Install Openswan
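# Install the Openswan IKE daemon. Package installation needs root; every
# other privileged step on this page uses sudo, so do the same here.
sudo apt-get install openswan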
You may wish to rerun the package reconfiguration later to change settings:
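# Re-run the package's configuration prompts (e.g. whether to create an
# X.509 certificate). Needs root, like the apt-get step above.
sudo dpkg-reconfigure openswan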
The following sysctl changes are required for forwarding. Execute them line by line:
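# Enable IP forwarding and tighten redirect/ICMP handling in /etc/sysctl.conf.
# sed -i replaces the original interactive vim substitutions (their 's///gc'
# confirm flag prompts on every match, so they could not run unattended).
# Keep a copy of the file so the edit can be reverted.
sudo cp -- /etc/sysctl.conf /etc/sysctl.conf.bak
# Uncomment the settings Ubuntu ships commented out in sysctl.conf.
sudo sed -i 's/^#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sed -i 's/^#net\.ipv4\.conf\.all\.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/' /etc/sysctl.conf
sudo sed -i 's/^#net\.ipv4\.conf\.all\.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/' /etc/sysctl.conf
# NOTE(review): this turns reverse-path filtering OFF (0) rather than on (1),
# presumably so decrypted tunnel traffic is not dropped by the source check.
# It also removes the kernel's anti-spoofing check on the interface;
# rp_filter=2 (loose mode) is a less permissive alternative where supported.
sudo sed -i 's/^#net\.ipv4\.conf\.default\.rp_filter=1/net.ipv4.conf.default.rp_filter=0/' /etc/sysctl.conf
# Append the remaining settings. 'sudo echo' gained nothing (the redirect,
# not echo, needs root), so only tee runs under sudo. Each line is added
# only if it is not already present, so re-running does not duplicate it.
for setting in \
  'net.ipv4.conf.default.accept_source_route = 0' \
  'net.ipv4.conf.default.send_redirects = 0' \
  'net.ipv4.icmp_ignore_bogus_error_responses = 1' \
  'net.ipv4.conf.default.accept_redirects = 0'; do
  grep -qxF -- "$setting" /etc/sysctl.conf \
    || printf '%s\n' "$setting" | sudo tee -a /etc/sysctl.conf >/dev/null
done
# Load the new values into the running kernel.
sudo sysctl -p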
IPsec configuration file:
# Open the main Openswan configuration file for editing (root-owned).
sudo nano /etc/ipsec.conf
This assumes a site-to-site tunnel where both endpoints have public IPs (neither is behind a NAT router):
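# Site-to-site tunnel "kim"; both endpoints have public IPs (no NAT between).
# Parameter lines inside a conn section must be indented, otherwise ipsec.conf
# does not parse. Comments are kept on their own lines so they do not depend
# on trailing-comment support in the parser.
conn kim
    # Authenticate peers with raw RSA public keys (leftrsasigkey/rightrsasigkey).
    authby=rsasig
    # NOTE(review): pfs=no disables Perfect Forward Secrecy for phase 2;
    # pfs=yes is preferable when the remote end supports it.
    pfs=no
    # Bring the tunnel up as soon as the ipsec service starts.
    auto=start
    keyingtries=%forever
    ikelifetime=8h
    keylife=1h
    # NOTE(review): 3DES, MD5 and a 1024-bit DH group (modp1024) are legacy
    # choices. An AES/SHA-based proposal with modp2048 or larger is preferable
    # when both peers support it; both sites must use the same proposal.
    ike=3des-md5;modp1024
    phase2alg=3des-md5
    type=tunnel
    # Site A public IP
    left=xx.xx.xx.xx
    # Site A LAN address
    leftsubnet=192.168.1.0/24
    # Site A LAN IP. Required for routing later with static route entry
    leftsourceip=192.168.1.242
    # Site A PUBLIC KEY: the leftrsasigkey= line printed by
    # 'ipsec showhostkey --left' on Site A
    leftrsasigkey=
    # Main mode rather than aggressive mode.
    aggrmode=no
    # Site B public IP
    right=xx.xx.xx.xx
    # Site B LAN
    rightsubnet=192.168.32.0/24
    # Site B PUBLIC KEY: the rightrsasigkey= line printed by
    # 'ipsec showhostkey --right' on Site B
    rightrsasigkey=
    # Dead Peer Detection: probe every 10 s, restart the tunnel when it
    # times out. NOTE(review): a 3600 s timeout means a dead peer may take up
    # to an hour to be noticed; confirm this matches the intended failover time.
    dpddelay=10
    dpdtimeout=3600
    dpdaction=restart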
Create an RSA key pair:
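# Generate this host's RSA key pair into /etc/ipsec.secrets. /dev/urandom is
# appropriate here: it does not block and is suitable for key generation on
# a running system.
sudo ipsec newhostkey --output /etc/ipsec.secrets --random /dev/urandom
# The file now holds the private key; make sure only root can read it.
sudo chmod 600 -- /etc/ipsec.secrets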
Show the host public keys:
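# showhostkey reads /etc/ipsec.secrets, which is normally readable only by
# root, so run it with sudo. The output is a ready-made leftrsasigkey= /
# rightrsasigkey= line containing only the PUBLIC key; that line is what goes
# into the conn on both sites.
sudo ipsec showhostkey --left
sudo ipsec showhostkey --right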
You can also inspect the RSA key manually in /etc/ipsec.secrets:
# This file contains the PRIVATE key. Only the public key (the showhostkey
# output) belongs in ipsec.conf or on the other site.
sudo cat /etc/ipsec.secrets
Restart the IPsec service:
# Restart Openswan so it re-reads ipsec.conf and ipsec.secrets.
sudo service ipsec restart
Check the connection:
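# Bring the tunnel up by its conn name (the example conn above is "kim").
# The ${VAR:?} form aborts with a message if CONN_NAME is unset or empty,
# instead of running 'ipsec auto --up' with no name; quoting keeps the name
# as a single argument.
sudo ipsec auto --up "${CONN_NAME:?set CONN_NAME to the conn name, e.g. kim}"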
Add a static route on both sites (tested: this step is not required if everything is configured correctly):
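# Route the remote LAN via the other site's LAN-side address. Replace
# 192.168.x.x with the remote LAN's network address (the other site's subnet
# from the conn above) and set SITE_B_LOCAL_IP before running; the ${VAR:?}
# form aborts if it is unset. On systems without net-tools the equivalent
# is: ip route add <remote-net>/24 via "$SITE_B_LOCAL_IP"
sudo route add -net 192.168.x.x netmask 255.255.255.0 gw "${SITE_B_LOCAL_IP:?set SITE_B_LOCAL_IP to the Site B LAN IP}"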
!! IMPORTANT STEP !!
On Site A, replace
# Existing Site A rule to be replaced: it masquerades everything leaving the
# WAN interface, including packets bound for the remote LAN. 'wan' is the
# WAN interface name on this host; 172.168.1.0/24 stands for the local LAN.
# NOTE(review): the subnets here (172.168.1.0/24, 10.0.0.0/24) do not match
# leftsubnet/rightsubnet in the conn above; use the LAN subnets from the
# conn. Also, 172.168.0.0/16 is public address space (RFC 1918 private
# space is 172.16.0.0/12).
sudo iptables -t nat -A POSTROUTING -o wan -s 172.168.1.0/24 -j MASQUERADE
to
# Replacement: traffic for the remote LAN is excluded from MASQUERADE so it
# keeps its LAN source address and can match the tunnel's subnet policy.
# -A appends, so delete the old rule first (the same rule with -D instead of
# -A); otherwise the earlier rule still masquerades everything. iptables
# rules are not kept across reboot unless saved (e.g. iptables-persistent).
sudo iptables -t nat -A POSTROUTING -o wan -s 172.168.1.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
On Site B, replace
# Existing Site B rule to be replaced (mirror of the Site A rule above);
# 10.0.0.0/24 stands for Site B's local LAN. NOTE(review): use the subnet
# from rightsubnet in the conn above rather than this example value.
sudo iptables -t nat -A POSTROUTING -o wan -s 10.0.0.0/24 -j MASQUERADE
to
# Replacement for Site B: exclude traffic destined for Site A's LAN from
# MASQUERADE. Remove the old rule with -D first, since -A only appends.
sudo iptables -t nat -A POSTROUTING -o wan -s 10.0.0.0/24 ! -d 172.168.1.0/24 -j MASQUERADE
Troubleshooting
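# Kernel routing table: confirms whether the remote LAN has a route
# (via the tunnel or the static route added above).
route
# State of every conn and its SAs as Openswan sees them.
sudo ipsec auto --status
# Checks kernel/sysctl prerequisites such as forwarding and rp_filter.
sudo ipsec verify
# Retry bringing the tunnel up; CONN_NAME must be set to the conn name and
# is quoted so it is passed as one argument.
sudo ipsec auto --up "${CONN_NAME:?set CONN_NAME to the conn name, e.g. kim}"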