IPsec site-to-site tunnel
IPsec tunneling theory
IPsec is very powerful, but also quite complicated and intricate. When starting on tunneling, you might want to start exploring the site ipsec-howto. It explains both the theory of IPsec, and describes how to create IPsec tunnels. However, after reviewing the theory, you might want to continue here for a more elaborate, Debian-specific, site-to-site only, howto on tunneling.
IPsec site-to-site tunneling
IPsec general preparations
First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):
Debian Server | Data | Example |
---|---|---|
Name(*) | dworkin | |
Internet IP | 212.238.151.172 | |
Private IP | 192.168.0.9 | |
Network(s) | 192.168.0.0/24 | |
Default key exchange encryption | 3DES | |
Default tunnel encryption | 3DES |
(*) This data is not mandatory, but it makes it easier to reference the machine in question.
Next, you'll need to decide if you are going to use the debian-specific tool racoon-tool, or if you're going to configure racoon directly. If you don't know what the difference is, choosing will be quite hard. So here follows a little description of the tools, and what we see as the consequences of your choice.
- racoon is a daemon that can exchange keys with the other end of a prospective IPsec connection in a secure and automated way; it is part of the IPsec-tools package. You are supposed to configure it by means of entering exactly the right data in /etc/racoon/racoon.conf. Using racoon directly is the "standard" way of setting up an IPsec tunnel
- racoon-tool is a Debian-specific Perl script, that can perform your racoon configuration for you. Using this means that you're less likely to make typo's etcetera: it's plain easier. On the other hand, since this is Debian-specific, a lot of information on the Internet might get less usable for you, since that assumes you're using plain racoon. This shortcoming is mitigated somewhat by the realization that racoon-tool generates a racoon.conf file just as you'd expect, but only in a different location (/var/lib/racoon/racoon.conf instead of /etc/racoon/racoon.conf). But then again, you might want to learn how to make IPsec tunnels in a way that can be used on non-Debian servers as well...
We feel there is no compelling general reason to choose one way over the other, so we'll outline both ways here. You'll have to choose, though. Mind you, if you ever change your mind, you can easily switch from direct to racoon-tool or back by running dpkg-reconfigure racoon...
Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under Networking support > Networking options:
- PF_KEY Sockets: This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
- IP: ESP transformation: This option ensures we can create IPsec networking packets in ESP mode.
- IP: IPsec tunnel mode: This option enables the IPsec tunnel mode.
For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to Cryptographic API, and select the algorithms you want. We would suggest the following algorithms:
- Null algorithms: useful for testing
- SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
- Blowfish cipher algorithm: fast and efficient
- AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure
If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.
Verify that your Linux server is not sitting behind a NATting device, like an ADSL modem/router. If it is, you'll need an extra feature (NAT-T, or Nat Traversal), not described in this procedure.
IPsec installation
The amount of software we need to realize an IPsec tunnel is limited, because most of the IPsec capabilities are now integrated in the Linux kernel. The packages we need are:
- ipsec-tools, the package that contains the KAME IPsec tools with which we can control the IPsec implementation that's in the Linux kernel;
- racoon, the Internet Key Exchange daemon;
- vim(*), an improved version of the vi editor.
(*)Well we don't really need vim, but if we install it, not only will we have a very powerful editor, but also will we be able to use the xxd command when generating strong encryption keys.
When using aptitude or apt-get install to install racoon, we'll be asked for the desired "Configuration mode for racoon IKE daemon": direct or racoon-tool. Choose according to your preference.
That's it! No additional software is required. Your system is now ready to set up IPsec tunnels - all it requires is the right configuration (and a correctly configured endpoint for the other end of the tunnel).
IPsec site-to-site tunnel configuration
IPsec tunnel-specific preparations
When we start creating a tunnel, we need the relevant data for the far side of each tunnel we'll be creating, similar to what we've already gathered for our own side of the tunnel. Note that it is not necessary that the other endpoint is also a Linux server; it could just as well be an IPsec capable appliance like a Checkpoint FW1 firewall or a Microsoft Windows server. The main difference between different endpoints is the set of encryption algorithms they'll be able to support. Therefor, the preferred encryption algorithm must be negotiated between you and your counterpart on the other side of the tunnel. In this example, the other side is a Debian server as well, and we've agreed to use SHA1 as algorithm for both the IKE phase and the actual tunnel. Furthermore, we've agreed on a secret key, needed for the initial IKE phase.
Debian Server | Data | Example |
---|---|---|
Name(*) | darktower | |
Internet IP | 82.161.20.13 | |
Private IP | 192.168.1.10 | |
Network(s) | 192.168.1.0/24 | |
Preferred key exchange encryption | SHA1 | |
PreShared Key | 0x383a94619b3d6a8f33a39f68b4d16594 | |
Preferred tunnel encryption | SHA1 |
So how do we generate a strong PSK? A quick way would be to execute this command:
dd if=/dev/random count=16 bs=1 | xxd -ps
This will output a strong key, like 383a94619b3d6a8f33a39f68b4d16594; you'll only have to prepend 0x to signify that it's a hexadecimal key. Note that if you do not prepend 0x, it will mean that the key will be interpreted as a passphrase instead of a key. No harm there, as long as you do this on both sides of the tunnel.
We must put this key in a key file. To this end, we append the file /etc/racoon/psk.txt with the following information:
# key for tunnel to darktower 82.161.20.13 0x383a94619b3d6a8f33a39f68b4d16594
Note: there is already sample information in this file; it is good practice to comment this out. Furthermore, make sure this file is ONLY readable for root (sudo chmod 600). Finally, remember that the other side of the tunnel needs the EXACT same key - transport it there using a very secure method (like going there in person). If your key gets compromised on the way there, your tunnel is not secure!
Now with the data for the tunnel available and the key set up, we can get going on the configuration of the tunnel itself. If you've selected using racoon-tool, read on. If you've chosen direct (or if you're not on a Debian server but another Linux distribution), skip to the next section.
Method 1: using racoon-tool
Method 2: direct racoon configuration
To configure racoon directly, we're going to edit /etc/racoon/racoon.conf. Good practice is to rename the original racoon.conf to racoon.conf.org, and create a fresh one. The basic file looks like this:
# Racoon configuration file path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; # logging level: notify or debug log notify; listen { isakmp 212.238.151.172 [500]; isakmp_natt 212.238.151.172 [4500]; }
This sets some default options for our Racoon daemon.