Deploying IPsec in small LAN in 3 easy steps

I think about installing IPsec on computers in my home LAN for some time. There are many configurations possible: tunnel mode, transport mode, peer-to-peer solution or star topology with single VPN hub. Also there are different IPsec implementations. KAME for *BSD, Openswan, strongSwan and Linux 2.6 PF_KEY implementation (which can be used with setkey and racoon or with OpenBSD’s isakmpd). Choosing one is not easy, but for me the simplest method was best. I choose Linux 2.6 PF_KEY with ipsec-tools and racoon for dynamic key exchange (now part of ipsec-tools). Its simple, easy to implement and… configuration files without any modification (except file paths) can be used also in FreeBSD (tested with 6.3-RELEASE).

Step 1. Use OpenVPN easyRSA to set up your own Certificate Authority, generate certificates and keys and sign them. You will need to create links to certificates and keys in form hash.(r)0. Use this command to compute hash:

# openssl x509 -hash -in keys/ca.crt

And then create links replacing question marks by hashes.

# ln -s ca.crt keys/????????.0
# ln -s crl.pem keys/????????.r0

Step 2. When you have all your certificates created you need only to do two more things. First create /etc/ipsec-tools.conf to set Security Policy Database (SPD):

#!/usr/sbin/setkey -f

## Flush the SAD and SPD


## SPDs for racoon

spdadd any -P out ipsec esp/transport//use;
spdadd any -P in  ipsec esp/transport//use;

Step 3. And then configure racoon to negotiate and maintain Security Association Database (SAD). Racoon read configuration from /etc/racoon/racoon.conf:

path certificate "/etc/racoon/certs";

sainfo anonymous {
    encryption_algorithm aes256,aes128,blowfish128,3des;
    authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    lifetime time 30 min;

remote anonymous {
    exchange_mode main,aggressive;
    lifetime time 60 min;
    certificate_type x509 "host.crt" "host.key";
    verify_cert on;
    my_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;

Now (re)start setkey and racoon on all hosts in LAN. If everything is fine IPsec should be in use for all local connections.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.