Author: Matthias Gorjup
Last Update: 3rd Dec 2002
This How To provides information about establishing an IPsec connection
with a preshared secret between two gateways that are connected to the
internet via ADSL (PPPoE version).
If the IP addresses of the two gateways are not static (which is usually
the case), they have to be entered manually into the ipsec.conf and
ipsec.secrets files after starting the ADSL connection and before
starting ipsec!!
GW1 === ADSL modem == internet == ADSL modem === GW2
The easiest way to establish the ADSL connection is with the rp-pppoe
package from http://www.roaringpenguin.com/pppoe.
Use ifconfig to set the IP address of the eth0 interface. Check the
configuration with the route and ping commands.
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:65:14:DD
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3528 (3.4 Kb)  TX bytes:3190 (3.1 Kb)
          Interrupt:11 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
- You don't need to set any default route!!! pppd adds one over ppp0 when
the ADSL connection comes up (see the route output after adsl-start).
Set up the ADSL connection:
# adsl-setup
Start the connection and check it:
# adsl-start
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:65:14:DD
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3228 (3.1 Kb)  TX bytes:2851 (2.7 Kb)
          Interrupt:11 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:193.77.15.251  P-t-P:193.77.15.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:372 (372.0 b)  TX bytes:312 (312.0 b)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
193.77.15.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         193.77.15.1     0.0.0.0         UG    0      0        0 ppp0
Check if you can ping the opposite gateway.
Now enter the current addresses into ipsec.conf on both gateways.

GW1) ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    pluto=yes
    plutostart=vpn
    plutoload=vpn

conn vpn
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    keylife=2h
    keyingtries=0
    left=%defaultroute
    right=a.b.c.d

a.b.c.d is the dynamically assigned IP address of gateway GW2.
GW2) ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    pluto=yes
    plutostart=vpn
    plutoload=vpn

conn vpn
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    keylife=2h
    keyingtries=0
    left=193.77.15.251
    right=%defaultroute

193.77.15.251 is the dynamically assigned IP address of gateway GW1 (the
ppp0 address from the ifconfig output above).
Then enter the preshared secret for the two current addresses into
ipsec.secrets on both gateways (FreeS/WAN syntax: the two indices, a colon,
PSK and the quoted secret):

GW1) ipsec.secrets
193.77.15.251 a.b.c.d : PSK "abcdefghijklmnoprs"

GW2) ipsec.secrets
a.b.c.d 193.77.15.251 : PSK "abcdefghijklmnoprs"
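Because the ppp0 address is different after every adsl-start, the manual step above is easy to get wrong (a stale address in ipsec.conf, or a secrets file left world-readable). The following script is an added example, not code from this HOWTO or from FreeS/WAN: it reads the ppp0 address out of ifconfig output, fills an embedded ipsec.conf template with the HOWTO's settings (debugging turned off, since klipsdebug=all/plutodebug=all log far more than a production gateway should), writes the ipsec.secrets entry with a restrictive umask, and refuses to write anything if either address is not a dotted-quad. The LOCAL_IP/PEER_IP placeholder names, the output-directory argument (use /etc on a real gateway) and the constructed sample ifconfig output are assumptions of the example; the peer's current address still has to be supplied, because this gateway cannot discover it on its own.

```shell
#!/bin/sh
# Added example; not code from the HOWTO or from FreeS/WAN.  After adsl-start
# the address of ppp0 is new, and the HOWTO says to copy it into ipsec.conf and
# ipsec.secrets by hand.  These functions do that from an embedded template.
# Assumptions: the LOCAL_IP / PEER_IP placeholder names, the output directory
# argument (use /etc on a real gateway), and that the peer's current address is
# passed in, since this gateway cannot discover it itself.

# Constructed ifconfig output in the net-tools layout the HOWTO shows.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:40:F4:65:14:DD
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:193.77.15.251  P-t-P:193.77.15.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# ipsec.conf with the HOWTO's settings and debugging switched off; the two
# placeholders are filled in by render_ipsec_conf.
IPSEC_CONF_TEMPLATE='config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    pluto=yes
    plutostart=vpn
    plutoload=vpn

conn vpn
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    keylife=2h
    keyingtries=0
    left=LOCAL_IP
    right=PEER_IP'

# Print the IPv4 address of interface $1 from ifconfig output read on stdin.
# Handles "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D" (newer).
iface_addr() {
    awk -v ifc="$1" '
        $1 == ifc             { found = 1; next }   # header of the wanted iface
        /^[^ ]/               { found = 0 }         # header of another iface
        found && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
    '
}

# True only for a dotted-quad IPv4 address: catches an empty result when ppp0
# is not up yet, or a placeholder like a.b.c.d left where an address belongs.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Fill the template with local address $1 and peer address $2.
render_ipsec_conf() {
    printf '%s\n' "$IPSEC_CONF_TEMPLATE" | sed -e "s/LOCAL_IP/$1/g" -e "s/PEER_IP/$2/g"
}

# One ipsec.secrets entry in FreeS/WAN syntax: <local> <peer> : PSK "secret"
psk_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Write ipsec.conf and ipsec.secrets into directory $4 for local address $1,
# peer address $2 and preshared key $3.  Returns 1 on a bad address so that
# ipsec is never started with a stale or empty value.
write_ipsec_files() {
    is_ipv4 "$1" || { echo "bad local address '$1' (is ppp0 up?)" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad peer address '$2'" >&2; return 1; }
    render_ipsec_conf "$1" "$2" > "$4/ipsec.conf"
    # The secret must be readable by root only: create the file under a
    # restrictive umask instead of tightening permissions afterwards.
    ( umask 077; psk_line "$1" "$2" "$3" > "$4/ipsec.secrets" )
}

# Demonstration on the constructed sample only (no interface or /etc touched).
# 203.0.113.7 stands in for the peer's current address.
LOCAL=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr ppp0)
DEMO_DIR=$(mktemp -d)
write_ipsec_files "$LOCAL" 203.0.113.7 CHANGE-ME-to-a-long-random-secret "$DEMO_DIR"
cat "$DEMO_DIR/ipsec.conf" "$DEMO_DIR/ipsec.secrets"
rm -rf "$DEMO_DIR"
```

On a real gateway the local address comes from `ifconfig | iface_addr ppp0` after adsl-start, and the call becomes write_ipsec_files "$LOCAL" <peer address> <secret> /etc, followed by service ipsec start; on GW2 the peer address is GW1's ppp0 address.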
Start ipsec on both gateways:
# service ipsec start
(rcipsec start on SuSE distributions)
# ipsec look
You should now see a tunnel established between both gateways.
If you have trouble, you can use
# tcpdump -i ppp0
to monitor the traffic.
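Once the tunnel is up, the only packets between the two gateway addresses on ppp0 should be IKE (UDP port 500, printed by tcpdump as "isakmp") and ESP; anything else means traffic to the peer is leaving in the clear, which is exactly what tcpdump is good at revealing. The filter below is an added example, not part of the HOWTO or of FreeS/WAN: it reads tcpdump's text output and prints every packet exchanged with the peer that is neither ESP nor ISAKMP. It assumes tcpdump was run with -n (numeric addresses, and no DNS lookups of your own adding noise to the capture); the sample lines are constructed, with 203.0.113.7 standing in for the peer.

```shell
#!/bin/sh
# Added example; not from the HOWTO or FreeS/WAN.  Reads "tcpdump -n -i ppp0"
# text output and reports packets exchanged with the peer gateway that are
# neither ESP nor IKE (isakmp), i.e. traffic that bypassed the tunnel.

# Constructed tcpdump lines in the classic one-line layout.  A newer tcpdump
# puts an "IP" token before the source address; the parser accepts both.
SAMPLE_TCPDUMP='10:01:00.000001 193.77.15.251.500 > 203.0.113.7.500: isakmp: phase 1 I ident
10:01:00.000002 203.0.113.7.500 > 193.77.15.251.500: isakmp: phase 1 R ident
10:01:01.000003 193.77.15.251 > 203.0.113.7: ESP(spi=0x0a1b2c3d,seq=0x1)
10:01:01.000004 203.0.113.7 > 193.77.15.251: ESP(spi=0x4e5f6071,seq=0x1)
10:01:02.000005 193.77.15.251 > 203.0.113.7: icmp: echo request
10:01:03.000006 193.77.15.251.1025 > 192.0.2.10.53: 1+ A? example.com. (29)'

# Print every line whose source or destination is peer $1 and whose protocol
# is neither ESP nor ISAKMP.  tcpdump text output is read on stdin.
cleartext_with_peer() {
    awk -v peer="$1" '
        {
            # Locate the "src > dst:" triple, whatever precedes it.
            src = ""; dst = ""
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            if (src == "") next
            sub(/:$/, "", dst)
            # "A.B.C.D.port" has four dots: strip the port, keep the address.
            if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
            if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
            if (src != peer && dst != peer) next
            if ($0 ~ /ESP\(/ || $0 ~ /isakmp/) next
            print
        }
    '
}

# Number of such lines, convenient for a post-start check that expects 0.
count_cleartext_with_peer() {
    cleartext_with_peer "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed sample: only the ICMP echo is reported,
# the IKE and ESP packets pass, and the DNS query does not involve the peer.
printf '%s\n' "$SAMPLE_TCPDUMP" | cleartext_with_peer 203.0.113.7
```

On the gateway this is run as `tcpdump -n -i ppp0 | cleartext_with_peer <peer address>`; an empty result while you generate traffic through the tunnel (for example a ping to the other side's LAN) is the check that the conn is really carrying it.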