Welcome to the house of PSK!

We are now going to attempt to set up an IPSec tunnel between two hosts using PreSharedKey? authentication.

First, some basic information. In this little page, I'm going to assume we have two machines - "green" and "orange". Green has an IP of and Orange has an IP of The PreSharedKey? we are using will be "Welcome to IPSec" because that seems appropriate somehow.

The two important files in this little play are:

  • /etc/ipsec.conf
  • /etc/ipsec.secrets

The configuration file stores (surprise) your configuration! The secrets file stores authentication methods (PSK in this case, but it can also store RSA keys or X.509 certificates).

There are a couple of default sections in ipsec.conf that make everything OK for me. I suspect almost all installs will have the same sections, but just to be on the safe side make sure your "config setup" and "conn %default" sections are as follows:

config setup

interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes

conn %default

keyingtries=0 disablearrivalcheck=no authby=rsasig leftrsasigkey=%dnsondemand rightrsasighkey=%dnsondemand

All of the options used are explained in much detail in "man ipsec.conf". I suspect the (left|right)rsasigkey params are useless in this particular setup but having a secure default set never hurts.

Now for the section that actually details our connect. I chose the name "green-orange" for this.

conn green-orange

left= right= auto=start authby=secret

Now, lets explain a few things about that setup. The first thing that generally confused me was this left and right business. How do you know what to call which? The answer, fortunately is simple - FreeS/WAN figures out which machine is left and right. The idea behind this is that you can cut and paste the configuration from one box to another without having to change anything at all, and it will work because it will realise which of left/right that machine it is on, is. Magic, eh?

auto=start is an option that means that FreeS/WAN will attempt to initiate this connection as soon as it is started. This means that when the box is rebooted, it will immediately attempt to establish this tunnel, ready for data.

authby=secret here is the important one for this page - selecting "secret" as our authby option means that we are authenticating this connection using a PreSharedKey?. The alternative option here is rsasig - see IPSecConfigurationRSA.

Now that we have that sorted (don't start ipsec yet) we need to sort out ipsec.secrets - it is in there we decide what PreSharedKey? to use! So, fire up your favourite text editor and enter the following somewhere inside that file (try to avoid sticking it in the middle of a clause already there - there may well already be an RSA key): PSK "Welcome to IPSec"

Make sure those config files are the same on both servers, else you will have problems. Also, if you are actually on one of them and SSHing to the other, I strongly suggest you start IPSec on the remote box first. Once you start one, you see, the other one won't talk to it until it too has IPSec up and running. This might seem a little dumb at first, but on the flip side it means that if you can talk to that machine, you are guaranteed that the connection is encrypted. Probably. Unless someone turned off IPSec at both ends.

Now, if you used the distribution-specific installation methods, you will likely need to type
/etc/init.d/ipsec start
If you did not, now is the time to type
/usr/local/sbin/ipsec setup start

You will notice that you now have an ipsec0 interface. This is the virtual interface that all IPSec tunnels communicate through. There is one ipsec interface per physical interface it uses - many tunnels, however, can all use the same interface. I hope that made sense.

Now! At this point, you should be able to ping between the boxes and notice that the data transferred over the ipsec0 interface (ifconfig is your friend here) increases. If you run something nice like gkrellm, you will notice a new interface popped up under eth0 and it will start showing you the activity as you ping. According to that, a constant once-per-second ping generates 234 bytes of data per second.

As a final note - to shut IPSec off again is as easy as turning it on. If you used a distro specific install, use
/etc/init.d/ipsec stop
Otherwise, use
/usr/local/sbin/ipsec setup stop

I'm going to start keeping some benchmarks over at IPSecBenchmarks so people can compare performance of tunnels.

Hope you enjoyed PSKing!