Ipsec
From PTAGISWiki
6/28/04

IPSec setup

OpenS/WAN is the current package that implements IPSec on Linux, but it seems to demand a 2.6 kernel and I currently run 2.4. (It claims to work on the 2.4 kernel, but I couldn't figure out how to make it happen.) Redhat ELW 3.0 includes an IPSec config tool that makes it as easy as clicking three buttons to set up. But I don't want to install Enterprise Linux at home and have to do lots of reconfiguring to get all my services back into working order. So I settled on FreeS/WAN, which supports 2.4 kernels and installs with these two packages:

 freeswan-userland-2.06_2.4.20_6-0
 freeswan-module-2.06_2.4.20_6-0

Those packages have to match the version of the currently running kernel which, in my case, is 2.4.20-6.

I followed the documentation at:

 http://www.freeswan.org
 http://www.siliconvalleyccie.com/linux-adv/vpn-linux.htm

I built a config file (/etc/ipsec.conf) that looks like this:

 conn net-to-net
         left=24.21.143.6                # public IP address
         leftsubnet=10.0.0.0/24          # private subnet
         leftid=@weasel.finninday.net
         # RSA 3536 bits   weasel.finninday.net   Tue Jun 8 14:49:49 2004
         leftrsasigkey=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
         leftnexthop=%defaultroute
         right=199.170.103.119
         rightsubnet=10.0.20.0/24
         rightid=@snapper.psmfc.org
         rightrsasigkey=
         rightnexthop=%defaultroute
         auto=add

My home machine has these interfaces when ipsec is turned off:

 eth0   24.21.143.6   (connected to internet via comcast cable modem)
 eth1   10.0.0.3      (local subnet)

At the moment, when I turn on ipsec, I get another interface that looks like this:

 ipsec0   24.21.143.6

At this point, my server still acts as a gateway for established connections, but DNS queries now fail because there is no valid route either to or from the DNS servers. When I turn off ipsec, all is well again.
I made these changes to the iptables firewall config:

 [0:0] -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
 [0:0] -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
 [0:0] -A INPUT -p 50 -j ACCEPT
 [0:0] -A OUTPUT -p 50 -j ACCEPT

I believe there are some other changes I need to make to the NAT config to make that work nicely with ipsec. Here is my NAT config in iptables:

 [1:186] -A POSTROUTING -o eth0 -j SNAT --to-source 24.21.143.6

This NAT config allows the four machines on the local network (10.0.0.0/24) to have internet access.

Questions:

1) What subnet should I assign to ipsec for it to live on locally?

 a) 10.0.0.0/24   (the existing local subnet)
 b) 10.0.10.0/24  (an unused local subnet)
 c) 24.21.143.6/32 (my gateway machine, weasel.finninday.net)

2) Is this routing table correct?

 [root@weasel sysconfig]# route
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 24.21.143.0     *               255.255.255.128 U     0      0        0 eth0
 24.21.143.0     *               255.255.255.128 U     0      0        0 ipsec0
 10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
 default         24.21.143.1     128.0.0.0       UG    0      0        0 ipsec0
 128.0.0.0       24.21.143.1     128.0.0.0       UG    0      0        0 ipsec0
 default         24.21.143.1     0.0.0.0         UG    0      0        0 eth0

It has two defaults and it looks like all traffic is trying to go over the ipsec0 device, which goes nowhere. Which would definitely cause the DNS problems I'm seeing.
3) Is this ifconfig entry correct?

 ipsec0    Link encap:Ethernet  HWaddr 00:60:08:11:B5:9E
           inet addr:24.21.143.6  Mask:255.255.255.128
           UP RUNNING NOARP  MTU:16260  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:10
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
4) Here is the log entry of a dropped DNS query:

 Jun 28 14:42:16 weasel kernel: IN= OUT=ipsec0 SRC=24.21.143.6 DST=204.127.198.4 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=12295 DF PROTO=UDP SPT=37767 DPT=53 LEN=50
Why are dns queries trying to go out over ipsec0? That's dumb.
5) I don't want to disrupt existing routes and traffic from local machines on the 10.0.0.0/24 net. That is, I don't want ipsec0 to be a default route. I just want it to be an additional route on the gateway. How do I do this? ipsec0 comes up as a default route without any special instructions from me.
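An added diagnostic for questions 2 and 5 and for the NAT question, not part of these notes or of FreeS/WAN: a small shell script that pulls out of the routing table above every route able to carry arbitrary Internet traffic, and emits a nat table in which home-LAN to remote-LAN traffic is exempted from the SNAT rule. My reading of that table, which the page itself does not state: the two entries with genmask 128.0.0.0 on ipsec0 are the 0.0.0.0/1 plus 128.0.0.0/1 pair that FreeS/WAN's _updown installs for a conn whose far subnet is 0.0.0.0/0 (the opportunistic-encryption conns in the stock 2.x ipsec.conf are such conns), which is why they outrank the real default on eth0 for every destination. The exemption rule and its position ahead of the SNAT are my assumption about what this setup needs; the addresses and interface names are the page's.

```shell
#!/bin/sh
# Added example, not from the wiki page or from FreeS/WAN.
#   wide_routes           - routes that can swallow arbitrary Internet traffic
#   wide_route_count      - how many of them there are (more than 1 = conflict)
#   iface_owns_wide_route - exit 0 if a given interface owns one of them
#   nat_table             - nat table with tunnel traffic exempted from SNAT
#   nat_order_ok          - exit 0 if the exemption precedes the SNAT rule
# On a live gateway:  wide_routes "$(route -n)"    nat_table | iptables-restore -n

# Constructed sample: the routing table from the page, in `route` form.
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.21.143.0     *               255.255.255.128 U     0      0        0 eth0
24.21.143.0     *               255.255.255.128 U     0      0        0 ipsec0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         24.21.143.1     128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       24.21.143.1     128.0.0.0       UG    0      0        0 ipsec0
default         24.21.143.1     0.0.0.0         UG    0      0        0 eth0'

# Print "<iface> <destination>/<genmask>" for each route whose genmask is
# 0.0.0.0 (a real default) or 128.0.0.0 (one half of the 0.0.0.0/1 +
# 128.0.0.0/1 covering pair). Iface is always the last field, so this works
# on `route` and `route -n` output alike; header lines never match.
wide_routes() {
    printf '%s\n' "$1" | awk '
        $3 == "0.0.0.0" || $3 == "128.0.0.0" { print $NF, $1 "/" $3 }'
}

# Number of such routes. One is normal; the page's table has three.
wide_route_count() {
    wide_routes "$1" | awk 'END { print NR }'
}

# Exit status 0 when interface $2 owns at least one wide route, else 1.
iface_owns_wide_route() {
    wide_routes "$1" | awk -v want="$2" \
        '$1 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# nat table in iptables-restore(8) form. The ACCEPT for 10.0.0.0/24 ->
# 10.0.20.0/24 has to come before the SNAT: once a packet's source has been
# rewritten to 24.21.143.6 it no longer matches leftsubnet=10.0.0.0/24 and
# never enters the tunnel. (Assumption: this is the missing NAT change.)
nat_table() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -d 10.0.20.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source 24.21.143.6
COMMIT
EOF
}

# Exit 0 when the exemption line appears before the SNAT line in nat_table.
nat_order_ok() {
    nat_table | awk '
        /-d 10.0.20.0\/24 -j ACCEPT/ { a = NR }
        /-j SNAT/                    { s = NR }
        END { if (a && s && a < s) exit 0; exit 1 }'
}

# Stand-alone run: report on the page's table.
echo "wide routes: $(wide_route_count "$SAMPLE_ROUTES")"
wide_routes "$SAMPLE_ROUTES"
iface_owns_wide_route "$SAMPLE_ROUTES" ipsec0 \
    && echo "ipsec0 owns a default/covering route: that is where the DNS query went"
```

The filter rules already listed on the page (UDP/500 both ways, protocol 50 both ways) still apply; UDP/4500 for NAT traversal would only be needed if one of the two gateways sat behind a NAT, which neither does here. The cleaner fix for the routing symptom is on the FreeS/WAN side, not in the routing table: leave no conn with a 0.0.0.0/0 far subnet in a routed state, so that ipsec0 only ever receives the 10.0.20.0/24 route the net-to-net conn asks for.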
07/08/04
After working with Todd and setting up the Firebox config at work, I've determined that I need to try to match this configuration:
 Gateway:  isakmp ip 24.21.143.6
           shared key: rynofinn
 Phase 1:  auth: SHA1-HMAC or MD5-HMAC
           enc:  DES-CBC or 3DES-CBC
           diffie hellman group 1 or 2
 Tunnel:
 Phase 2:  type: ESP or AH
           Auth: SHA1
           Enc:  3DES
 Routing Policy:  w: 199.170.103.0/24
                  h: 10.0.0.0/24
 psmfc-fw = 205.230.28.3
Now to compare that to the abilities of freeswan, I find this: (reference urls http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/faq.html http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/glossary.html)
- freeswan doesn't support single DES as it is considered insecure, so I need to have Todd use 3DES
- freeswan no longer supports AH, so ESP must be the protocol
- freeswan supports MD5 and SHA hashed message authentication codes, but I haven't figured out how to specify one or the other in the config
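To pin down the proposal the Firebox side expects, here is the conn written out in full, with its ipsec.secrets entry. This is an added example, not a config from the page or from either VPN project. Assumptions: the conn name work; the ike= and esp= keywords, which belong to the Openswan/strongSwan successors of FreeS/WAN (I believe FreeS/WAN 2.06 without the algorithm patch does not take them, which would be consistent with the note above about not being able to pick MD5 or SHA, and then negotiates 3DES with either hash from its built-in proposals); reading "w:" as the work subnet and psmfc-fw as the IKE peer; and pfs=no because the Firebox listing names no Phase 2 DH group. Addresses and the shared key are the page's.

```conf
# /etc/ipsec.conf  (added example; names marked below are assumptions)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# conn name is an assumption
conn work
        type=tunnel
        keyexchange=ike
        # pre-shared key, matching the Firebox "shared key" line,
        # instead of the RSA signatures used by the net-to-net conn
        authby=secret
        # Phase 1: 3DES (the Firebox must be told 3DES, single DES is
        # refused), SHA1-HMAC, DH group 2 (modp1024); group 1 would be
        # modp768. ike= is Openswan/strongSwan syntax (assumption).
        ike=3des-sha1-modp1024
        # Phase 2: ESP only (AH is gone), 3DES, SHA1. esp= likewise.
        esp=3des-sha1
        # no Phase 2 DH group in the Firebox listing (assumption)
        pfs=no
        left=24.21.143.6
        leftsubnet=10.0.0.0/24
        leftnexthop=%defaultroute
        # psmfc-fw as the peer, "w:" as the far subnet (my reading)
        right=205.230.28.3
        rightsubnet=199.170.103.0/24
        rightnexthop=%defaultroute
        auto=start

# Keep the opportunistic-encryption conns from routing 0.0.0.0/0 over
# ipsec0. FreeS/WAN 2.x ships a no_oe.conf that sets them to auto=ignore;
# the path is from memory, check it on the box.
include /etc/ipsec.d/examples/no_oe.conf

# /etc/ipsec.secrets  (root-only, mode 0600)
24.21.143.6 205.230.28.3 : PSK "rynofinn"
```

With authby=secret the leftrsasigkey/rightrsasigkey lines are not needed for this conn. A PSK this short is fine for getting the tunnel up but worth replacing with a long random string afterwards, since the same key is all an attacker needs to impersonate either gateway.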
