# ipsec client with PSK - need some help

## E-Razor

Hi all,

I'm getting grey hairs right now cos of ipsec  :Sad: 

I tried to setup an ipsec-client with PSK and these data:

Server-IP: <server_ip>

my-IP: <my_ip>

Phase 1

  Encryption Algorithm: 3 DES

  Hash Algorithm: MD5 

  Authentication Method: Pre-shared 

  Diffie-Hellman group: D-H group 2 

  Security Association's lifetime: 86400 seconds 

Phase 2

  ESP Encryption Transform:  ESP-3DES 

  ESP Authentication Transform: ESP-MD5-HMAC 

My net: <my_net> = 0.0.0.0/0

server net: <server_net> = 192.168.1.0/24

I found some howtos but somehow I wasn't able to get any of them to work.

Some are using racoon some are using openswan.

I tried the one mentioned at the Gentoo wiki with racoon. I think I've configured everything correctly; the only part which was strange for me were the random keys in /etc/ipsec.conf.

Do I need these?

After starting racoon (/etc/init.d/racoon start) I tried to ping a host from <server_net> which does not work.

I'd be very grateful if someone could give me some hints or point me to another good HowTo.

Thanks!

----------

## E-Razor

Took me a while but now I got it.

The howto at http://www.ipsec-howto.org/x304.html helped me a lot.

For the client part I'm using racoon which manages most of the ipsec stuff.

The setup is pretty easy:

```
#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) settings for the peer
remote <server_ip> {
   exchange_mode main,aggressive;
   proposal {
      encryption_algorithm 3des;
      hash_algorithm md5;
      authentication_method pre_shared_key;
      dh_group 2;
   }
}

# Phase 2 (IPsec SA) settings: local net first, remote net second
sainfo address <my_net> any address <server_net> any {
   pfs_group 2;
   encryption_algorithm 3des;
   authentication_algorithm hmac_md5;
   compression_algorithm deflate;
}
```

The first issue was that I permuted <my_net> and <server_net>.

You need to set up the psk:

```
#/etc/racoon/psk.txt
<server_ip> <psk>
```

Then you need to configure the /etc/ipsec.conf like this:

```
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
# outbound: my net -> server net, tunnelled from my IP to the server IP
spdadd <my_net> <server_net> any -P out ipsec
           esp/tunnel/<my_ip>-<server_ip>/require;
# inbound: server net -> my net, tunnelled from the server IP to my IP
spdadd <server_net> <my_net> any -P in ipsec
           esp/tunnel/<server_ip>-<my_ip>/require;
```

Restart racoon:

```
# /etc/init.d/racoon restart
```

Connect:

```
# racoonctl vpn-connect <server_ip>
```

Then you can simply ping anyone from <server_net>.

There is no additional network interface or route, the kernel does everything on its own - pretty confusing for me.

----------
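The two configuration files in the post above have to agree on which side is "local": the `sainfo` address pair in racoon.conf, and the selectors and tunnel endpoints of the `spdadd` policies in the setkey file. The script below is an added example, not code from the thread or from the racoon project: it parses both files and reports the kind of mismatch the poster hit (nets swapped), and it also checks the mode of psk.txt, since racoon logs "weak file permission" and refuses a key file that group or others can read. The IP addresses and nets are constructed sample values standing in for the thread's placeholders.

```python
import os
import re
import stat

# setkey policy line as used in the thread's /etc/ipsec.conf; the
# "esp/tunnel/..." part may wrap onto a second line, so \s+ spans newlines.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(?:require|use)\s*;"
)
# racoon sainfo header: first address is the local side, second the remote.
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{"
)


def parse_spd(setkey_text):
    """Map 'in'/'out' to (src_net, dst_net, tunnel_src, tunnel_dst)."""
    policies = {}
    for m in SPDADD_RE.finditer(setkey_text):
        src, dst, direction, tun_src, tun_dst = m.groups()
        policies[direction] = (src, dst, tun_src, tun_dst)
    return policies


def check_tunnel_config(setkey_text, racoon_text,
                        my_ip, server_ip, my_net, server_net):
    """Return a list of mismatches; an empty list means both files agree."""
    problems = []
    pol = parse_spd(setkey_text)
    expected = {
        "out": (my_net, server_net, my_ip, server_ip),
        "in": (server_net, my_net, server_ip, my_ip),
    }
    for direction, want in expected.items():
        got = pol.get(direction)
        if got is None:
            problems.append(f"missing {direction} policy")
            continue
        if got[:2] != want[:2]:
            problems.append(
                f"{direction} policy selectors are {got[0]} -> {got[1]}, "
                f"expected {want[0]} -> {want[1]}")
        if got[2:] != want[2:]:
            problems.append(
                f"{direction} tunnel endpoints are {got[2]}-{got[3]}, "
                f"expected {want[2]}-{want[3]}")
    m = SAINFO_RE.search(racoon_text)
    if m is None:
        problems.append("no sainfo block in racoon.conf")
    elif m.groups() != (my_net, server_net):
        problems.append(
            f"sainfo is {m.group(1)} / {m.group(2)}, "
            f"expected {my_net} / {server_net} (local net first)")
    return problems


def psk_mode_is_safe(mode):
    """True when neither group nor others have any access bits on psk.txt."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_psk_file(path):
    """Stat the key file and apply the same check racoon applies at startup."""
    return psk_mode_is_safe(os.stat(path).st_mode)


# Constructed sample values standing in for the thread's placeholders.
MY_IP, SERVER_IP = "203.0.113.10", "198.51.100.1"
MY_NET, SERVER_NET = "0.0.0.0/0", "192.168.1.0/24"

GOOD_SETKEY = f"""#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd {MY_NET} {SERVER_NET} any -P out ipsec
           esp/tunnel/{MY_IP}-{SERVER_IP}/require;
spdadd {SERVER_NET} {MY_NET} any -P in ipsec
           esp/tunnel/{SERVER_IP}-{MY_IP}/require;
"""
# The poster's mistake: local and remote nets swapped in the selectors.
SWAPPED_SETKEY = f"""spdadd {SERVER_NET} {MY_NET} any -P out ipsec
           esp/tunnel/{MY_IP}-{SERVER_IP}/require;
spdadd {MY_NET} {SERVER_NET} any -P in ipsec
           esp/tunnel/{SERVER_IP}-{MY_IP}/require;
"""
RACOON_CONF = f"""sainfo address {MY_NET} any address {SERVER_NET} any {{
   pfs_group 2;
}}
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SETKEY), ("swapped", SWAPPED_SETKEY)):
        found = check_tunnel_config(text, RACOON_CONF, MY_IP, SERVER_IP,
                                    MY_NET, SERVER_NET)
        print(label, "->", found or "ok")
```

Run it against your real files with `check_tunnel_config(open("/etc/ipsec.conf").read(), open("/etc/racoon/racoon.conf").read(), ...)` and `check_psk_file("/etc/racoon/psk.txt")` before restarting racoon; an empty list plus a safe key-file mode means the policies and the sainfo block describe the same tunnel.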

