Host to host VPN: Difference between revisions
Paul Wouters (talk | contribs) No edit summary
Revision as of 01:54, 23 June 2013
This example sets up an IPsec connection between two hosts called "east" and "west".
<pre>
192.0.2.254/24 eth0 WEST eth1 192.1.2.23 --[internet]-- 192.1.2.45 eth1 EAST eth0 192.0.1.254/24
</pre>
Libreswan uses the terms "left" and "right" to describe the two endpoints. We will use left for west and right for east. We will be using raw RSA keys rather than pre-shared keys (PSK), because raw RSA keys are safer (and easier!): no shared secret has to be distributed, and only the public half of each key ends up in the configuration.
Generate a raw RSA host key on each end and show the key for use in our configuration file. Note that the raw key blobs span several lines. We reduced them here for readability. Ensure they appear on a single line in your ipsec.conf.
<pre>
[root@west ~]# ipsec newhostkey --output /etc/ipsec.secrets --bits 4096 --configdir /etc/ipsec.d
Generated RSA key pair using the NSS database
[root@west ~]# ipsec showhostkey --left
# rsakey AQOrlo+hO
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
[root@west ~]#
</pre>
Repeat for east using right:
<pre>
[root@east ~]# ipsec newhostkey --output /etc/ipsec.secrets --bits 4096 --configdir /etc/ipsec.d
Generated RSA key pair using the NSS database
[root@east ~]# ipsec showhostkey --right
# rsakey AQO3fwC6n
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
</pre>
You should now have a file called /etc/ipsec.secrets on both sides, which contains the public component of the RSA key. The secret part is stored in the /etc/ipsec.d/*.db files, also called the "NSS database". You can protect this database with a passphrase if you want, but that prevents the machine from bringing up the tunnel at boot, because a human would have to enter the passphrase. Note that on older Openswan versions compiled without HAVE_NSS, /etc/ipsec.secrets actually contains the secret part of the RSA key pair as well, so it must be readable by root only.
Now we are ready to make a simple /etc/ipsec.conf file for our host to host tunnel. Parameters inside a section must be indented; an unindented line starts a new section. The two rsasigkey lines carry the public keys shown above (abbreviated here with [...]); paste each one from the showhostkey output as a single unbroken line:
<pre>
# The version is only required for openswan
version 2
config setup
	nat_traversal=yes
	protostack=netkey
conn mytunnel
	left=192.1.2.23
	# full key from "ipsec showhostkey --left" on west, on one line
	leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
	right=192.1.2.45
	# full key from "ipsec showhostkey --right" on east, on one line
	rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
	authby=rsasig
	auto=start
</pre>
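The two steps above (joining the wrapped key blob back onto one line, then pasting it into the conn stanza) are the point where this setup usually goes wrong, so here is an added example, not code from the Libreswan page or project, that checks the keys before they reach ipsec.conf. It assumes the "0s" blob is base64 of the RFC 3110 DNS RSA KEY layout that Openswan and Libreswan use for raw keys (one exponent-length byte, the exponent, then the modulus). The page's own keys are truncated, so the sample modulus, the fake_showhostkey() output and the function names are constructed for the demo. The prefix check falls out of that layout: the page's keys start with 0sAQO, which decodes to exponent length 1 and exponent 3, while a key with exponent 65537 starts with 0sAwEAA.

```python
import base64
import re

# Constructed sample modulus: 4096 bits with the top bit set. NOT a real RSA
# modulus, only something for the encoder/decoder to round-trip.
SAMPLE_MODULUS = (1 << 4095) | int.from_bytes(b"constructed sample, not a real key" * 4, "big") | 1


def make_raw_rsa_key(exponent: int, modulus: int) -> str:
    """Encode a public key the way ipsec showhostkey prints it: "0s" (base64
    marker) + base64 of RFC 3110 bytes: exponent-length byte, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) > 255:
        raise ValueError("exponent too long for the one-byte length form")
    return "0s" + base64.b64encode(bytes([len(e)]) + e + n).decode("ascii")


def parse_raw_rsa_key(blob: str) -> tuple[int, int]:
    """Decode a "0s..." blob and return (exponent, modulus_bits).
    Raises ValueError for anything that is not a well-formed public key,
    including a blob that still contains line breaks (validate=True rejects
    every non-base64 character, so a wrapped key fails right here)."""
    if not blob.startswith("0s"):
        raise ValueError("raw RSA key must start with the 0s base64 marker")
    raw = base64.b64decode(blob[2:], validate=True)
    if len(raw) < 2:
        raise ValueError("key blob too short")
    if raw[0] != 0:                                   # short form: one length byte
        elen, off = raw[0], 1
    else:                                             # long form: 0x00 then 16-bit length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or len(raw) <= off + elen:
        raise ValueError("truncated key blob")
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = int.from_bytes(raw[off + elen:], "big")
    return exponent, modulus.bit_length()


def is_valid_key(blob: str, min_bits: int = 2048) -> bool:
    """True when the blob decodes and the modulus is at least min_bits long."""
    try:
        _, bits = parse_raw_rsa_key(blob)
    except ValueError:
        return False
    return bits >= min_bits


def join_key_lines(showhostkey_output: str) -> str:
    """Return the leftrsasigkey=/rightrsasigkey= line from showhostkey output
    as one line, re-joining continuation lines that start with whitespace."""
    joined: list[str] = []
    for line in showhostkey_output.splitlines():
        continuation = line[:1].isspace()
        text = line.strip()
        if continuation and joined and "rsasigkey=" in joined[-1]:
            joined[-1] += text
        else:
            joined.append(text)
    for line in joined:
        if re.fullmatch(r"(left|right)rsasigkey=0s[A-Za-z0-9+/=]+", line):
            return line
    raise ValueError("no rsasigkey= line found in showhostkey output")


def render_conn(name: str, left: str, right: str, left_key_line: str,
                right_key_line: str, min_bits: int = 2048) -> str:
    """Build the conn stanza from this page, refusing a key that does not decode
    or whose modulus is shorter than min_bits, so a bad paste fails here
    instead of at tunnel start."""
    lines = [f"conn {name}", f"\tleft={left}", f"\tright={right}"]
    for key_line in (left_key_line, right_key_line):
        side, blob = key_line.split("rsasigkey=", 1)
        _, bits = parse_raw_rsa_key(blob)
        if bits < min_bits:
            raise ValueError(f"{side} key is only {bits} bits, want >= {min_bits}")
        lines.append(f"\t{side}rsasigkey={blob}")
    lines += ["\tauthby=rsasig", "\tauto=start"]
    return "\n".join(lines)


def fake_showhostkey(side: str, blob: str, width: int = 60) -> str:
    """Constructed stand-in for `ipsec showhostkey --<side>` whose key line is
    wrapped onto tab-indented continuation lines, as the wiki rendering shows."""
    head = f"{side}rsasigkey={blob[:width]}"
    tail = ["\t" + blob[i:i + width] for i in range(width, len(blob), width)]
    return "\n".join([f"# rsakey {blob[2:11]}", head] + tail)


WEST_KEY = make_raw_rsa_key(3, SAMPLE_MODULUS)                # starts 0sAQO: e=3
EAST_KEY = make_raw_rsa_key(65537, SAMPLE_MODULUS ^ 0xFFFF)   # starts 0sAwEAA: e=65537

if __name__ == "__main__":
    west = join_key_lines(fake_showhostkey("left", WEST_KEY))
    east = join_key_lines(fake_showhostkey("right", EAST_KEY))
    print(render_conn("mytunnel", "192.1.2.23", "192.1.2.45", west, east))
```

Run it as-is to see the stanza built from the constructed keys; on a real host, feed the output of `ipsec showhostkey --left` and `--right` to join_key_lines() instead of fake_showhostkey(). The base64 validate=True decode is the check that matters: a key that is still wrapped, or that picked up a space when it was copied, is rejected before it is written to ipsec.conf.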