# [Solved] VPN with IPSec

## Moreaulf

Hi!

I've searched these forums and the Gentoo web page to find information and have been somewhat successful. So now I'm turning to this forum where I've received many helpful inputs in the past.

I've got an updated Gentoo system running on a public IP on the Internet. There are no firewalls or NAT routers on my side. My task is to set up an IPSec VPN tunnel to another network and I would appreciate any help anyone could give here.

First, to be sure it's possible. These are the settings I need to use to set up the tunnel:

```
Phase 1
encryption scheme:         ike
ike mode:                  main mode
encryption algorithm:      3des
authentication algorithm:  sha1
diffe hellman group:       group 2
authentication method:     pre-shared
isakmp lifetime:           500, 1440, 3600, 7800 seconds

Phase 2
ipsec mode:                tunnel
ipsec protocol:            esp
security lifetime:         3600
pfs group:                 none
encryption algorithm:      3des
authentication algorithm:  sha1
ipsec policy:              File Server/32 to File Server/32 with IP any.
```

I've read the HOWTO IPSec and know that my configuration wouldn't be the same but it would be a good start at least.

I've worked with VPN using both Cisco/Nortel/Checkpoint hardware and software so I'm not unfamiliar with the technology but I haven't any experience of VPN on Linux/Gentoo, yet. Hopefully someone here could give me a hand.

I have a test server which is located on my LAN and has almost the same configuration as the production server, and I tried to install the three packages stated in the Howto. The ipsec-tools and iptables went fine but iproute2 breaks with this error message:

```
...
make[1]: *** [m_ipt.o] Error 1
make[1]: *** Waiting for unfinished jobs....
rm emp_ematch.lex.c emp_ematch.yacc.c
make[1]: Leaving directory `/var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work/iproute-2.6.20-070313/tc'
make: *** [all] Error 2

!!! ERROR: sys-apps/iproute2-2.6.20.20070313 failed.
Call stack:
  ebuild.sh, line 1638:   Called dyn_compile
  ebuild.sh, line 985:   Called qa_call 'src_compile'
  ebuild.sh, line 44:   Called src_compile
  iproute2-2.6.20.20070313.ebuild, line 68:   Called die
```

I've searched for a solution but haven't found any (although a couple more people are asking on other pages/forums).

The tunnel must not interfere with any other services and only the data to a specific IP address should be tunneled. The tunnel should either be permanently open or should be opened on request from the other side, since the connected network should be able to initiate traffic to my server as well as my server being able to initiate traffic.

Does anyone here have some time to help?

Many thanks in advance!

/Thomas

Last edited by Moreaulf on Thu Sep 06, 2007 3:09 pm; edited 1 time in total

----------

## Rob1n

I'll help as much as I can - I've got an IPSec VPN set up for accessing the systems at work so I've got some idea of how it all works.  Unfortunately the log snippet you've posted doesn't include the actual error - can you post the preceding dozen or so lines, which should give the gcc error message?

----------

## Moreaulf

It isn't that big so I'll give you the whole emerge log for the package.

```
>>> Emerging (1 of 1) sys-apps/iproute2-2.6.20.20070313 to /
 * iproute2-2.6.20-070313.tar.gz RMD160 ;-) ...                               [ ok ]
 * iproute2-2.6.20-070313.tar.gz SHA1 ;-) ...                                 [ ok ]
 * iproute2-2.6.20-070313.tar.gz SHA256 ;-) ...                               [ ok ]
 * iproute2-2.6.20-070313.tar.gz size ;-) ...                                 [ ok ]
 * checking ebuild checksums ;-) ...                                          [ ok ]
 * checking auxfile checksums ;-) ...                                         [ ok ]
 * checking miscfile checksums ;-) ...                                        [ ok ]
 * checking iproute2-2.6.20-070313.tar.gz ;-) ...                             [ ok ]
 * QA Notice: USE Flag 'kernel_linux' not in IUSE for sys-apps/iproute2-2.6.20.20070313
 *
 * iproute2 requires kernel support for Netlink (CONFIG_NETLINK).
 * This is only applies for kernels prior to 2.4.17
 *
>>> Unpacking source...
>>> Unpacking iproute2-2.6.20-070313.tar.gz to /var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work
 * Applying iproute2-2.6.16.20060323-build.patch ...                          [ ok ]
 * Applying iproute2-2.6.16.20060323-routef-safe.patch ...                    [ ok ]
 * Applying iproute2-051007-esfq-2.6.13.patch ...                             [ ok ]
 * Applying iproute2-2.6.11.20050330-wrr.patch ...                            [ ok ]
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work/iproute-2.6.20-070313 ...
make[1]: Entering directory `/var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work/iproute-2.6.20-070313/lib'
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ll_map.o ll_map.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o libnetlink.o libnetlink.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o utils.o utils.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o rt_names.o rt_names.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ll_types.o ll_types.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ll_proto.o ll_proto.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ll_addr.o ll_addr.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o inet_proto.o inet_proto.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o dnet_ntop.o dnet_ntop.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o dnet_pton.o dnet_pton.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ipx_ntop.o ipx_ntop.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ipx_pton.o ipx_pton.c
i686-pc-linux-gnu-ar rcs libnetlink.a ll_map.o libnetlink.o
i686-pc-linux-gnu-ar rcs libutil.a utils.o rt_names.o ll_types.o ll_proto.o ll_addr.o inet_proto.o  dnet_ntop.o dnet_pton.o ipx_ntop.o ipx_pton.o
make[1]: Leaving directory `/var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work/iproute-2.6.20-070313/lib'
make[1]: Entering directory `/var/tmp/portage/sys-apps/iproute2-2.6.20.20070313/work/iproute-2.6.20-070313/ip'
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ip.o ip.c
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o ipaddress.o ipaddress.c
ipaddress.c: In function `print_link_flags':
ipaddress.c:102: error: `IFF_DYNAMIC' undeclared (first use in this function)
ipaddress.c:102: error: (Each undeclared identifier is reported only once
ipaddress.c:102: error: for each function it appears in.)
gcc -D_GNU_SOURCE -O2 -mcpu=i686 -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES   -c -o iproute.o iproute.c
```

Thanks Rob1n!

/Thomas

----------

## Rob1n

Looks like you need to update linux-headers - what version do you have installed?

----------

## Moreaulf

Server is running linux-headers 2.6.21 (which is the last stable build I get from emerge).

I've been reading up on iproute2 and it seems to be a pretty common package. Replacing ifconfig and all...

Might be something else in my case?

----------

## Rob1n

Yeah - looking into it further, the file from linux-headers isn't actually used - it just points on to one from glibc.  What glibc version do you have installed?

----------

## Moreaulf

Ahh, okay. Turned out the glibc installation failed due to a not-updated source. I did the source update and the glibc installed correctly, which made the iproute2 install as well.

Thank you Rob1n!

Now onto the VPN configuration (and maybe fw/iptables)?

----------

## Moreaulf

I'm afraid to say I'm not making much progress...

ipsec-tools, iptables and iproute2 are installed and work all right now.

I've begun to look into the configuration but I can't find any good information source. The HOWTO IPSec states these commands for the iptables:

> iptables -A INPUT -p udp --dport 500 -m state --state NEW -j ACCEPT

Which causes this command to echo:

> iptables: No chain/target/match by that name

Also the racoon.conf doesn't exist and I haven't found a good racoon.conf.dist to begin with...

I've read some information on Freeswan and Openswan and there the configuration files include information like which algorithm, Diffie-Hellman group and authentication method. I guess the racoon.conf should include this as well but how?

Very thankful for any help on setting up a VPN with IPSec.

/Thomas

----------

## Moreaulf

Thanks to massimo the iptables problem is solved :)

If anyone has any information on how to set up a VPN using IPSec and the following settings I'd appreciate the help! (same settings as posted in the first post)

```
Phase 1
encryption scheme:         ike
ike mode:                  main mode
encryption algorithm:      3des
authentication algorithm:  sha1
diffe hellman group:       group 2
authentication method:     pre-shared
isakmp lifetime:           500, 1440, 3600, 7800 seconds

Phase 2
ipsec mode:                tunnel
ipsec protocol:            esp
security lifetime:         3600
pfs group:                 none
encryption algorithm:      3des
authentication algorithm:  sha1
ipsec policy:              File Server/32 to File Server/32 with IP any.
```

Thank you all helpful users of this forum!!

/Thomas

----------

## Rob1n

Here's the racoon.conf I'm using (I've put in your parameters where I can).

```
# pre-shared keys, one "peer-address key" line per peer
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        # a.b.c.d = this host's public address
        isakmp a.b.c.d;
        strict_address;
}

# Phase 1 (IKE/ISAKMP SA): main mode, 3DES, SHA1, DH group 2, pre-shared key
remote anonymous {
        exchange_mode main;
        my_identifier address a.b.c.d;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA): 3DES/HMAC-SHA1, 3600 s lifetime; no pfs_group, i.e. PFS off
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 1 hour;
}
```
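The racoon.conf above only drives the IKE negotiation; which traffic gets protected is decided by the kernel's security policy database (SPD), which ipsec-tools sets with setkey, and the tunnel endpoints still need the IKE and ESP traffic let through iptables. The following is an added example, not code from the thread or from the ipsec-tools project, generating a setkey.conf and iptables rules for the "File Server/32 to File Server/32, ESP, tunnel mode, PFS none" policy from the first post. All addresses are constructed placeholders (RFC 5737 documentation ranges); on this thread's setup the local tunnel endpoint is the Gentoo host itself, since there is no NAT or gateway in front of it.

```shell
#!/bin/sh
# Added example, not from the thread: generate the kernel SPD (setkey) and the
# iptables rules for the host-to-host ESP tunnel discussed above. Without SPD
# entries the kernel never asks racoon to negotiate, so nothing gets encrypted.

# Constructed sample addresses (RFC 5737 ranges), placeholders for the real ones.
LOCAL_FS="192.0.2.10"       # this Gentoo host, the "File Server" on our side
LOCAL_GW="192.0.2.10"       # our tunnel endpoint: same box, no NAT/gateway
REMOTE_FS="198.51.100.20"   # the peer's file server
REMOTE_GW="198.51.100.1"    # the peer's VPN gateway (what racoon talks IKE to)

# setkey.conf: one SPD entry per direction, ESP in tunnel mode between the
# endpoints. "require" means matching traffic is held/dropped rather than sent
# in the clear while no SA exists; the kernel then asks racoon to negotiate.
# usage: gen_setkey_conf LOCAL_FS REMOTE_FS LOCAL_GW REMOTE_GW
gen_setkey_conf() {
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $1/32 $2/32 any -P out ipsec
    esp/tunnel/$3-$4/require;
spdadd $2/32 $1/32 any -P in ipsec
    esp/tunnel/$4-$3/require;
EOF
}

# iptables rules limited to the peer gateway. Plain port/protocol matches, no
# "-m state", so they also load on a kernel that lacks the state match (the
# "No chain/target/match by that name" error from earlier in the thread).
# usage: gen_iptables_rules REMOTE_GW
gen_iptables_rules() {
    cat <<EOF
# IKE (ISAKMP) on UDP 500, both directions, so either side can initiate
iptables -A INPUT  -p udp -s $1 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -d $1 --sport 500 -j ACCEPT
# ESP (IP protocol 50) carrying the tunnelled traffic
iptables -A INPUT  -p esp -s $1 -j ACCEPT
iptables -A OUTPUT -p esp -d $1 -j ACCEPT
EOF
}

# Consistency check against the peer's "pfs group: none": the sainfo block must
# not set pfs_group, otherwise racoon insists on PFS and phase 2 fails.
# usage: racoon_conf_pfs_ok /etc/racoon/racoon.conf  (exit 0 = consistent)
racoon_conf_pfs_ok() {
    ! grep -q '^[[:space:]]*pfs_group' "$1"
}

# Print both files for review; apply with
#   setkey -f ipsec-setkey.conf   and   sh ipsec-iptables.sh
gen_setkey_conf "$LOCAL_FS" "$REMOTE_FS" "$LOCAL_GW" "$REMOTE_GW"
echo
gen_iptables_rules "$REMOTE_GW"
```

After `setkey -f` and starting racoon, `setkey -DP` shows the two policies and `setkey -D` stays empty until the first packet matching the selector (or the peer) triggers a negotiation; once an SA is up, `setkey -D` lists it, which is a more direct check than watching for ESP in tcpdump. Because the racoon.conf above does not set `passive on`, the tunnel comes up on demand from either side, which is the "open on request" behaviour asked for in the first post.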

----------

## Moreaulf

I was pretty close from what I gathered from other web sites; this looks much cleaner and I think it's working. tcpdump reports AH and ESP packets when I'm pinging a host.

Thank you very much Rob1n! :)

----------

