The Linux client is assumed to run the Fedora Core 5 distribution with ipsec-tools installed. For other distributions refer to the IPsec-Tools home page.
Setting up the tunnel consists of authenticating the client, and setting up the encryption keys and policy. In this example:
Authentication will be based on X.509 certificates. If the client has a certificate that was issued by the same Certifying Authority as the server's certificate, the client is considered trustworthy.
Internet Key Exchange (IKE) will exchange randomly generated encryption keys, and generate the authentication policies.
The encryption policy will be set using a script.
Set up an X.509 Certifying Authority (CA). Using this CA, sign the certificates for the Linux client. This process is described in Section 6.1, “Certificates”. Install the client's unencrypted private key, along with the certificates for the CA, the SISO server and the client. Then verify the certificate.
SSL_DIR=$PRJ_DIR/openssl
CLIENT_DIR=/etc/ipsec
ssh root@crox.vonk "mkdir $CLIENT_DIR"
scp $SSL_DIR/ca/CAcert.pem \
    $SSL_DIR/ca/CRL.pem \
    $SSL_DIR/certs/crox.vonk-key.pem \
    $SSL_DIR/certs/crox.vonk-cert.pem root@crox.vonk:/etc/ipsec/
HASH=`openssl x509 -noout -hash -in $SSL_DIR/ca/CAcert.pem`
ssh root@crox.vonk "( cd $CLIENT_DIR ; ln -sf CAcert.pem $CLIENT_DIR/$HASH.0 )"
ssh root@crox.vonk "( cd $CLIENT_DIR ; ln -sf CRL.pem $CLIENT_DIR/$HASH.r0 )"
Ensure that the IKE daemon racoon is installed on the client. An example configuration file for racoon on the client can be found in Example E.7, “vpn-client:/etc/sysconfig/racoon/racoon.conf”.
The outgoing encryption policy tells the operating system when an IPsec tunnel should be used to send traffic. An example policy script can be found in Example E.8, “vpn-client:/etc/sysconfig/ipsec/setkey.conf”.
The syslog on the Linux IPsec client then looks like this:
racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
racoon: INFO: fe80::290:4bff:fe2f:6ed4%wlan0 used as isakmp port (fd=8)
racoon: INFO: fe80::20d:56ff:fe32:dd8b%eth0 used as isakmp port (fd=9)
racoon: INFO: ::1 used as isakmp port (fd=11)
racoon: INFO: 10.0.2.111 used as isakmp port (fd=12)
racoon: INFO: 10.0.1.111 used as isakmp port (fd=13)
racoon: INFO: 127.0.0.1 used as isakmp port (fd=14)
racoon: NOTIFY: no in-bound policy found: 10.0.0.2/32 10.0.1.111/32 proto=any dir=in
racoon: INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 10.0.1.111<=>10.0.0.2
racoon: INFO: begin Identity Protection mode.
racoon: INFO: ISAKMP-SA established 10.0.1.111-10.0.0.2 spi:9dd5743702d60465:b1770e32da384dcc
racoon: INFO: initiate new phase 2 negotiation: 10.0.1.111<=>10.0.0.2
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)
tcpdump output for the same exchange shows the ESP encapsulation of the ICMP (ping) packets:
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
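The two outputs above tie together through the SPI: each "IPsec-SA established" line from racoon names the SPI of one phase 2 SA (decimal, with the hex value in parentheses), and tcpdump prints the same value zero-padded in hex on every ESP packet. The script below is an added check, not part of the original document: it extracts both sets of SPIs, normalises the formats, and lists ESP traffic whose SPI was never negotiated by this host's racoon (a stale SA after a restart, or ESP from a peer this client has no SA with). The sample logs are constructed from the lines shown on the page plus one extra ESP packet with an invented SPI (0xdeadbeef) from an invented address (10.0.9.9).

```shell
#!/bin/sh
# Added example (not from the original document): correlate racoon's phase 2
# SA log lines with tcpdump's ESP packets by SPI. Sample logs are constructed.
export LC_ALL=C

# racoon prints "spi=6958467(0x6a2d83)", tcpdump prints "spi=0x006a2d83".
# Normalise either form to 8 lowercase hex digits.
norm_spi() {
    printf '%08x\n' "$(( $1 ))"
}

# SPIs of established IPsec SAs from racoon syslog lines (sorted, unique).
racoon_spis() {
    sed -n 's/.*IPsec-SA established:.*spi=[0-9]*(\(0x[0-9a-fA-F]*\)).*/\1/p' "$1" |
    while read -r spi; do norm_spi "$spi"; done | sort -u
}

# SPIs of ESP packets from tcpdump output (sorted, unique).
tcpdump_spis() {
    sed -n 's/.*ESP(spi=\(0x[0-9a-fA-F]*\),.*/\1/p' "$1" |
    while read -r spi; do norm_spi "$spi"; done | sort -u
}

# SPIs seen on the wire that racoon never negotiated. Empty output is the
# healthy case. $1 = racoon log, $2 = tcpdump output.
unexpected_esp() {
    r=$(mktemp); t=$(mktemp)
    racoon_spis "$1" > "$r"
    tcpdump_spis "$2" > "$t"
    comm -13 "$r" "$t"
    rm -f "$r" "$t"
}

# Constructed sample input: the page's log lines plus one invented ESP packet.
write_samples() {
    cat > "$1/racoon.log" <<'EOF'
racoon: INFO: ISAKMP-SA established 10.0.1.111-10.0.0.2 spi:9dd5743702d60465:b1770e32da384dcc
racoon: INFO: initiate new phase 2 negotiation: 10.0.1.111<=>10.0.0.2
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)
EOF
    cat > "$1/tcpdump.log" <<'EOF'
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
IP 10.0.9.9 > crox.lan.vonk: ESP(spi=0xdeadbeef,seq=0x1)
EOF
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_samples "$work"
    echo "negotiated SPIs:"; racoon_spis "$work/racoon.log"
    echo "ESP SPIs with no matching SA:"; unexpected_esp "$work/racoon.log" "$work/tcpdump.log"
    rm -rf "$work"
fi
```

Run it as `sh spi-check.sh demo`; on a live host, feed it the racoon lines from syslog and the output of `tcpdump -n esp` instead of the constructed files. Both SPIs from the page match, and only the invented 0xdeadbeef packet is reported.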