Installing and running FreeS/WAN
What is FreeS/WAN

– An implementation of IPsec for Linux
– Can be found at
– Helps set up encrypted and/or authenticated communications in
  – Network-Network
  – Host-Network
  – Host-Host configurations
The tested FreeS/WAN configuration (network-network)

Figure (labels as they appear on the slide; the addresses next to the nexthop labels are not shown):

  "Left Subnet"  -- titan -- (eth0) lamar ("left")  (eth1) ("leftnexthop")
                                                      |
                                                 IPsec tunnel
                                                      |
  "Right Subnet" -- beta  -- (eth0) alpha ("right") (eth1) ("rightnexthop")
How to get IPsec to work

– Start with the physical setup of the machines: identify the gateways, the subnets, and the gateway interface on which each subnet sits.
– Identify (arbitrarily) which gateway is "left" and which is "right".
– If using private subnets, the subnet IDs should not conflict. (NAT might be needed if they have to conflict, but that is for another day.)
– Make the appropriate entries in the routing tables.
– Download and build FreeS/WAN per the instructions in chapter 6 of "Building Linux Virtual Private Networks" by Oleg Kolesnikov and Brian Hatch.
– Generate keys on both gateways, using PSK or RSA, and store them in /etc/ipsec.secrets on each gateway. RSA was used in this case; the command used was "ipsec rsasigkey --verbose 2048 > rsakey.tmp". Add the formatting information and copy the result into /etc/ipsec.secrets.
How to get IPsec to work (contd)

– Enter the connection name, interface, left and right subnets, nexthops and gateways into /etc/ipsec.conf.
– Make sure every line below a section label line starts with a tab (even comments must start with a tab!).
– For the network-network configuration, copy the same /etc/ipsec.conf file onto both machines: "left" stays left and "right" stays right whichever gateway you are looking at. Note that this is not the case for host-network.
– Copy the value of the #pubkey line from each gateway's /etc/ipsec.secrets into the /etc/ipsec.conf files on the appropriate side (leftrsasigkey / rightrsasigkey).
– To establish the connection, run "ipsec auto --up connectName" on both sides.
How an IPsec packet looks

The IPsec module on the gateway encapsulates the original packet so that it looks like the following when it is sent out. When receiving a packet, the gateway reads the IPsec header, performs decryption etc., which yields the original packet.

  | New IP Header | IPsec Header (AH or ESP) | Old IP Header | Payload |
                                             |<-- original packet, now encrypted -->|
Routing table on alpha
(only the Flags and Iface columns survived; Destination, Gateway and Genmask values are not shown)

Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
                               U                         eth
                               U                         ipsec
                               UG                        ipsec
                               U                         eth
                               U                         lo
                               UG                        eth1
Routing table on lamar
(only the Flags and Iface columns survived; Destination, Gateway and Genmask values are not shown)

Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
                               U                         eth
                               U                         ipsec
                               U                         eth
                               UG                        ipsec
                               U                         lo
                               UG                        eth1
Firewall rules on lamar

iptables -F
echo "Setting ip_forward to 1..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Setting rp_filter's to 0..."
for i in `find /proc/sys/net/ipv4/conf -name rp_filter`
do
    echo 0 > $i
done
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P FORWARD DROP
# Only allow ipsec traffic, ESP and AH from and to the Internet
/sbin/iptables -A FORWARD -p udp -d /24 --dport 500 -j ACCEPT   ### Suggestion: "-o IF-of /32".

Firewall rules on lamar (contd)

/sbin/iptables -A FORWARD -p 50 -d /24 -j ACCEPT                ### Suggestion: "-o IF-of /32".
/sbin/iptables -A FORWARD -p 51 -d /24 -j ACCEPT                ### Suggestion: "-o IF-of /32".
# Allows internal subnet access
/sbin/iptables -A FORWARD -s /24 -j ACCEPT                      ### Suggestion: "-i IF-of /24".
# Allows traffic from and to internal LANs
/sbin/iptables -A FORWARD -s /24 -d /24 -j ACCEPT               ### Suggestion: "-o IF-of /24". Suggestion: "-i IF-of /24".
/sbin/iptables -A FORWARD -d /24 -s /24 -j ACCEPT               ### Suggestion: "-o IF-of /24". Suggestion: "-i IF-of /24".
# Default input policy back to DROP
/sbin/iptables -P FORWARD DROP

The firewall rules for alpha are the mirror image of these.
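Added example, not from the slides and not FreeS/WAN's own code: a small Python model of the FORWARD chain above, run over constructed packets. It parses the outer IPv4 header that the "How an IPsec packet looks" slide describes, reads the SPI and sequence number from an ESP header (protocol 50, as matched by the "-p 50" rule), and applies the rules twice: as written, and with the "### Suggestion" interface restrictions added. The subnets (192.0.2.0/24 for the gateways, 10.0.1.0/24 and 10.0.2.0/24 for the LANs), the interface roles (eth0 inside, eth1 outside, taken from interfaces="ipsec0=eth1") and every packet are placeholders, because the slides' real addresses are not shown.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed placeholders for the subnets and interfaces the slides elide.
GATEWAY_NET = ip_network("192.0.2.0/24")   # the "-d /24" of the IKE/ESP/AH rules
LEFT_LAN = ip_network("10.0.1.0/24")       # lamar's own LAN (the "-s /24" rule)
RIGHT_LAN = ip_network("10.0.2.0/24")      # the LAN behind alpha
INSIDE, OUTSIDE = "eth0", "eth1"           # assumed: eth1 is the side ipsec0 is bound to
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
IKE_PORT = 500


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet: 20-byte header (checksum left zero) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from the outer IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ip_address(pkt[12:16]), ip_address(pkt[16:20]), pkt[ihl:]


def parse_esp(payload):
    """ESP header = SPI (4 bytes) + sequence number (4 bytes). What follows is
    the old IP header and payload in encrypted form, so it cannot be read here."""
    return struct.unpack("!II", payload[:8])


def udp_dport(payload):
    return struct.unpack("!H", payload[2:4])[0]


def rule(**kw):
    """One FORWARD rule; a key that is absent matches anything (like iptables)."""
    return kw

# The chain as written on the slide: every rule is ACCEPT, policy is DROP.
AS_WRITTEN = [
    rule(proto=UDP, dst=GATEWAY_NET, dport=IKE_PORT),
    rule(proto=ESP, dst=GATEWAY_NET),
    rule(proto=AH, dst=GATEWAY_NET),
    rule(src=LEFT_LAN),
    rule(src=LEFT_LAN, dst=RIGHT_LAN),
    rule(src=RIGHT_LAN, dst=LEFT_LAN),
]
# The same chain with the "### Suggestion" -i / -o interface restrictions.
SUGGESTED = [
    rule(proto=UDP, dst=GATEWAY_NET, dport=IKE_PORT, out_if=OUTSIDE),
    rule(proto=ESP, dst=GATEWAY_NET, out_if=OUTSIDE),
    rule(proto=AH, dst=GATEWAY_NET, out_if=OUTSIDE),
    rule(src=LEFT_LAN, in_if=INSIDE),
    rule(src=LEFT_LAN, dst=RIGHT_LAN, in_if=INSIDE, out_if=OUTSIDE),
    rule(src=RIGHT_LAN, dst=LEFT_LAN, in_if=OUTSIDE, out_if=INSIDE),
]


def matches(r, fields):
    for key, want in r.items():
        have = fields[key]
        if key in ("src", "dst"):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(ruleset, pkt, in_if, out_if):
    """First matching rule ACCEPTs; otherwise the chain's DROP policy applies."""
    proto, src, dst, payload = parse_ipv4(pkt)
    fields = {"proto": proto, "src": src, "dst": dst, "in_if": in_if, "out_if": out_if,
              "dport": udp_dport(payload) if proto == UDP else None}
    return "ACCEPT" if any(matches(r, fields) for r in ruleset) else "DROP"


# Constructed sample packets (SPI, sequence number and addresses are made up).
ESP_PKT = build_ipv4(ESP, "192.0.2.2", "192.0.2.1", struct.pack("!II", 0x1000, 42) + b"\x00" * 16)
IKE_PKT = build_ipv4(UDP, "192.0.2.2", "192.0.2.1", struct.pack("!HHHH", 500, 500, 8, 0))
LAN_PING = build_ipv4(ICMP, "10.0.1.5", "10.0.2.7", b"\x08\x00" + b"\x00" * 6)
SPOOFED = build_ipv4(ICMP, "10.0.1.5", "203.0.113.9", b"\x08\x00" + b"\x00" * 6)  # LAN source, arrives outside
INBOUND_TCP = build_ipv4(TCP, "203.0.113.9", "10.0.1.5", struct.pack("!HH", 40000, 22) + b"\x00" * 16)

if __name__ == "__main__":
    print("ESP SPI/seq:", parse_esp(parse_ipv4(ESP_PKT)[3]))
    for name, pkt, i, o in [("esp", ESP_PKT, OUTSIDE, OUTSIDE), ("ike", IKE_PKT, OUTSIDE, OUTSIDE),
                            ("lan ping", LAN_PING, INSIDE, OUTSIDE), ("spoofed", SPOOFED, OUTSIDE, OUTSIDE),
                            ("inbound tcp", INBOUND_TCP, OUTSIDE, INSIDE)]:
        print(f"{name:12} as written: {verdict(AS_WRITTEN, pkt, i, o):6}  suggested: {verdict(SUGGESTED, pkt, i, o)}")
```

The spoofed sample is the reason the interface suggestions matter: the script above sets rp_filter to 0, so the kernel no longer discards a packet whose source address belongs to a different interface, and the only remaining clue that a packet claiming a LAN source did not come from the LAN is the interface it arrived on. The rules as written accept it; the `-i`/`-o` forms drop it.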
The /etc/ipsec.conf used - 1

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth1"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=all
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	# uniqueids=yes
The /etc/ipsec.conf used - 2

#conn %default

conn a2l
	keyingtries=0
	# sample VPN connection
	# Left security gateway, subnet behind it, next hop toward right.
	left=
	leftsubnet= /24
	leftnexthop=
	# Right security gateway, subnet behind it, next hop toward left.
	right=
	rightsubnet= /24
	rightnexthop=
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	auto=start
	authby=rsasig
	leftrsasigkey=0sAQOSxZRaWBqt..
	rightrsasigkey=0sAQNvPwFQ…
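The two "How to get IPsec to work" slides and the ipsec.conf listing above describe one procedure: take the #pubkey line that ipsec rsasigkey writes into each gateway's ipsec.secrets, put it on the matching side of the conn section, install the same file on both gateways, and keep every line below a section label tab-indented. The following Python script is an added example that is not part of the slides and not FreeS/WAN's own code; it does those steps on constructed input. The secrets text, the key strings (obvious placeholders, not real keys), the addresses and subnets are all made up, and the config setup section is a minimal subset of the one shown above.

```python
import re

# Constructed sample of the comment block that `ipsec rsasigkey` writes into
# /etc/ipsec.secrets. Only the #pubkey line is used; the values are placeholders.
LEFT_SECRETS = """\
: RSA {
\t# RSA 2048 bits   lamar   (constructed sample)
\t# for signatures only, UNSAFE FOR ENCRYPTION
\t#pubkey=0s-PLACEHOLDER-LEFT-KEY
\tModulus: 0x-PLACEHOLDER
\t}
"""
RIGHT_SECRETS = LEFT_SECRETS.replace("lamar", "alpha").replace(
    "0s-PLACEHOLDER-LEFT-KEY", "0s-PLACEHOLDER-RIGHT-KEY")

PUBKEY_RE = re.compile(r"^\s*#pubkey=(\S+)\s*$", re.MULTILINE)
SECTION_RE = re.compile(r"^(config setup|conn \S+)\s*$")


def extract_pubkey(secrets_text):
    """Return the 0s... value of the '#pubkey=' comment, or raise if absent."""
    match = PUBKEY_RE.search(secrets_text)
    if match is None:
        raise ValueError("no #pubkey= line in ipsec.secrets")
    return match.group(1)


def lint_conf(conf_text):
    """Return (line_no, text) for every non-blank line that follows a section
    label but does not start with a tab; comments included, as the slides require."""
    problems = []
    in_section = False
    for number, line in enumerate(conf_text.splitlines(), 1):
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not line.strip():
            continue
        if in_section and not line.startswith("\t"):
            problems.append((number, line))
    return problems


def render_conn(name, left, right, left_key, right_key):
    """Render the network-network conn section that is installed unchanged on
    both gateways: 'left' and 'right' are fixed role labels, not 'this machine'."""
    settings = [
        "keyingtries=0",
        "# Left security gateway, subnet behind it, next hop toward right.",
        f"left={left['gw']}", f"leftsubnet={left['subnet']}", f"leftnexthop={left['nexthop']}",
        "# Right security gateway, subnet behind it, next hop toward left.",
        f"right={right['gw']}", f"rightsubnet={right['subnet']}", f"rightnexthop={right['nexthop']}",
        "auto=start",
        "authby=rsasig",
        f"leftrsasigkey={left_key}",
        f"rightrsasigkey={right_key}",
    ]
    return f"conn {name}\n" + "".join(f"\t{s}\n" for s in settings)


def build_conf(left, right, left_secrets, right_secrets, name="a2l"):
    """config setup plus the conn, each gateway's own #pubkey on its side.
    Returns the text only if every section line carries the leading tab."""
    setup = ("config setup\n\tinterfaces=\"ipsec0=eth1\"\n"
             "\tplutoload=%search\n\tplutostart=%search\n\n")
    conf = setup + render_conn(name, left, right,
                               extract_pubkey(left_secrets), extract_pubkey(right_secrets))
    problems = lint_conf(conf)
    if problems:
        raise ValueError(f"ipsec.conf would be mis-parsed at lines {problems}")
    return conf


# Constructed placeholder addressing; the slides' real addresses are not shown.
LEFT = {"gw": "192.0.2.1", "subnet": "10.0.1.0/24", "nexthop": "192.0.2.2"}
RIGHT = {"gw": "192.0.2.2", "subnet": "10.0.2.0/24", "nexthop": "192.0.2.1"}

if __name__ == "__main__":
    print(build_conf(LEFT, RIGHT, LEFT_SECRETS, RIGHT_SECRETS))
    bad = "config setup\n\tinterfaces=\"ipsec0=eth1\"\n# this comment lacks the tab\n\tplutoload=%search\n"
    print("lint problems:", lint_conf(bad))
```

Run the lint over a hand-edited ipsec.conf before copying it to the second gateway; the un-tabbed comment in the `bad` sample is exactly the mistake the slide warns about, and it is reported with its line number rather than silently breaking the section.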
Evidence of IPsec tunnel

ifconfig (on titan)

eth1      Link encap:Ethernet  HWaddr 00:A0:24:0B:2C:05
          inet addr:  Bcast:  Mask:
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11669 errors:0 dropped:0 overruns:0 carrier:1
          collisions:1 txqueuelen:100
          RX bytes: (2.3 Mb)  TX bytes: (3.2 Mb)
          Interrupt:10 Base address:0x1020

root]# ping
PING ( ) from : 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=62 time=4.17 ms
64 bytes from : icmp_seq=2 ttl=62 time=3.98 ms
64 bytes from : icmp_seq=3 ttl=62 time=4.12 ms
64 bytes from : icmp_seq=4 ttl=62 time=4.14 ms
64 bytes from : icmp_seq=5 ttl=62 time=4.14 ms
64 bytes from : icmp_seq=6 ttl=62 time=3.99 ms
Evidence of IPsec tunnel (contd)

ifconfig (on beta)

eth0      Link encap:Ethernet  HWaddr 00:60:B0:A2:81:D5
          inet addr:  Bcast:  Mask:
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37808 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes: (5.6 Mb)  TX bytes: (1.2 Mb)
          Interrupt:9 Base address:0xfcc0

root]# ping
PING ( ) from : 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=62 time=3.85 ms
64 bytes from : icmp_seq=2 ttl=62 time=3.88 ms
64 bytes from : icmp_seq=3 ttl=62 time=3.85 ms
64 bytes from : icmp_seq=4 ttl=62 time=3.88 ms
64 bytes from : icmp_seq=5 ttl=62 time=3.87 ms