{"id":27,"date":"2015-08-16T21:55:08","date_gmt":"2015-08-16T13:55:08","guid":{"rendered":"http:\/\/tbex.idv.tw\/wordpress_G2\/?p=27"},"modified":"2015-08-16T21:55:08","modified_gmt":"2015-08-16T13:55:08","slug":"note-site-to-site-vpn","status":"publish","type":"post","link":"https:\/\/tbex.idv.tw\/wordpress_G2\/blog\/2015\/08\/16\/note-site-to-site-vpn\/","title":{"rendered":"[note] site to site VPN"},"content":{"rendered":"<header class=\"entry-header\">\n<h1 class=\"entry-title\"><a title=\"Permalink to How to create a site-to-site IPsec VPN tunnel using Openswan in Linux\" href=\"http:\/\/xmodulo.com\/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html\" rel=\"bookmark\">How to create a site-to-site IPsec VPN tunnel using Openswan in Linux<\/a><\/h1>\n<\/header>\n<div class=\"heatmapthemead-header-entry-meta entry-meta\"><span class=\"heatmapthemead-post-details\">Last updated on <a title=\"6:00 am\" href=\"http:\/\/xmodulo.com\/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html\" rel=\"bookmark\"><time class=\"entry-date\" datetime=\"2014-08-26T06:00:27+00:00\">August 26, 2014<\/time><\/a><span class=\"byline\"> Authored by <span class=\"author vcard\"><a class=\"url fn n\" title=\"View all posts by Sarmed Rahman\" href=\"http:\/\/xmodulo.com\/author\/sarmed\" rel=\"author\">Sarmed Rahman<\/a><\/span><\/span><\/span> <span class=\"comments-link\"><a href=\"http:\/\/xmodulo.com\/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html#comments\">4 Comments<\/a><\/span><\/div>\n<div class=\"entry-content\">\n<p>A virtual private network (VPN) tunnel is used to securely interconnect two physically separate networks through a tunnel over the Internet. Tunneling is needed when the separate networks are private LAN subnets with globally non-routable private IP addresses, which are not reachable to each other via traditional routing over the Internet. 
For example, VPN tunnels are often deployed to connect different NATed branch office networks belonging to the same institution.<\/p>\n<p>Sometimes VPN tunneling may be used simply for its security benefit as well. Service providers or private companies may design their networks in such a way that vital servers (e.g., database, VoIP, banking servers) are placed in a subnet that is accessible to trusted personnel through a VPN tunnel only. When a secure VPN tunnel is required, <a href=\"http:\/\/en.wikipedia.org\/wiki\/IPsec\" target=\"_blank\">IPsec<\/a> is often the preferred choice: it authenticates both gateways, then encrypts and integrity-protects every packet at the IP layer, so the protection does not depend on the applications that use the tunnel.<\/p>\n<p>This tutorial will show how we can easily create a site-to-site VPN tunnel using <a href=\"https:\/\/www.openswan.org\/\" target=\"_blank\">Openswan<\/a> in Linux.<\/p>\n<h2>Topology<\/h2>\n<p>This tutorial will focus on the following topologies for creating an IPsec tunnel.<\/p>\n<p><a href=\"https:\/\/www.flickr.com\/photos\/xmodulo\/15004668831\/\" target=\"_blank\" rel=\"nofollow\"><img decoding=\"async\" src=\"https:\/\/farm4.staticflickr.com\/3838\/15004668831_fd260b7f1e_z.jpg\" alt=\"\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.flickr.com\/photos\/xmodulo\/15004668821\/\" target=\"_blank\" rel=\"nofollow\"><img decoding=\"async\" src=\"https:\/\/farm6.staticflickr.com\/5559\/15004668821_36e02ab8b0_z.jpg\" alt=\"\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.flickr.com\/photos\/xmodulo\/14821245117\/\" target=\"_blank\" rel=\"nofollow\"><img decoding=\"async\" src=\"https:\/\/farm6.staticflickr.com\/5571\/14821245117_3f677e4d58_z.jpg\" alt=\"\" \/><\/a><\/p>\n<h2>Installing Packages and Preparing VPN Servers<\/h2>\n<p>Usually, you will be managing site-A only, but based on the requirements, you could be managing both site-A and site-B. 
We start the process by installing Openswan.<\/p>\n<p>On Red Hat based systems (CentOS, Fedora or RHEL):<\/p>\n<div class=\"console\"># yum install openswan lsof<\/div>\n<p>On Debian based systems (Debian, Ubuntu or Linux Mint):<\/p>\n<div class=\"console\"># apt-get install openswan<\/div>\n<p>Now we disable ICMP redirects on every interface of the server (a VPN gateway should neither accept nor send them, since a forged redirect could steer traffic around the tunnel):<\/p>\n<div class=\"console\"># for vpn in \/proc\/sys\/net\/ipv4\/conf\/*;<br \/>\n# do echo 0 &gt; $vpn\/accept_redirects;<br \/>\n# echo 0 &gt; $vpn\/send_redirects;<br \/>\n# done<\/div>\n<p>Next, we modify the kernel parameters to enable IP forwarding (the server must route between the two subnets) and to disable redirects permanently.<\/p>\n<div class=\"console\"># vim \/etc\/sysctl.conf<\/div>\n<div>\n<div id=\"highlighter_984850\" class=\"syntaxhighlighter  bash\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"bash plain\">net.ipv4.ip_forward = 1<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"bash plain\">net.ipv4.conf.all.accept_redirects = 0<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"bash plain\">net.ipv4.conf.all.send_redirects = 0<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Reload \/etc\/sysctl.conf:<\/p>\n<div class=\"console\"># sysctl -p<\/div>\n<p>We allow the necessary ports in the firewall. 
Please make sure that the rules do not conflict with existing firewall rules. IKE uses UDP 500, NAT traversal (NAT-T) carries ESP inside UDP 4500, and when there is no NAT between the two gateways the ESP packets themselves (IP protocol 50) arrive unencapsulated, so that protocol must be accepted as well; nothing uses TCP. If the peer has a static address, restrict each rule to it with <tt>-s site-B-Public-IP<\/tt> rather than accepting IKE from the whole Internet.<\/p>\n<div class=\"console\"># iptables -A INPUT -p udp --dport 500 -j ACCEPT<br \/>\n# iptables -A INPUT -p udp --dport 4500 -j ACCEPT<br \/>\n# iptables -A INPUT -p esp -j ACCEPT<\/div>\n<p>Finally, we create firewall rules for NAT.<\/p>\n<div class=\"console\"># iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP<\/div>\n<p>Please make sure that the firewall rules are persistent (for example with <tt>service iptables save<\/tt> on Red Hat based systems or the <tt>iptables-persistent<\/tt> package on Debian based systems); otherwise they are lost at the next reboot.<\/p>\n<p><b>Note:<\/b><\/p>\n<ul>\n<li>You could use MASQUERADE instead of SNAT. Logically it should work, but it caused me to have issues with virtual private servers (VPS) in the past. So I would use SNAT if I were you.<\/li>\n<li>If you are managing site-B as well, create similar rules in site-B server.<\/li>\n<li>Direct routing does not need SNAT.<\/li>\n<\/ul>\n<h2>Preparing Configuration Files<\/h2>\n<p>The first configuration file that we will work with is <tt>ipsec.conf<\/tt>. Regardless of which server you are configuring, always consider your own site as &#8216;<strong>left<\/strong>&#8217; and the remote site as &#8216;<strong>right<\/strong>&#8217;. 
The following configuration is done in siteA&#8217;s VPN server.<\/p>\n<div class=\"console\"># vim \/etc\/ipsec.conf<\/div>\n<div>\n<div id=\"highlighter_945765\" class=\"syntaxhighlighter  bash\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<div class=\"line number19 index18 alt2\">19<\/div>\n<div class=\"line number20 index19 alt1\">20<\/div>\n<div class=\"line number21 index20 alt2\">21<\/div>\n<div class=\"line number22 index21 alt1\">22<\/div>\n<div class=\"line number23 index22 alt2\">23<\/div>\n<div class=\"line number24 index23 alt1\">24<\/div>\n<div class=\"line number25 index24 alt2\">25<\/div>\n<div class=\"line number26 index25 alt1\">26<\/div>\n<div class=\"line number27 index26 alt2\">27<\/div>\n<div class=\"line number28 index27 alt1\">28<\/div>\n<div class=\"line number29 index28 alt2\">29<\/div>\n<div class=\"line number30 index29 alt1\">30<\/div>\n<div class=\"line number31 index30 alt2\">31<\/div>\n<div class=\"line number32 index31 alt1\">32<\/div>\n<div class=\"line number33 index32 
alt2\">33<\/div>\n<div class=\"line number34 index33 alt1\">34<\/div>\n<div class=\"line number35 index34 alt2\">35<\/div>\n<div class=\"line number36 index35 alt1\">36<\/div>\n<div class=\"line number37 index36 alt2\">37<\/div>\n<div class=\"line number38 index37 alt1\">38<\/div>\n<div class=\"line number39 index38 alt2\">39<\/div>\n<div class=\"line number40 index39 alt1\">40<\/div>\n<div class=\"line number41 index40 alt2\">41<\/div>\n<div class=\"line number42 index41 alt1\">42<\/div>\n<div class=\"line number43 index42 alt2\">43<\/div>\n<div class=\"line number44 index43 alt1\">44<\/div>\n<div class=\"line number45 index44 alt2\">45<\/div>\n<div class=\"line number46 index45 alt1\">46<\/div>\n<div class=\"line number47 index46 alt2\">47<\/div>\n<div class=\"line number48 index47 alt1\">48<\/div>\n<div class=\"line number49 index48 alt2\">49<\/div>\n<div class=\"line number50 index49 alt1\">50<\/div>\n<div class=\"line number51 index50 alt2\">51<\/div>\n<div class=\"line number52 index51 alt1\">52<\/div>\n<div class=\"line number53 index52 alt2\">53<\/div>\n<div class=\"line number54 index53 alt1\">54<\/div>\n<div class=\"line number55 index54 alt2\">55<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"bash comments\">## general configuration parameters ##<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"bash plain\">config setup<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">plutodebug=all<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">plutostderrlog=<\/code><code class=\"bash plain\">\/var\/log\/pluto<\/code><code class=\"bash plain\">.log<\/code><\/div>\n<div class=\"line number6 index5 
alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">protostack=netkey<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">nat_traversal=<\/code><code class=\"bash functions\">yes<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">virtual_private=%v4:10.0.0.0<\/code><code class=\"bash plain\">\/8<\/code><code class=\"bash plain\">,%v4:192.168.0.0<\/code><code class=\"bash plain\">\/16<\/code><code class=\"bash plain\">,%v4:172.16.0.0<\/code><code class=\"bash plain\">\/12<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## disable opportunistic encryption in Red Hat ##<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">oe=off<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"bash comments\">## disable opportunistic encryption in Debian ##<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"bash comments\">## Note: this is a separate declaration statement ##<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"bash plain\">include <\/code><code class=\"bash plain\">\/etc\/ipsec<\/code><code class=\"bash plain\">.d<\/code><code class=\"bash plain\">\/examples\/no_oe<\/code><code class=\"bash plain\">.conf <\/code><\/div>\n<div class=\"line number15 index14 alt2\"><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"bash comments\">## connection definition in Red Hat ##<\/code><\/div>\n<div class=\"line number17 index16 
alt2\"><code class=\"bash plain\">conn demo-connection-redhat<\/code><\/div>\n<div class=\"line number18 index17 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">authby=secret<\/code><\/div>\n<div class=\"line number19 index18 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">auto=start<\/code><\/div>\n<div class=\"line number20 index19 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">ike=aes256-sha2_256;modp2048<\/code><\/div>\n<div class=\"line number21 index20 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## phase 1 ##<\/code><\/div>\n<div class=\"line number22 index21 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">keyexchange=ike<\/code><\/div>\n<div class=\"line number23 index22 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## phase 2 ##<\/code><\/div>\n<div class=\"line number24 index23 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">phase2=esp<\/code><\/div>\n<div class=\"line number25 index24 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">phase2alg=aes256-sha2_256<\/code><\/div>\n<div class=\"line number26 index25 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">compress=no<\/code><\/div>\n<div class=\"line number27 index26 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">pfs=<\/code><code class=\"bash functions\">yes<\/code><\/div>\n<div class=\"line number28 index27 alt1\"><code 
class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash functions\">type<\/code><code class=\"bash plain\">=tunnel<\/code><\/div>\n<div class=\"line number29 index28 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">left=&lt;siteA-public-IP&gt;<\/code><\/div>\n<div class=\"line number30 index29 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsourceip=&lt;siteA-public-IP&gt;<\/code><\/div>\n<div class=\"line number31 index30 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsubnet=&lt;siteA-private-subnet&gt;<\/code><code class=\"bash plain\">\/netmask<\/code><\/div>\n<div class=\"line number32 index31 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## for direct routing (the VPN server itself is the endpoint): use this instead of the leftsubnet line above ##<\/code><\/div>\n<div class=\"line number33 index32 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsubnet=&lt;siteA-public-IP&gt;<\/code><code class=\"bash plain\">\/32<\/code><\/div>\n<div class=\"line number34 index33 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftnexthop=%defaultroute<\/code><\/div>\n<div class=\"line number35 index34 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">right=&lt;siteB-public-IP&gt;<\/code><\/div>\n<div class=\"line number36 index35 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">rightsubnet=&lt;siteB-private-subnet&gt;<\/code><code class=\"bash plain\">\/netmask<\/code><\/div>\n<div class=\"line number37 index36 alt2\"><\/div>\n<div class=\"line number38 
index37 alt1\"><code class=\"bash comments\">## connection definition in Debian ##<\/code><\/div>\n<div class=\"line number39 index38 alt2\"><code class=\"bash plain\">conn demo-connection-debian<\/code><\/div>\n<div class=\"line number40 index39 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">authby=secret<\/code><\/div>\n<div class=\"line number41 index40 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">auto=start<\/code><\/div>\n<div class=\"line number42 index41 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## phase 1 ##<\/code><\/div>\n<div class=\"line number43 index42 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">keyexchange=ike<\/code><\/div>\n<div class=\"line number44 index43 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## phase 2 ##<\/code><\/div>\n<div class=\"line number45 index44 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">esp=aes256-sha2_256<\/code><\/div>\n<div class=\"line number46 index45 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">pfs=<\/code><code class=\"bash functions\">yes<\/code><\/div>\n<div class=\"line number47 index46 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash functions\">type<\/code><code class=\"bash plain\">=tunnel<\/code><\/div>\n<div class=\"line number48 index47 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">left=&lt;siteA-public-IP&gt;<\/code><\/div>\n<div class=\"line number49 index48 alt2\"><code 
class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsourceip=&lt;siteA-public-IP&gt;<\/code><\/div>\n<div class=\"line number50 index49 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsubnet=&lt;siteA-private-subnet&gt;<\/code><code class=\"bash plain\">\/netmask<\/code><\/div>\n<div class=\"line number51 index50 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash comments\">## for direct routing (the VPN server itself is the endpoint): use this instead of the leftsubnet line above ##<\/code><\/div>\n<div class=\"line number52 index51 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftsubnet=&lt;siteA-public-IP&gt;<\/code><code class=\"bash plain\">\/32<\/code><\/div>\n<div class=\"line number53 index52 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">leftnexthop=%defaultroute<\/code><\/div>\n<div class=\"line number54 index53 alt1\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">right=&lt;siteB-public-IP&gt;<\/code><\/div>\n<div class=\"line number55 index54 alt2\"><code class=\"bash spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"bash plain\">rightsubnet=&lt;siteB-private-subnet&gt;<\/code><code class=\"bash plain\">\/netmask<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>A few points about this configuration. The algorithm lines (<tt>ike=<\/tt>, <tt>phase2alg=<\/tt>, <tt>esp=<\/tt>) decide how strong the tunnel really is. The <tt>3des-md5<\/tt> proposals found in many older Openswan examples should no longer be used: 3DES has a 64-bit block size and MD5 is deprecated. <tt>aes256-sha2_256;modp2048<\/tt> for IKE and <tt>aes256-sha2_256<\/tt> for ESP are a sound choice on Openswan and Libreswan builds that support SHA-2; on an older build that rejects <tt>sha2_256<\/tt>, <tt>aes256-sha1;modp2048<\/tt> is still far better than 3DES with MD5. Both peers must share at least one proposal, so configure the same algorithms on site B. A <tt>conn<\/tt> that sets no <tt>ike=<\/tt> line, like the Debian example above, negotiates with the daemon&#8217;s built-in default proposals, so add one there as well. Only one <tt>leftsubnet=<\/tt> applies per connection: use the private subnet for a site-to-site tunnel, or the <tt>\/32<\/tt> public address when the VPN server itself is the endpoint. Finally, <tt>plutodebug=all<\/tt> is useful while bringing the tunnel up but writes a large volume of negotiation detail to <tt>\/var\/log\/pluto.log<\/tt>; set it to <tt>none<\/tt> once the tunnel is stable.<\/p>\n<p>Authentication can be done in several different ways. 
This tutorial will cover the use of a pre-shared key (PSK), which is added to the file <tt>\/etc\/ipsec.secrets<\/tt>. Use a long random value rather than a word or phrase, because anyone who obtains the PSK can impersonate either gateway, use a different key for every peer, and keep the file readable by root only (mode 0600).<\/p>\n<div class=\"console\"># vim \/etc\/ipsec.secrets<\/div>\n<div>\n<div id=\"highlighter_233688\" class=\"syntaxhighlighter  bash\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"bash plain\">siteA-public-IP\u00a0 siteB-public-IP:\u00a0 PSK\u00a0 <\/code><code class=\"bash string\">\"pre-shared-key\"<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"bash comments\">## in case of multiple sites ##<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"bash plain\">siteA-public-IP\u00a0 siteC-public-IP:\u00a0 PSK\u00a0 <\/code><code class=\"bash string\">\"corresponding-pre-shared-key\"<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>Starting the Service and Troubleshooting<\/h2>\n<p>The server should now be ready to create a site-to-site VPN tunnel. If you are managing siteB as well, please make sure that you have configured the siteB server with the necessary parameters. For Red Hat based systems, please make sure that you add the service to the startup sequence using the <tt>chkconfig<\/tt> command.<\/p>\n<div class=\"console\"># \/etc\/init.d\/ipsec restart<\/div>\n<p>If there are no errors on both end servers, the tunnel should be up now. With the following in mind, you can test the tunnel with the <tt>ping<\/tt> command.<\/p>\n<ol>\n<li>The siteB-private subnet should not be reachable from site A, i.e., <tt>ping<\/tt> should not work if the tunnel is not up.<\/li>\n<li>After the tunnel is up, try <tt>ping<\/tt> to siteB-private-subnet from siteA. 
This should work.<\/li>\n<\/ol>\n<p>Also, the route to the destination&#8217;s private subnet should appear in the server&#8217;s routing table.<\/p>\n<div class=\"console\"># ip route<\/div>\n<pre>[siteB-private-subnet] via [siteA-gateway] dev eth0 src [siteA-public-IP]\r\ndefault via [siteA-gateway] dev eth0\r\n<\/pre>\n<p>Additionally, we can check the status of the tunnel using the following useful commands. A working IKEv1 tunnel shows two states per connection: an ISAKMP SA (phase 1, <tt>STATE_MAIN_I4<\/tt> on the initiator or <tt>STATE_MAIN_R3<\/tt> on the responder) and an IPsec SA (phase 2, <tt>STATE_QUICK_I2<\/tt> or <tt>STATE_QUICK_R2<\/tt>). If only the ISAKMP SA appears, the peers authenticated each other but phase 2 failed, usually because the subnets or the ESP algorithms do not match.<\/p>\n<div class=\"console\"># service ipsec status<\/div>\n<pre>IPsec running  - pluto pid: 20754\r\npluto pid 20754\r\n<b>1 tunnels up<\/b>\r\nsome eroutes exist\r\n<\/pre>\n<div class=\"console\"># ipsec auto --status<\/div>\n<pre>## output truncated ##\r\n000 \"demo-connection-debian\":     myip=&lt;siteA-public-IP&gt;; hisip=unset;\r\n000 \"demo-connection-debian\":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes\r\n000 \"demo-connection-debian\":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;\r\n\r\n## output truncated ##\r\n000 #184: \"demo-connection-debian\":500 <b>STATE_QUICK_R2 (IPsec SA established);<\/b> EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set\r\n\r\n## output truncated ##\r\n000 #183: \"demo-connection-debian\":500 <b>STATE_MAIN_I4 (ISAKMP SA established);<\/b> EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set\r\n<\/pre>\n<p>The log file <tt>\/var\/log\/pluto.log<\/tt> should also contain useful information regarding authentication, key exchanges and the different phases of the tunnel. If your tunnel doesn&#8217;t come up, check there as well.<\/p>\n<p>If you are sure that all the configuration is correct, and your tunnel is still not coming up, you should check the following things.<\/p>\n<ol>\n<li>Many ISPs filter IPsec traffic. Make sure that UDP 500, UDP 4500 and ESP (IP protocol 50) are allowed by your ISP. 
Since IKE and NAT-T run over UDP, <tt>telnet<\/tt> cannot test them; probe the ports from outside with a UDP scan such as <tt>nmap -sU -p 500,4500 siteA-public-IP<\/tt>, and run <tt>ipsec verify<\/tt> on the server to check the local setup.<\/li>\n<li>Make sure that the necessary ports are allowed in the firewall of the server\/s.<\/li>\n<li>Make sure that the pre-shared keys are identical on both end servers.<\/li>\n<li>The left and right parameters should be mirrored on both end servers: each side&#8217;s left is the other side&#8217;s right.<\/li>\n<li>If <tt>pluto.log<\/tt> reports <tt>NO_PROPOSAL_CHOSEN<\/tt>, the two ends share no IKE or ESP algorithm; make the <tt>ike=<\/tt> and <tt>esp=<\/tt> (or <tt>phase2alg=<\/tt>) lines match.<\/li>\n<li>If you are facing problems with NAT, try using SNAT instead of MASQUERADE.<\/li>\n<\/ol>\n<p>To sum up, this tutorial focused on the procedure of creating a site-to-site IPsec VPN tunnel in Linux using Openswan. VPN tunnels are very useful in enhancing security as they allow admins to make critical resources available only through the tunnels. VPN tunnels also ensure that data in transit is protected from eavesdropping and tampering.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to create a site-to-site IPsec VPN tunnel using Ope &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/tbex.idv.tw\/wordpress_G2\/blog\/2015\/08\/16\/note-site-to-site-vpn\/\" class=\"more-link\">Read the full article<span class=\"screen-reader-text\">\u3008[note] site to site 
VPN\u3009<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[13],"tags":[],"class_list":["post-27","post","type-post","status-publish","format-standard","hentry","category-geek"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6xFwC-r","_links":{"self":[{"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/posts\/27","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/comments?post=27"}],"version-history":[{"count":1,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/posts\/27\/revisions"}],"predecessor-version":[{"id":28,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/posts\/27\/revisions\/28"}],"wp:attachment":[{"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/media?parent=27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/categories?post=27"},{"taxonomy":"pos
t_tag","embeddable":true,"href":"https:\/\/tbex.idv.tw\/wordpress_G2\/wp-json\/wp\/v2\/tags?post=27"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
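The checks a practitioner wants after the "Starting the Service and Troubleshooting" steps of the article above, as an added example that is not part of the original article or of Openswan: a small POSIX shell script that (1) reads `ipsec auto --status` output and classifies a connection as up, phase1-only or down, (2) flags `ike=`, `esp=` and `phase2alg=` lines in an `ipsec.conf` that still use 3DES, single DES, MD5 or a small DH group, and (3) lists `conn` sections that set no `ike=` line at all. It assumes IKEv1 main-mode state names as they appear in the article's output (`STATE_MAIN_I4`/`STATE_MAIN_R3`, `STATE_QUICK_I2`/`STATE_QUICK_R2`); the sample status and configuration are constructed for the example, and the `site-c` and `hardened` connections are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article or from Openswan): offline checks
# for an Openswan site-to-site tunnel, run here against constructed samples.
#
#   tunnel_state NAME   reads "ipsec auto --status" on stdin, prints
#                       up / phase1-only / down for connection NAME
#   weak_algs           reads ipsec.conf on stdin, prints ike=/esp=/phase2alg=
#                       lines using 3DES, single DES, MD5, modp768 or modp1024
#   conns_without_ike   reads ipsec.conf on stdin, names every conn with no
#                       ike= line (pluto would negotiate its built-in defaults)
#
# Assumption: IKEv1 main mode, so an established ISAKMP SA shows as
# STATE_MAIN_I4 (initiator) or STATE_MAIN_R3 (responder) and an established
# IPsec SA as STATE_QUICK_I2 or STATE_QUICK_R2. Aggressive mode (STATE_AGGR_*)
# and IKEv2 state names are not recognised.

# Constructed sample: the article's truncated status lines for
# demo-connection-debian plus a hypothetical "site-c" stuck after phase 1.
SAMPLE_STATUS='000 "demo-connection-debian":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 "site-c":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
000 #190: "site-c":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2000s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set'

# Constructed sample ipsec.conf: two conns in the old 3des-md5 style and one
# hardened conn (hypothetical names).
SAMPLE_CONF='config setup
        protostack=netkey
        nat_traversal=yes
        oe=off

conn demo-connection-redhat
        authby=secret
        auto=start
        ike=3des-md5
        keyexchange=ike
        phase2=esp
        phase2alg=3des-md5
        pfs=yes
        type=tunnel

conn demo-connection-debian
        authby=secret
        auto=start
        keyexchange=ike
        esp=3des-md5
        pfs=yes
        type=tunnel

conn hardened
        authby=secret
        auto=start
        ike=aes256-sha2_256;modp2048
        esp=aes256-sha2_256
        pfs=yes
        type=tunnel'

tunnel_state() {
    name=$1
    status=$(cat)
    # Count established ISAKMP (phase 1) and IPsec (phase 2) SAs for this conn.
    ike=$(printf '%s\n' "$status" \
        | grep -c "\"$name\":500 STATE_MAIN_[IR][34] (ISAKMP SA established)" || true)
    esp=$(printf '%s\n' "$status" \
        | grep -c "\"$name\":500 STATE_QUICK_[IR]2 (IPsec SA established)" || true)
    if [ "$ike" -gt 0 ] && [ "$esp" -gt 0 ]; then
        echo up
    elif [ "$ike" -gt 0 ]; then
        echo phase1-only   # peers authenticated, but no traffic can flow yet
    else
        echo down
    fi
}

weak_algs() {
    # Keep only algorithm lines, strip indentation, then flag the weak ones.
    grep -E '^[[:space:]]*(ike|esp|phase2alg)=' \
        | sed 's/^[[:space:]]*//' \
        | grep -Ei '3des|=des-|md5|modp768|modp1024' || true
}

conns_without_ike() {
    # Track each "conn" block; report it when the block ends with no ike= seen.
    awk '
        function report() { if (inconn && !seen) print name; inconn = 0 }
        /^conn[[:space:]]+/            { report(); name = $2; inconn = 1; seen = 0; next }
        /^(config|include)[[:space:]]/ { report(); next }
        inconn && /^[[:space:]]+ike=/  { seen = 1 }
        END                            { report() }
    '
}

# Usage on the samples; on a live gateway use:  ipsec auto --status | tunnel_state demo-connection-debian
printf '%s\n' "$SAMPLE_STATUS" | tunnel_state demo-connection-debian   # up
printf '%s\n' "$SAMPLE_STATUS" | tunnel_state site-c                   # phase1-only
printf '%s\n' "$SAMPLE_CONF" | weak_algs                               # the three 3des-md5 lines
printf '%s\n' "$SAMPLE_CONF" | conns_without_ike                       # demo-connection-debian
```

A "phase1-only" result is the case the article's troubleshooting list does not separate out: the PSK and firewall are fine, and the problem is in the phase 2 parameters (subnets or ESP algorithms) rather than in reachability or authentication. Run `weak_algs` and `conns_without_ike` against `/etc/ipsec.conf` on both gateways before bringing the tunnel up.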