IPsec Host-To-Host

About

This is a minimal configuration example of an IPsec tunnel in a Host-To-Host scenario. It demonstrates how to securely connect two individual hosts over an untrusted network using a pre-shared key. This setup is ideal for environments where only direct communication between two endpoints is required, without exposing additional subnets or devices.

Introduction

In this minimal setup, host-to-host communication is enabled. In Figure 1, Alice is the responder, while Bob is the initiator. Both peers configure their respective local and peer IP addresses. Since neither of them exposes a subnet behind its address, only traffic between the two hosts is secured and allowed through the tunnel. They authenticate with a pre-shared key chosen randomly with sufficient entropy.

                      .--.-.
                     ( (    )__
                    (_,  \ ) ,_)  Internet/Public Network
                      '-'--`--'
                       |    |
    .------------------'    '--------------------.
    |                                            |
    |Public IP:                                  |Public IP:
    |192.168.0.1                                 |192.168.0.2
.---+----.                                   .---+----.
|        |           IPsec Tunnel            |        |
| Alice  |===================================|  Bob   |
|        | Responder               Initiator |        |
'--------'                                   '--------'

Figure 1: Host-To-Host tunnel using IPsec.

Responder Setup

alice:/#> config
alice:/config/#> tunnel
alice:/config/tunnel/#> ipsec 10
alice:/config/tunnel/ipsec-10/#> description "Alice to Bob"
alice:/config/tunnel/ipsec-10/#> local-address 192.168.0.1
alice:/config/tunnel/ipsec-10/#> peer 192.168.0.2
alice:/config/tunnel/ipsec-10/#> secret This_is_a_strong_sec$%,^@d

Initiator Setup

bob:/#> config
bob:/config/#> tunnel
bob:/config/tunnel/#> ipsec 10
bob:/config/tunnel/ipsec-10/#> description "Bob to Alice"
bob:/config/tunnel/ipsec-10/#> initiator
bob:/config/tunnel/ipsec-10/#> local-address 192.168.0.2
bob:/config/tunnel/ipsec-10/#> peer 192.168.0.1
bob:/config/tunnel/ipsec-10/#> secret This_is_a_strong_sec$%,^@d
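The secret above is typed by hand for illustration; the introduction asks for a key chosen randomly with sufficient entropy. The following Python snippet is an added example, not part of the original page or the device's software. It draws a pre-shared key uniformly from an alphabet of letters, digits and a few punctuation characters (the assumption being that these characters can be entered unquoted on the CLI) and reports the entropy such a key carries, so that a minimum can be enforced before the key is pasted into both peers.

```python
import math
import secrets
import string

# Characters assumed safe to type unquoted at the CLI prompt (assumption: the
# device accepts these; adjust the set if your platform restricts the secret).
ALPHABET = string.ascii_letters + string.digits + "-_.+="


def entropy_bits(psk: str, alphabet: str = ALPHABET) -> float:
    """Entropy (in bits) the PSK carries if every character was drawn uniformly
    from `alphabet`. This is an upper bound: a human-chosen phrase such as
    "This_is_a_strong_sec..." carries far less than its length suggests."""
    bad = sorted({c for c in psk if c not in alphabet})
    if bad:
        raise ValueError(f"characters outside the allowed alphabet: {bad!r}")
    return len(psk) * math.log2(len(alphabet))


def generate_psk(min_bits: int = 256) -> str:
    """Return a PSK carrying at least `min_bits` of entropy, using the OS CSPRNG
    via the `secrets` module (never `random`, which is not cryptographically
    secure)."""
    bits_per_char = math.log2(len(ALPHABET))
    length = math.ceil(min_bits / bits_per_char)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psk_is_strong(psk: str, min_bits: int = 128) -> bool:
    """True when a uniformly random PSK of this length meets the minimum.
    128 bits is a reasonable floor for IKEv2 PSK authentication; 256 bits
    costs nothing extra here, so generate_psk() defaults to that."""
    try:
        return entropy_bits(psk) >= min_bits
    except ValueError:
        return False


if __name__ == "__main__":
    key = generate_psk()
    print(f"{key}  ({entropy_bits(key):.0f} bits, {len(key)} chars)")
```

The same string must be configured on both peers; generate it once, paste it on Alice and Bob, and do not reuse it for other tunnels.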

Verification

Both Alice and Bob omitted configuring IKE identities, so the local and remote IDs default to the local address and peer address, respectively. Additionally, a default /32 subnet is used for traffic selection, so only the two host addresses match the tunnel.

alice:/#> show tunnel ipsec 10
Current state for tunnel ipsec10 is UP(Installed).

Security-Association(SA) details:
ipsec10: #6, ESTABLISHED, IKEv2, 20759114c78bf131_i* 4fb9e973f3067b48_r
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 14304s
  tunnel1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 3267s, expires in 3955s
    in  c2032981,      0 bytes,     0 packets
    out cc173955,      0 bytes,     0 packets
    local  192.168.0.1/32
    remote 192.168.0.2/32

Loaded configuration for the connection:
ipsec10: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 30s
  local:  192.168.0.1
  remote: 192.168.0.2
  local pre-shared key authentication:
    id: alice
  remote pre-shared key authentication:
    id: bob
  tunnel1: TUNNEL, rekeying every 3600s, dpd action is start
    local:  dynamic
    remote: dynamic
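As an added example that is not part of the original page, the Python checker below parses the Security-Association section of the `show tunnel ipsec 10` output above and confirms the properties the text describes: tunnel state UP(Installed), an ESTABLISHED IKEv2 SA, an INSTALLED child SA in TUNNEL mode, and /32 selectors that match the configured local and peer addresses. The sample input is the page's own SA listing embedded as a string; the line formats the regular expressions match are inferred from that single sample and are an assumption for any other firmware version.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the SA section of the page's "show tunnel ipsec 10" output.
SAMPLE_OUTPUT = """\
Current state for tunnel ipsec10 is UP(Installed).

Security-Association(SA) details:
ipsec10: #6, ESTABLISHED, IKEv2, 20759114c78bf131_i* 4fb9e973f3067b48_r
  local  'alice' @ 192.168.0.1[500]
  remote 'bob' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 5s ago, rekeying in 14304s
  tunnel1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 3267s, expires in 3955s
    in  c2032981,      0 bytes,     0 packets
    out cc173955,      0 bytes,     0 packets
    local  192.168.0.1/32
    remote 192.168.0.2/32
"""


@dataclass
class TunnelStatus:
    state: str = ""
    ike_state: str = ""
    ike_version: str = ""
    ike_proposal: str = ""
    local_id: str = ""
    remote_id: str = ""
    local_addr: str = ""
    remote_addr: str = ""
    child_state: str = ""
    child_mode: str = ""
    esp_proposal: str = ""
    selectors: dict = field(default_factory=dict)   # {"local": [...], "remote": [...]}
    counters: dict = field(default_factory=dict)    # {"in": (bytes, packets), "out": ...}


def parse_show_tunnel(text: str) -> TunnelStatus:
    """Extract state, SA and selector information from the show output."""
    st = TunnelStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Current state for tunnel \S+ is (\S+)\.", line):
            st.state = m.group(1)
        elif m := re.match(r"\S+: #\d+, reqid \d+, (\w+), (\w+), ESP:(\S+)", line):
            st.child_state, st.child_mode, st.esp_proposal = m.groups()
        elif m := re.match(r"\S+: #\d+, (\w+), (IKEv\d),", line):
            st.ike_state, st.ike_version = m.groups()
        elif m := re.match(r"(local|remote)\s+'([^']*)' @ (\S+)\[\d+\]", line):
            side, ident, addr = m.groups()
            setattr(st, f"{side}_id", ident)
            setattr(st, f"{side}_addr", addr)
        elif m := re.match(r"(local|remote)\s+(\d+(?:\.\d+){3}/\d+)$", line):
            st.selectors.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"(in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets", line):
            st.counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif "/PRF_" in line:
            st.ike_proposal = line
    return st


def check_host_to_host(st: TunnelStatus, local_addr: str, peer_addr: str) -> list:
    """Return a list of problems; empty means the tunnel matches the expected
    host-to-host setup. Note that UP with zero packets only proves the SAs
    exist, not that traffic is flowing; check the counters after a ping."""
    problems = []
    if st.state != "UP(Installed)":
        problems.append(f"tunnel state is {st.state or 'unknown'}, expected UP(Installed)")
    if st.ike_version != "IKEv2":
        problems.append(f"IKE version is {st.ike_version or 'unknown'}, expected IKEv2")
    if st.ike_state != "ESTABLISHED":
        problems.append(f"IKE SA is {st.ike_state or 'missing'}, expected ESTABLISHED")
    if (st.child_state, st.child_mode) != ("INSTALLED", "TUNNEL"):
        problems.append("child SA is not INSTALLED in TUNNEL mode")
    if st.selectors.get("local") != [f"{local_addr}/32"]:
        problems.append(f"local selector {st.selectors.get('local')} != {local_addr}/32")
    if st.selectors.get("remote") != [f"{peer_addr}/32"]:
        problems.append(f"remote selector {st.selectors.get('remote')} != {peer_addr}/32")
    return problems


if __name__ == "__main__":
    status = parse_show_tunnel(SAMPLE_OUTPUT)
    print(check_host_to_host(status, "192.168.0.1", "192.168.0.2") or "tunnel OK")
```

Run on Alice, the expected addresses are her local address and Bob's; on Bob they are swapped. A non-empty result after a configuration change usually points at a mismatched `peer`/`local-address` pair or a typo in the shared secret.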