Overview

Host to Site configurations are very similar to Host to Host configurations, especially the authentication methods are the same. Added changes to the configurations are the values for rightsourceip and rightsubnets. These values will expose the listed subnets to the IPSec tunnel and will allows clients in these subnets to communicate with the host (west) node and will allow the west node to allow to communicate with clients in the listed subnets.

In case rightsourceip is used the communication between the 2 nodes will not be encrypted only communication between the west node and the subnet would be encrypted. If a value is defined, then all communication between the East and the west host will use the defined IP Address.

Figure 12: Host to Site Configuration Example Details

Host to Site with RSA Key

1. Prepare both nodes (see: How to Prepare a Nodegrid Node for IPSec )
   
2. On both nodes create an RSA Key (see: Prepare RSA keys )
   
3. Create connection configuration file in /etc/ipsec/ipsec.d/ directory as root user
   

Fields	Values	Comments
Connection name	<String>
leftid	@West	Identifier for the west/left site. Values can be: %left  - uses left as value @<STRING> - uses the string The leftid values is used to identify the PSK
left	<IP or FQDN> of the West/Left host	Additional to an actual IP address can the following values be used. These are resolved when the service starts. %defaultgateway %eth0
leftrsasigkey	Public RSA Key
rightid	@East	Identifier for the East/right site. Values can be: %right - uses left as value @<STRING> - uses the string The rightid values is used to identify the PSK
right	<IP or FQDN> of the East/Right host	Additional to an actual IP address can the following values be used. These are resolved when the service starts. %defaultgateway %eth0
rightsourceip	<INTERNAL IP TO BE USED>	IP address if the east node which should be used for the tunnel communication. This IP should belong the rightsubnet.
rightsubnets	<LIST OF SUBNETS>	One or multiple subnet can be defined, for each subnet a individual tunnel will be created
rightrsasigkey	Public RSA Key
authby	rsasig
auto	start	The setting regulates when the IPSec tunnel will be established. Following values are accepted: add (manual start), start (starts with the service), ondemand (will be established if traffic exists), ignore (connection will be ignored and not used)
connaddrfamily	ipv4	Possiable values are ipv4 or ipv6

Format:


conn 
connaddrfamily=ipv4
auto=
authby=secret
leftid=
left=FQDN>
leftrsasigkey=
rightid=
right=FQDN>
rightsourceip=
rightsubnet={MASK> MASK>}
rightrsasigkey=
      

Example /etc/ipsec/ipsec.d/host-to-site-rsa.conf


conn host-to-site-rsa
connaddrfamily=ipv4
auto=start
authby=rsasig
leftid=@West
left=192.168.50.4
leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==
rightid=@East
right=192.168.58.4
rightsourceip=192.168.60.4
rightsubnets={192.168.60.0/24 192.168.61.0/24}
rightrsasigkey=0Vaixy810IkQzUU+SmxA6O………..WORl0i3K43tZx9aakmMyvanRg7Bwz4R+ssDe4+MwsGP0= 
         
      

4. Copy the configuration file only to the other node. The Secret File does not need to be copied in this case
   
5. Restart IPSec service on both nodes
   

root@ng-west:~# ipsec restart
Redirecting to: /etc/init.d/ipsec stop
Shutting down pluto IKE daemon
002 shutting down
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
root@ng-west:~#
         
      

6. Confirm that the tunnel was established
   
1. Short Information
   
2. More Detailed Information
   

root@ng-west:~# ipsec whack --status |grep host-to-site-rsa
……………. 
000 #4: "host-to-site-rsa":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28035s; isakmp#3; idle; import:not set
000 #4: "host-to- site -rsa" esp.51e306d2@192.168.58.4 esp.7bdcb6d9@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3: "host-to- site -rsa":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2835s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #5: "host-to- site -rsa":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27555s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
000 #5: "host-to- site -rsa" esp.acd469a4@192.168.58.4 esp.6b948bad@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #2: "host-to- site -rsa":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2114s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate