How to set up IPSEC VPN
=======================
install freeswan ipsec with x.509 patch on both boxes:
------------------------------------------------------
[root@igloo root]# uname -a
Linux igloo 2.4.18-18.8.0smp #1 SMP Wed Nov 13 23:11:20 EST 2002 i686 i686 i386
GNU/Linux
[root@igloo root]# rpm -qa|grep freeswan
freeswan-module-1.99_x509_0.9.15_2.4.18_18.8.0-0
freeswan-1.99_x509_0.9.15_2.4.18_18.8.0-0
[root@roadwarrior root]# uname -a
Linux roadwarrior 2.4.18-24.8.0 #1 Fri Jan 31 06:51:30 EST 2003 i686 i686 i386 GNU/Linux
[root@roadwarrior root]# rpm -qa|grep freeswan
freeswan-module-1.99_x509_0.9.15_2.4.18_24.8.0-0
freeswan-1.99_x509_0.9.15_2.4.18_24.8.0-0
Set up FreeSWAN ipsec on gateway box igloo:
-------------------------------------------
[root@igloo root]# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
left=%defaultroute
right=%opportunistic
keylife=1h
rekey=no
# for initiator only OE, uncomment and fill in the leftid= line below
# after putting your key in your forward map
#leftid=@xxxxxxxxxxxxxxxxxxxxxx
# uncomment this next line to enable it
#auto=route
# sample VPN connection
conn sample
# Left security gateway, subnet behind it, next hop toward right.
left=10.0.0.1
leftsubnet=172.16.0.0/24
leftnexthop=10.22.33.44
# Right security gateway, subnet behind it, next hop toward left.
right=10.12.12.1
rightsubnet=192.168.0.0/24
rightnexthop=10.101.102.103
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
#auto=add
conn roadwarrior-net
# leftsubnet=137.111.20.128/25
leftsubnet=0.0.0.0/0
also=roadwarrior
conn roadwarrior
right=%any
left=%defaultroute
leftcert=myCert.pem
auto=add
pfs=yes
[root@igloo root]# cat /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/myKey.pem "NoWay4U"
Install your own certificate, the CA certificate, the CRL and your private key file. Note that /etc/ipsec.secrets above holds the passphrase that unlocks the private key in clear text ("NoWay4U" is only an example – use your own), so it must be owned by root and readable by root only (mode 0600), just like the key file itself. Also note that with right=%any and no rightid= (or other) restriction on the peer's identity, igloo will accept any certificate signed by the CA in /etc/ipsec.d/cacerts, so keep the CRL in /etc/ipsec.d/crls current (reload it with `ipsec auto --rereadcrls`; see the X.509 patch documentation) to shut out a lost or stolen road-warrior key:
[root@igloo root]# ls -al /etc/ipsec.d/cacerts/myCAcert.pem
-rw-r--r-- 1 root root 1224 Feb 14 12:15 /etc/ipsec.d/cacerts/myCAcert.pem
[root@igloo root]# cat /etc/ipsec.d/cacerts/myCAcert.pem
-----BEGIN CERTIFICATE-----
MIIDXDCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUx
...
AfterGZ+z7HzhNpXAmKFr7OPD6vW7QcVSz8QrInrp3jXURW5i676L0j5EtLUGiN3nBd
-----END CERTIFICATE-----
[root@igloo root]# ls -al /etc/ipsec.d/crls/myCrl.pem
-rw-r--r-- 1 root root 499 Feb 14 12:15 /etc/ipsec.d/crls/myCrl.pem
[root@igloo root]# cat /etc/ipsec.d/crls/myCrl.pem
-----BEGIN X509 CRL-----
MIIBRzCBsTANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUxJDAiBgNVBAoT
...
1U+Bv66Dc8H7aRG3K5o8dHTXc9Stv/MJHeIAhRYPeBxmdXX5G35XN3kzQQ==
-----END X509 CRL-----
[root@igloo root]# ls -al /etc/ipsec.d/private/myKey.pem
-rw------- 1 root root 963 Feb 11 20:15 /etc/ipsec.d/private/myKey.pem
[root@igloo root]# cat /etc/ipsec.d/private/myKey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,856A3403176DE7DB
vEcn8p45y8VYkOkR1Ql6+DCpwPBBWlPOITBRXgRBYprBiQzVuLQefsX9rviT1g8b
...
wUp6jIC4fewy54qy2JVj5x7/KjeLiaUULC5dDZGJyohlOF8VUXctSQ==
-----END RSA PRIVATE KEY-----
[root@igloo root]# ls -al /etc/ipsec.d/myCert.pem
-rw-r--r-- 1 root root 1281 Feb 11 22:42 /etc/ipsec.d/myCert.pem
[root@igloo root]# cat /etc/ipsec.d/myCert.pem
-----BEGIN CERTIFICATE-----
MIIDhTCCAu6gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUx
...
NCFbkao4SNOx14c6xaX/OHDpJvRkneDNq8Vvk5jQKXXT1+1nzibyE9Y=
-----END CERTIFICATE-----
[root@igloo root]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
0
[root@igloo root]# cat /proc/sys/net/ipv4/ip_forward
1
[root@igloo root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
137.111.20.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 137.111.20.129 0.0.0.0 UG 0 0 0 eth0
[root@igloo root]# /etc/rc.d/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/2.4.18-18.8.0smp/kernel/net/ipsec/ipsec.o
[root@igloo root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
137.111.20.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
137.111.20.128 0.0.0.0 255.255.255.128 U 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 137.111.20.129 0.0.0.0 UG 0 0 0 eth0
Set up firewall rules on the gateway (igloo) side, assuming the IP address of the client box roadwarrior is in the 137.111.139.0/24 subnet. Note that these commands only add ACCEPT entries to chains whose policy is already ACCEPT (see the listing below), so they do not restrict anything until you set a DROP policy or add DROP rules; also, the MASQUERADE rule matches on the source subnet only, not on the ipsec+ interface, so any forwarded packet claiming a 137.111.139.0/24 source is masqueraded, not just traffic that arrived through the tunnel:
[root@igloo root]# iptables -t nat -A POSTROUTING -s 137.111.139.0/24 -o eth0 -j MASQUERADE
[root@igloo root]# iptables -A FORWARD -i ipsec+ -o eth0 -j ACCEPT
[root@igloo root]# iptables -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
[root@igloo root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Set up FreeSWAN ipsec on client box roadwarrior:
------------------------------------------------
[root@roadwarrior root]# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
left=%defaultroute
right=%opportunistic
keylife=1h
rekey=no
# for initiator only OE, uncomment and fill in the leftid= line below
# after putting your key in your forward map
#leftid=@xxxxxxxxxxxxxxxxxxxxxx
# uncomment this next line to enable it
#auto=route
# sample VPN connection
conn sample
# Left security gateway, subnet behind it, next hop toward right.
left=10.0.0.1
leftsubnet=172.16.0.0/24
leftnexthop=10.22.33.44
# Right security gateway, subnet behind it, next hop toward left.
right=10.12.12.1
rightsubnet=192.168.0.0/24
rightnexthop=10.101.102.103
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
#auto=add
conn roadwarrior-net
# leftsubnet=137.111.20.128/25
leftsubnet=0.0.0.0/0
also=roadwarrior
conn roadwarrior
left=137.111.20.252
leftcert=igloo.pem
right=%defaultroute
rightcert=terrence.pem
# auto=add
auto=start
pfs=yes
[root@roadwarrior root]# cat /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/terrence.key "IdontellU"
Install the same CA certificate and CRL, plus the client's own certificate, the gateway's certificate and the client's private key file. As on igloo, /etc/ipsec.secrets contains the key passphrase in clear text ("IdontellU" is only an example) and must be owned by root and readable by root only (mode 0600):
[root@roadwarrior root]# ls -al /etc/ipsec.d/cacerts/myCAcert.pem
-rw-r--r-- 1 root root 1224 Feb 14 12:15 /etc/ipsec.d/cacerts/myCAcert.pem
[root@roadwarrior root]# cat /etc/ipsec.d/cacerts/myCAcert.pem
-----BEGIN CERTIFICATE-----
MIIDXDCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUx
...
AfterGZ+z7HzhNpXAmKFr7OPD6vW7QcVSz8QrInrp3jXURW5i676L0j5EtLUGiN3nBd
-----END CERTIFICATE-----
[root@roadwarrior root]# ls -al /etc/ipsec.d/crls/myCrl.pem
-rw-r--r-- 1 root root 499 Feb 14 12:15 /etc/ipsec.d/crls/myCrl.pem
[root@roadwarrior root]# cat /etc/ipsec.d/crls/myCrl.pem
-----BEGIN X509 CRL-----
MIIBRzCBsTANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUxJDAiBgNVBAoT
...
1U+Bv66Dc8H7aRG3K5o8dHTXc9Stv/MJHeIAhRYPeBxmdXX5G35XN3kzQQ==
-----END X509 CRL-----
[root@roadwarrior root]# ls -al /etc/ipsec.d/private/terrence.key
-rw------- 1 root root 2167 Feb 14 12:15 /etc/ipsec.d/private/terrence.key
[root@roadwarrior root]# cat /etc/ipsec.d/private/terrence.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,94C5488E95776EA1
erlftzy+eO2dPvgnoquu3Vfyw2YBwzHh1o8v1S8nQ5FlYduN5yHRpw1tVHfz0sDQ
...
v1LmkxNMj00WZSES8freTpxD2m7e73uYa2d1bevlPF8xOMCjKNcw==
-----END RSA PRIVATE KEY-----
[root@roadwarrior root]# ls -al /etc/ipsec.d/igloo.pem
-rw-r--r-- 1 root root 1281 Feb 14 12:16 /etc/ipsec.d/igloo.pem
[root@roadwarrior root]# cat /etc/ipsec.d/igloo.pem
-----BEGIN CERTIFICATE-----
MIIDhTCCAu6gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUx
...
NCFbkao4SNOx14c6xaX/OHDpJvRkneDNq8Vvk5jQKXXT1+1nzibyE9Y=
-----END CERTIFICATE-----
[root@roadwarrior root]# ls -al /etc/ipsec.d/terrence.pem
-rw-r--r-- 1 root root 1281 Feb 14 12:16 /etc/ipsec.d/terrence.pem
[root@roadwarrior root]# cat /etc/ipsec.d/terrence.pem
-----BEGIN CERTIFICATE-----
MIIDhDCCAu2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQVUx
...
VPBuDGgxGcIUaJ6gr6P6vgq2W0qCYrAeBsMSy7uOFbi6pkB1BJT3Jw==
-----END CERTIFICATE-----
After you dial up to the Terminal Server network, you get something like:
[root@roadwarrior root]# ifconfig -a
...
ppp0 Link encap:Point-to-Point Protocol
inet addr:137.111.139.172 P-t-P:137.111.139.126 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6496 errors:1 dropped:0 overruns:0 frame:0
TX packets:8326 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3587752 (3.4 Mb) TX bytes:876729 (856.1 Kb)
[root@roadwarrior root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
137.111.139.126 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
0.0.0.0 137.111.139.126 0.0.0.0 UG 0 0 0 ppp0
Start the ipsec tunnel. The first command turns off reverse-path filtering on ppp0 (it was already 0 on igloo's eth0 above); this disables the kernel's anti-spoofing check on that interface, so filter spoofed source addresses with explicit iptables rules instead:
[root@roadwarrior root]# echo 0 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
[root@roadwarrior root]# /etc/rc.d/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/2.4.18-24.8.0/kernel/net/ipsec/ipsec.o
Routing table on roadwarrior:
[root@roadwarrior root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
137.111.139.126 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
137.111.139.126 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
137.111.20.252 137.111.139.126 255.255.255.255 UGH 0 0 0 ipsec0
0.0.0.0 137.111.139.126 128.0.0.0 UG 0 0 0 ipsec0
128.0.0.0 137.111.139.126 128.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 137.111.139.126 0.0.0.0 UG 0 0 0 ppp0
Routing table on igloo:
[root@igloo root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
137.111.139.172 137.111.20.129 255.255.255.255 UGH 0 0 0 ipsec0
137.111.20.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
137.111.20.128 0.0.0.0 255.255.255.128 U 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 137.111.20.129 0.0.0.0 UG 0 0 0 eth0
All the IPv4 traffic of your browser, streaming video/audio, Yahoo messenger etc. will now go through this "ipsec" tunnel: the two 128.0.0.0/1 routes via ipsec0 above take precedence over the default route via ppp0. Because igloo masquerades it, the rest of the network sees this traffic as coming from igloo's eth0 address.
Reference
=========
FreeS/WAN Documentation: <http://www.freeswan.org/>
X.509 Patch Documentation: <http://www.strongsec.com/freeswan/>
FreeS/WAN with X.509 <-> FreeS/WAN or WinXP Howto: <http://www.natecarlson.com/linux/ipsec-x509.php>
FreeS/WAN IPSec Interoperability Guide: <http://www.ssh.com/documents/31/ssh_sentinel_14_freeswan.pdf>