Host-to-host configurations allow two nodes to establish a tunnel between them. The encrypted communication is limited to the two nodes involved; no networks behind either host are carried through the tunnel.
Figure 11: Host to Host Configuration Example Details
Required tasks:
Fields | Values | Comments |
---|---|---|
Connection name | <String> | |
leftid | @West | Identifier for the west/left host. Accepted values: %left (uses the value of left) or @<STRING> (uses the string literally, without DNS resolution). The leftid value is used to select the PSK from the secrets file |
left | <IP or FQDN> of the West/Left host | In addition to an actual IP address, the following values can be used; they are resolved when the service starts: %defaultgateway, %eth0 |
rightid | @East | Identifier for the east/right host. Accepted values: %right (uses the value of right) or @<STRING> (uses the string literally, without DNS resolution). The rightid value is used to select the PSK from the secrets file |
right | <IP or FQDN> of the East/Right host | In addition to an actual IP address, the following values can be used; they are resolved when the service starts: %defaultgateway, %eth0 |
authby | secret | Authenticate the peers with a pre-shared key taken from the secrets file |
auto | start | Regulates when the IPsec tunnel is established. Accepted values: add (loaded, started manually), start (started with the service), ondemand (established when matching traffic appears), ignore (connection is ignored and not used) |
connaddrfamily | ipv4 | Possible values are ipv4 or ipv6 |
Format:
    conn <Connection name>
        connaddrfamily=ipv4
        auto=<add|start|ondemand|ignore>
        authby=secret
        leftid=@<STRING>
        left=<IP or FQDN>
        rightid=@<STRING>
        right=<IP or FQDN>
Example /etc/ipsec/ipsec.d/host-to-host-psk.conf
    conn host-to-host-psk
        connaddrfamily=ipv4
        auto=start
        authby=secret
        leftid=@West
        left=192.168.50.4
        rightid=@East
        right=192.168.58.4
Fields | Values | Comments |
---|---|---|
leftid | has to match leftid in the connection configuration file | The pair of IDs selects which PSK line is used for the connection |
rightid | has to match rightid in the connection configuration file | |
PSK | Pre-Shared Key | Use a long random value (the example below is a base64-encoded random key). Both hosts must carry the identical key, and the secrets file should be readable by root only |
Format:
    <leftid> <rightid> : PSK "<Pre-Shared Key>"
Example for /etc/ipsec/ipsec.d/host-to-host-psk.secrets
    @West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="
Restart the service so that the new connection and secrets are loaded:

    root@ng-west:~# ipsec restart
    Redirecting to: /etc/init.d/ipsec stop
    Shutting down pluto IKE daemon
    002 shutting down
    Redirecting to: /etc/init.d/ipsec start
    Starting pluto IKE daemon for IPsec: .
    root@ng-west:~#

Verify that the tunnel is up. The trafficstatus line shows the ESP SA for the connection and the peer ID it was negotiated with; the counters stay at zero until traffic is sent:

    root@ng-west:~# ipsec whack --trafficstatus
    006 #2: "host-to-host-psk", type=ESP, add_time=1524092870, inBytes=0, outBytes=0, id='@East'

In the full status output, STATE_MAIN_I4 confirms the ISAKMP (IKE) SA and STATE_QUICK_I2 the IPsec SA. If only the #1 ISAKMP entry appears, the peers authenticated but did not agree on the IPsec SA; if neither appears, check that the IDs and PSK match on both hosts:

    root@ng-west:~# ipsec whack --status |grep host-to-host-psk
    …………….
    000 #2: "host-to-host-psk":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27867s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
    000 #2: "host-to-host-psk" esp.f0f258e4@192.168.58.4 esp.6d38b7cc@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
    000 #1: "host-to-host-psk":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2426s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
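The most common reason a PSK tunnel fails to come up is a mismatch between the IDs in the conn file and the IDs on the PSK line, or a PSK that differs between the two hosts. The following script is an added example, not part of the original page or of the vendor's tooling: it parses a conn file and a secrets file in the formats shown above, checks that authby, leftid and rightid line up with a PSK line of adequate length, compares the peer ID reported by `ipsec whack --trafficstatus` against rightid, and generates a fresh random key. The conn text, secrets lines, key and status line embedded in it are constructed for the example and are not the page's real values; the conn name `host-to-host-psk` and the 32-byte minimum key length are assumptions.

```python
"""Consistency checks for a host-to-host PSK connection (added example).

Parses the conn file and the .secrets file formats shown on the page,
verifies that IDs and authentication method agree, cross-checks the peer
ID from a --trafficstatus line, and generates a fresh PSK. All inputs
below are constructed samples; the key is not the page's key.
"""
import base64
import re
import secrets

# Constructed sample conn file (same fields as the page's example).
CONN_FILE = """\
conn host-to-host-psk
    connaddrfamily=ipv4
    auto=start
    authby=secret
    leftid=@West
    left=192.168.50.4
    rightid=@East
    right=192.168.58.4
"""

# Constructed sample secrets line: a made-up 32-byte key, base64 encoded.
SAMPLE_PSK = base64.b64encode(b"constructed-sample-psk-not-real!").decode()
SECRETS_FILE = f'@West @East : PSK "{SAMPLE_PSK}"\n'

# Constructed broken secrets line: its rightid does not match the conn file.
BAD_SECRETS_FILE = '@West @North : PSK "short"\n'

# Constructed line in the shape of `ipsec whack --trafficstatus` output.
TRAFFICSTATUS_LINE = ('006 #2: "host-to-host-psk", type=ESP, add_time=1524092870, '
                      "inBytes=0, outBytes=0, id='@East'")

PSK_RE = re.compile(r'^(?P<ids>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')
TRAFFIC_RE = re.compile(r'^\d{3}\s+#(?P<sa>\d+):\s+"(?P<name>[^"]+)",\s+type=(?P<type>\w+),'
                        r".*\bid='(?P<id>[^']*)'")


def parse_conn(text):
    """Return {conn_name: {key: value}} for every `conn` section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return [(ids, psk)] for every `<ids> : PSK "<key>"` line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PSK_RE.match(line)
        if not m:
            raise ValueError(f"unparseable secrets line: {line!r}")
        entries.append((tuple(m.group("ids").split()), m.group("psk")))
    return entries


def check_psk_conn(conn, entries, min_psk_len=32):
    """Return a list of problems; an empty list means conn and secrets agree."""
    problems = []
    if conn.get("authby") != "secret":
        problems.append("authby is not 'secret', so no PSK will be used")
    leftid, rightid = conn.get("leftid"), conn.get("rightid")
    if not (leftid and rightid):
        problems.append("leftid/rightid missing; the PSK cannot be selected")
        return problems
    # A PSK line applies only if it names both IDs of the connection.
    matching = [psk for ids, psk in entries if {leftid, rightid} <= set(ids)]
    if not matching:
        problems.append(f"no PSK line covers both {leftid} and {rightid}")
    for psk in matching:
        if len(psk) < min_psk_len:  # assumed minimum, not a vendor requirement
            problems.append(f"PSK for {leftid}/{rightid} is only {len(psk)} characters")
    return problems


def parse_trafficstatus(line):
    """Extract SA number, conn name, SA type and peer id from a --trafficstatus line."""
    m = TRAFFIC_RE.match(line)
    return m.groupdict() if m else None


def new_psk(nbytes=32):
    """Fresh random PSK, base64 encoded (44 characters for 32 bytes)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def run_checks(conn_text=CONN_FILE, secrets_text=SECRETS_FILE, status_line=TRAFFICSTATUS_LINE):
    """Cross-check the conn file, the secrets file and the live trafficstatus line."""
    conn = parse_conn(conn_text)["host-to-host-psk"]  # assumed conn name
    problems = check_psk_conn(conn, parse_secrets(secrets_text))
    status = parse_trafficstatus(status_line)
    if status and status["id"] != conn["rightid"]:
        problems.append(f"peer id {status['id']} differs from rightid {conn['rightid']}")
    return problems


if __name__ == "__main__":
    print("sample config:", run_checks() or "OK")
    print("broken secrets:", run_checks(secrets_text=BAD_SECRETS_FILE))
    print("new PSK:", new_psk())
```

Run it on both hosts with the real files (`parse_conn(open(path).read())`) and compare the PSK strings, not just the IDs; the check deliberately treats a key shorter than 32 characters as a problem because a short or guessable PSK is the weak point of this authentication mode.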