Three steps to a basic IPsec tunnel

Sometimes, the solution is so simple that you miss the wood for the trees.

1. Install strongSwan on both sides.

2. Edit /etc/ipsec.conf on each side:

conn foo
        left=fd00::31:1
        right=fd00::32:2
        auto=start
        authby=psk

3. Edit /etc/ipsec.secrets on each side (note the spaces around the colon: the selectors are IPv6 addresses, which contain colons themselves, so the separator must be a colon surrounded by whitespace):

fd00::31:1 fd00::32:2 : PSK "our happy shared key"

Certificate-based

Generate a certificate plus key for each side (leftside/rightside are just placeholders here; give them appropriate names). The key goes into /etc/ipsec.d/private and the certificate into /etc/ipsec.d/certs, which is where strongSwan looks for them by default. openssl prompts for the subject; -days is given explicitly because req -x509 otherwise issues a certificate that is valid for only 30 days:

openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout /etc/ipsec.d/private/leftside.pem.key \
        -out /etc/ipsec.d/certs/leftside.pem

This is just a self-signed certificate, but it should fit the bill for "simple". Each side needs its own certificate and key, plus the other side's certificate: the left side needs leftside.pem, leftside.pem.key and rightside.pem; the right side needs rightside.pem, rightside.pem.key and leftside.pem. Because rightcert names the peer's certificate directly, each side trusts exactly that one certificate rather than a CA.

/etc/ipsec.conf for the left side:

conn foo
        left=1.1.1.1
        right=2.2.2.2
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/leftside.pem"
        rightcert="/etc/ipsec.d/certs/rightside.pem"

/etc/ipsec.secrets for the left side:

1.1.1.1 2.2.2.2 : RSA "leftside.pem.key"

The right side's configuration is obviously mirrored (swap left/right and the file names). You can also use the %any selector in ipsec.secrets if needed.
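As an added check (not part of the original post), here is a small POSIX shell function that lints an ipsec.secrets file for the mistakes this setup invites: a bare ':' between IPv6 selectors and the secret, an unquoted PSK, an RSA/ECDSA key name that does not resolve under /etc/ipsec.d/private, and a secrets file readable by other users. The function name and the way it is called are my own assumptions.

```shell
# lint_ipsec_secrets FILE [PRIVATE_DIR]
# Prints one "line N: ..." message per problem found in an ipsec.secrets file and
# returns the number of problems (0 = clean). Assumes one entry per line (no
# continuation lines). PRIVATE_DIR is where relative RSA/ECDSA key names are
# resolved; it defaults to strongSwan's /etc/ipsec.d/private.
lint_ipsec_secrets() {
    file=$1
    privdir=${2:-/etc/ipsec.d/private}
    problems=0; n=0
    [ -f "$file" ] || { echo "$file: no such file"; return 1; }
    # the file holds PSKs and key passphrases: it must not be group/world readable
    case "$(ls -ld "$file" | cut -c5-10)" in
        ------) ;;
        *) echo "$file: readable by group or others, chmod 600 it"
           problems=$((problems + 1)) ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*|'include '*) continue ;;   # blank, comment, include
            ': '*|*' : '*) ;;                  # no selectors, or spaced separator
            *)  # a bare ':' is ambiguous once selectors are IPv6 addresses (fd00::31:1)
                echo "line $n: missing ' : ' separator between selectors and secret"
                problems=$((problems + 1)); continue ;;
        esac
        rest=${line#*: }          # everything after the first ': '
        type=${rest%% *}          # PSK, RSA, ECDSA, ...
        value=${rest#* }          # the quoted secret or key file name
        case "$type" in
            PSK)
                case "$value" in
                    \"*\"|0x*|0s*) ;;        # quoted string, hex or base64
                    *) echo "line $n: PSK must be a quoted string (or 0x/0s encoded)"
                       problems=$((problems + 1)) ;;
                esac ;;
            RSA|ECDSA)
                key=${value%% *}; key=${key#\"}; key=${key%\"}
                case "$key" in /*) path=$key ;; *) path=$privdir/$key ;; esac
                if [ ! -f "$path" ]; then
                    echo "line $n: $type key file not found: $path"
                    problems=$((problems + 1))
                fi ;;
            *)
                echo "line $n: unknown secret type '$type' (expected PSK, RSA or ECDSA)"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    return "$problems"
}
```

Run it as `lint_ipsec_secrets /etc/ipsec.secrets` on each side before starting the tunnel; the exit status is the number of problems found.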

Posted 2008-02-24 07:02 / Tags: Ipsec, Linux.