Use of IPSEC in Linux when configuring network-to-network and point-to-point VPN connections

Quick Howto on configuring an ipsec tunnel

How to Connect to L2TP/IPsec VPN on Linux
In this case, the presence of the ESP will mean that encryption is working. I am using the below configuration but the tunnel is not coming up. I have IPv4 forwarding on in my setup [ root ip ipsec. Listing 4 shows the typical racoon. A detailed description of these implementations in relation to the two connection schemes, node-to-node and network-to-network, was provided alongside real examples. Any idea what it could be? Windows Server might also support PFS. Three sites in total.


How to Set Up an L2TP/IPsec VPN Server on Linux

There are encryption technologies involved in protecting your communication as it travels over the wire. Different technologies can be used to encrypt your communication. For understanding IPSec and how it works, you can refer to the link below. There are other technologies as well that protect data communication over the wire; some of them are mentioned below.

However, we cannot reliably use them for our purpose of interconnecting two branch offices that are geographically isolated, over the internet. VPN is a very useful technology that is widely deployed in organizations that require secure remote access to a remote network. Some noteworthy points about Virtual Private Networks are mentioned below.

In other words, an entire IP packet is encrypted for security. IPSec is used for authentication as well as encryption of the complete communication that happens between two hosts on the internet. As IPSec works in the network layer, traffic generated by all applications is encrypted and sent by default, hence no modification is required to existing applications to make them compatible with IPSec. We will be using one such IPSec implementation in Linux for creating a tunnel between two private networks through the internet.

There was a project called FreeS/WAN, which was the first implementation of IPSec on Linux, but for some reason the project did not last long; the last version of FreeS/WAN was released at In the figure shown above I have tried to depict the VPN setup that we will be configuring now.

There are two networks shown in the above diagram. These two networks are geographically isolated from each other and, of course, they have private network addresses and cannot be routed through the internet to communicate with each other. We will be interconnecting these two networks, so that the hosts on network A can communicate with hosts on network B just as they communicate with any local network.

For making this work we will have two VPN servers. This kind of setup is called gateway-to-gateway or sometimes site-to-site VPN. Both of them will need a public internet IP address to communicate with each other through the internet.

This configuration is necessary for clients on both networks to reach the other network, as well as for proper working of routing. The first step is to configure IP forwarding. As the name suggests, it is used to forward packets destined for other hosts, and it is what you enable when you need to make a Linux machine act as a router. In our case of establishing a VPN tunnel between two networks, both VPN servers will act as a router to reach the network on the other side.

Hence we need to enable it. IP forwarding can be enabled in Linux on the fly by the command below. A setting changed this way is lost on reboot, hence we need to make IP forwarding permanent. This can be done by modifying sysctl. To make the change in sysctl effective, you can run the command below. Please do not forget to enable IP forwarding on both VPN servers. Let's add an iptables rule that will modify the source IP address of a packet before that packet is sent out. This is useful because it lets the VPN server rewrite the source IP of packets leaving it.

On the network A VPN server enter the command below. The above command on the network A VPN server will modify the source address of a packet originating from On the VPN server on the other side, apply the same command with the source address of Now we are set to install and configure the openswan ipsec server on both VPN servers.
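The forwarding and NAT steps above, as an added shell script that is not part of the original tutorial. It checks whether forwarding is on, persists `net.ipv4.ip_forward = 1` in a sysctl file without creating duplicate lines on repeated runs, and prints the two nat-table rules a gateway needs. The interface name `eth0`, the subnets and the file paths are constructed placeholders, and the functions take paths as parameters so they can be exercised on a scratch file rather than on the live system.

```sh
#!/bin/sh
# Added example (not from the original tutorial): enable IPv4 forwarding on a
# VPN gateway, make it survive a reboot, and emit the NAT rules for the LAN.
# Interface name, subnets and file paths are constructed placeholders; the
# functions take paths as parameters so they can be exercised on a scratch file.

# ip_forward_enabled [KNOB]: true when the running kernel forwards IPv4 packets.
ip_forward_enabled() {
    knob="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$knob" 2>/dev/null)" = "1" ]
}

# sysctl_value KEY FILE: print the effective (last) value of KEY in a sysctl file.
sysctl_value() {
    grep "^[[:space:]]*$1[[:space:]]*=" "$2" 2>/dev/null | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# persist_ip_forward [FILE]: set net.ipv4.ip_forward = 1 in FILE, replacing an
# existing line rather than appending a duplicate, so repeated runs are harmless.
persist_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" 2>/dev/null; then
        sed 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# nat_rules WAN_IF LOCAL_SUBNET REMOTE_SUBNET: print the iptables commands.
# The first rule exempts LAN-to-remote-LAN traffic from masquerading: with the
# NETKEY stack, nat POSTROUTING runs before IPsec encapsulation, so a rewritten
# source address would no longer match the leftsubnet/rightsubnet policy and
# the packet would leave in the clear instead of through the tunnel.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j ACCEPT\n' "$2" "$3"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$2" "$1"
}

# Only touch the live system when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    persist_ip_forward /etc/sysctl.conf
    sysctl -p
    nat_rules eth0 192.168.1.0/24 192.168.2.0/24 | sh
    ip_forward_enabled && echo "forwarding enabled"
fi
```

Run it as `sh enable_forwarding.sh apply` on each gateway, with the LAN and remote subnets swapped on the second one. The ACCEPT rule must come before the MASQUERADE rule, since iptables stops at the first matching target in the chain.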

Openswan ipsec tunnels allow you to authenticate the traffic going through the tunnel in two ways. The two methods are mentioned below. We will see both configurations one by one. Let's look at the shared secret method in openswan ipsec first. Creating a tunnel between two separate networks using an openswan shared secret is the easiest and fastest method. For this to work properly we will begin with installing openswan on the Linux machine; the package is available for almost all Linux distributions.

You can use the system package manager for installing openswan. Yum tutorial in Linux. The yum command below can be used to install openswan in Linux.

However, you can achieve the same result in any distribution without much modification. Now the second step is to configure our ipsec. KLIPS is currently the more stable one, and the one which is easier to use.

IPSec works by encrypting packets at the network level; in other words, an entire IP packet is encrypted along with its headers, and sometimes a new header is attached if you are masquerading IP packets.

In order to enable IPSec packets to go through NAT devices, we need to enable this option by setting it to the value "yes". This can cause problems if the server you are connecting to is using the same IP range internally. Say that the IPSec server connects you to The client side or the server side?

The best method is to add all private subnets except those ranges used by the server. This is the first argument and gives the name of the connection. You can give any name you wish; it is simply for identifying the tunnel. The IP address of the local IPsec server. Can be an IP address or a fully-qualified domain name. Which subnets will be reachable through this tunnel, on this side of the tunnel. Simply adding routes on both sides without adding the subnet will not make the hosts reachable.

Let's take an example. Or if you want to further simplify the process of ipsec. But remember one thing: for the tunnel to work with a pre-shared key, the key must be the same on both VPN servers. Now we need to have exactly the same configuration on the VPN server on the other side, with the required changes in left, right, leftsubnet, rightsubnet, leftid and rightid. To make the concept clear, the value of right on the other VPN server must be the value of left on this VPN server. Once the configuration is correct, restart the ipsec service on both sides.

Your tunnel should work flawlessly if you did not make any configuration mistake. You can check the tunnel by pinging any IP on the remote subnet. Now, as discussed before, let's see the second method that can be used for authentication of our IPSec.
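The left/right mirroring and the shared-key rule described above, as an added shell example that is not part of the original tutorial or of Openswan itself. It renders the pre-shared-key `conn` section for one gateway, derives the peer's copy with the left and right triples swapped, checks that the two files really are mirror images, and prints the `ipsec.secrets` line that has to be identical on both ends. The connection name `siteAB`, the addresses `203.0.113.10` and `198.51.100.20`, the subnets, the IDs `@siteA`/`@siteB` and the secret are all constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original tutorial): render the pre-shared-key
# "conn" section for one gateway and derive the peer's mirrored copy, then
# check that the two files really are mirror images. All addresses, IDs and
# the secret are constructed placeholders.

# render_conn NAME LEFT LEFTSUBNET LEFTID RIGHT RIGHTSUBNET RIGHTID
render_conn() {
    printf 'conn %s\n' "$1"
    printf '    left=%s\n' "$2"
    printf '    leftsubnet=%s\n' "$3"
    printf '    leftid=%s\n' "$4"
    printf '    right=%s\n' "$5"
    printf '    rightsubnet=%s\n' "$6"
    printf '    rightid=%s\n' "$7"
    printf '    authby=secret\n'
    printf '    auto=start\n'
}

# peer_conn: same arguments as render_conn; emits the block with the left and
# right triples swapped, which is what the other gateway needs.
peer_conn() {
    render_conn "$1" "$5" "$6" "$7" "$2" "$3" "$4"
}

# conn_value FILE KEY: value of "KEY=..." in a rendered conn file.
conn_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_mirror FILE_A FILE_B: succeed only if every left* on A equals the
# matching right* on B and vice versa.
check_mirror() {
    for pair in left:right leftsubnet:rightsubnet leftid:rightid; do
        lk=${pair%%:*}
        rk=${pair##*:}
        [ "$(conn_value "$1" "$lk")" = "$(conn_value "$2" "$rk")" ] || return 1
        [ "$(conn_value "$1" "$rk")" = "$(conn_value "$2" "$lk")" ] || return 1
    done
    return 0
}

# psk_line LEFT RIGHT SECRET: the ipsec.secrets entry; it must be identical on
# both gateways, which is the one thing the pre-shared-key method depends on.
psk_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Stand-alone run: print both sides' sections for the constructed example sites.
if [ "${1:-}" = "show" ]; then
    echo "# site A /etc/ipsec.conf"
    render_conn siteAB 203.0.113.10 192.168.1.0/24 @siteA 198.51.100.20 192.168.2.0/24 @siteB
    echo "# site B /etc/ipsec.conf"
    peer_conn siteAB 203.0.113.10 192.168.1.0/24 @siteA 198.51.100.20 192.168.2.0/24 @siteB
    echo "# /etc/ipsec.secrets on both"
    psk_line 203.0.113.10 198.51.100.20 REPLACE_WITH_A_LONG_RANDOM_SECRET
fi
```

Run `sh mirror_conn.sh show` to see both sections side by side. The swap is what the tutorial describes and it works, but it is not strictly required: Openswan treats left and right as labels and decides which side is local by matching the addresses against its own interfaces, so the unswapped section is also accepted on the second gateway. The secret, on the other hand, has no such tolerance; keep `/etc/ipsec.secrets` readable by root only.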

We will create RSA keys on both VPN servers first, then we will see the ipsec. You can create an RSA key for your VPN server by the following command.

The above command should create a key for your VPN server inside ipsec. Run the same command on the VPN server on the other side. So now you have two RSA keys of bit size on both servers. The other method is the newer KAME methodology. This is integrated directly into the 2.

There is a different Shorewall setup for this type of method. The KAME packages are called ipsec-tools (source package and command-line utilities) and racoon (key exchange daemon). Howtos Tutorial of Linux 2. Also, see IPsec with Linux 2. To test for policy match. Debian Sarge has "policy match" in iptables but not in the 2. Step-by-step guide of patching the kernel with netfilter policy match for Shorewall.

Micro-Howto of using racoon and ipsec-tools in Woody: Here are a few points of interest, however: If you are using a different form of authentication, you may wish to read man 5 ipsec.

You should see some output telling you that a connection has been successfully negotiated. For now, we will stop Openswan again and continue with our setup. You can check that the tunnel has started by running ip address show: the interface is usually named something like ppp0, and will have an IP address assigned from the range that the remote network is using. All we need to do now is tell Linux to route traffic to this subnet over the VPN connection.

For the purposes of this tutorial, we will assume that the remote subnet is You can confirm that this has worked by running ip route show. If you make a mistake, you can easily delete any route by running ip route delete with the same syntax. For example, to undo this last step the command would be ip route delete If you have other machines attached over the remote VLAN, you should now be able to ping them.
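The post-connect steps (check the ppp interface, add the route, undo it) as one added, idempotent shell script; it is not part of the original tutorial. It calls `ip` the same way the text does, adds the route only if it is missing so the script can be re-run safely, refuses to add a route while the interface is down, and removes the route on disconnect. The interface name `ppp0` and the remote subnet `192.168.2.0/24` are constructed placeholders that can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the original tutorial): the post-connect steps as one
# idempotent script: confirm the ppp interface is up, add the route to the remote
# subnet only if it is missing, and remove it again on disconnect. The interface
# name and the remote subnet are constructed placeholders.

VPN_IF="${VPN_IF:-ppp0}"
REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.2.0/24}"

# iface_up IFACE: true if IFACE exists and has an IPv4 address (what
# "ip address show" would list for the tunnel interface).
iface_up() {
    ip -4 address show dev "$1" 2>/dev/null | grep -q 'inet '
}

# route_via_iface SUBNET IFACE: true if a route for SUBNET via IFACE exists.
route_via_iface() {
    ip route show "$1" 2>/dev/null | grep -qE "dev $2( |$)"
}

# ensure_route SUBNET IFACE: add the route unless it is already present.
ensure_route() {
    route_via_iface "$1" "$2" && return 0
    ip route add "$1" dev "$2"
}

# remove_route SUBNET IFACE: the undo step; does nothing if the route is absent.
remove_route() {
    route_via_iface "$1" "$2" || return 0
    ip route delete "$1" dev "$2"
}

# vpn_up IFACE SUBNET: refuse to add the route while the tunnel is down,
# otherwise traffic for the remote subnet would be sent into a dead interface.
vpn_up() {
    if ! iface_up "$1"; then
        echo "$1 is not up; start the L2TP/IPsec connection first" >&2
        return 1
    fi
    ensure_route "$2" "$1"
}

case "${1:-}" in
    up)   vpn_up "$VPN_IF" "$REMOTE_SUBNET" ;;
    down) remove_route "$REMOTE_SUBNET" "$VPN_IF" ;;
esac
```

Use it as `sudo sh vpn_route.sh up` after the connection comes up and `sudo sh vpn_route.sh down` before tearing it down; `VPN_IF=ppp1 REMOTE_SUBNET=10.8.0.0/16 sh vpn_route.sh up` overrides the placeholders.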

The commands used in this section can easily be combined into a file and run as a script, to avoid repeating this process every time you want to connect. Otherwise, carry on to:

strongSwan