Freeswan Configuration
Hi all,
In the next exciting episode, I'll explain how to get a Freeswan VPN
up and running in a couple of different configurations.
1) Road Warrior
An ipsec.conf extract for a road warrior client follows:
conn road-warrior
    # %defaultroute: use whatever address and interface the default route
    # is on, so the same conn works from any dial-up or hotel connection
    left=%defaultroute
    leftid=@muon.humbug.org.au
    leftrsasigkey=0sAQNaMn5LE8NFHUvwsfizhVyEQKTOH32zda3nJM0nJI+O4AsLzntTcOrwmtriLZHO9Z+zG3OIz8wheAoj5dS1SiBNkoW7py44DOUutbTMDwCkOay+0m5+qdP5sp2p/kWWD2j3PveOPgg3IVE/1saMTbQwfSwgPOyNWPvgVSLEWHp6mw==
    # the office gateway (stallman), its LAN and the router in front of it
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    # authenticate with the RSA keys above; auto=add loads the conn at
    # startup without bringing it up (ipsec auto --up road-warrior does that)
    authby=rsasig
    auto=add
For the gateway in a road warrior configuration:
conn vpn
    # %any: the road warrior may come from any address, so the gateway can
    # only respond, never initiate - hence auto=add rather than auto=start
    left=%any
    leftid=@muon.humbug.org.au
    leftrsasigkey=0sAQNaMn5LE8NFHUvwsfizhVyEQKTOH32zda3nJM0nJI+O4AsLzntTcOrwmtriLZHO9Z+zG3OIz8wheAoj5dS1SiBNkoW7py44DOUutbTMDwCkOay+0m5+qdP5sp2p/kWWD2j3PveOPgg3IVE/1saMTbQwfSwgPOyNWPvgVSLEWHp6mw==
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    authby=rsasig
    auto=add
2) Subnet to Subnet
For the client, the ipsec.conf extract looks like:
conn brad-home
    left=%defaultroute
    leftid=@eta.humbug.org.au
    leftrsasigkey=0sAQOZ15YIvHinzQmPHgA7AuW169aI4wIKgG0AJJ/jdqnniHPPC/uPDJnd1I9whtgc9F7NV+FcLqNzPyEwZNxQLulx7jY4U8QELQTgepnASTSHmvgxOdm+3+CGoaee+ZrG43BDHrWsphK2hrK3US7x8bjQcW6kls3BCNPwwY2tQ0MujQ==
    # the home LAN behind this end
    leftsubnet=192.168.107.0/24
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    authby=rsasig
    # the client end has a fixed address, so it initiates at startup
    auto=start
For the server, it looks like:
conn brad-home
    left=%any
    leftid=@eta.humbug.org.au
    leftrsasigkey=0sAQOZ15YIvHinzQmPHgA7AuW169aI4wIKgG0AJJ/jdqnniHPPC/uPDJnd1I9whtgc9F7NV+FcLqNzPyEwZNxQLulx7jY4U8QELQTgepnASTSHmvgxOdm+3+CGoaee+ZrG43BDHrWsphK2hrK3US7x8bjQcW6kls3BCNPwwY2tQ0MujQ==
    leftsubnet=192.168.107.0/24
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    authby=rsasig
    auto=add
    # we don't want to retry if IP connectivity is gone
    keyingtries=1
    # short IPsec SA and IKE SA lifetimes, so a dead peer is noticed within
    # half an hour at the latest
    keylife=30m
    ikelifetime=30m
These last 3 options are important - they're what drops the connection
on the server side after the VPN is taken down.
3) Firewall issues
To allow IPSec through a firewall, you need to have 3 things open.
Iptables commands to open the appropriate ports follow.
# Public address of the IPsec gateway (stallman in the conn sections above)
GW=203.20.51.50
# Allow IKE: udp port 500 from anywhere to the gateway
/sbin/iptables -I INPUT -p udp -s 0/0 --sport 500 -d $GW --dport 500 -j ACCEPT
# Allow AH (IP protocol 51) in to the gateway and out from it
/sbin/iptables -A INPUT  -p ah  -s 0/0 -d $GW -j ACCEPT
/sbin/iptables -A OUTPUT -p ah  -s $GW -d 0/0 -j ACCEPT
# Allow ESP (IP protocol 50) in to the gateway and out from it
/sbin/iptables -A INPUT  -p esp -s 0/0 -d $GW -j ACCEPT
/sbin/iptables -A OUTPUT -p esp -s $GW -d 0/0 -j ACCEPT
4) DNS issues
The best way to allow DNS resolution of machines in the office network
is to run a local name server, and add the following to
/etc/bind/named.conf. This will cause any requests for the office DNS
zones to be forwarded to morris. Note this will only work when
the VPN is up, for obvious reasons.
// 192.168.20.5 is morris, the office name server, reachable only over the VPN
zone "bne.pisoftware.com" {
    type forward;
    forward only;
    forwarders { 192.168.20.5; };
};
// reverse zone for the office LAN (192.168.20.0/24)
zone "20.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.20.5; };
};
Thanks,
Brad
--
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|Brad Marshall | Plugged In Software|
|Senior Systems Administrator | http://www.pisoftware.com|
|mailto:bmarshal@pisoftware.com | GPG Key Id: 47951BD0 / 1024b|
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
Fingerprint: BAE3 4794 E627 2EAF 7EC0 4763 7884 4BE8 4795 1BD0
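A small checker for the two things that most often go wrong when ipsec.conf extracts like the ones above are cut and pasted between hosts: a parameter line that has lost its indentation (FreeS/WAN treats any column-0 line as the start of a new section), and a leftrsasigkey/rightrsasigkey blob that picked up or dropped a character, or that no longer matches the key given for the same @id on the other host. This is an added example, not code from the post or from FreeS/WAN. It assumes the 0s prefix marks a base64 encoding of the RFC 2537 RSA layout (one exponent-length byte, exponent, modulus), which is what the posted blobs use (each begins 0sAQ, i.e. a one-byte exponent of 3). The hostnames, addresses and key material in the sample config are constructed for the demo and are not the post's.

```python
import base64
import re
from collections import defaultdict

# A leftrsasigkey/rightrsasigkey value of the form 0s<base64> holds the RFC 2537
# RSA public key layout: exponent length (one byte; 0 means two length bytes
# follow), exponent, modulus. "0sAQ..." thus means exponent-length 1, exponent 3.

def encode_fs_key(exponent, modulus):
    """Build a 0s... blob from (e, n); used here only to make sample keys."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + e + n).decode("ascii")

def decode_fs_key(blob):
    """Return (e, n) for a 0s... blob, or raise ValueError if it cannot be one."""
    if not blob.startswith("0s"):
        raise ValueError("only 0s (base64) keys are handled")
    b64 = blob[2:]
    # A stray character from cut-and-paste breaks the multiple-of-4 rule first.
    if len(b64) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("not valid base64")
    raw = base64.b64decode(b64, validate=True)
    elen, off = (raw[0], 1) if raw[0] else (int.from_bytes(raw[1:3], "big"), 3)
    if off + elen >= len(raw):
        raise ValueError("exponent length exceeds key data")
    return int.from_bytes(raw[off:off + elen], "big"), int.from_bytes(raw[off + elen:], "big")

SECTION_RE = re.compile(r"(conn|config|include|version)\b\s*(\S*)")

def parse_conns(text):
    """Return {conn name: {parameter: value}} for an ipsec.conf text."""
    conns, cur = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].rstrip()
        if not body.strip():
            continue
        if not line[0].isspace():
            # ipsec.conf rule: a column-0 line starts a new section, so an
            # un-indented key=value is a configuration error, not a parameter.
            m = SECTION_RE.match(body)
            if not m:
                raise ValueError(f"line {lineno}: {body!r} must be indented to belong to a section")
            cur = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
        elif cur is not None:
            key, _, value = body.strip().partition("=")
            cur[key.strip()] = value.strip()
    return conns

def check_keys(conns):
    """Flag undecodable keys and IDs that carry different keys in different conns."""
    keys_by_id, problems = defaultdict(set), []
    for name, params in conns.items():
        for side in ("left", "right"):
            kid, key = params.get(side + "id"), params.get(side + "rsasigkey")
            if not (kid and key):
                continue
            try:
                decode_fs_key(key)
            except ValueError as err:
                problems.append(f"conn {name}: {side}rsasigkey for {kid}: {err}")
            keys_by_id[kid].add(key)
    for kid, keys in keys_by_id.items():
        if len(keys) > 1:
            problems.append(f"{kid}: {len(keys)} different keys across conn sections")
    return problems

def lint(text):
    """All problems found in an ipsec.conf text, as a list of strings."""
    try:
        return check_keys(parse_conns(text))
    except ValueError as err:
        return [str(err)]

# Constructed sample: hostnames, addresses and key material are made up for the demo.
CLIENT_MODULUS = int.from_bytes(bytes(range(0x80, 0xC0)), "big")   # 512-bit toy modulus
GATEWAY_MODULUS = int.from_bytes(bytes(range(0xC0, 0x100)), "big")  # 512-bit toy modulus
CLIENT_KEY = encode_fs_key(3, CLIENT_MODULUS)
GATEWAY_KEY = encode_fs_key(3, GATEWAY_MODULUS)
CORRUPT_CLIENT_KEY = CLIENT_KEY[:40] + "+" + CLIENT_KEY[40:]  # one stray '+' from a paste

SAMPLE_CONF = f"""\
conn road-warrior     # client side, modelled on the road-warrior extract
    left=%defaultroute
    leftid=@client.example
    leftrsasigkey={CLIENT_KEY}
    rightid=@gw.example
    rightrsasigkey={GATEWAY_KEY}
conn vpn              # gateway side, where the client key was pasted badly
    left=%any
    leftid=@client.example
    leftrsasigkey={CORRUPT_CLIENT_KEY}
    rightid=@gw.example
    rightrsasigkey={GATEWAY_KEY}
"""
```

Run lint() over the concatenated client and gateway extracts before loading them: a mismatch between the key one host advertises for an @id and the key the other host has stored for it fails authentication with little more than a signature-check error in the log, while the length check catches a pasted blob that is off by one character before it ever reaches Pluto.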