After spending far too long looking for something up to date on host-to-host IPsec on Linux, I decided to write up what worked, in the hope it is useful to other people in the same situation.
Setting up a host-to-host IPsec connection between two or more Ubuntu hosts isn't always a simple process. We want to protect all the traffic between two hosts, and for this tutorial we will use what I consider the simplest method: pre-shared keys (PSK) for authentication.
Remember that we're building a transport-mode IPsec connection, not a network-to-network tunnel; we only want two or more hosts to talk to each other over an encrypted and authenticated channel.
Why would you want IPsec running inside your own network? Possible use cases include:
- You want to stop anyone sniffing the wire from reading the traffic between the hosts
- Governance or compliance reasons require two hosts to communicate securely
- You want assurance that the TCP and UDP traffic between two or more hosts is not being tampered with (ESP provides integrity as well as confidentiality)
For this tutorial I will assume the following:
- You have at least two Ubuntu 14.04 hosts between which you want to encrypt traffic (named Red and Blue in these examples)
- The hosts can reach each other directly, with no NAT in between (transport mode and NAT do not mix well, and NAT traversal adds complexity to a setup like this)
- You want a comparatively quick and easy IPsec configuration, so you will use pre-shared keys (PSK) for authentication
- You want some assurance about the cryptography, so ESP will use AES-GCM, an authenticated cipher from the NSA Suite B set
In my example the two servers look like this. They don't have to be on the same subnet, but as mentioned above this method will not work through NAT.
Red Server IP 192.168.100.100/24
Blue Server IP 192.168.100.200/24
Instructions – Red Server
First SSH onto the Red server as normal and install the following packages:
apt-get install ipsec-tools strongswan-starter
(strongSwan doesn't need ipsec-tools itself, but its setkey -D command is handy for dumping the kernel's security association database later.)
Now we need to create the connection definition that strongSwan will turn into kernel policies, so edit the IPsec configuration file on Red:
nano /etc/ipsec.conf
and append the following at the end of the file, substituting the addresses from your own network. Every line under the conn line must be indented (spaces or a tab); the parser rejects the file otherwise:
conn red-to-blue
    # authenticate the peer with the PSK from ipsec.secrets
    authby=secret
    # install the policy at start; IKE runs when matching traffic appears
    auto=route
    # accept IKEv1 or IKEv2; set keyexchange=ikev2 to refuse IKEv1
    keyexchange=ike
    left=192.168.100.100
    right=192.168.100.200
    # transport mode: protect traffic between these two hosts, no tunnel
    type=transport
    # AES-128-GCM with a 16-byte ICV; the '!' forbids the peer from negotiating anything else
    esp=aes128gcm16!
Note that esp= only pins the ESP proposal: the IKE SA itself uses strongSwan's default proposals unless you also set ike=, and because no DH group is listed in esp= there is no perfect forward secrecy when the child SA rekeys.
Now create the file which holds the PSKs:
nano /etc/ipsec.secrets
and populate it like the following with your own IP details. Each element in this file must be separated by a space, NOT a tab. The PSK is the only thing authenticating the peer, so use a long random secret rather than a password, keep the file readable only by root, and use the identical line on both hosts:
192.168.100.100 192.168.100.200 : PSK "Your password here!"
Let's restart IPsec:
ipsec restart
You should see something like the following:
Stopping strongSwan IPsec…
Starting strongSwan 5.1.2 IPsec [starter]…
If you run:
ipsec statusall
you should see something like the following, which means the connection is loaded, routed and waiting for traffic. No security association is up yet, and that is expected: with auto=route charon installs the policy and only negotiates the SA when traffic matches it.
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
uptime: 98 seconds, since Jun 05 19:34:12 2015
malloc: sbrk 1486848, mmap 0, used 318864, free 1167984
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
192.168.100.100
Connections:
red-to-blue: 192.168.100.100…192.168.100.200 IKEv1/2
red-to-blue: local: [192.168.100.100] uses pre-shared key authentication
red-to-blue: remote: [192.168.100.200] uses pre-shared key authentication
red-to-blue: child: dynamic === dynamic TRANSPORT
Routed Connections:
red-to-blue{1}: ROUTED, TRANSPORT
red-to-blue{1}: 192.168.100.100/32 === 192.168.100.200/32
Security Associations (0 up, 0 connecting):
none
Instructions – Blue Server
SSH onto this server as usual and repeat the steps from the Red server; apart from the connection name and the swapped IP addresses the configuration is identical.
Make sure the necessary packages are installed:
apt-get install ipsec-tools strongswan-starter
Edit ipsec.conf again:
nano /etc/ipsec.conf
and append the following. The left and right addresses are swapped relative to the Red server, because left is always the local host and right the peer:
conn blue-to-red
    authby=secret
    auto=route
    keyexchange=ike
    # left is this host (Blue), right is the peer (Red)
    left=192.168.100.200
    right=192.168.100.100
    type=transport
    # must match the ESP proposal on Red
    esp=aes128gcm16!
Now create the file which holds the PSKs:
nano /etc/ipsec.secrets
and populate it with exactly the same line as on Red (same addresses, same secret, space-separated, not tab-separated), again keeping the file readable only by root:
192.168.100.100 192.168.100.200 : PSK "Your password here!"
Let's restart IPsec:
ipsec restart
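The two hosts above are configured by hand, with a human-chosen PSK. The script below is an added example, not part of the original post, that does the same job for one host of the pair: it generates a 256-bit random PSK from /dev/urandom, renders the conn section and the secrets line, and writes the secrets file with root-only permissions. The proposals it pins are my choice rather than the post's (ike= restricted to AES-128-GCM with SHA-256 PRF and the P-256 ECDH group, and ecp256 in esp= so child-SA rekeys get PFS); ecp256 requires charon's openssl plugin, which the status output above lists as loaded. The CONF_DIR override is an assumption for testing; the default is /etc.

```shell
#!/bin/sh
# Added example (not from the original post): render the strongSwan
# transport-mode configuration for one host of the Red/Blue pair and
# generate a random PSK instead of a human-chosen password.
# Assumptions: strongSwan 5.x ipsec.conf syntax; openssl plugin loaded
# (needed for ecp256); CONF_DIR overrides /etc for testing.

set -eu

# 256 bits from the kernel CSPRNG, hex-encoded (64 characters). The PSK
# is the only thing authenticating the peer, so it must not be guessable.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Render the conn section. $1=conn name $2=local IP $3=remote IP
# Both proposals end in '!' so the peer cannot fall back to strongSwan's
# broader defaults; ecp256 in esp= turns on PFS for child-SA rekeying.
render_conn() {
    cat <<EOF
conn $1
    keyexchange=ikev2
    authby=secret
    auto=route
    type=transport
    left=$2
    right=$3
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16-ecp256!
EOF
}

# One ipsec.secrets line: fields are space-separated, never tab-separated.
# $1=local IP $2=remote IP $3=PSK
render_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Append both files. $1=conn name $2=local IP $3=remote IP $4=PSK
install_config() {
    dir="${CONF_DIR:-/etc}"
    render_conn "$1" "$2" "$3" >> "$dir/ipsec.conf"
    umask 077   # ipsec.secrets holds the key: root-only from the moment it exists
    render_secret "$2" "$3" "$4" >> "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
}

# Usage on Red (as root):
#   PSK=$(gen_psk)
#   install_config red-to-blue 192.168.100.100 192.168.100.200 "$PSK"
# then carry the same $PSK to Blue and run it there with the addresses
# swapped: install_config blue-to-red 192.168.100.200 192.168.100.100 "$PSK"
```

Run it on Red first, copy the generated secret to Blue over an already-trusted channel (SSH, not a chat message), and run it there with the addresses swapped; then ipsec restart on both hosts as in the post.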
Testing our Tunnel
On the Red server start a ping with a large payload and leave it running (the large packets make the byte counters move visibly):
ping -s 4048 192.168.100.200
On the Blue server run the following:
watch ipsec statusall
The packet and byte counters on the child SA should climb in step with the ping; that shows the traffic is going through the security association rather than around it.
Alternatively, watch for ESP packets on the wire:
tcpdump -n esp
If tcpdump shows plain ICMP echo requests instead of ESP, the policy is not in place: check that charon is running and that ipsec statusall shows the connection as routed.
Congratulations, you now have a host-to-host VPN up and working on Ubuntu!
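One caveat the tests above don't cover: the kernel policy only exists while charon is running. After ipsec stop (which the troubleshooting advice in the comments suggests for diagnosing reachability) the same ping goes out in the clear, and nothing warns you. The script below is an added example, not part of the original post, that makes the setup fail closed with iptables: it accepts IKE and ESP from the peer plus any packet that arrived (or will leave) inside a transport-mode ESP SA, matched with the xt_policy module, and drops everything else to or from that address. The interface-agnostic rule set and the 4500/udp entry (NAT-T, harmless here) are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that only
# allow traffic with the IPsec peer when it is protected by ESP, so a
# stopped or broken strongSwan does not silently fall back to cleartext.
# Assumptions: Linux iptables with the 'policy' match (stock Ubuntu
# kernels ship xt_policy); the caller passes the peer's IPv4 address.

set -eu

# Minimal check on a dotted-quad address before it is placed in a rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rules for one peer, one per line without the 'iptables'
# prefix, so they can be reviewed (or tested) before being applied.
# Order matters: the DROP at the end of each chain is the fail-closed part.
ipsec_only_rules() {
    peer=$1
    cat <<EOF
-A INPUT -s $peer -p udp --dport 500 -j ACCEPT
-A INPUT -s $peer -p udp --dport 4500 -j ACCEPT
-A INPUT -s $peer -p esp -j ACCEPT
-A INPUT -s $peer -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
-A INPUT -s $peer -j DROP
-A OUTPUT -d $peer -p udp --dport 500 -j ACCEPT
-A OUTPUT -d $peer -p udp --dport 4500 -j ACCEPT
-A OUTPUT -d $peer -p esp -j ACCEPT
-A OUTPUT -d $peer -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
-A OUTPUT -d $peer -j DROP
EOF
}

# Apply the rules (must run as root). Rejects anything that is not a
# plain IPv4 address so nothing unexpected reaches the iptables command line.
apply_ipsec_only() {
    valid_ipv4 "$1" || { echo "bad peer address: $1" >&2; return 1; }
    ipsec_only_rules "$1" | while read -r rule; do
        # word-splitting of $rule is intended here
        iptables $rule
    done
}

# Usage on Red: apply_ipsec_only 192.168.100.200
# Usage on Blue: apply_ipsec_only 192.168.100.100
```

With these rules in place, repeating the ipsec stop test gives a ping that times out instead of one that quietly succeeds in cleartext, which is the behaviour you want from a link that exists to stop sniffing.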
Update 17 July 2015 – Fixed the indentations on the ipsec.conf examples.
29 Comments
Hi, thanks for this article! I am trying to configure a host2host VPN, and tried to follow your steps. In the first step, after editing the ipsec.conf and ipsec.secrets and restarting I get this message:
Stopping strongSwan IPsec…
Starting strongSwan 5.3.2 IPsec [starter]…
/etc/ipsec.conf:9: syntax error, unexpected STRING [authby]
invalid config file ‘/etc/ipsec.conf’
unable to start strongSwan — fatal errors in config
Can you please help me out. Thanks!
Hi Sharat,
Happy to help how I can, and I must apologise, the code snippets on this post are not correct. The syntax in the ipsec.conf file should be indented for everything under the “conn” section.
When I copied and pasted from the original post I got the same errors as yourself, but it looks like it’s working great now.
I’ve updated the main post if you could test again for me? But thanks for commenting!
Gyp
Yeah, I figured that out, but now I have a new problem: for some reason the ipsec statusall command on the red server doesn't work. The version of strongSwan I am using is Linux strongSwan U5.1.2/K3.13.0-32-lowlatency.
Thinking out loud, could it be possible you've not run "ipsec restart"? The other thing I'd try is something like "ipsec route blue-to-red", or whichever name you've given it. Although I dare say a reboot could help too 🙂
Reinstalling Strongswan worked. Doing ipsec statusall on the RED works, but doesn’t show any connections. Connections are shown on BLUE.
Okay ..finally succeeded.. 😀
Problem was there were two different ipsec.conf files on the RED server. they were located in different locations.
/usr/etc/ipsec.conf
/etc/ipsec.conf
I was accessing the second file and the changes were not taking effect. I changed the first file and voila, ipsec statusall was displaying the connections!
Ping worked too, but I was able to test the connection only once; the other BLUE server was unreachable later and I wasn't able to SSH into it. Any thoughts on this? Did the VPN affect it in any way? THANKS!!!!!
Hi Sarat,
Glad you managed to get it working!
That’s really quite strange, what version of Ubuntu are you using and are you logged on as root? The handful of times I’ve done this I’ve never seen the ipsec.conf file be anywhere else other than in etc, so I’m a little confused too 🙂
But again glad you got it working and thanks for the help tidying up the configs on the post.
Gyp
Okay, I was able to run the blue server, but on the red server the ipsec statusall command outputs nothing…
I don't know what the problem is…
Thanks for your article..It is so much simpler than the other articles on Host2host configuration.. Now i am trying to implement certificate based authentication. Can you post another article dealing with certificates in strongswan…it would be great! 😀
Hi Sarat,
I know it was a few months ago now, but if you’re still interested in certificate based authentication I’ve written a tutorial here:
https://www.gypthecat.com/easyish-ipsec-vpn-with-shared-ecdsa-certificates-for-host-to-host-connections
Gyp
Great! Thanks for the article! Love your website! 😀
[…] one of my recent tutorials about a host to host Linux VPN this post is a how to create a host to host VPN between Windows 2012 and Ubuntu 14.04. […]
Hello, I have followed the steps.
I connected both sides using ipsec start and it connected successfully,
but ESP packets are not seen in the tcpdump -f esp output or in watch ipsec statusall.
root@phyCORE-AM335x:/sbin ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2, Linux 3.2.0-PD13.1.2, armv7l):
uptime: 8 minutes, since Jan 01 00:41:38 1970
malloc: sbrk 405504, mmap 0, used 94048, free 311456
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon curl aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.82.99
192.168.4.11
Connections:
host-host: 192.168.82.99…192.168.82.111 IKEv1/2
host-host: local: [192.168.82.99] uses pre-shared key authentication
host-host: remote: [192.168.82.111] uses pre-shared key authentication
host-host: child: dynamic === dynamic TRANSPORT
Security Associations (0 up, 0 connecting):
none
Hello Hardik,
Can you try:
ipsec up [name of tunnel]
ping 192.168.4.11
And if it still doesn’t come up:
ipsec restart
And then:
ipsec listall
And we shall see what we can sort out 🙂
Gyp
Doesn’t work still
CPU7501#~ipsec up host-host
initiating IKE_SA host-host[3] to 192.168.100.111
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
retransmit 2 of request with message ID 0
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
retransmit 3 of request with message ID 0
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
retransmit 4 of request with message ID 0
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
retransmit 5 of request with message ID 0
sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
giving up after 5 retransmits
peer not responding, trying again (2/3)
CPU6501#ipsec listall
List of registered IKEv2 Algorithms:
encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
integrity: AES_XCBC_96[xcbc] AES_CMAC_96[cmac] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac]
HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac]
HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
aead:
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
prf: PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
PRF_HMAC_SHA2_512[hmac]
dh-group: MODP_2048[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_1536[gmp] MODP_3072[gmp] MODP_4096[gmp]
MODP_6144[gmp] MODP_8192[gmp] MODP_1024[gmp] MODP_1024_160[gmp] MODP_768[gmp] MODP_CUSTOM[gmp]
random-gen: RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
List of loaded Plugins:
charon:
CUSTOM:libcharon
NONCE_GEN
CUSTOM:libcharon-receiver
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
CUSTOM:libcharon-receiver
HASHER:HASH_SHA1
RNG:RNG_STRONG
CUSTOM:socket
curl:
FETCHER:file://
FETCHER:http://
FETCHER:https://
FETCHER:ftp://
aes:
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
des:
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
sha1:
HASHER:HASH_SHA1
PRF:PRF_KEYED_SHA1
sha2:
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
md5:
HASHER:HASH_MD5
random:
RNG:RNG_STRONG
RNG:RNG_TRUE
nonce:
NONCE_GEN
RNG:RNG_WEAK
x509:
CERT_ENCODE:X509
HASHER:HASH_SHA1
CERT_DECODE:X509
HASHER:HASH_SHA1
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
CERT_ENCODE:X509_AC
CERT_DECODE:X509_AC
CERT_ENCODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_ENCODE:X509_OCSP_REQUEST
HASHER:HASH_SHA1
RNG:RNG_WEAK
CERT_DECODE:X509_OCSP_RESPONSE
CERT_ENCODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
revocation:
constraints:
pubkey:
CERT_ENCODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
pkcs1:
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
pkcs8:
PRIVKEY:RSA
PRIVKEY:ECDSA
pgp:
PRIVKEY:ANY
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
CERT_DECODE:PGP
dnskey:
PUBKEY:ANY
PUBKEY:RSA
pem:
PRIVKEY:ANY
PRIVKEY:ANY
HASHER:HASH_MD5 (soft)
PRIVKEY:RSA
PRIVKEY:RSA
HASHER:HASH_MD5 (soft)
PRIVKEY:ECDSA
PRIVKEY:ECDSA
HASHER:HASH_MD5 (soft)
PRIVKEY:DSA (not loaded)
PRIVKEY:DSA
HASHER:HASH_MD5 (soft)
PUBKEY:ANY
PUBKEY:ANY
PUBKEY:RSA
PUBKEY:RSA
PUBKEY:ECDSA (not loaded)
PUBKEY:ECDSA
PUBKEY:DSA (not loaded)
PUBKEY:DSA
CERT_DECODE:ANY
CERT_DECODE:X509 (soft)
CERT_DECODE:PGP (soft)
CERT_DECODE:X509
CERT_DECODE:X509
CERT_DECODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_DECODE:X509_OCSP_REQUEST (not loaded)
CERT_DECODE:X509_OCSP_REQUEST
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_AC
CERT_DECODE:X509_AC
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:PGP
CERT_DECODE:PGP
CERT_DECODE:PLUTO_CERT
CERT_DECODE:PLUTO_AC
fips-prf:
PRF:PRF_FIPS_SHA1_160
PRF:PRF_KEYED_SHA1
gmp:
DH:MODP_2048
RNG:RNG_STRONG
DH:MODP_2048_224
RNG:RNG_STRONG
DH:MODP_2048_256
RNG:RNG_STRONG
DH:MODP_1536
RNG:RNG_STRONG
DH:MODP_3072
RNG:RNG_STRONG
DH:MODP_4096
RNG:RNG_STRONG
DH:MODP_6144
RNG:RNG_STRONG
DH:MODP_8192
RNG:RNG_STRONG
DH:MODP_1024
RNG:RNG_STRONG
DH:MODP_1024_160
RNG:RNG_STRONG
DH:MODP_768
RNG:RNG_STRONG
DH:MODP_CUSTOM
RNG:RNG_STRONG
PRIVKEY:RSA
PRIVKEY_GEN:RSA
RNG:RNG_TRUE
PUBKEY:RSA
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
RNG:RNG_WEAK
xcbc:
PRF:PRF_AES128_XCBC
CRYPTER:AES_CBC-16
PRF:PRF_CAMELLIA128_XCBC (not loaded)
CRYPTER:CAMELLIA_CBC-16
SIGNER:CAMELLIA_XCBC_96 (not loaded)
CRYPTER:CAMELLIA_CBC-16
SIGNER:AES_XCBC_96
CRYPTER:AES_CBC-16
cmac:
PRF:PRF_AES128_CMAC
CRYPTER:AES_CBC-16
SIGNER:AES_CMAC_96
CRYPTER:AES_CBC-16
hmac:
PRF:PRF_HMAC_SHA1
HASHER:HASH_SHA1
PRF:PRF_HMAC_MD5
HASHER:HASH_MD5
PRF:PRF_HMAC_SHA2_256
HASHER:HASH_SHA256
PRF:PRF_HMAC_SHA2_384
HASHER:HASH_SHA384
PRF:PRF_HMAC_SHA2_512
HASHER:HASH_SHA512
SIGNER:HMAC_SHA1_96
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_128
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_160
HASHER:HASH_SHA1
SIGNER:HMAC_MD5_96
HASHER:HASH_MD5
SIGNER:HMAC_MD5_128
HASHER:HASH_MD5
SIGNER:HMAC_SHA2_256_128
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_256_256
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_384_192
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_384_384
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_512_256
HASHER:HASH_SHA512
attr:
kernel-netlink:
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
resolve:
socket-default:
CUSTOM:socket
stroke:
CUSTOM:stroke
PRIVKEY:RSA (soft)
PRIVKEY:ECDSA (soft)
PRIVKEY:DSA (soft)
CERT_DECODE:ANY (soft)
CERT_DECODE:X509 (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509_AC (soft)
CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
xauth-generic:
XAUTH_SERVER:generic
XAUTH_CLIENT:generic
List of IKE counters:
ikeInitRekey 0
ikeRspRekey 0
ikeChildSaRekey 0
ikeInInvalid 0
ikeInInvalidSpi 0
ikeInInitReq 0
ikeInInitRsp 1
ikeOutInitReq 1
ikeOutInitRsp 0
ikeInAuthReq 0
ikeInAuthRsp 0
ikeOutAuthReq 0
ikeOutAuthRsp 0
ikeInCrChildReq 0
ikeInCrChildRsp 0
ikeOutCrChildReq 0
ikeOutCrChildRsp 0
ikeInInfoReq 0
ikeInInfoRsp 0
ikeOutInfoReq 0
ikeOutInfoRsp 0
CPU6501#
Hi Hardik,
In your original post you had:
host-host: 192.168.82.99…192.168.82.111 IKEv1/2
And
Listening IP addresses:
192.168.82.99
192.168.4.11
But in what you’ve posted above you’ve got listed:
192.168.100.99[500] to 192.168.100.111[500]
The error message above looks like the communication just isn’t getting through, I’d be checking:
– Make sure the IP addresses are correct both on your system and in your ipsec.conf
– Make sure that the two hosts can communicate with each other without any NAT
– Make sure IPtables isn’t blocking anything by running “iptables -L”
– Turn off ipsec by running “ipsec stop” and trying pinging between the hosts
Gyp
Sorry, the IP addresses were the problem. Also I needed to disable the esp parameter.
Glad you got it working 🙂
[…] you followed my previous Ubuntu IPSec VPN post your ipsec.conf could look like the […]
Excellent and well explained post. I had a small doubt. What if I wanted tunnel mode instead of transport mode? Would just changing type=tunnel in ipsec.conf do the task?
Hi Vibha,
Thanks for dropping by and thanks for the comments.
If you have host to host on the same network why would you want to use Tunnel Mode? But if you change the ipsec.conf with the details and give it a reload you should see some information in the logs. I suppose if you had two hosts which had internal IP ranges then yes this should work, and you would see the backend IPs in the logs on each device.
Gyp
Hello,
In the client configuration, where should I put the server's public IP in order to connect?
Hi Mohammed,
It goes in:
right=192.168.100.200
Hope this helps 🙂
Gyp
Hi,
Just wanted to thank you for the article.
I never leave comments but your article REALLY helped me and saved lot of time.
Thanks man.
Hi Shahriar,
Glad it came in useful for you. And especially thank you for taking the time to comment 🙂
Gyp
Thanks a lot dear. I have been looking for this for a month now, and your tutorial helped me and i got it going in 15 mins. love you
Thank you 🙂 Glad it worked for you.
Hi there, could you give me a hand with installing ipsec-tools? It doesn't seem to be available in the repository for Ubuntu desktop.
Hi Jacob,
Sorry for the tardy response. Life has been interesting.
I'm not sure of the answer, but if you run "apt-cache search ipsec" it should list everything that is available, and you may be able to find it under a different name. Hope this helps,
Gyp