I'd like to connect two remote sites via a secure point-to-point tunnel. I've been using OpenVPN, but it's a little flaky and really seems to be more for connecting lots of users rather than a point-to-point link.
Redhat seems to have some nice built in scripts for building Point to Point IPSEC tunnels, but I haven't found anything similar in Ubuntu.
Any guidance on what to use here and how to do it? I'd like to keep it as simple as possible, but still have basic PSK security.
SSH 4.3+ is capable of creating proper VPN tunnels (tun0 and all that).
Assuming the following network settings:
Your public IP: 192.168.1.1
Your private network: 192.168.50.0/24
Remote public IP: 192.168.2.1
Remote private network: 192.168.51.0/24
1) Install StrongSwan using "sudo apt-get install strongswan"
2) Set up a secret key using "sudo vim /etc/ipsec.secrets":
    192.168.1.1 192.168.2.1 : PSK "secret_password"
3) Configure the routes using "sudo vim /etc/ipsec.conf":
# shared settings, pulled into the two conns below via also=
# (parameter lines must be indented; a line at column 0 starts a new section)
conn partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    auto=start

# this gateway host to the remote private network
conn local_to_partner
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner

# local private network to the remote gateway host
conn partner_to_local
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.2.1/32
    also=partner
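Added example (editor's, not part of the answer above): a small Python script that reads the ipsec.conf from this answer the way strongSwan resolves also= inheritance, then audits the resolved conns. It flags 3DES, SHA-1 and MODP-1024 in the ike=/esp= proposals, an esp= proposal with no DH group (on strongSwan 5 the pfs= line is ignored and PFS comes from the DH group in esp=), an unpinned keyexchange, and /32 selectors, which make this a host-to-site rather than site-to-site tunnel. The HARDENED_CONF beside it is an assumed replacement (IKEv2, AES-256-GCM, ECP-384, both private subnets), not something the answer gives, and the WEAK policy table is likewise assumed for the example.

```python
# Added example: parse the strongSwan ipsec.conf from the answer above the
# way the daemon does (also= inheritance) and flag weak proposal choices.
import ipaddress

ANSWER_CONF = """\
conn partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    auto=start
conn local_to_partner
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner
conn partner_to_local
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.2.1/32
    also=partner
"""

# Assumed replacement (not from the answer): IKEv2, AES-GCM, ECP-384 (the DH
# group in esp= is what gives PFS on strongSwan 5), both private subnets.
HARDENED_CONF = """\
conn site_to_site
    keyexchange=ikev2
    left=192.168.1.1
    leftsubnet=192.168.50.0/24
    right=192.168.2.1
    rightsubnet=192.168.51.0/24
    authby=secret
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    auto=start
"""

# Policy assumed for this audit: tokens that must not appear in ike=/esp=.
WEAK = {"3des": "3DES (64-bit block, Sweet32)", "sha1": "SHA-1", "md5": "MD5",
        "modp1024": "1024-bit MODP (Logjam)", "modp768": "768-bit MODP",
        "null": "null encryption"}
DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519")


def parse_conf(text):
    """Return {conn_name: {param: value}} with `also` kept as a list.
    Only indented lines are parameters; a line at column 0 opens a section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:                       # inside config setup / ca
            continue
        key, _, value = line.strip().partition("=")
        if key.strip() == "also":
            current.setdefault("also", []).append(value.strip())
        else:
            current[key.strip()] = value.strip()
    return conns


def resolve(conns, name, stack=()):
    """Flatten also= references (they may chain); a conn's own values win."""
    if name in stack:
        raise ValueError("also= loop: " + " -> ".join(stack + (name,)))
    own, merged = dict(conns[name]), {}
    for parent in own.pop("also", []):
        merged.update(resolve(conns, parent, stack + (name,)))
    merged.update(own)
    return merged


def audit(conn):
    """Findings for one resolved conn; an empty list means it passes."""
    findings = []
    for param in ("ike", "esp"):
        for proposal in filter(None, conn.get(param, "").split(",")):
            tokens = [t.strip().rstrip("!").lower() for t in proposal.split("-")]
            findings += [f"{param}={proposal}: {WEAK[t]}" for t in tokens if t in WEAK]
            if param == "esp" and not any(t.startswith(DH_PREFIXES) for t in tokens):
                findings.append(f"esp={proposal}: no DH group, so no PFS for the "
                                "CHILD_SA (strongSwan 5 ignores pfs=)")
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange not pinned to ikev2")
    for side in ("leftsubnet", "rightsubnet"):   # a /32 here is a host, not a site
        for cidr in filter(None, conn.get(side, "").split(",")):
            try:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 32:
                    findings.append(f"{side}={cidr}: single host, not a site-to-site selector")
            except ValueError:                    # %dynamic, hostnames, etc.
                pass
    return findings


if __name__ == "__main__":
    for label, text in (("answer", ANSWER_CONF), ("hardened", HARDENED_CONF)):
        conns = parse_conf(text)
        for name in conns:
            print(label, name, audit(resolve(conns, name)) or "OK")
```

Run it as-is to see the eight findings per conn for the answer's config and "OK" for the hardened one; point parse_conf at a real /etc/ipsec.conf to audit your own. The hardened conn also answers the "which subnets" question: with leftsubnet and rightsubnet set to the two private /24s, one conn carries the whole site-to-site traffic instead of two host-to-subnet conns.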
You can use openVPN to obtain a site to site configuration. You would need to setup each of the Linux machines as routers and create static routes on your internal networks to point to the linux machines. Here is the basic design:
Each local network needs to have its own IP subnet:
LAN1: 192.168.1.0/24
LAN2: 192.168.2.0/24
Say the IPs are such:
PC1 192.168.1.10
GW1 192.168.1.1
Linux1 192.168.1.100
---connected w/ VPN to other network with address 192.168.2.101
PC2 192.168.2.10
GW2 192.168.2.1
linux2 192.168.2.100
if you create static routes in each of your routers to point to the other LAN you should be able to achieve what you're looking for:
Route on GW1:
Destination 192.168.2.0/24
Gateway: 192.168.1.100
Route on GW2:
Destination 192.168.1.0/24
Gateway: 192.168.2.100
Then when PC1 pings PC2 the packet will be routed to the default gateway of 192.168.1.1, which will forward it to the Linux machine (1.100), which will send it through the tunnel to LAN2.
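Added example (editor's, not part of the answer above): a simulation of the forwarding in this layout, one routing table per host with longest-prefix lookups, using the answer's addresses (Linux2 taken as 192.168.2.100, the gateway the GW2 route points at). The tunnel is modelled as a route whose far end is the peer Linux box. It shows the request path the answer describes and, more usefully, that the reply only makes it back because of the static route on GW2; with that route missing the reply leaves GW2 up its default route and the ping never completes.

```python
# Added example: simulate the forwarding in the layout above with one
# routing table per host and longest-prefix lookups, to show why the
# static route on GW2 (the return path) is as essential as the one on GW1.
import ipaddress

# Addresses are the ones from the answer (Linux2 taken as 192.168.2.100,
# the gateway the GW2 route points at).
HOST_BY_ADDR = {"192.168.1.10": "PC1", "192.168.1.1": "GW1", "192.168.1.100": "Linux1",
                "192.168.2.10": "PC2", "192.168.2.1": "GW2", "192.168.2.100": "Linux2"}


def build_tables(gw2_return_route=True):
    """Routing tables as lists of (prefix, next_hop).  next_hop None means
    directly connected; 'TUN:<host>' is the VPN tunnel, whose far end is
    the named host; 'INTERNET' is the upstream default route."""
    tables = {
        "PC1":    [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
        "GW1":    [("192.168.1.0/24", None), ("192.168.2.0/24", "192.168.1.100"),
                   ("0.0.0.0/0", "INTERNET")],
        "Linux1": [("192.168.1.0/24", None), ("192.168.2.0/24", "TUN:Linux2"),
                   ("0.0.0.0/0", "192.168.1.1")],
        "Linux2": [("192.168.2.0/24", None), ("192.168.1.0/24", "TUN:Linux1"),
                   ("0.0.0.0/0", "192.168.2.1")],
        "GW2":    [("192.168.2.0/24", None), ("0.0.0.0/0", "INTERNET")],
        "PC2":    [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")],
    }
    if gw2_return_route:                       # the "Route on GW2" from the answer
        tables["GW2"].insert(1, ("192.168.1.0/24", "192.168.2.100"))
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(tables, src_host, dst_addr, max_hops=16):
    """Hops a packet takes from src_host to dst_addr.  The list ends at the
    delivering host, at 'INTERNET' (leaked up the default route) or 'DROP'."""
    path, here = [src_host], src_host
    for _ in range(max_hops):
        route = lookup(tables[here], dst_addr)
        if route is None:
            return path + ["DROP"]
        _, nh = route
        if nh is None:                         # on-link: hand it to the host itself
            target = HOST_BY_ADDR.get(dst_addr, "DROP")
            return path if target == here else path + [target]
        if nh == "INTERNET":
            return path + ["INTERNET"]
        here = nh[4:] if nh.startswith("TUN:") else HOST_BY_ADDR[nh]
        path.append(here)
    return path + ["LOOP"]


def ping_round_trip(gw2_return_route=True):
    """Forward and reply paths for PC1 pinging PC2."""
    tables = build_tables(gw2_return_route)
    return trace(tables, "PC1", "192.168.2.10"), trace(tables, "PC2", "192.168.1.10")


if __name__ == "__main__":
    for has_route in (True, False):
        fwd, back = ping_round_trip(has_route)
        print("GW2 return route:", has_route)
        print("  request:", " -> ".join(fwd))
        print("  reply:  ", " -> ".join(back))
```

Two things the simulation glosses over that bite on real boxes: Linux1 and Linux2 forward nothing until net.ipv4.ip_forward=1 is set, and GW1 receives the packet from PC1 and sends it back out the same interface to 192.168.1.100, so a Linux gateway will emit ICMP redirects (net.ipv4.conf.*.send_redirects); either let the PCs honour them or put the 192.168.2.0/24 route on the PCs directly.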
Why can't you use what works for Redhat on another linux system? It's not like they're different OSs at heart.
Let me expand on this.
I have used IPSEC to tunnel all traffic between two sites before, and it was not difficult to set up even without tools to do this. If there are scripts that work on redhat, can't you just steal those and run them on your other linux variants? Surely they are not that dissimilar.
You can use SSH's tunnel feature for that. If you already have SSH set up (very likely) then this will be much easier than the alternatives for just connecting two hosts.

I would also suggest using SSH's tunnel feature. It is easy to set up and, since you alluded to running Ubuntu, there is even an SSH Tunnel Manager.
OpenVPN is really one of the most common, best understood and documented methods to link server hosts together like this.
I've gotten a lot farther using the openswan and strongswan packages. I still don't have the tunnel up, but these seem to be the tools I want to use. Both are pretty poorly documented, and there seem to be a large number of options with no clear reasons to use one over the other.
So, to reframe: has anyone set up openswan/strongswan successfully on Ubuntu using Ubuntu debs? Any advice with regard to "IKE vs IKEv2", "encryption method", "PSK configuration", dynamic port changing, etc.?
Thanks.