IPsec: Authby=secret Configuration

TL;DR

This guide shows you how to configure IPsec using authby=secret as an alternative to pre-shared keys (PSK) or certificates. This is useful for simple setups, testing, or environments where more complex authentication isn’t required.

Configuration Steps

  1. Understand the Risks
    • Using authby=secret transmits passwords in plain text. This is inherently insecure and should only be used on trusted networks or for testing purposes.
    • Avoid using this method in production environments where security is critical.
  2. Edit your ipsec.conf file
    Open /etc/ipsec.conf (or its equivalent on your distribution) with a text editor as root:

    sudo nano /etc/ipsec.conf
  3. Configure the Connection
    Add or modify a connection entry to include authby=secret. For example:

    conn myconnection
        left=192.168.1.10
        right=192.168.1.20
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha2_256!
        authby=secret
        keyexchange=ikev2

    • Replace myconnection with a descriptive name for your connection.
    • Replace left and right with the IP addresses of your two endpoints.
    • Adjust ike and esp to match your security requirements (encryption and hashing algorithms). The ‘!’ forces negotiation, which is generally recommended.
  4. Set the Pre-Shared Key
    Add a line defining the pre-shared key in /etc/ipsec.secrets (strongSwan and Libreswan read keys from this file, not from ipsec.conf). The two endpoint addresses select which connection the key applies to:

    192.168.1.10 192.168.1.20 : PSK "your_secret_key_here"

    • Replace your_secret_key_here with a strong, randomly generated password.
    • This line *must* be outside of any connection block; it lives in /etc/ipsec.secrets, which should be readable only by root.
  5. Restart IPsec
    Restart the IPsec service to apply the changes:

    sudo systemctl restart ipsec

    (or use your distribution’s equivalent command, e.g., service ipsec restart)

  6. Initiate the Connection
    Attempt to initiate a connection from one of the endpoints:

    sudo ipsec up myconnection
  7. Verify the Connection
    Check the IPsec logs for errors. Use commands like ipsec statusall or examine system logs (e.g., /var/log/syslog) to confirm that the connection is established.

Important Considerations

  • Security: Again, this method is insecure for production use.
  • Firewall Rules: Ensure your firewall allows IPsec traffic (UDP ports 500 and 4500).
  • Key Management: Securely manage the pre-shared key if you must use this approach.
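As an added example (not from the guide above), the following Python checker parses the strongSwan/Libreswan-style ipsec.conf and ipsec.secrets formats this guide uses, confirms that every authby=secret connection has a PSK line covering both peers, flags short keys, and generates a replacement PSK. The sample files are constructed to mirror the guide's connection, and the selector matching is a simplification of the real ID-matching rules.

```python
import re
import secrets

# Constructed sample files mirroring the guide's connection; not a real deployment.
SAMPLE_CONF = """\
conn myconnection
    left=192.168.1.10
    right=192.168.1.20
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    authby=secret
    keyexchange=ikev2
"""
WEAK_SECRETS = '192.168.1.10 192.168.1.20 : PSK "your_secret_key_here"\n'

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"conn\s+(\S+)$", line)  # unindented 'conn <name>' opens a block
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_secrets(text):
    """Return [(selector_ids, psk)] for each PSK line in ipsec.secrets-style text."""
    pat = re.compile(r'^\s*([^:#]*?)\s*:\s*PSK\s+"([^"]*)"')
    return [(m.group(1).split(), m.group(2)) for m in map(pat.match, text.splitlines()) if m]

def generate_psk(nbytes=32):
    return secrets.token_urlsafe(nbytes)  # 32 random bytes, URL-safe text for a PSK "..." line

def audit(conf_text, secrets_text, min_len=32):
    """Flag authby=secret conns lacking a PSK for both peers, or using a short PSK."""
    findings, entries = [], parse_secrets(secrets_text)
    for name, opts in parse_conns(conf_text).items():
        if opts.get("authby") != "secret":
            continue
        peers = {opts.get("left"), opts.get("right")}
        # Simplified match: empty selector or %any covers every conn; otherwise both peers must be listed.
        keys = [psk for ids, psk in entries if not ids or "%any" in ids or peers <= set(ids)]
        if not keys:
            findings.append(f"{name}: no PSK line covers {sorted(peers)}")
        findings += [f"{name}: PSK has {len(k)} chars, want >= {min_len}" for k in keys if len(k) < min_len]
    return findings
```

Run audit(SAMPLE_CONF, WEAK_SECRETS) to see the placeholder key flagged, then substitute generate_psk() into the secrets line and re-run to confirm a clean result.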