security Association's lifetime: 86400 seconds
Phase 2
ESP Encryption Transform: ESP-3DES
ESP Authentication Transform: ESP-MD5-HMAC

My net: <my_net> = 0.0.0.0/0
server net: <server_net> = 192.168.1.0/24


I found some howtos but somehow I wasn't able to get any of them to work.

Some are using racoon some are using openswan.

I tried the one mentioned at the gentoo wiki with racoon. I think I've configured everything correctly, the only part which was strange for me are the random keys in /etc/ipsec.conf .
Do I need these?

After starting racoon (/etc/init.d/racoon start) I tried to ping a host from <server_net>, which did not work.


I'd be very grateful if someone could give me some hints or points me to another good HowTo.

Thanks!

Author: E-Razor (n00b, Joined: 11 Jul 2004, Posts: 69)
Posted: Tue Jan 15, 2013 5:02 pm    Post subject: ...solved

Took me a while but now I got it.

The howto at http://www.ipsec-howto.org/x304.html helped me a lot.

For the client part I'm using racoon which manages most of the ipsec stuff.

The setup is pretty easy:
Code:

#/etc/racoon/racoon.conf

# file holding "<peer_ip> <secret>" lines, one per peer
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) parameters for the server
remote <server_ip> {
   exchange_mode main,aggressive;
   proposal {
      encryption_algorithm 3des;
      hash_algorithm md5;
      authentication_method pre_shared_key;
      dh_group 2;
   }
}

# Phase 2 (IPsec SA) parameters between the two networks
sainfo address <my_net> any address <server_net> any {
   pfs_group 2;
   encryption_algorithm 3des;
   authentication_algorithm hmac_md5;
   compression_algorithm deflate;
}

The first issue was that I permuted <my_net> and <server_net> .

You need to set up the psk:
Code:

#/etc/racoon/psk.txt
<server_ip> <psk>

Then you need to configure the /etc/ipsec.conf like this:
Code:

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon: traffic from <my_net> to <server_net> must go
# out through an ESP tunnel <my_ip> -> <server_ip>, and the reverse direction
# must arrive through the tunnel <server_ip> -> <my_ip>.
spdadd <my_net> <server_net> any -P out ipsec
           esp/tunnel/<my_ip>-<server_ip>/require;

spdadd <server_net> <my_net> any -P in ipsec
           esp/tunnel/<server_ip>-<my_ip>/require;

Restart racoon:
# /etc/init.d/racoon restart

Connect:
# racoonctl vpn-connect <server_ip>

Then you can simply ping anyone from <server_net>.

There is no additional network interface or route, the kernel does everything on its own - pretty confusing for me.
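The mistake described above (my_net and server_net swapped in the setkey policies) is easy to catch before loading the file. This added example, not code from the post or from racoon, renders the SPD script from the four tunnel parameters and checks an existing script for swapped selectors, swapped tunnel endpoints, a missing direction, or a level other than require; the addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample values standing in for <my_ip>, <server_ip>, <my_net>, <server_net>.
MY_IP, SERVER_IP = "203.0.113.10", "198.51.100.1"
MY_NET, SERVER_NET = "0.0.0.0/0", "192.168.1.0/24"

# Matches one "spdadd SRC DST any -P in|out ipsec esp/tunnel/TSRC-TDST/LEVEL;" policy,
# including the line-wrapped form used in the post's /etc/ipsec.conf.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;"
)

def render_spd(my_net, server_net, my_ip, server_ip):
    """Return the setkey script: flush both databases, then one out and one in policy."""
    return (
        "#!/usr/sbin/setkey -f\nflush;\nspdflush;\n"
        f"spdadd {my_net} {server_net} any -P out ipsec "
        f"esp/tunnel/{my_ip}-{server_ip}/require;\n"
        f"spdadd {server_net} {my_net} any -P in ipsec "
        f"esp/tunnel/{server_ip}-{my_ip}/require;\n"
    )

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def check_spd(script, my_net, server_net, my_ip, server_ip):
    """Return a list of problems; an empty list means the policies match the tunnel."""
    expected = {  # direction -> (src selector, dst selector, tunnel src, tunnel dst)
        "out": (_net(my_net), _net(server_net), my_ip, server_ip),
        "in": (_net(server_net), _net(my_net), server_ip, my_ip),
    }
    problems, seen = [], set()
    for src, dst, direction, tsrc, tdst, level in SPDADD_RE.findall(script):
        seen.add(direction)
        if (_net(src), _net(dst), tsrc, tdst) != expected[direction]:
            problems.append(f"{direction} policy: selectors or tunnel endpoints are reversed")
        if level != "require":
            problems.append(f"{direction} policy: level '{level}' does not enforce IPsec")
    problems += [f"missing '{d}' policy" for d in ("out", "in") if d not in seen]
    return problems

GOOD = render_spd(MY_NET, SERVER_NET, MY_IP, SERVER_IP)
# The poster's first mistake: <my_net> and <server_net> permuted in both policies.
SWAPPED = render_spd(SERVER_NET, MY_NET, MY_IP, SERVER_IP)

if __name__ == "__main__":
    print("good:", check_spd(GOOD, MY_NET, SERVER_NET, MY_IP, SERVER_IP))
    print("swapped:", check_spd(SWAPPED, MY_NET, SERVER_NET, MY_IP, SERVER_IP))
```

After loading the real file, `setkey -DP` shows the installed policies and `setkey -D` the SAs racoon negotiated, which is the only place this tunnel is visible since no interface or route appears.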