L2L Tunnel on Linux

From cwhite's wiki


I am running a couple of bridges on this server: one bridge for public IP addresses and the other for internal private networking. I set this up so that the servers on the internal bridge can reach the servers on the other end of the site-to-site VPN. The internal bridge is PATed out to the internet, so I also have to set up some additional iptables rules, which I cover in this article. This should work on all distributions; the only differences are how you install the packages and where the configuration files live.

All of these instructions are performed under the root user.

Distro: Ubuntu 15.10 (Wily)

Local endpoint:
Remote endpoint:

Local subnet:
Remote subnet:

Packages: racoon and ipsec-tools

Setting up the server

1. Install the required packages

apt-get install racoon ipsec-tools

When the racoon package asks for the configuration mode of the IKE daemon, choose "direct" (edit the configuration files by hand).

2. Configuring Racoon
Add the remote endpoint's IP address and the tunnel's pre-shared key to /etc/racoon/psk.txt, one pair per line separated by whitespace (REMOTE_ENDPOINT is a placeholder; the address used on this page was not preserved):

REMOTE_ENDPOINT strong_password

Lock the file down so that only root can read it; racoon refuses a world-readable key file:

chmod 400 /etc/racoon/psk.txt
chown root:root /etc/racoon/psk.txt

Edit the racoon.conf file located at /etc/racoon/racoon.conf and add the following. Tweak to match your environment.

# Tunnel pre-shared key
path pre_shared_key "/etc/racoon/psk.txt";

#log debug;

# REMOTE_ENDPOINT, LOCAL_SUBNET and REMOTE_SUBNET are placeholders; the addresses
# used on this page were not preserved.
remote REMOTE_ENDPOINT {
        exchange_mode main,aggressive;
#       nat_traversal on;
        my_identifier address;
        peers_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 seconds;
        }
}

sainfo address LOCAL_SUBNET any address REMOTE_SUBNET any {
        lifetime time 3600 seconds;
        encryption_algorithm aes, 3des, blowfish 448, twofish, rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

If you are behind a NAT device, uncomment the "nat_traversal" line. There is quite a bit you can tweak once this is configured; I would suggest you first get the tunnel up and only then start tweaking timers and other variables. The phase 1 proposal above (3des, sha1, dh_group 2) is what I configured; racoon also accepts aes, sha256 and dh_group 14 if the far end supports them. See the man page for the list of supported algorithms and variables.

3. Configuring setkey
Edit /etc/ipsec-tools.conf and add the following (obviously modify to match your environment; LOCAL_*/REMOTE_* are placeholders, as the addresses used on this page were not preserved):

# Flush the SPD and the SAD
flush;
spdflush;

# Security policies: tunnel traffic between the two subnets through the two endpoints
spdadd LOCAL_SUBNET REMOTE_SUBNET any -P out ipsec
        esp/tunnel/LOCAL_ENDPOINT-REMOTE_ENDPOINT/require;

spdadd REMOTE_SUBNET LOCAL_SUBNET any -P in ipsec
        esp/tunnel/REMOTE_ENDPOINT-LOCAL_ENDPOINT/require;

4. Configuring iptables
I am using the following iptables rules. They let the devices on the internal bridge reach the internet via PAT while still allowing communication over the site-to-site tunnel. The RETURN rules must come before the MASQUERADE rule: if traffic bound for the remote subnet were masqueraded first, its source would be rewritten to the public address and it would no longer match the "out" policy in ipsec-tools.conf. Ensure you have enabled IPv4 forwarding in the kernel.

# LOCAL_SUBNET / REMOTE_SUBNET are placeholders; the addresses used on this page were not preserved.
# One RETURN rule per destination that must bypass NAT (this page had two), then the catch-all MASQUERADE.
iptables -t nat -A POSTROUTING -s LOCAL_SUBNET -d REMOTE_SUBNET -j RETURN
iptables -t nat -A POSTROUTING -s LOCAL_SUBNET -d SECOND_REMOTE_SUBNET -j RETURN
iptables -t nat -A POSTROUTING -s LOCAL_SUBNET -j MASQUERADE
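The following script is an added example and not part of the original page or of the racoon/ipsec-tools projects. It bundles the checks I would run after steps 2 to 4: that psk.txt is not readable by other users, that `setkey -D` shows a mature ESP tunnel SA in each direction (otherwise phase 2 never completed), and that the POSTROUTING chain has the tunnel RETURN rule ahead of the MASQUERADE rule. Each check reads command output from stdin, so it runs offline against the constructed samples at the bottom; the sample `setkey -D` and `iptables -S` text follows the shape of real output but uses made-up SPIs and RFC 5737 documentation addresses, and the function names, the `live` argument and the LOCAL_SUBNET/REMOTE_SUBNET placeholders are mine.

```shell
#!/bin/sh
# Added post-setup checks for the tunnel described above (not from the original page).
# Run live on the server with:  sh tunnel-check.sh live
# Each check reads command output from stdin, so it can also be exercised with the
# constructed samples below.

# Step 2: the PSK file must be readable by root only (mode 400 or 600).
psk_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Steps 3 and 5: count ESP tunnel SAs in state=mature in `setkey -D` output.
# A healthy tunnel has at least two (one per direction). Policies loaded but
# zero SAs means racoon never finished phase 2 with the peer.
count_mature_esp_sas() {
    awk '
        /^[0-9a-fA-F.:]+ [0-9a-fA-F.:]+$/ { esp = 0 }   # "src dst" header starts a new SA
        /^[[:space:]]+esp mode=tunnel/     { esp = 1 }
        esp && /state=mature/              { n++ }
        END { print n + 0 }
    '
}

# Step 4: succeed only if a RETURN rule for src -> dst appears before the
# MASQUERADE rule for src in `iptables -t nat -S POSTROUTING` output. If
# MASQUERADE came first, tunnel-bound packets would be rewritten to the public
# address and would no longer match the "out" policy in ipsec-tools.conf.
nat_exempts_tunnel() {
    awk -v src="$1" -v dst="$2" '
        index($0, "-s " src) && index($0, "-d " dst) && /-j RETURN/ && !masq { ok = 1 }
        index($0, "-s " src) && /-j MASQUERADE/                            { masq = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# --- constructed samples (shape of real output; SPIs and addresses are made up) ---
sample_setkey_d() {
    cat <<'EOF'
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=267238416(0x0fed7810) reqid=0(0x00000000)
    E: aes-cbc  0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
    E: aes-cbc  fedcba9876543210fedcba9876543210
    A: hmac-sha1  76543210fedcba9876543210fedcba9876543210
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=19088743(0x01234567) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
EOF
}

sample_nat_good() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -d 172.16.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
EOF
}

sample_nat_bad() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -d 172.16.0.0/24 -j RETURN
EOF
}

# Live mode: replace LOCAL_SUBNET / REMOTE_SUBNET with your real subnets first.
if [ "${1:-}" = "live" ]; then
    psk_mode_ok /etc/racoon/psk.txt || echo "psk.txt is not mode 400/600"
    echo "mature ESP tunnel SAs: $(setkey -D | count_mature_esp_sas) (expect at least 2)"
    iptables -t nat -S POSTROUTING | nat_exempts_tunnel LOCAL_SUBNET REMOTE_SUBNET \
        || echo "MASQUERADE precedes the tunnel RETURN rule (or placeholders not replaced)"
fi
```

Against the constructed sample the SA count is 2 (the third, dying SA is ignored), the well-ordered chain passes and the swapped one fails. In live mode the same functions are fed the real `setkey -D` and `iptables -t nat -S POSTROUTING` output.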

5. Enable and start services
With systemd, all you need to do is run the following:

systemctl enable racoon.service
systemctl enable setkey.service

systemctl restart racoon.service
systemctl restart setkey.service


Other resources

Really good guide with examples, explanations and troubleshooting tips.

Another really decent guide

racoon.conf man page

NAT-T on Local and Remote side

In some cases, you may have both of your endpoints behind a NAT device. I was able to find an article where there was one side behind a NAT device but wasn't able to find an article that had both endpoints behind NAT devices so here I am! In this example, I am using the following packages: