#format wiki
#language fr
= IPsec on Squeeze =
Here is a guide to setting up an IPsec tunnel between two Debian Squeeze servers.

Server 1:
 * IP: 10.230.33.121
 * IP on the tunnel: 192.168.203.1

Server 2:
 * IP: 192.168.104.145
 * IP on the tunnel: 192.168.22.1

On each server:
{{{
apt-get install racoon ipsec-tools
}}}

== Configuring racoon ==
Racoon is the daemon that handles the key exchange (IKE).

=== On server 1 ===
Edit /etc/racoon/racoon.conf
{{{
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote 192.168.104.145 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.203.0/24 any address 192.168.22.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
}}}
Edit /etc/racoon/psk.txt
{{{
192.168.104.145 mekmitasdigoat
}}}
Note: the text after the IP must be identical on both servers.
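As an added check that is not part of the original page: the POSIX shell script below verifies a pair of psk.txt files (server 1's, keyed by server 2's address, and server 2's, keyed by server 1's address) before racoon is restarted. It checks that the secret after the address is identical on both sides, as the note above requires, that each file has exactly one entry for the peer, and that the file is not group- or world-accessible, because racoon rejects such a file with "has weak file permission" and the key exchange then fails with a much less obvious symptom. The file names, the psk_* function names and the use of GNU stat are assumptions of this example; the addresses and the sample secret are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check the pair of
# /etc/racoon/psk.txt files before restarting racoon. It verifies that each
# file has exactly one entry for the peer's address, that the secret after
# the address is byte-for-byte identical on both sides, and that neither
# file is group/world accessible (racoon rejects such a file with
# "... has weak file permission").
# Assumptions: GNU stat (Linux), psk.txt in the "<identifier> <secret>"
# layout the page uses, '#' comment lines allowed.

# psk_secret FILE PEER -> prints the secret bound to PEER; fails unless
# exactly one matching entry exists
psk_secret() {
    awk -v peer="$2" '
        $1 !~ /^#/ && $1 == peer { print $2; n++ }
        END { exit (n == 1) ? 0 : 1 }' "$1"
}

# psk_mode_ok FILE -> 0 when the group and other permission bits are all clear
psk_mode_ok() {
    mode=$(stat -c %a "$1") || return 1      # e.g. 600 or 644
    [ "${mode#${mode%??}}" = "00" ]          # last two octal digits
}

# psk_pair_ok FILE1 PEER1 FILE2 PEER2 -> 0 when server 1's file (keyed by
# server 2's address) and server 2's file (keyed by server 1's address)
# carry the same secret and both files are private to their owner
psk_pair_ok() {
    s1=$(psk_secret "$1" "$2") || { echo "$1: no unique entry for $2" >&2; return 1; }
    s2=$(psk_secret "$3" "$4") || { echo "$3: no unique entry for $4" >&2; return 1; }
    [ "$s1" = "$s2" ] || { echo "secret differs between $1 and $3" >&2; return 1; }
    psk_mode_ok "$1" || { echo "$1: must be mode 0600" >&2; return 1; }
    psk_mode_ok "$3" || { echo "$3: must be mode 0600" >&2; return 1; }
}

# psk_demo -> builds a constructed pair with the page's addresses and the
# page's placeholder secret, runs the check and returns its status
psk_demo() {
    d=$(mktemp -d) || return 1
    printf '192.168.104.145 mekmitasdigoat\n' > "$d/psk1"   # server 1's psk.txt
    printf '10.230.33.121 mekmitasdigoat\n'   > "$d/psk2"   # server 2's psk.txt
    chmod 600 "$d/psk1" "$d/psk2"
    if psk_pair_ok "$d/psk1" 192.168.104.145 "$d/psk2" 10.230.33.121; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

psk_demo && echo "psk.txt pair: OK"
```

On the real servers, run `psk_pair_ok` with the two files copied to one host (or compare the outputs of `psk_secret` on each side) before the restart; a mismatch only shows up later as a failed phase 1 in racoon's log.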
=== On server 2 ===
Edit /etc/racoon/racoon.conf
{{{
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote 10.230.33.121 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.22.0/24 any address 192.168.203.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
}}}
Edit /etc/racoon/psk.txt
{{{
10.230.33.121 mekmitasdigoat
}}}

== Configuring the security policy with ipsec-tools ==
=== On server 1 ===
Edit /etc/ipsec-tools.conf
{{{
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.203.0/24 192.168.22.0/24 any -P out ipsec esp/tunnel/10.230.33.121-192.168.104.145/require;
spdadd 192.168.22.0/24 192.168.203.0/24 any -P in ipsec esp/tunnel/192.168.104.145-10.230.33.121/require;
}}}

=== On server 2 ===
Edit /etc/ipsec-tools.conf
{{{
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.22.0/24 192.168.203.0/24 any -P out ipsec esp/tunnel/192.168.104.145-10.230.33.121/require;
spdadd 192.168.203.0/24 192.168.22.0/24 any -P in ipsec esp/tunnel/10.230.33.121-192.168.104.145/require;
}}}

== Restarting the daemons ==
On both servers run
{{{
#service ipsec restart
Flushing IPsec SA/SP database: done.
Loading IPsec SA/SP database: - /etc/ipsec-tools.conf done.
# service racoon restart
Stopping IKE (ISAKMP/Oakley) server: racoon.
Starting IKE (ISAKMP/Oakley) server: racoon.
}}}
Note:
 * The two restarts must be done in the order above (ipsec first, then racoon).
 * When ipsec is restarted, the log may show `racoon: ERROR: libipsec failed pfkey check (Invalid SA type)`. This is nothing to worry about.
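The two ipsec-tools.conf files above are hand-written mirror images of each other, and a transposed tunnel endpoint or direction on one side is accepted by setkey without any error; the tunnel then simply never comes up. As an added example that is not part of the original page, the POSIX shell script below generates each server's file from the four addresses and then checks that server 1's "out" policy is, selector for selector and endpoint for endpoint, server 2's "in" policy and vice versa. The function names (gen_spd, spd_rules, spd_mirrors, spd_demo) are this example's own, and it assumes the exact spdadd line layout used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: generate each server's
# /etc/ipsec-tools.conf from the four addresses, then check that the two
# files are true mirror images (server 1's "out" rule == server 2's "in"
# rule, and vice versa). Assumes the exact line layout used on this page.

# gen_spd LOCAL_NET REMOTE_NET LOCAL_IP REMOTE_IP -> ipsec-tools.conf text
gen_spd() {
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $1 $2 any -P out ipsec esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec esp/tunnel/$4-$3/require;
EOF
}

# spd_rules FILE DIR -> "SRC DST TUNNEL_SRC TUNNEL_DST" for every spdadd
# line with direction DIR (in|out); flush and comment lines are ignored
spd_rules() {
    awk -v dir="$2" '
        $1 == "spdadd" && $5 == "-P" && $6 == dir {
            split($8, f, "/")        # esp / tunnel / A-B / require;
            split(f[3], ep, "-")     # tunnel endpoints A and B
            print $2, $3, ep[1], ep[2]
        }' "$1"
}

# spd_mirrors FILE1 FILE2 -> 0 when FILE1 out == FILE2 in and FILE1 in == FILE2 out
spd_mirrors() {
    [ -n "$(spd_rules "$1" out)" ] &&
    [ "$(spd_rules "$1" out)" = "$(spd_rules "$2" in)" ] &&
    [ "$(spd_rules "$1" in)" = "$(spd_rules "$2" out)" ]
}

# spd_demo -> writes both servers' files with the page's addresses to a
# temporary directory and reports whether they mirror each other
spd_demo() {
    d=$(mktemp -d) || return 1
    gen_spd 192.168.203.0/24 192.168.22.0/24 10.230.33.121 192.168.104.145 > "$d/server1.conf"
    gen_spd 192.168.22.0/24 192.168.203.0/24 192.168.104.145 10.230.33.121 > "$d/server2.conf"
    if spd_mirrors "$d/server1.conf" "$d/server2.conf"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

spd_demo && echo "policies mirror: OK"
```

To check the files that are actually installed, copy the peer's /etc/ipsec-tools.conf next to the local one and run `spd_mirrors` on the pair; the generated output can also be compared with `diff` against the hand-edited files.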
Once racoon is restarted, the error no longer appears.

== Network configuration on each server ==
=== On server 1 ===
{{{
ip addr add 192.168.203.1 dev eth0
ip route add to 192.168.22.0/24 via 192.168.203.1 src 10.230.33.121
}}}
=== On server 2 ===
{{{
ip addr add 192.168.22.1 dev eth0
ip route add to 192.168.203.0/24 via 192.168.104.145 src 192.168.22.1
}}}

== Testing ==
On server 1
{{{
ping 192.168.22.1
}}}
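A successful ping does not show which SAs the kernel actually holds, and a silent ping does not say which direction is missing. As an added example that is not part of the original page, the shell script below reads a `setkey -D` dump and confirms that an ESP tunnel SA in state "mature" exists in both directions between the two outer addresses. The embedded dump is a constructed sample in the layout of `setkey -D` with zeroed key material; on a real server pass the live output instead, and do so after the ping, because with a "require" policy racoon only negotiates the SAs once the first matching packet is sent. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm from the kernel SA
# database that an ESP tunnel SA in state "mature" exists in BOTH
# directions between the outer addresses. SAD_SAMPLE is a constructed dump
# in the layout of `setkey -D` with dummy key material; on a real server use
#   tunnel_up "$(setkey -D)" 10.230.33.121 192.168.104.145

SAD_SAMPLE='10.230.33.121 192.168.104.145
    esp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-md5  00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=1 pid=1234 refcnt=0
192.168.104.145 10.230.33.121
    esp mode=tunnel spi=84281096(0x05060708) reqid=0(0x00000000)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-md5  00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=0 pid=1234 refcnt=0'

# sa_states DUMP -> one "SRC DST PROTO MODE STATE" line per SA in DUMP
sa_states() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { src = $1; dst = $2; next }        # record header: SRC DST
        $1 == "esp" || $1 == "ah" { proto = $1; split($2, m, "="); mode = m[2] }
        /state=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^state=/) { split($i, s, "="); print src, dst, proto, mode, s[2] }
        }'
}

# tunnel_up DUMP IP_A IP_B -> 0 iff mature ESP tunnel SAs exist A->B and B->A
tunnel_up() {
    states=$(sa_states "$1")
    printf '%s\n' "$states" | grep -qxF "$2 $3 esp tunnel mature" &&
    printf '%s\n' "$states" | grep -qxF "$3 $2 esp tunnel mature"
}

if tunnel_up "$SAD_SAMPLE" 10.230.33.121 192.168.104.145; then
    echo "tunnel up in both directions"
else
    echo "tunnel NOT fully established; SAs present:"
    sa_states "$SAD_SAMPLE"
fi
```

If only one direction is listed, the peer's racoon log (phase 2 / sainfo mismatch) is the place to look; if none is listed after the ping, the packet did not match the spdadd selectors, which points back at the routes and the tunnel addresses.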