IPSec VPN Host to Host (without NAT)

WEST


vagrant@west-01:
sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
cat<<EOF | sudo tee /etc/ipsec.conf
conn west-to-east
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.1.120
    right=192.168.1.121
    type=transport
    esp=aes128gcm16!
EOF
sudo cp /etc/ipsec.secrets /etc/ipsec.secrets.orig
cat<<EOF | sudo tee /etc/ipsec.secrets
192.168.1.120 192.168.1.121 : PSK "vagrant"
EOF
sudo ipsec restart
sudo ipsec statusall

EAST


vagrant@east-01:~$
sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
cat<<EOF | sudo tee /etc/ipsec.conf
conn east-to-west
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.1.121
    right=192.168.1.120
    type=transport
    esp=aes128gcm16!
EOF
sudo cp /etc/ipsec.secrets /etc/ipsec.secrets.orig
cat<<EOF | sudo tee /etc/ipsec.secrets
192.168.1.120 192.168.1.121 : PSK "vagrant"
EOF
sudo ipsec restart
sudo ipsec statusall

smoke tests


LEFT-WEST
vagrant@west-01::~/strongswan-5.8.2$ ping -s 4048 192.168.1.121
RIGHT-EAST
vagrant@east-01:~/strongswan-5.8.2$ sudo watch ipsec statusall
Every 2.0s: ipsec statusall                                                                                                                                 east-01: Sun Feb 16 18:48:07 2020
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.0.0-37-generic, x86_64):
  uptime: 33 seconds, since Feb 16 18:47:34 2020
  malloc: sbrk 2146304, mmap 0, used 425408, free 1720896
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  10.0.2.15
  192.168.1.121
Connections:
east-to-west:  192.168.1.121...192.168.1.120  IKEv1/2
east-to-west:   local:  [192.168.1.121] uses pre-shared key authentication
east-to-west:   remote: [192.168.1.120] uses pre-shared key authentication
east-to-west:   child:  dynamic === dynamic TRANSPORT
Routed Connections:
east-to-west{1}:  ROUTED, TRANSPORT, reqid 1
east-to-west{1}:   192.168.1.121/32 === 192.168.1.120/32
Security Associations (1 up, 0 connecting):
east-to-west[1]: ESTABLISHED 21 seconds ago, 192.168.1.121[192.168.1.121]...192.168.1.120[192.168.1.120]
east-to-west[1]: IKEv2 SPIs: 890f31a2573445ec_i 8526fa4155f6c299_r*, pre-shared key reauthentication in 2 hours
east-to-west[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
east-to-west{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cbb690a7_i c45ce6ae_o
east-to-west{2}:  AES_GCM_16_128, 81120 bytes_i (20 pkts, 1s ago), 81120 bytes_o (20 pkts, 1s ago), rekeying in 44 minutes
east-to-west{2}:   192.168.1.121/32 === 192.168.1.120/32
vagrant@east-01:~$ sudo tcpdump esp -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:48:56.337730 IP west-01.local > east-01.local: ESP(spi=0xcbb690a7,seq=0x45), length 1440
18:48:56.337787 IP west-01.local > east-01.local: esp
18:48:56.337805 IP west-01.local > east-01.local: esp
18:48:56.337870 IP east-01.local > west-01.local: ESP(spi=0xc45ce6ae,seq=0x45), length 1440
18:48:56.337923 IP east-01.local > west-01.local: esp
18:48:56.337933 IP east-01.local > west-01.local: esp
18:48:57.362834 IP west-01.local > east-01.local: ESP(spi=0xcbb690a7,seq=0x46), length 1440
18:48:57.362876 IP west-01.local > east-01.local: esp
18:48:57.362880 IP west-01.local > east-01.local: esp
18:48:57.363036 IP east-01.local > west-01.local: ESP(spi=0xc45ce6ae,seq=0x46), length 1440
18:48:57.363152 IP east-01.local > west-01.local: esp
18:48:57.363178 IP east-01.local > west-01.local: esp
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel