TL;DR
This guide shows you how to configure IPsec using authby=secret as an alternative to pre-shared keys (PSK) or certificates. This is useful for simple setups, testing, or environments where more complex authentication isn’t required.
Configuration Steps
- Understand the Risks
- Using
authby=secrettransmits passwords in plain text. This is inherently insecure and should only be used on trusted networks or for testing purposes. - Avoid using this method in production environments where security is critical.
Open your /etc/ipsec.conf (or equivalent, depending on your distribution) with a text editor as root.
sudo nano /etc/ipsec.confAdd or modify a connection entry to include authby=secret. Here’s an example:
conn myconnection
left=192.168.1.10
right=192.168.1.20
ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256!
authby=secret
keyexchange=ikev2
- Replace
myconnectionwith a descriptive name for your connection. - Replace
leftandrightwith the IP addresses of your two endpoints. - Adjust
ikeandespto match your security requirements (encryption and hashing algorithms). The ‘!’ forces negotiation, which is generally recommended.
Add a line in your ipsec.conf file defining the pre-shared key:
secret = your_secret_key_here- Replace
your_secret_key_herewith a strong, randomly generated password. - This line *must* be outside of any connection block.
Restart the IPsec service to apply the changes.
sudo systemctl restart ipsec(or use your distribution’s equivalent command, e.g., service ipsec restart)
Attempt to initiate a connection from one of the endpoints.
sudo ipsec up myconnectionCheck the IPsec logs for errors. Use commands like ipsec statusall or examine system logs (e.g., /var/log/syslog) to confirm that the connection is established.
Important Considerations
- Security: Again, this method is insecure for production use.
- Firewall Rules: Ensure your firewall allows IPsec traffic (UDP ports 500 and 4500).
- Key Management: Securely manage the pre-shared key if you must use this approach.