site to site vpn using ipsec?

Forums Network Management VPN site to site vpn using ipsec?

  • This topic is empty.
Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • April 1, 2010 at 7:27 pm #42324
    apatheticsheep
    Member

    Is there aa way to use ipsec for a site-to-site vpn in preference to the ssl implementation. I would love to use the ssl stuff but I have a significant investment in Linsys RV042 routers at a number of home offices.

    I would like to connect these home offices to my Zeroshell box at the main office so that the voip extensions can connect to the PBX but i cannot do this with the ssl implementation afaik.

    April 21, 2010 at 8:59 am #49988
    bradj
    Member

    I’m not aware of a way of doing this, did you get a solution?

    April 21, 2010 at 2:13 pm #49989
    apatheticsheep
    Member

    i have not figured out a way to do this although I have not worked on it since posting this question.

    I see how the ssl implementation is a a better solution but in some cases it is just not feasible to replace a large amount of existing equipment.

    If anyone knows more about this topic any info would be greatly appreciated.

    If you would like to know more about this please bump.

    April 21, 2010 at 9:49 pm #49990
    ppalias
    Member

    1) No need to answer back to bots (bradj) 😀
    2) How about the Host-to-LAN (L2TP/IPSec)? Isn’t that working for you?

    April 21, 2010 at 10:59 pm #49991
    apatheticsheep
    Member

    to my knowledge the “host to lan” implementation does not work with PSKs. although i do not currently have a box up to confirm this on. if it does that I suppose I could just use that section to build a lan-to-lan vpn

    April 22, 2010 at 6:33 am #49992
    ppalias
    Member

    No it doesn’t, at least on the web interface. I suppose that you could give it a try in the CLI.

    January 19, 2011 at 10:01 am #49993
    sergej
    Participant

    My configuration of site-to-site IPsec with PSKs:

    Assume network parameters:
    My IP (zeroshell site): 120.120.120.120
    Remote IP: 100.100.100.100
    My LAN (behind zeroshell): 10.0.0.0/16
    Remote LAN: 192.168.47.0/24

    Config preparation:
    mkdir -p /Database/custom/ipsec

    Here I made 3 files

    psk.txt (with PSKs – preshared keys):


    
100.100.100.100        Preshared key 1

    ipsec.conf (with IPsec policies):

    #!/usr/sbin/setkey -f
    
#
    
# Flush SAD and SPD
    
flush;
    
spdflush;
    

    
# Create policies for racoon
    
spdadd 10.0.0.0/16 192.168.47.0/24 any -P out ipsec
    
esp/tunnel/120.120.120.120-100.100.100.100/require;
    

    
spdadd 192.168.47.0/24 10.0.0.0/16 any -P in ipsec
    
esp/tunnel/100.100.100.100-120.120.120.120/require;

    racoon.conf:

    path pre_shared_key "/Database/custom/ipsec/psk.txt";
    

    
listen { isakmp 120.120.120.120; }
    

    
remote 100.100.100.100 {
    
exchange_mode main;
    
proposal {
    
encryption_algorithm 3des;
    
hash_algorithm md5;
    
authentication_method pre_shared_key;
    
dh_group modp1024;
    
}
    
}
    

    
sainfo address 10.0.0.0/16 any address 192.168.47.0/24 any {
    
pfs_group modp1024;
    
encryption_algorithm 3des;
    
authentication_algorithm hmac_md5;
    
compression_algorithm deflate;
    
}

    Start IPsec in zeroshell’s post boot script:

    # Start IPsec
    
iptables -t nat -I POSTROUTING -s 10.0.0.0/16 -d 192.168.47.0/24 -j ACCEPT
    
setkey -f /Database/custom/ipsec/ipsec.conf
    
racoon -f /Database/custom/ipsec/racoon.conf

    You should allow VPN traffic by firewall rules as well (UDP/500, ESP and site-to-site traffic).

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.