IPsec site-to-site tunnel
IPsec tunneling theory
IPsec is very powerful, but also quite complicated and intricate. When starting on tunneling, you might want to start exploring the site ipsec-howto. It explains both the theory of IPsec, and describes how to create IPsec tunnels. However, after reviewing the theory, you might want to continue here for a more elaborate, Debian-specific, site-to-site only, howto on tunneling.
IPsec site-to-site tunneling
Starting point: two sites
IPsec preparations
First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):
| Debian Server | Data | Example |
|---|---|---|
| Name(*) | dworkin | |
| Internet IP | 212.238.151.172 | |
| Private IP | 192.168.0.9 | |
| Network(s) | 192.168.0.0/24 | |
| Default key exchange encryption | 3DES | |
| Default tunnel encryption | 3DES |
(*) This data is not mandatory, but it makes it easier to reference the machine in question.
Next up, we need the same data for the far side of every tunnel you'll be creating:
| Debian Server | Data | Example |
|---|---|---|
| Name(*) | darktower | |
| Internet IP | 82.161.20.13 | |
| Private IP | 192.168.1.10 | |
| Network(s) | 192.168.1.0/24 | |
| Preferred key exchange encryption | SHA1 | |
| Preferred tunnel encryption | SHA1 |
Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under Networking support > Networking options:
- PF_KEY Sockets: This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
- IP: ESP transformation: This option ensures we can create IPsec networking packets in ESP mode.
- IP: IPsec tunnel mode: This option enables the IPsec tunnel mode.
For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to Cryptographic API, and select the algorithms you want. We would suggest the following algorithms:
- Null algorithms: useful for testing
- SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
- Blowfish cipher algorithm: fast and efficient
- AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure
If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.