{"id":13,"date":"2017-01-25T08:51:07","date_gmt":"2017-01-25T08:51:07","guid":{"rendered":"http:\/\/owncloud.gonscak.sk\/?p=13"},"modified":"2024-06-28T13:56:49","modified_gmt":"2024-06-28T11:56:49","slug":"how-to-create-a-site-to-site-ipsec-vpn-connection","status":"publish","type":"post","link":"https:\/\/www.gonscak.sk\/?p=13","title":{"rendered":"How to create a site-to-site ipsec vpn connection"},"content":{"rendered":"<h3><strong>Install and enable the EPEL repository using Yum, with some useful software:<\/strong><\/h3>\n<blockquote>\n<pre><code>yum install epel-release.noarch\nyum install htop dstat tcpdump\n<\/code><\/pre>\n<\/blockquote>\n<p>On Red Hat based systems (CentOS, Fedora or RHEL):<\/p>\n<pre>yum install libreswan<\/pre>\n<p>Now we disable ICMP redirects and reverse-path filtering on all interfaces of the server, using these commands:<\/p>\n<pre>for vpn in \/proc\/sys\/net\/ipv4\/conf\/*;\ndo echo 0 &gt; $vpn\/accept_redirects;\necho 0 &gt; $vpn\/send_redirects;\necho 0 &gt; $vpn\/rp_filter;\ndone<\/pre>\n<p>Edit the config setup section of \/etc\/ipsec.conf so that pluto logs to \/var\/log\/pluto.log for debugging:<\/p>\n<pre>    plutostderrlog=\/var\/log\/pluto.log\n    protostack=netkey\n# if one side is behind NAT, enable the option below\n#    nat_traversal=yes\n    virtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12<\/pre>\n<p>Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently:<\/p>\n<pre> vim \/etc\/sysctl.conf\n    net.ipv4.ip_forward = 1\n    net.ipv4.conf.all.accept_redirects = 0\n    net.ipv4.conf.all.send_redirects = 0<\/pre>\n<p>Reload \/etc\/sysctl.conf:<\/p>\n<pre> sysctl -p<\/pre>\n<p>Now we open the firewall for IPsec: the ESP and AH protocols, IKE on UDP 500 and NAT-T on UDP 4500:<\/p>\n<pre>firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value=\"esp\" accept'\nfirewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value=\"ah\" accept'\nfirewall-cmd --zone=public --permanent --add-port=500\/udp\nfirewall-cmd --zone=public --permanent --add-port=4500\/udp\nfirewall-cmd --permanent --add-service=\"ipsec\"\nfirewall-cmd --zone=public --permanent --add-port=4500\/tcp\n# note: ESP and AH are IP protocols 50 and 51, already accepted by the rich rules above; UDP ports 50 and 51 are not used by IPsec\nfirewall-cmd --zone=public --add-port=50\/udp --permanent\nfirewall-cmd --zone=public --add-port=51\/udp --permanent<\/pre>\n<p>We don&#8217;t enable masquerading, because the IPsec tunnel policies (leftsubnet to rightsubnet) already take care of routing the tunnel traffic. If it does not work, masquerading can be added, but first a rule matching this tunnel&#8217;s packets (source leftsubnet, destination rightsubnet) must be added on both sides so that they are not masqueraded before encryption.<\/p>\n<pre># This command appears in several guides, but for the reason above it is not needed here,\n# and in my setup the tunnel did not work with it enabled\n#firewall-cmd --zone=public --permanent --add-masquerade<\/pre>\n<p>We reload firewalld and check our rules:<\/p>\n<pre>firewall-cmd --reload\nfirewall-cmd --zone=public --list-all<\/pre>\n<p>Check that the IPsec installation and configuration are sane:<\/p>\n<pre>ipsec verify\n------------\nVerifying installed system and configuration files\nVersion check and ipsec on-path                         [OK]\nLibreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64\nChecking for IPsec support in kernel                    [OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects                    [OK]\n         ICMP default\/accept_redirects                  [OK]\n         XFRM larval drop                               [OK]\nPluto ipsec.conf syntax                                 [OK]\nHardware random device                                  [N\/A]\nTwo or more interfaces found, checking IP forwarding    [OK]\nChecking rp_filter                                      [OK]\nChecking that pluto is running                          [OK]\n Pluto listening for IKE on udp 500                     [OK]\n Pluto listening for IKE\/NAT-T on udp 4500              [OK]\n Pluto ipsec.secret syntax                              [OK]\nChecking 'ip' command                                   [OK]\nChecking 'iptables' command                             [OK]\nChecking 'prelink' command does not interfere with FIPS\nChecking for obsolete ipsec.conf options                [OK]\nOpportunistic Encryption                                [DISABLED]<\/pre>\n<p>Now create the configuration file for the connection on the first side (the initiator, which connects to the public IP of the other side):<\/p>\n<pre>vim \/etc\/ipsec.d\/blava.conf\n---------------------------\nconn blava\n    left=%defaultroute\n    leftid=192.168.201.75\n    leftsubnet=192.168.201.0\/24\n\n    right=#public IP other side#\n    rightid=192.168.202.177\n    rightsubnet=192.168.202.0\/24\n    type=tunnel\n    authby=secret\n    # pfs=no turns off Perfect Forward Secrecy for the IPsec SA; use pfs=yes when both peers support it\n    pfs=no\n    auth=esp\n    keyexchange=ike\n    keyingtries=0\n    ikelifetime=28800s\n    salifetime=360000s\n    # 3des-sha1, sha1 and modp1024 are legacy algorithms; prefer AES with SHA-2 and modp2048 or stronger if the peer supports them\n    esp=3des-sha1\n    ike=aes256-sha1;modp1024\n    auto=start\n    compress=no<\/pre>\n<p>And the configuration file on the other side (right=%any accepts the peer from any address, and auto=add only loads the connection and waits for the peer to initiate):<\/p>\n<pre>vim \/etc\/ipsec.d\/blava.conf\n---------------------------\nconn blava\n    left=#public IP this side#\n    leftid=192.168.202.177\n    leftsubnet=192.168.202.0\/24\n    right=%any\n    rightid=192.168.201.75\n    rightsubnet=192.168.201.0\/24\n    type=tunnel\n    authby=secret\n    pfs=no\n    auth=esp\n    keyexchange=ike\n    keyingtries=0\n    ikelifetime=28800s\n    salifetime=360000s\n    esp=3des-sha1\n    ike=aes256-sha1;modp1024\n    auto=add\n    compress=no\n    keep_alive=30<\/pre>\n<p>Now create the secrets file with the PSK on both sides, using your public IP (1.1.1.1 in this example):<\/p>\n<pre>vim \/etc\/ipsec.d\/blava.secrets\n------------------------------\n%any 1.1.1.1: PSK \"ahoj12345\"<\/pre>\n<pre>vim \/etc\/ipsec.d\/blava.secrets\n------------------------------\n1.1.1.1 %any: PSK \"ahoj12345\"<\/pre>\n<p>Now restart ipsec to apply the configuration:<\/p>\n<pre>systemctl restart ipsec.service<\/pre>\n<p>If everything is fine, we should see something like this in pluto.log:<\/p>\n<pre> STATE_MAIN_R3: sent MR3, ISAKMP SA established\n STATE_QUICK_R2: IPsec SA established tunnel mode<\/pre>\n<p>Or check the ipsec status:<\/p>\n<pre>ipsec auto --status\n-------------------\nTotal IPsec connections: loaded 4, active 1\nSTATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s\nSTATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;<\/pre>\n<p>Some useful commands for working with ipsec&#8230;<br \/>\nWhen we update a configuration file and need to reload a single tunnel, use these steps rather than restarting the whole ipsec service:<\/p>\n<pre>ipsec auto --down blava\nipsec auto --replace blava\nipsec auto --up blava<\/pre>\n<p>If we change the secrets file and the PSK, we must also run this before --up:<\/p>\n<pre>ipsec auto --rereadall\n<\/pre>\n ","protected":false},"excerpt":{"rendered":"<p>Install and enable the EPEL using Yum, with some useful software: yum install epel-release.noarch yum install htop dstat tcpdump On Red Hat based Systems (CentOS, Fedora or RHEL): yum install libreswan Now we disable VPN redirects, if any, in the server using these commands: for vpn in \/proc\/sys\/net\/ipv4\/conf\/*; do echo 0 &gt; $vpn\/accept_redirects; echo 0 &hellip; <a href=\"https:\/\/www.gonscak.sk\/?p=13\" 
class=\"more-link\">Continue reading <span class=\"screen-reader-text\">How to create a site-to-site ipsec vpn connection<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2,3,5,6,7,8,9,10],"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-centos","tag-auto","tag-centos","tag-epel","tag-firewall-cmd","tag-ipsec","tag-linux","tag-pluto","tag-sysctl"],"_links":{"self":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13"}],"version-history":[{"count":2,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":1041,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions\/1041"}],"wp:attachment":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}