L2L Tunnel on Linux

From cwhite's wiki
Revision as of 20:44, 25 May 2017 by Cwhite (Talk | contribs) (NAT-T on Local and Remote side)


Environment

I am running a couple of bridges on this server: one bridge for public IP addresses and the other for internal private networking. I set this up so that the servers on the internal bridge can reach the servers on the other end of the site-to-site VPN. The internal bridge has PAT out to the internet, so I do have to set up some additional iptables rules, which I cover in this article. This should work on all distributions, the only difference being the way you install the packages and/or the location of the configuration files.

All of these instructions are performed under the root user.

Distro: Ubuntu 15.10 (Wily)

Local endpoint: 230.1.1.1
Remote endpoint: 240.1.1.1

Local subnet: 172.20.1.0/24
Remote subnet: 192.168.1.0/24

Packages: racoon and ipsec-tools
 

Setting up the server

1. Install the required packages

apt-get install racoon ipsec-tools
 

When the package installer asks for the configuration mode for the racoon IKE daemon, choose: direct

2. Configuring Racoon
Add the remote endpoint's IP address and the tunnel's pre-shared key to /etc/racoon/psk.txt, then restrict the file to root:

240.1.1.1 strong_password

chmod 400 /etc/racoon/psk.txt
chown root:root /etc/racoon/psk.txt
 

Edit the racoon.conf file located at /etc/racoon/racoon.conf and add the following, tweaking it to match your environment.

#Tunnel pre-shared key
path pre_shared_key "/etc/racoon/psk.txt";

#log debug;

remote 240.1.1.1 {
        exchange_mode main,aggressive;
#       nat_traversal on;
        my_identifier address 230.1.1.1;
        peers_identifier address 240.1.1.1;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 seconds;
        }
}

sainfo address 172.20.1.0/24 any address 192.168.1.0/24 any {
        lifetime time 3600 seconds ;
        encryption_algorithm aes, 3des, blowfish 448, twofish, rijndael ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}
 

If this endpoint is behind a NAT device, uncomment the "nat_traversal" line. There is quite a bit you can tweak once this is configured; I would suggest that you at least get the tunnel up and then start tweaking timers and other variables. See the racoon.conf man page (linked under Other resources) for the list of supported algorithms and variables.

3. Configuring setkey
Edit /etc/ipsec-tools.conf and add the following (again, modify it to match your environment):

# Flush the SPD and the SAD
flush;
spdflush;

# Security policies
spdadd 172.20.1.0/24 192.168.1.0/24 any -P out ipsec
           esp/tunnel/230.1.1.1-240.1.1.1/require;

spdadd 192.168.1.0/24 172.20.1.0/24 any -P in ipsec
           esp/tunnel/240.1.1.1-230.1.1.1/require;
 

4. Configuring iptables
I am using the following iptables rules. They let the devices on the internal bridge reach the internet via PAT, while the two RETURN rules exempt traffic destined for the local subnet and for the remote subnet from masquerading, so that traffic still goes over the site-to-site tunnel with its original source address. Ensure you have enabled IPv4 forwarding in the kernel.

iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -d 172.20.1.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -d 192.168.1.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -j MASQUERADE
 

5. Enable and start services
With systemd, all you need to do is run the following:

systemctl enable racoon.service
systemctl enable setkey.service

systemctl restart racoon.service
systemctl restart setkey.service
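A set of post-install checks for steps 2 to 5, added here as an example and not part of the original wiki page or of racoon/ipsec-tools. It assumes the addresses above, that the checks are fed the output of "iptables -t nat -S POSTROUTING", "setkey -DP" and "stat -c %a /etc/racoon/psk.txt", and the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Post-install checks for the racoon/setkey/iptables setup in this article.
# Each check reads command output on stdin and exits 0 (ok) or 1 (problem):
#   iptables -t nat -S POSTROUTING | nat_order_ok
#   setkey -DP | spd_complete;   stat -c %a /etc/racoon/psk.txt | psk_mode_ok
LOCAL_NET=172.20.1.0/24;  REMOTE_NET=192.168.1.0/24
LOCAL_EP=230.1.1.1;       REMOTE_EP=240.1.1.1
# The RETURN rule for LOCAL_NET -> REMOTE_NET must come before MASQUERADE:
# iptables -A appends, so on a host that already had MASQUERADE the tunnel
# traffic is rewritten to the public IP and never matches the SPD.
nat_order_ok() {
    awk -v s="$LOCAL_NET" -v d="$REMOTE_NET" '
        index($0, "-s " s " ") && /-j MASQUERADE/ && !m { m = NR }
        index($0, "-s " s " ") && index($0, "-d " d " ") && /-j RETURN/ { r = NR }
        END { exit !(r && (!m || r < m)) }'
}
# Both policies from /etc/ipsec-tools.conf must be loaded; one missing
# usually means setkey.service failed to parse the file.
spd_complete() {
    awk -v o="esp/tunnel/$LOCAL_EP-$REMOTE_EP/require" \
        -v i="esp/tunnel/$REMOTE_EP-$LOCAL_EP/require" '
        index($0, o) { out = 1 }
        index($0, i) { inb = 1 }
        END { exit !(out && inb) }'
}
# psk.txt holds the shared secret in clear text; step 2 sets mode 400, so
# reject any mode with group or other permission bits set.
psk_mode_ok() {
    read -r mode || return 1
    case "$mode" in [0-7]00|[0-7][0-7]00) return 0 ;; *) return 1 ;; esac
}
# Constructed samples: a correct NAT table, one with MASQUERADE first, and
# the SPD a correctly configured host prints (layout follows setkey -DP).
NAT_OK='-A POSTROUTING -s 172.20.1.0/24 -d 172.20.1.0/24 -j RETURN
-A POSTROUTING -s 172.20.1.0/24 -d 192.168.1.0/24 -j RETURN
-A POSTROUTING -s 172.20.1.0/24 -j MASQUERADE'
NAT_BAD='-A POSTROUTING -s 172.20.1.0/24 -j MASQUERADE
-A POSTROUTING -s 172.20.1.0/24 -d 192.168.1.0/24 -j RETURN'
SPD_OK='172.20.1.0/24[any] 192.168.1.0/24[any] any
    out ipsec
    esp/tunnel/230.1.1.1-240.1.1.1/require
192.168.1.0/24[any] 172.20.1.0/24[any] any
    in ipsec
    esp/tunnel/240.1.1.1-230.1.1.1/require'
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
printf '%s\n' "$NAT_OK"  | report nat_order_ok
printf '%s\n' "$NAT_BAD" | report nat_order_ok    # expected FAIL
printf '%s\n' "$SPD_OK"  | report spd_complete
echo 400 | report psk_mode_ok
```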
 

Troubleshooting

Other resources

Really good guide with examples, explanations and troubleshooting tips.
http://www.mad-hacking.net/documentation/linux/networking/ipsec/index.xml

Another really decent guide
http://www.kame.net/newsletter/20001119/

racoon.conf man page
http://www.kame.net/racoon/racoon.conf.5

NAT-T on Local and Remote side

In some cases, you may have both of your endpoints behind a NAT device. I was able to find an article where there was one side behind a NAT device but wasn't able to find an article that had both endpoints behind NAT devices so here I am! In this example, I am using the following packages: