Set up IPSec vpn server on Linux with PSK 

September 27, 2011 11:57:49    Last update: October 05, 2011 12:20:00
This procedure sets up an IPSec vpn server on Linux with Preshared Key (PSK) using Openswan.

  1. Install Openswan:
    # yum install openswan
    

  2. Edit /etc/ipsec.conf. This is about the minimum needed to run an IPSec server. Instead of running L2TP on port 1701, I'm running TCP on port 8080 so that I can test the setup with nc later.
    # /etc/ipsec.conf - Openswan IPsec configuration file
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5
    version 2.0     # conforms to second version of ipsec.conf specification
    # basic configuration
    config setup
            # Do not set debug options to debug configuration issues!
            # plutodebug / klipsdebug = "all", "none" or a combination from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
            # eg:
            # plutodebug="control parsing"
            #
            # enable to get logs per-peer
            # plutoopts="--perpeerlog"
            #
            # Again: only enable plutodebug or klipsdebug when asked by a developer
            #
            # NAT-TRAVERSAL support, see README.NAT-Traversal
            # nat_traversal=yes
            # exclude networks used on server side by adding %v4:!a.b.c.0/24
            # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
            # OE is now off by default. Uncomment and change to on, to enable.
            oe=off
            # which IPsec stack to use. auto will try netkey, then klips then mast
            protostack=klips
    # Add connections here
    conn TCP8080-PSK
            #   
            authby=secret
            pfs=no      
            rekey=no   
            keyingtries=3
            #           
            # The VPN server.
            # Allow incoming connections on the external interface.
            # For testing, nc will listen on port 8080
            left=192.168.0.1
            leftprotoport=tcp/8080
            #
            # The remote users
            # Allow incoming connections from any IP address and port
            right=%any
            rightprotoport=tcp/%any
            #
            # Enable this configuration
            auto=add
    

  3. Edit /etc/ipsec.secrets.
    #
    # Preshared key for clients connecting from any IP address
    # The Openswan server has IP address of 192.168.0.1
    192.168.0.1 %any: PSK "ipsecsecret1"
    

  4. Start IPSec:
    # /etc/init.d/ipsec start
    

  5. Check status:
    # ipsec auto --status
    

  6. Monitor IPSec log:
    # less /var/log/secure
    

  7. If IPSec is running KLIPS, you should see a new NIC (ipsec0). There is no ipsec0 if IPSec is running NETKEY.
    # ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:F1:0D:6B  
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2700 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1781 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:245599 (239.8 KiB)  TX bytes:493548 (481.9 KiB)
    
    ipsec0    Link encap:Ethernet  HWaddr 08:00:27:F1:0D:6B  
              inet addr:192.168.0.1  Mask:255.255.255.0
              UP RUNNING NOARP  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:120 errors:0 dropped:160 overruns:0 carrier:0
              collisions:0 txqueuelen:10 
              RX bytes:0 (0.0 B)  TX bytes:21964 (21.4 KiB)
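An added example, not part of the original post, that parses the conn section and the ipsec.secrets line from the steps above and reports the settings a reviewer would want changed before a PSK setup like this leaves the test bench. The sample file contents and the 20-character minimum PSK length are constructed assumptions.

```python
import re
# Constructed sample mirroring the post's conn and secrets line (not a live host's files).
IPSEC_CONF = """
conn TCP8080-PSK
        authby=secret
        pfs=no
        rekey=no
        left=192.168.0.1        # the VPN server
        leftprotoport=tcp/8080
        right=%any              # any remote user
        rightprotoport=tcp/%any
        auto=add
"""
IPSEC_SECRETS = '192.168.0.1 %any: PSK "ipsecsecret1"\n'

def parse_conf(text):
    """Map each 'conn' section to its key=value pairs; comments and 'config setup' are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_secrets(text):
    """Return [(selector set, psk)] from lines like '192.168.0.1 %any: PSK "..."'."""
    pairs = re.findall(r'^\s*([^#:\n]*):\s*PSK\s+"([^"]*)"', text, re.M)
    return [(set(sel.split()), psk) for sel, psk in pairs]

def audit(conn, secrets, min_psk_len=20):
    """Flag a PSK conn that has no usable secret, a short secret, or no PFS/rekeying."""
    findings = []
    if conn.get("authby") == "secret":
        left, right = conn.get("left"), conn.get("right", "%any")
        psks = [p for sel, p in secrets if left in sel and (right in sel or "%any" in sel)]
        if not psks:
            findings.append("no PSK in ipsec.secrets covers left=%s right=%s" % (left, right))
        elif min(len(p) for p in psks) < min_psk_len:
            findings.append("PSK shorter than %d characters" % min_psk_len)
    if conn.get("pfs", "yes") == "no":    # Openswan default is pfs=yes
        findings.append("pfs=no: no fresh Diffie-Hellman exchange for Phase 2 SAs")
    if conn.get("rekey", "yes") == "no":  # Openswan default is rekey=yes
        findings.append("rekey=no: expiring SAs are not renegotiated")
    return findings
```

Run against the post's own values it reports the short PSK plus the pfs=no and rekey=no settings; with a long secret and both defaults restored it returns an empty list.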
    
