How to Configure IPSec Site to Site Tunnel with Pre-Shared Key

Version 0.1 (02 May 2018)

Overview

Site to Site configurations are a further extension of Host to Site configurations. In this case communication is expanded to multiple subnets on both sides of the connection. The subnets and the IP addresses used for the tunnel communication are defined with leftsourceip, rightsourceip, leftsubnets and rightsubnets.


Site to Site with Pre-shared Key

Required tasks:

  1. Prepare both nodes (see: How to Prepare a Nodegrid Node for IPSec)
  2. On one of the nodes create a Pre-Shared Key (see: How to create Pre-shared Keys for IPSec)
  3. Create the connection configuration file in the /etc/ipsec/ipsec.d/ directory as the root user
  4. The connection configuration file uses the following fields:

     Field: connection name
     Value: <String>

     Field: leftid
     Value: @West
     Comments: Identifier for the West/left site. Values can be:
       %left - uses the value of left
       @<STRING> - uses the string
       The leftid value is used to identify the PSK.

     Field: left
     Value: <IP or FQDN> of the West/Left host
     Comments: In addition to an actual IP address, the following values can be used. These are resolved when the service starts.
       %defaultgateway
       %eth0

     Field: leftsourceip
     Value: <INTERNAL IP TO BE USED>
     Comments: IP address of the west node which should be used for the tunnel communication. This IP should belong to the leftsubnet.

     Field: leftsubnet
     Value: <SUBNET>
     Comments: One subnet can be defined.

     Field: leftsubnets
     Value: <LIST OF SUBNETS>
     Comments: One or multiple subnets can be defined; for each subnet an individual tunnel will be created.

     Field: rightid
     Value: @East
     Comments: Identifier for the East/right site. Values can be:
       %right - uses the value of right
       @<STRING> - uses the string
       The rightid value is used to identify the PSK.

     Field: right
     Value: <IP or FQDN> of the East/Right host
     Comments: In addition to an actual IP address, the following values can be used. These are resolved when the service starts.
       %defaultgateway
       %eth0

     Field: rightsourceip
     Value: <INTERNAL IP TO BE USED>
     Comments: IP address of the east node which should be used for the tunnel communication. This IP should belong to the rightsubnet.

     Field: rightsubnet
     Value: <SUBNET>
     Comments: One subnet can be defined.

     Field: rightsubnets
     Value: <LIST OF SUBNETS>
     Comments: One or multiple subnets can be defined; for each subnet an individual tunnel will be created.

     Field: authby
     Value: secret

     Field: auto
     Value: start
     Comments: This setting regulates when the IPSec tunnel will be established. The following values are accepted: add (manual start), start (starts with the service), ondemand (established when traffic exists), ignore (connection is ignored and not used).

     Field: connaddrfamily
     Value: ipv4
     Comments: Possible values are ipv4 or ipv6.

     Format:

     conn <NAME>
          connaddrfamily=ipv4
          auto=<add|start|ondemand|ignore>
          authby=secret

          leftid=@<STRING>
          left=<IP or FQDN>
          leftsourceip=<INTERNAL IP TO BE USED>
          leftsubnet=<SUBNET/MASK>
          rightid=@<STRING>
          right=<IP or FQDN>
          rightsourceip=<INTERNAL IP TO BE USED>
          rightsubnets={<SUBNET/MASK> <SUBNET/MASK>}

     Example /etc/ipsec/ipsec.d/site-to-site-psk.conf

     conn site-to-site-psk
          connaddrfamily=ipv4
          auto=start
          authby=secret

          leftid=@West
          left=192.168.50.4
          leftsourceip=192.168.59.4
          leftsubnet=192.168.59.0/24
          rightid=@East
          right=192.168.58.4
          rightsourceip=192.168.60.4
          rightsubnets={192.168.60.0/24 192.168.61.0/24}
  5. Create a secrets file in /etc/ipsec/ipsec.d/site-to-site-psk.secrets
  6. The secrets file uses the following fields:

     Field: leftid
     Value: has to match leftid in the connection configuration file

     Field: rightid
     Value: has to match rightid in the connection configuration file

     Field: PSK
     Value: Pre-Shared Key

     Format:

       <leftid> <rightid> : PSK "<Pre-Shared Key>"

     Example for /etc/ipsec/ipsec.d/site-to-site-psk.secrets

     @West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="
  7. Copy the configuration file and the secrets file to the other node.
  8. Restart the IPSec service on both nodes.
  9. Example restart output:

     root@ng-west:~# ipsec restart
     Redirecting to: /etc/init.d/ipsec stop
     Shutting down pluto IKE daemon
     002 shutting down

     Redirecting to: /etc/init.d/ipsec start
     Starting pluto IKE daemon for IPsec: .
     root@ng-west:~#
  10. Confirm that the tunnel was established.

     Short information:

     root@ng-west:~# ipsec whack --trafficstatus
     006 #2: "site-to-site-psk", type=ESP, add_time=1524092870, inBytes=0, outBytes=0, id='@East'

     More detailed information:

     root@ng-west:~# ipsec whack --status |grep site-to-site-psk
     …
     000 #2: "site-to-site-psk":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27867s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
     000 #2: "site-to-site-psk" esp.f0f258e4@192.168.58.4 esp.6d38b7cc@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
     000 #1: "site-to-site-psk":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2426s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
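The field tables for the connection file and the secrets file (steps 4 and 6) state several constraints that are easy to get wrong when editing by hand: the source IP of each side must lie inside that side's subnet(s), authby must be secret, auto and connaddrfamily take a fixed set of values, and the ids in the secrets line must match leftid and rightid. The following Python validator is an added example, not part of the original article or of the Nodegrid software; it parses the article's example connection file plus a secrets line with a constructed placeholder key. Function and variable names are my own.

```python
"""Consistency checks for a site-to-site PSK configuration: the conn file and
the secrets file are parsed and the constraints stated in the field tables are
verified. Added example; not Nodegrid/libreswan code."""
import ipaddress
import re

# Constructed sample input: the article's example connection file, plus a
# secrets line whose key is a placeholder (not a real PSK).
CONN_FILE = """\
conn site-to-site-psk
     connaddrfamily=ipv4
     auto=start
     authby=secret

     leftid=@West
     left=192.168.50.4
     leftsourceip=192.168.59.4
     leftsubnet=192.168.59.0/24
     rightid=@East
     right=192.168.58.4
     rightsourceip=192.168.60.4
     rightsubnets={192.168.60.0/24 192.168.61.0/24}
"""
SECRETS_FILE = '@West @East : PSK "PLACEHOLDER-PSK-BASE64="\n'

AUTO_VALUES = {"add", "start", "ondemand", "ignore"}


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' block."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def parse_secrets(text):
    """Return [(set_of_ids, psk)] for each '<ids...> : PSK "<key>"' line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            out.append((set(m.group(1).split()), m.group(2)))
    return out


def _subnets(conf, side):
    """Collect leftsubnet/leftsubnets (or right*) as ip_network objects."""
    nets = []
    if conf.get(f"{side}subnet"):
        nets.append(ipaddress.ip_network(conf[f"{side}subnet"], strict=False))
    if conf.get(f"{side}subnets"):
        inner = conf[f"{side}subnets"].strip("{}")
        nets += [ipaddress.ip_network(n, strict=False) for n in inner.split()]
    return nets


def validate(conn_text, secrets_text, name):
    """Return a list of problems found; an empty list means the files are consistent."""
    problems = []
    conf = parse_conn(conn_text).get(name)
    if conf is None:
        return [f"no 'conn {name}' block found"]
    if conf.get("authby") != "secret":
        problems.append("authby must be 'secret' for PSK authentication")
    if conf.get("auto") not in AUTO_VALUES:
        problems.append(f"auto={conf.get('auto')!r} is not one of {sorted(AUTO_VALUES)}")
    if conf.get("connaddrfamily") not in {"ipv4", "ipv6"}:
        problems.append("connaddrfamily must be ipv4 or ipv6")
    for side in ("left", "right"):
        nets = _subnets(conf, side)
        if not nets:
            problems.append(f"{side}subnet(s) missing")
            continue
        src = conf.get(f"{side}sourceip")
        if not src:
            problems.append(f"{side}sourceip missing")
            continue
        try:  # the source IP must belong to one of that side's subnets
            inside = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            inside = False
        if not inside:
            problems.append(f"{side}sourceip {src} is not inside any {side} subnet")
    # the secrets line must name both ids and carry a non-empty key
    ids = {conf.get("leftid"), conf.get("rightid")}
    if not any(ids <= sec_ids and psk for sec_ids, psk in parse_secrets(secrets_text)):
        problems.append("no secrets line with a PSK covering both leftid and rightid")
    return problems


if __name__ == "__main__":
    print(validate(CONN_FILE, SECRETS_FILE, "site-to-site-psk") or "configuration is consistent")
```

Run it against the contents of the two files before restarting the service on either node; because the same files are copied to the other node in step 7, one inconsistency would otherwise break both ends. The secrets file holds the shared key in clear text, so it should stay readable by root only.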
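For the confirmation step, the two whack outputs above have to be read together: the `--status` lines show whether the ISAKMP SA (STATE_MAIN_I4) and the IPsec SA (STATE_QUICK_I2) exist, while `--trafficstatus` shows the ESP entries with their peer id and byte counters. The following Python parser is an added example, not part of the article or of the Nodegrid software; the sample output embedded in it is constructed from the lines shown above, and the function names are my own.

```python
"""Parse 'ipsec whack --trafficstatus' and 'ipsec whack --status' output and
report whether a named connection has both SAs established.
Added example; not Nodegrid/libreswan code."""
import re

# Constructed sample output, modelled on the lines shown in the article.
TRAFFIC_STATUS = """\
006 #2: "site-to-site-psk", type=ESP, add_time=1524092870, inBytes=0, outBytes=0, id='@East'
"""
STATUS = """\
000 #2: "site-to-site-psk":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27867s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "site-to-site-psk" esp.f0f258e4@192.168.58.4 esp.6d38b7cc@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #1: "site-to-site-psk":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2426s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

# One ESP entry per line in --trafficstatus output.
TRAFFIC_RE = re.compile(
    r'#(?P<sa>\d+): "(?P<name>[^"]+)", type=(?P<type>\w+), add_time=(?P<added>\d+), '
    r"inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+), id='(?P<peer>[^']*)'"
)
# State lines in --status output: '#N: "name":port STATE_xxx (description); ...'
STATE_RE = re.compile(
    r'#(?P<sa>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)'
)


def parse_trafficstatus(text):
    """One dict per ESP entry, with numeric fields converted to int."""
    entries = []
    for line in text.splitlines():
        m = TRAFFIC_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sa", "added", "inb", "outb"):
                d[key] = int(d[key])
            entries.append(d)
    return entries


def parse_states(text):
    """One dict per SA state line (sa number, conn name, state, description)."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sa"] = int(d["sa"])
            states.append(d)
    return states


def tunnel_summary(name, traffic_text, status_text):
    """Judge from both outputs whether the named connection is up."""
    states = [s for s in parse_states(status_text) if s["name"] == name]
    esp = [e for e in parse_trafficstatus(traffic_text) if e["name"] == name]
    isakmp_up = any("ISAKMP SA established" in s["desc"] for s in states)
    ipsec_up = any("IPsec SA established" in s["desc"] for s in states)
    return {
        "isakmp_established": isakmp_up,
        "ipsec_established": ipsec_up,
        "esp_sas": len(esp),                      # one per negotiated subnet pair
        "peers": sorted(e["peer"] for e in esp),  # should equal rightid on the west node
        "bytes_in": sum(e["inb"] for e in esp),
        "bytes_out": sum(e["outb"] for e in esp),
        "up": isakmp_up and ipsec_up and bool(esp),
    }


if __name__ == "__main__":
    print(tunnel_summary("site-to-site-psk", TRAFFIC_STATUS, STATUS))
```

Zero byte counters right after the restart only mean that no traffic has crossed the tunnel yet, not that it failed; send traffic from an address in leftsubnet to one in the right subnets and re-run `ipsec whack --trafficstatus` to see the counters move. Since the field table says every subnet in rightsubnets gets its own tunnel, compare the esp_sas count with the number of configured subnets as well.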

    Related Articles

    • How to configure IPSec Host to Site tunnel with Pre-Shared Key
    • How to Configure IPSec Host to Host Tunnel with Pre-Shared Key
    • How to create Pre-shared Keys for IPSec
    • How to Configure IPSec Site to Site Tunnel with RSA Keys
    • How to Configure IPSec Host to Site tunnel with RSA Keys