How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install libreswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;
done

Edit /etc/ipsec.conf to debug in pluto.log

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
#if using NAT, use variable below
#    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall
Total Page Visits: 177048 - Today Page Visits: 46