IPsec Host-To-Host

About

This is a minimal configuration example of an IPsec tunnel in a Host-To-Host scenario.

Introduction

In this minimal setup, host-to-host communication is enabled. In Figure 1 Alice is the responder, while Bob is the initiator. Both peers configure their respective local and peer IP addresses. Since neither of them exposes a subnet behind its address, only traffic between the two hosts will be secured and allowed through the tunnel. They use a pre-shared key chosen randomly with sufficient entropy.

                      .--.-.
                     ( (    )__
                    (_,  \ ) ,_)  Internet/Public Network
                      '-'--`--'
                       |    |
    .------------------'    '--------------------.
    |                                            |
    |Public IP:                                  |Public IP:
    |192.168.0.1                                 |192.168.0.2
.---+----.                                   .---+----.
|        |           IPsec Tunnel            |        |
| Alice  |===================================|  Bob   |
|        | Responder               Initiator |        |
'--------'                                   '--------'

Figure 1: Host-To-Host tunnel using IPsec.

Responder Setup

alice:/#> config
alice:/config/#> tunnel 
alice:/config/tunnel/#> ipsec 10
alice:/config/tunnel/ipsec-1/#> description "Alice to Bob"
alice:/config/tunnel/ipsec-1/#> local-address 192.168.0.1
alice:/config/tunnel/ipsec-1/#> peer 192.168.0.2
alice:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d

Initiator Setup

bob:/#> config
bob:/config/#> tunnel 
bob:/config/tunnel/#> ipsec 10
bob:/config/tunnel/ipsec-1/#> description "Bob to Alice"
bob:/config/tunnel/ipsec-1/#> initiator
bob:/config/tunnel/ipsec-1/#> local-address 192.168.0.2
bob:/config/tunnel/ipsec-1/#> peer 192.168.0.1
bob:/config/tunnel/ipsec-1/#> secret This_is_a_strong_sec$%,^@d

Verification

Neither Alice nor Bob configured IKE identities, so the local and remote IDs default to the local address and the peer address, respectively. Likewise, with no subnets configured, a default /32 prefix is used for the traffic selectors, so only traffic between the two host addresses matches the tunnel.

alice:/#> show tunnel ipsec 10
ipsec10: #4, ESTABLISHED, IKEv2, 618dc5c4c64236d1_i 6c49004532aa5a19_r*
  local  '192.168.1.1' @ 192.168.1.1[500]
  remote '192.168.1.2' @ 192.168.1.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 438s ago, rekeying in 13906s
  tunnel1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 438s ago, rekeying in 2840s, expires in 3522s
    in  c2b90c74,    504 bytes,     6 packets,   150s ago
    out c7a1a224,    504 bytes,     6 packets,   150s ago
    local  192.168.1.1/32
    remote 192.168.1.2/32
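The status listing above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original page or of the device's own tooling: it parses a listing in the format shown (IKE_SA header, identities, proposal, CHILD_SA with traffic selectors) and verifies the properties the text describes: the IKE_SA is ESTABLISHED, the CHILD_SA is INSTALLED, the IKE identities equal the endpoint addresses, the traffic selectors are exactly the two host /32s, and no legacy algorithm appears in the negotiated proposals. The embedded listing is constructed to mirror the output above but uses the addresses from the configuration sections, 192.168.0.1 and 192.168.0.2; a second constructed listing with a widened remote selector shows the check catching a tunnel that would carry more than host-to-host traffic. The regular expressions encode assumptions about the output layout and may need adjusting for other firmware versions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modeled on 'show tunnel ipsec 10' above, using the
# configured addresses (not captured from a device).
SAMPLE_STATUS = """\
ipsec10: #4, ESTABLISHED, IKEv2, 618dc5c4c64236d1_i 6c49004532aa5a19_r*
  local  '192.168.0.1' @ 192.168.0.1[500]
  remote '192.168.0.2' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 438s ago, rekeying in 13906s
  tunnel1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 438s ago, rekeying in 2840s, expires in 3522s
    in  c2b90c74,    504 bytes,     6 packets,   150s ago
    out c7a1a224,    504 bytes,     6 packets,   150s ago
    local  192.168.0.1/32
    remote 192.168.0.2/32
"""
# Constructed failure case: the remote selector covers a whole /24, so the
# tunnel is no longer host-to-host only.
SAMPLE_STATUS_WIDE = SAMPLE_STATUS.replace("remote 192.168.0.2/32", "remote 192.168.0.0/24")

# Algorithm name prefixes considered legacy for IKEv2/ESP (assumed naming as in the listing).
WEAK_ALG_PREFIXES = ("NULL", "DES", "3DES", "HMAC_MD5", "PRF_HMAC_MD5", "MODP_768", "MODP_1024")

IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), (IKEv\d)")
ID_RE = re.compile(r"^\s+(local|remote)\s+'([^']*)' @ (\S+)\[\d+\]")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), (\w+), ESP:(\S+)")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\S+/\d+)$")


@dataclass
class ChildSA:
    name: str
    state: str
    mode: str
    esp: str
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)


@dataclass
class IkeSA:
    name: str
    state: str
    version: str
    local_id: str = ""
    local_addr: str = ""
    remote_id: str = ""
    remote_addr: str = ""
    proposal: str = ""
    children: list = field(default_factory=list)


def parse_status(text: str) -> IkeSA:
    """Parse one IKE_SA block (with its CHILD_SAs) from the status listing."""
    ike, child = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = IKE_RE.match(line)
        if m:
            ike, child = IkeSA(*m.groups()), None
            continue
        if ike is None:
            raise ValueError(f"unexpected line before IKE_SA header: {line!r}")
        m = ID_RE.match(line)
        if m:  # identity and address of each endpoint
            side, ident, addr = m.groups()
            if side == "local":
                ike.local_id, ike.local_addr = ident, addr
            else:
                ike.remote_id, ike.remote_addr = ident, addr
            continue
        m = CHILD_RE.match(line)
        if m:  # start of a CHILD_SA block
            child = ChildSA(*m.groups())
            ike.children.append(child)
            continue
        m = TS_RE.match(line)
        if m and child is not None:  # traffic selectors belong to the current CHILD_SA
            (child.local_ts if m.group(1) == "local" else child.remote_ts).append(m.group(2))
            continue
        stripped = line.strip()
        if child is None and "/" in stripped and " " not in stripped:
            ike.proposal = stripped  # IKE proposal line; timers and counters are skipped
    if ike is None:
        raise ValueError("no IKE_SA found in status output")
    return ike


def weak_algorithms(proposal: str) -> list:
    return [alg for alg in proposal.split("/") if alg.startswith(WEAK_ALG_PREFIXES)]


def check_host_to_host(ike: IkeSA, local: str, peer: str) -> list:
    """Return findings; an empty list means the SA matches the intended host-to-host policy."""
    findings = []
    if ike.state != "ESTABLISHED":
        findings.append(f"IKE_SA {ike.name} is {ike.state}, not ESTABLISHED")
    if (ike.local_addr, ike.remote_addr) != (local, peer):
        findings.append(f"IKE_SA endpoints {ike.local_addr}<->{ike.remote_addr} differ from configuration")
    # No IKE identities were configured, so the IDs must equal the addresses.
    if (ike.local_id, ike.remote_id) != (ike.local_addr, ike.remote_addr):
        findings.append("IKE identities do not match the endpoint addresses")
    for alg in weak_algorithms(ike.proposal):
        findings.append(f"legacy IKE algorithm negotiated: {alg}")
    if not ike.children:
        findings.append("no CHILD_SA present")
    want_local = {ipaddress.ip_network(f"{local}/32")}
    want_remote = {ipaddress.ip_network(f"{peer}/32")}
    for child in ike.children:
        if child.state != "INSTALLED":
            findings.append(f"CHILD_SA {child.name} is {child.state}, not INSTALLED")
        for alg in weak_algorithms(child.esp):
            findings.append(f"legacy ESP algorithm in {child.name}: {alg}")
        got_local = {ipaddress.ip_network(t, strict=False) for t in child.local_ts}
        got_remote = {ipaddress.ip_network(t, strict=False) for t in child.remote_ts}
        if got_local != want_local or got_remote != want_remote:
            findings.append(f"CHILD_SA {child.name} selectors {child.local_ts}<->{child.remote_ts} are not the two host /32s")
    return findings


if __name__ == "__main__":
    for label, text in (("expected", SAMPLE_STATUS), ("widened selector", SAMPLE_STATUS_WIDE)):
        result = check_host_to_host(parse_status(text), "192.168.0.1", "192.168.0.2")
        print(label, "->", "OK" if not result else result)
```

Feeding the script the live listing from `show tunnel ipsec 10` (for example via a scheduled job that compares against the configured `local-address` and `peer`) turns the one-time verification into a recurring policy check; any non-empty findings list is worth alerting on, since a widened selector or a downgraded proposal would otherwise be invisible once the tunnel shows ESTABLISHED.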