apatheticsheep
Joined: 23 Feb 2010 Posts: 11
Posted: Thu Apr 01, 2010 7:27 pm Post subject: site to site vpn using ipsec?

Is there a way to use IPsec for a site-to-site VPN in preference to the SSL implementation? I would love to use the SSL stuff, but I have a significant investment in Linksys RV042 routers at a number of home offices.
I would like to connect these home offices to my Zeroshell box at the main office so that the VoIP extensions can connect to the PBX, but I cannot do this with the SSL implementation afaik.

bradj
Joined: 21 Apr 2010 Posts: 1
Posted: Wed Apr 21, 2010 8:59 am

I'm not aware of a way of doing this; did you get a solution?

apatheticsheep
Joined: 23 Feb 2010 Posts: 11
Posted: Wed Apr 21, 2010 2:13 pm

I have not figured out a way to do this, although I have not worked on it since posting this question.
I see how the SSL implementation is a better solution, but in some cases it is just not feasible to replace a large amount of existing equipment.
If anyone knows more about this topic, any info would be greatly appreciated.
If you would like to know more about this, please bump.

ppalias
Joined: 17 Dec 2008 Posts: 1151 Location: Athens, Greece
Posted: Wed Apr 21, 2010 9:49 pm

1) No need to answer back to bots (bradj)
2) How about the Host-to-LAN (L2TP/IPSec)? Isn't that working for you?

apatheticsheep
Joined: 23 Feb 2010 Posts: 11
Posted: Wed Apr 21, 2010 10:59 pm

To my knowledge the "host to lan" implementation does not work with PSKs, although I do not currently have a box up to confirm this on. If it does, I suppose I could just use that section to build a LAN-to-LAN VPN.

ppalias
Joined: 17 Dec 2008 Posts: 1151 Location: Athens, Greece
Posted: Thu Apr 22, 2010 6:33 am

No it doesn't, at least on the web interface. I suppose that you could give it a try in the CLI.

sergej
Joined: 25 Nov 2010 Posts: 2
Posted: Wed Jan 19, 2011 10:01 am

My configuration of site-to-site IPsec with PSKs:
Assume network parameters:
My IP (zeroshell site): 120.120.120.120
Remote IP: 100.100.100.100
My LAN (behind zeroshell): 10.0.0.0/16
Remote LAN: 192.168.47.0/24
Config preparation:
mkdir -p /Database/custom/ipsec
Here I made 3 files.
psk.txt (with PSKs - preshared keys):
Code:
# racoon PSK file: peer identifier, whitespace, then the key (rest of the line)
# keep this file readable by root only (chmod 600)
100.100.100.100 Preshared key 1

ipsec.conf (with IPsec policies):
Code:
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
# outbound: my LAN -> remote LAN, ESP tunnel between the two gateways
spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
    esp/tunnel/120.120.120.120-100.100.100.100/require;
# inbound: remote LAN -> my LAN, same tunnel in the other direction
spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
    esp/tunnel/100.100.100.100-120.120.120.120/require;

racoon.conf:
Code:
path pre_shared_key "/Database/custom/ipsec/psk.txt";
listen { isakmp 120.120.120.120; }
# Phase 1 (IKE) settings for the remote gateway
remote 100.100.100.100 {
    exchange_mode main;
    proposal {
        # note: 3des, md5 and modp1024 are weak choices by current standards;
        # racoon also accepts aes and sha1, use them if the remote router supports them
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
# Phase 2 (IPsec SA) settings for traffic between the two LANs
sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Start IPsec in zeroshell's post boot script:
Code:
# Start IPsec
# ACCEPT in the nat table exempts tunnel traffic from masquerading,
# so it still matches the SPD selectors above
iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
setkey -f /Database/custom/ipsec/ipsec.conf
racoon -f /Database/custom/ipsec/racoon.conf

You should allow VPN traffic through the firewall rules as well (UDP/500, ESP and the site-to-site traffic).
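As an added example (not from the thread and not Zeroshell's own code), a rule set for that last step using the thread's addresses. It assumes the INPUT and FORWARD chains can be extended alongside Zeroshell's own rules and that the kernel has the iptables policy match (xt_policy); the point of that match is that packets claiming to come from the remote LAN are only forwarded when they actually arrived through the tunnel, not as cleartext with a spoofed source.

```shell
#!/bin/sh
# Firewall rules for the site-to-site tunnel above (constructed example).
PEER=100.100.100.100        # remote gateway (RV042 side)
LOCAL_LAN=10.0.0.0/16       # LAN behind Zeroshell
REMOTE_LAN=192.168.47.0/24  # LAN behind the remote router

# $1: command run for each rule; defaults to iptables, pass "echo" to preview.
ipsec_fw_rules() {
    IPT="${1:-iptables}"
    # IKE (UDP/500) and NAT-T (UDP/4500), accepted from the peer only
    "$IPT" -A INPUT -s "$PEER" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -s "$PEER" -p udp --dport 4500 -j ACCEPT
    # ESP (IP protocol 50) from the peer only
    "$IPT" -A INPUT -s "$PEER" -p esp -j ACCEPT
    # Remote LAN -> local LAN: only if the packet was decapsulated from an
    # ESP tunnel SA whose outer source is the peer (assumes xt_policy).
    "$IPT" -A FORWARD -s "$REMOTE_LAN" -d "$LOCAL_LAN" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel \
        --tunnel-src "$PEER" -j ACCEPT
    # Local LAN -> remote LAN: only if it will be sent through the tunnel.
    "$IPT" -A FORWARD -s "$LOCAL_LAN" -d "$REMOTE_LAN" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel \
        --tunnel-dst "$PEER" -j ACCEPT
    # Keep tunnel traffic out of masquerading (same rule as in the post).
    "$IPT" -t nat -I POSTROUTING -s "$LOCAL_LAN" -d "$REMOTE_LAN" -j ACCEPT
}

# Self-check: number of forwarding rules gated on an IPsec policy match.
# Both LAN-to-LAN rules must carry it; a plain "-s REMOTE_LAN" accept would not.
policy_guarded_rules() {
    ipsec_fw_rules echo | grep -c -- "--pol ipsec"
}
```

Run `ipsec_fw_rules` on the gateway to apply the rules, or `ipsec_fw_rules echo` to review them first.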