Set up a peer-to-peer IPsec VPN tunnel (transport mode) on Debian
IPsec secures traffic at the IP layer of Internet communications. This howto creates an encrypted and authenticated tunnel (IPsec transport mode, host to host) securing all communications between two hosts.
This howto is tested on:
- Debian 7.0 Wheezy
Parameters
Provide the IP address of the remote peer:
REMOTE_IP="xx.xx.xx.xx"
Provide the name of the local network interface connected to the remote peer's network (used to detect the local IP address):
LOCAL_INET="eth0"
Provide the hmac-md5 authentication keys for the AH protocol (optional; 128 bits each). LR is the local-to-remote direction and RL the remote-to-local one, so a peer's LR key must equal the other peer's RL key:
# AH_KEY_LR="0x70f83693013f5b12b30a893dce771198"
# AH_KEY_RL="0x70f83693013f5b12b30a893dce771198"
Provide the Security Parameter Indexes (SPI) for the AH protocol, one per direction (optional, must be shared between the two peers in the same swapped way as the keys):
# AH_SPI_LR="15700"
# AH_SPI_RL="24500"
Provide the 3des-cbc encryption keys for the ESP protocol (optional; 192 bits each, shared between the two peers in the same way as the AH keys):
# ESP_KEY_LR="0xb2dd4108a04b0c7dd087f1dd169036565ce4d7cb3549ed92"
# ESP_KEY_RL="0xb2dd4108a04b0c7dd087f1dd169036565ce4d7cb3549ed92"
Provide the Security Parameter Indexes (SPI) for the ESP protocol, one per direction (optional, must be shared between the two peers):
# ESP_SPI_LR="15701"
# ESP_SPI_RL="24501"
Installation
Detect the local peer IP address (the address bound to ${LOCAL_INET}), unless LOCAL_IP was provided explicitly; the sed expression parses the "inet addr:" line printed by the net-tools ifconfig shipped with Wheezy:
if [ -z "${LOCAL_IP}" ]; then
LOCAL_IP="$(command ifconfig "${LOCAL_INET}" \
| command grep 'inet ' \
| command sed -e 's/^.*inet [^:]*:\([^ ]*\) .*$/\1/')"
fi
Generate the hmac-md5 authentication keys for the AH protocol (16 random bytes each, i.e. 128 bits), if none were provided:
if [ -z "${AH_KEY_RL}" -a -z "${AH_KEY_LR}" ]; then
AH_KEY_RL="0x$(command hexdump -n 16 -e '1/1 "%02x"' /dev/urandom)"
AH_KEY_LR="0x$(command hexdump -n 16 -e '1/1 "%02x"' /dev/urandom)"
fi
Generate the Security Parameter Indexes for the AH protocol, if none were provided. SPI values below 256 are reserved, so the result lies in 256..63743 (${RANDOM} requires bash):
if [ -z "${AH_SPI_RL}" -a -z "${AH_SPI_LR}" ]; then
AH_SPI_RL="$((((${RANDOM} + ${RANDOM}) % 63488) + 256))"
AH_SPI_LR="$((((${RANDOM} + ${RANDOM}) % 63488) + 256))"
fi
Generate the 3des-cbc encryption keys for the ESP protocol (24 random bytes each, i.e. 192 bits), if none were provided:
if [ -z "${ESP_KEY_RL}" -a -z "${ESP_KEY_LR}" ]; then
ESP_KEY_RL="0x$(command hexdump -n 24 -e '1/1 "%02x"' /dev/urandom)"
ESP_KEY_LR="0x$(command hexdump -n 24 -e '1/1 "%02x"' /dev/urandom)"
fi
Generate the Security Parameter Indexes for the ESP protocol, if none were provided (same range as for AH):
if [ -z "${ESP_SPI_RL}" -a -z "${ESP_SPI_LR}" ]; then
ESP_SPI_RL="$((((${RANDOM} + ${RANDOM}) % 63488) + 256))"
ESP_SPI_LR="$((((${RANDOM} + ${RANDOM}) % 63488) + 256))"
fi
Compute the configuration file name (the setkey init script loads every *.conf file of /etc/ipsec-tools.d/ after /etc/ipsec-tools.conf; the dots of the remote address are replaced by dashes):
CONFIG_FILE="/etc/ipsec-tools.d/transport-${REMOTE_IP//\./-}.conf"
Environment preparation
Install the needed software:
command apt-get install ipsec-tools
Tunnel setup
Uncomment the flush and spdflush statements of /etc/ipsec-tools.conf, so that stale security associations and policies are cleared every time the configuration is loaded:
command sed -i \
-e 's/# flush/flush/' \
-e 's/# spdflush/spdflush/' \
'/etc/ipsec-tools.conf'
Initialize the IPsec configuration file with its setkey header line (printf with single quotes avoids the history expansion of the ! character in interactive shells):
printf '#!/usr/sbin/setkey\n\n' > "${CONFIG_FILE}"
Set up the AH security associations, one per direction:
echo "
# AH SAs using 128 bit long keys
add ${REMOTE_IP} ${LOCAL_IP} ah ${AH_SPI_RL} -A hmac-md5 ${AH_KEY_RL};
add ${LOCAL_IP} ${REMOTE_IP} ah ${AH_SPI_LR} -A hmac-md5 ${AH_KEY_LR};
" >> "${CONFIG_FILE}"
Set up the ESP security associations, one per direction:
echo "
# ESP SAs using 192 bit long keys (168 + 24 parity)
add ${REMOTE_IP} ${LOCAL_IP} esp ${ESP_SPI_RL} -E 3des-cbc ${ESP_KEY_RL};
add ${LOCAL_IP} ${REMOTE_IP} esp ${ESP_SPI_LR} -E 3des-cbc ${ESP_KEY_LR};
" >> "${CONFIG_FILE}"
Set up the security policies requiring both ESP and AH in transport mode for all traffic between the two hosts, outbound and inbound:
echo "# Tunnel setup
spdadd ${LOCAL_IP} ${REMOTE_IP} any -P out ipsec esp/transport//require ah/transport//require;
spdadd ${REMOTE_IP} ${LOCAL_IP} any -P in ipsec esp/transport//require ah/transport//require;
" >> "${CONFIG_FILE}"
Restrict access to the configuration file, since it contains the keys in clear:
command chmod 750 "${CONFIG_FILE}"
Start the tunnel:
/etc/init.d/setkey start
Remote peer setup
Run the same installation steps on the remote peer, using the parameters printed by the following command (every local/remote value is swapped, and LOCAL_IP is given explicitly so that no interface detection is needed):
echo "# Remote peer setup parameters:
REMOTE_IP='${LOCAL_IP}'
LOCAL_IP='${REMOTE_IP}'
AH_KEY_RL='${AH_KEY_LR}'
AH_KEY_LR='${AH_KEY_RL}'
AH_SPI_RL='${AH_SPI_LR}'
AH_SPI_LR='${AH_SPI_RL}'
ESP_KEY_RL='${ESP_KEY_LR}'
ESP_KEY_LR='${ESP_KEY_RL}'
ESP_SPI_RL='${ESP_SPI_LR}'
ESP_SPI_LR='${ESP_SPI_RL}'
"
Once the remote peer is configured, the communications between the two hosts are encrypted and authenticated.
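The steps above write the setkey file by hand and print the swapped parameters for the remote peer; the following script is an added example (not part of the howto) that does the same from functions, so that both peers' files can be generated and checked before anything is loaded into the kernel. It validates that each key has the length setkey expects (128 bits for hmac-md5, 192 bits for 3des-cbc) and that each SPI is a usable number, and it produces the remote peer's file by the same LR/RL swap the howto prints. It runs unprivileged, writes nothing under /etc and never calls setkey; the function names and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the example.

```shell
#!/bin/sh
# Added example, not the howto's own script: build the setkey configuration
# for both peers from one parameter set, validating key and SPI sizes first.
# Function names and the 192.0.2.x addresses are constructed for this example.

# Random key of N bytes as a 0x-prefixed hex string (od is POSIX, hexdump is not).
ipsec_random_key() {
    printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# Random SPI in 256..63743: SPI values 0 to 255 are reserved (RFC 4302/4303).
ipsec_random_spi() {
    n=$(od -An -tu2 -N2 /dev/urandom | tr -d ' \n')
    echo $(( (n % 63488) + 256 ))
}

# Succeed only if KEY is 0x-prefixed hex of exactly BITS bits; setkey rejects
# hmac-md5 keys that are not 128 bits and 3des-cbc keys that are not 192 bits.
ipsec_check_key() {
    key=$1; bits=$2
    case "$key" in 0x*) ;; *) return 1 ;; esac
    hex=${key#0x}
    [ "${#hex}" -eq $((bits / 4)) ] || return 1
    [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
}

# Succeed only if SPI is a decimal integer outside the reserved 0..255 range
# and within the 32-bit SPI field.
ipsec_check_spi() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 256 ] && [ "$1" -le 4294967295 ]
}

# Print the setkey transport-mode configuration as seen from LOCAL, talking to REMOTE.
# Usage: ipsec_transport_conf LOCAL REMOTE AH_SPI_LR AH_SPI_RL AH_KEY_LR AH_KEY_RL \
#                             ESP_SPI_LR ESP_SPI_RL ESP_KEY_LR ESP_KEY_RL
# LR is the local-to-remote direction and RL the remote-to-local one, as in the howto.
ipsec_transport_conf() {
    local_ip=$1 remote_ip=$2
    ah_spi_lr=$3 ah_spi_rl=$4 ah_key_lr=$5 ah_key_rl=$6
    esp_spi_lr=$7 esp_spi_rl=$8 esp_key_lr=$9 esp_key_rl=${10}
    for spi in "$ah_spi_lr" "$ah_spi_rl" "$esp_spi_lr" "$esp_spi_rl"; do
        ipsec_check_spi "$spi" || { echo "bad SPI: $spi" >&2; return 1; }
    done
    for key in "$ah_key_lr" "$ah_key_rl"; do
        ipsec_check_key "$key" 128 || { echo "bad AH key, 128 bits needed" >&2; return 1; }
    done
    for key in "$esp_key_lr" "$esp_key_rl"; do
        ipsec_check_key "$key" 192 || { echo "bad ESP key, 192 bits needed" >&2; return 1; }
    done
    # "-f" lets the file also be run directly, as Debian's /etc/ipsec-tools.conf does.
    cat <<EOF
#!/usr/sbin/setkey -f
# AH SAs using 128 bit long keys
add ${remote_ip} ${local_ip} ah ${ah_spi_rl} -A hmac-md5 ${ah_key_rl};
add ${local_ip} ${remote_ip} ah ${ah_spi_lr} -A hmac-md5 ${ah_key_lr};
# ESP SAs using 192 bit long keys (168 + 24 parity)
add ${remote_ip} ${local_ip} esp ${esp_spi_rl} -E 3des-cbc ${esp_key_rl};
add ${local_ip} ${remote_ip} esp ${esp_spi_lr} -E 3des-cbc ${esp_key_lr};
# Policies: all traffic between the peers must carry ESP and AH in transport mode
spdadd ${local_ip} ${remote_ip} any -P out ipsec esp/transport//require ah/transport//require;
spdadd ${remote_ip} ${local_ip} any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# The same tunnel seen from the other peer: swap the addresses and every LR/RL
# pair, which is exactly the parameter swap the howto prints for the remote peer.
ipsec_peer_transport_conf() {
    ipsec_transport_conf "$2" "$1" "$4" "$3" "$6" "$5" "$8" "$7" "${10}" "$9"
}

# Demo: generate one fresh parameter set and print both peers' files.
ipsec_demo() {
    set -- 192.0.2.1 192.0.2.2 "$(ipsec_random_spi)" "$(ipsec_random_spi)" \
        "$(ipsec_random_key 16)" "$(ipsec_random_key 16)" \
        "$(ipsec_random_spi)" "$(ipsec_random_spi)" \
        "$(ipsec_random_key 24)" "$(ipsec_random_key 24)"
    echo "### local peer (192.0.2.1)";  ipsec_transport_conf "$@"
    echo "### remote peer (192.0.2.2)"; ipsec_peer_transport_conf "$@"
}
ipsec_demo
```

Comparing the two generated files shows the invariant to check when something does not work: every "add" line is identical on both peers (an SA is described by its source, destination, SPI and key, whichever side you look from), only the "spdadd" policies change direction. After loading a file with /etc/init.d/setkey start, "setkey -D" lists the installed SAs and "setkey -DP" the policies, which is the quickest way to confirm both peers agree. Keep in mind that this is manual keying: the SAs never rekey on their own, so rotating the keys means generating a new parameter set and reloading it on both peers.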
Thanks
- Thanks to GuiguiAbloc (fr) for Cluster Haute-Disponibilité chez OVH, avec IpFailover, Heartbeat et DRBD via IPSEC (fr).
- Thanks to IPSecHowTo (en) authors in Ubuntu documentation (en).