IP Security and Hardware EncryptionSetting up an IPsec connection: examples Parent topic: Setting up an IPsec connection: examples

With authentication using the preshared-key method

Consider the simplest case where there are two boxes, BoxA and BoxB. User A is on BoxA, User B is on Box B, and the two users have a shared secret, which is a string of hello_world.

  1. On Box A, create a file, psk.txt, that has these related lines: 
    usera@qnx.com   "Hello_world"
userb@qnx.com   "Hello_world"

    The IPsec IKE daemon, racoon, will use this file to do the authentication and IPsec connection job.

  2. The root user must own psk.txt and the file's permissions must be read/write only by root. To ensure this is the case, run: 
    chmod 0600 psk.txt
  3. The racoon daemon needs a configuration file (e.g., racoon.conf) that defines the way that racoon is to operate. In the remote session, specify that we're going to use the preshared key method as authentication and let racoon know where to find the secret. For example: 
    ...
# Let racoon know where your preshared keys are:

path pre_shared_key "your_full_path_to_psk.txt" ;
remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    #my_identifier address;
    my_identifier user_fqdn "usera@qnx.com";
    peers_identifier user_fqdn "userb@qnx.com";

    nonce_size 16;
    lifetime time 1 hour;   # sec,min,hour
    initial_contact on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
...
  4. Set up the policy using setkey. You can use the following script (called my_script) to tell the stack that the IPsec between BoxA and BoxB requires key negotiation: 
    #!/bin/sh
# This is a simple configuration for testing racoon negotiation.
# 

Myself=$1
Remote=$2

setkey -FP
setkey -F
setkey -c << EOF
#
spdadd $Remote $Myself any -P in  ipsec esp/transport/$Remote-$Myself/require;
spdadd $Myself $Remote any -P out ipsec esp/transport/$Myself-$Remote/require;
#
EOF

    Run this on BoxA as ./my_script BoxA BoxB.

  5. Repeat the above steps on BoxB. Needless to say, on BoxB you need to run as ./my_script BoxB BoxA (and so on).
  6. On both boxes, run racoon -c full_path_to_racoon.conf. When you initiate traffic, say by trying to ping the peer box, racoon will do its job and establish the IPsec connection by creating Security Associations (SAs) for both directions, and then you can see the traffic passing back and forth, which indicates that the IPsec connection is established.
Parent topic: Setting up an IPsec connection: examples