www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 
 SearchSearch  RegisterRegister  UsergroupsUsergroups 
 ProfileProfile  Log inLog in  Log in to check your private messagesPrivate Message 

site to site vpn using ipsec?

 
Post new topic   Reply to topic    www.zeroshell.org Forum Index -> VPN
View previous topic :: View next topic  
Author Message
apatheticsheep



Joined: 23 Feb 2010
Posts: 11

PostPosted: Thu Apr 01, 2010 7:27 pm    Post subject: site to site vpn using ipsec? Reply with quote

Is there aa way to use ipsec for a site-to-site vpn in preference to the ssl implementation. I would love to use the ssl stuff but I have a significant investment in Linsys RV042 routers at a number of home offices.

I would like to connect these home offices to my Zeroshell box at the main office so that the voip extensions can connect to the PBX but i cannot do this with the ssl implementation afaik.
Back to top
View user's profile Send private message
bradj



Joined: 21 Apr 2010
Posts: 1

PostPosted: Wed Apr 21, 2010 8:59 am    Post subject: Reply with quote

I'm not aware of a way of doing this, did you get a solution?
Back to top
View user's profile Send private message
apatheticsheep



Joined: 23 Feb 2010
Posts: 11

PostPosted: Wed Apr 21, 2010 2:13 pm    Post subject: Reply with quote

i have not figured out a way to do this although I have not worked on it since posting this question.

I see how the ssl implementation is a a better solution but in some cases it is just not feasible to replace a large amount of existing equipment.

If anyone knows more about this topic any info would be greatly appreciated.

If you would like to know more about this please bump.
Back to top
View user's profile Send private message
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

PostPosted: Wed Apr 21, 2010 9:49 pm    Post subject: Reply with quote

1) No need to answer back to bots (bradj) Very Happy
2) How about the Host-to-LAN (L2TP/IPSec)? Isn't that working for you?
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
apatheticsheep



Joined: 23 Feb 2010
Posts: 11

PostPosted: Wed Apr 21, 2010 10:59 pm    Post subject: Reply with quote

to my knowledge the "host to lan" implementation does not work with PSKs. although i do not currently have a box up to confirm this on. if it does that I suppose I could just use that section to build a lan-to-lan vpn
Back to top
View user's profile Send private message
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

PostPosted: Thu Apr 22, 2010 6:33 am    Post subject: Reply with quote

No it doesn't, at least on the web interface. I suppose that you could give it a try in the CLI.
Back to top
View user's profile Send private message Yahoo Messenger MSN Messenger
sergej



Joined: 25 Nov 2010
Posts: 2

PostPosted: Wed Jan 19, 2011 10:01 am    Post subject: Reply with quote

My configuration of site-to-site IPsec with PSKs:

Assume network parameters:
My IP (zeroshell site): 120.120.120.120
Remote IP: 100.100.100.100
My LAN (behind zeroshell): 10.0.0.0/16
Remote LAN: 192.168.47.0/24


Config preparation:
mkdir -p /Database/custom/ipsec

Here I made 3 files

psk.txt (with PSKs - preshared keys):
Code:

100.100.100.100        Preshared key 1


ipsec.conf (with IPsec policies):
Code:
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
           esp/tunnel/120.120.120.120-100.100.100.100/require;

spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
           esp/tunnel/100.100.100.100-120.120.120.120/require;


racoon.conf:
Code:
path pre_shared_key "/Database/custom/ipsec/psk.txt";

listen { isakmp 120.120.120.120; }

remote 100.100.100.100 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}



Start IPsec in zeroshell's post boot script:

Code:
# Start IPsec
iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
setkey -f /Database/custom/ipsec/ipsec.conf
racoon -f /Database/custom/ipsec/racoon.conf


You should allow VPN traffic by firewall rules as well (UDP/500, ESP and site-to-site traffic).
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    www.zeroshell.org Forum Index -> VPN All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group