Installing and running FreeS/WAN - PowerPoint PPT Presentation
Source: http://www.cs.uccs.edu

Transcript and Presenter's Notes
Slide 1: Installing and running FreeS/WAN
Slide 2: What is FreeS/WAN
  • An implementation of IPsec for Linux
  • Can be found at www.freeswan.org
  • Helps set up encrypted and/or authenticated communications in
    network-network, host-network and host-host configurations

Slide 3: The tested FreeS/WAN configuration (network-network)

  [Figure: two gateways joined by an IPsec tunnel between their eth1
  addresses; the labels recovered from the diagram are tabulated here,
  with left/right as assigned in the /etc/ipsec.conf on slide 12.]

                          left (lamar)            right (alpha)
  gateway address (eth1)  128.198.60.168          128.198.61.15
  nexthop                 128.198.60.129          128.198.61.1
  inside address (eth0)   192.168.1.1             192.168.0.1
  subnet behind it        192.168.1.0/24          192.168.0.0/24
  test host               titan 192.168.1.2       beta 192.168.0.2
Slide 4: How to get IPsec to work
  • Start with the physical setup of the machines: identify the
    gateways, the subnets, and the gateway interface on which each
    subnet sits. Decide (arbitrarily) which gateway is "left" and
    which is "right".
  • If using private subnets, the two address ranges must not overlap.
    (Overlapping ranges would need NAT, which is not covered here.)
  • Make the appropriate entries in the routing tables.
  • Download and build FreeS/WAN per the instructions in chapter 6 of
    Building Linux Virtual Private Networks by Oleg Kolesnikov and
    Brian Hatch.
  • Generate keys on both gateways, using PSK or RSA, and store them in
    /etc/ipsec.secrets on each gateway. RSA was used in this case; the
    command was
        ipsec rsasigkey --verbose 2048 > rsakey.tmp
    Wrap the output in the ": RSA {" ... "}" block that ipsec.secrets
    expects and copy it into /etc/ipsec.secrets. Each gateway keeps only
    its own private key there (the file must be readable by root only);
    the commented #pubkey= line is the only part that is shared with the
    other side.

Slide 5: How to get IPsec to work (contd)
  • Enter the connection name, interfaces, left and right subnets,
    nexthops and gateways into /etc/ipsec.conf. Every line below a
    section label ("config setup", "conn name") must start with a tab,
    including comment lines.
  • For the network-network configuration, copy the same
    /etc/ipsec.conf to both gateways: left is left and right is right
    whichever gateway you are looking at, because each gateway works
    out from its own interface addresses which side it is. This is not
    the case for the host-network setup.
  • Copy the #pubkey= value from each gateway's /etc/ipsec.secrets into
    /etc/ipsec.conf as leftrsasigkey= (lamar's key) and rightrsasigkey=
    (alpha's key); the same two public keys appear in the file on both
    sides.
  • To establish the connection, run
        ipsec auto --up connectName
    on both sides.

Slide 6: How an IPsec packet looks
  • The IPsec module on the gateway encapsulates the original packet
    before sending it out: in tunnel mode a new outer IP header
    (gateway to gateway) and an ESP header are prepended, and the
    original packet becomes the encrypted payload. On receipt the peer
    gateway reads the ESP header, checks and decrypts the payload, and
    recovers the original packet, which it then forwards into its own
    subnet.

  [Figure: outer IP header | ESP header | original packet, now encrypted]
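The receiving side of the encapsulation described above, as an added example (my code, not the slides' or FreeS/WAN's): it builds a constructed IPv4 packet carrying ESP (IP protocol 50) in tunnel mode and parses the parts a gateway can read before decryption, the outer IP header and the ESP header's SPI and sequence number. The ciphertext and ICV bytes are placeholders (no real cipher is involved), and the anti-replay window is the sliding window of RFC 2401 Appendix C, which a receiver applies before it bothers to decrypt.

```python
import struct
from ipaddress import ip_address
from typing import Dict

IPPROTO_ESP = 50
# ver/ihl, tos, total length, id, flags+frag, ttl, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes,
               icv: bytes, ttl: int = 64) -> bytes:
    """Outer IPv4 header + ESP header (SPI, sequence number) + opaque payload + ICV."""
    esp = struct.pack("!II", spi, seq) + ciphertext + icv
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(esp), 0, 0, ttl, IPPROTO_ESP, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp


def parse_esp(packet: bytes) -> Dict[str, object]:
    """Everything the gateway can read before it has looked up the SA and decrypted."""
    (ver_ihl, _tos, total, _id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_ESP:
        raise ValueError(f"IP protocol {proto} is not ESP")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "ttl": ttl,
            "spi": spi, "seq": seq, "esp_len": total - ihl}


def looks_like_esp(packet: bytes) -> bool:
    try:
        parse_esp(packet)
        return True
    except (ValueError, struct.error):
        return False


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 2401, Appendix C)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bits = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                        # sequence number 0 is never valid
            return False
        if seq > self.top:                  # new high-water mark: slide the window
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) if shift < self.size else 1
            self.bits &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:             # older than the window: reject
            return False
        if self.bits & (1 << offset):       # already seen: replay
            return False
        self.bits |= 1 << offset
        return True


if __name__ == "__main__":
    # constructed packet: alpha -> lamar, 48 bytes of "ciphertext", 12-byte ICV
    pkt = esp_packet("128.198.61.15", "128.198.60.168", 0x1000ABCD, 1, b"\xaa" * 48, b"\xbb" * 12)
    print(parse_esp(pkt))
    window = ReplayWindow()
    print([window.accept(s) for s in (1, 2, 2, 5, 4, 3, 1)])
```

Everything parse_esp returns is visible to anyone on the path between the gateways; the inner addresses (192.168.x.x) are not, which is the whole point of tunnel mode.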
Slide 7: Routing table on alpha (route -n)

  Destination     Gateway         Genmask           Flags Metric Ref Use Iface
  128.198.61.0    0.0.0.0         255.255.255.128   U     0      0   0   eth1
  128.198.61.0    0.0.0.0         255.255.255.128   U     0      0   0   ipsec0
  192.168.1.0     128.198.61.1    255.255.255.0     UG    0      0   0   ipsec0
  192.168.0.0     0.0.0.0         255.255.255.0     U     0      0   0   eth0
  127.0.0.0       0.0.0.0         255.0.0.0         U     0      0   0   lo
  0.0.0.0         128.198.61.1    0.0.0.0           UG    0      0   0   eth1
Slide 8: Routing table on lamar (route -n)

  Destination     Gateway         Genmask           Flags Metric Ref Use Iface
  128.198.60.0    0.0.0.0         255.255.255.0     U     0      0   0   eth1
  128.198.60.0    0.0.0.0         255.255.255.0     U     0      0   0   ipsec0
  192.168.1.0     0.0.0.0         255.255.255.0     U     0      0   0   eth0
  192.168.0.0     128.198.60.129  255.255.255.0     UG    0      0   0   ipsec0
  127.0.0.0       0.0.0.0         255.0.0.0         U     0      0   0   lo
  0.0.0.0         128.198.60.129  0.0.0.0           UG    0      0   0   eth1

  The route that matters on each gateway is the one for the far subnet
  via ipsec0 with the nexthop as gateway (192.168.0.0 via 128.198.60.129
  on lamar, 192.168.1.0 via 128.198.61.1 on alpha): it is what steers
  traffic into the tunnel. FreeS/WAN's _updown script installs it when
  the connection comes up, so what has to be set by hand is the ordinary
  eth0/eth1 routing and the default route through the nexthop. The
  duplicate connected route on ipsec0 appears because interfaces=
  binds ipsec0 to eth1.
Slide 9: Firewall rules on lamar

  iptables -F
  echo "Setting ip_forward to 1..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Setting rp_filter's to 0..."
  for i in `find /proc/sys/net/ipv4/conf -name rp_filter`
  do
      echo 0 > $i
  done
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P FORWARD DROP
  # Only allow ipsec traffic, ESP and AH from and to the Internet
  /sbin/iptables -A FORWARD -p udp -d 128.198.60.168/24 --dport 500 -j ACCEPT
      Suggestion: "-o IF-of-128.198.60.168/32".

Slide 10: Firewall rules on lamar (contd)

  /sbin/iptables -A FORWARD -p 50 -d 128.198.60.168/24 -j ACCEPT
      Suggestion: "-o IF-of-128.198.60.168/32".
  /sbin/iptables -A FORWARD -p 51 -d 128.198.60.168/24 -j ACCEPT
      Suggestion: "-o IF-of-128.198.60.168/32".
  # Allows internal subnet access
  /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
      Suggestion: "-i IF-of-192.168.1.0/24".
  # Allows traffic from and to internal LANs
  /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT
      Suggestion: "-o IF-of-192.168.2.0/24". Suggestion: "-i IF-of-192.168.1.0/24".
  /sbin/iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.0.0/24 -j ACCEPT
      Suggestion: "-o IF-of-192.168.2.0/24". Suggestion: "-i IF-of-192.168.1.0/24".
  # Default input policy back to DROP
  /sbin/iptables -P FORWARD DROP

  The firewall rules for alpha are the mirror image of these.

  Points to check before reusing this script:
  • -d 128.198.60.168/24 matches every address in 128.198.60.0/24, not
    just the gateway; the /32 in the suggestions is what was meant.
  • IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) addressed to
    lamar itself are delivered locally and so pass through INPUT and
    OUTPUT, never FORWARD. The three rules above therefore do not
    protect the gateway, and the INPUT chain is left at its default
    policy of ACCEPT. Only the decapsulated traffic, which appears on
    ipsec0, is forwarded.
  • -P FORWARD ACCEPT immediately followed by -P FORWARD DROP leaves the
    policy at DROP; the ACCEPT line does nothing. The "input policy"
    comment at the end also refers to FORWARD.
  • rp_filter has to be 0 for KLIPS's ipsec0 to work, but that switches
    off the kernel's own source-address check. With it off,
    -s 192.168.1.0/24 -j ACCEPT and the two LAN-to-LAN rules accept a
    cleartext packet arriving on eth1 with a forged private source
    address. Pin the rules to interfaces as the suggestions say: on
    lamar, eth0 faces 192.168.1.0/24, eth1 faces the Internet, and
    ipsec0 is where traffic to and from 192.168.0.0/24 appears once
    decapsulated, so the concrete forms are "-i eth0 -o ipsec0" and
    "-i ipsec0 -o eth0". (The suggestions name 192.168.2.0/24, which
    does not occur in this topology; the far subnet is 192.168.0.0/24.)
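To make the last point concrete, here is an added example (my code, not the slides') that evaluates the FORWARD rules from slides 9 and 10 against a few constructed packets and compares them with an interface-pinned version. It models only the matches the script uses (-p, -s, -d, --dport, -i, -o) with first-match semantics and a DROP policy; it is not iptables. The interface names eth0/eth1/ipsec0 come from lamar's routing table and interfaces= setting; the TIGHTENED rule set and all packets are my own constructions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "udp", "esp", "ah", "icmp", ...
    in_if: str              # interface the packet arrived on (-i)
    out_if: str             # interface the routing decision chose (-o)
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str             # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR as given to -s
    dst: Optional[str] = None        # CIDR as given to -d
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # strict=False mirrors iptables: 128.198.60.168/24 means 128.198.60.0/24
        return all([
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.dport is None or self.dport == p.dport,
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
        ])


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def addresses_matched(cidr: str) -> int:
    """How many destinations a -d argument really covers."""
    return ip_network(cidr, strict=False).num_addresses


# The FORWARD rules exactly as the slides give them for lamar.
ORIGINAL = [
    Rule("ACCEPT", proto="udp", dst="128.198.60.168/24", dport=500),
    Rule("ACCEPT", proto="esp", dst="128.198.60.168/24"),
    Rule("ACCEPT", proto="ah", dst="128.198.60.168/24"),
    Rule("ACCEPT", src="192.168.1.0/24"),
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.0.0/24"),
    Rule("ACCEPT", src="192.168.0.0/24", dst="192.168.1.0/24"),
]

# Interface-pinned version (my suggestion). IKE/ESP/AH to the gateway itself
# never traverse FORWARD, so they are not listed; they belong in INPUT/OUTPUT
# with -d/-s 128.198.60.168/32.
TIGHTENED = [
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.0.0/24", in_if="eth0", out_if="ipsec0"),
    Rule("ACCEPT", src="192.168.0.0/24", dst="192.168.1.0/24", in_if="ipsec0", out_if="eth0"),
    Rule("ACCEPT", src="192.168.1.0/24", in_if="eth0", out_if="eth1"),  # LAN to Internet
]

# Constructed packets.
LEGIT_FROM_TUNNEL = Packet("192.168.0.2", "192.168.1.2", "icmp", "ipsec0", "eth0")
SPOOFED_FROM_INTERNET = Packet("192.168.0.2", "192.168.1.2", "icmp", "eth1", "eth0")
LAN_TO_TUNNEL = Packet("192.168.1.2", "192.168.0.2", "icmp", "eth0", "ipsec0")
SPOOFED_LAN_SRC = Packet("192.168.1.2", "192.168.1.5", "udp", "eth1", "eth0", dport=53)


def compare(p: Packet) -> Tuple[str, str]:
    """(verdict under the slides' rules, verdict under the pinned rules)."""
    return verdict(ORIGINAL, p), verdict(TIGHTENED, p)


if __name__ == "__main__":
    for name, p in [("legit from tunnel", LEGIT_FROM_TUNNEL),
                    ("spoofed from Internet", SPOOFED_FROM_INTERNET),
                    ("LAN to tunnel", LAN_TO_TUNNEL),
                    ("spoofed LAN source", SPOOFED_LAN_SRC)]:
        orig, tight = compare(p)
        print(f"{name:22s} original={orig:6s} tightened={tight}")
    print("-d 128.198.60.168/24 covers", addresses_matched("128.198.60.168/24"), "addresses")
```

The two spoofed packets are the ones rp_filter would normally have discarded; with it disabled for KLIPS, the interface match in the rule is the only thing left to do that job.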

Slide 11: The /etc/ipsec.conf used - 1

  # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
  # More elaborate and more varied sample configurations can be found
  # in FreeS/WAN's doc/examples file, and in the HTML documentation.

  # basic configuration
  config setup
  	# THIS SETTING MUST BE CORRECT or almost nothing will work;
  	# %defaultroute is okay for most simple cases.
  	interfaces="ipsec0=eth1"
  	# Debug-logging controls: "none" for (almost) none, "all" for lots.
  	# "all" is very noisy; set both to none once the tunnel works.
  	klipsdebug=all
  	plutodebug=all
  	# Use auto= parameters in conn descriptions to control startup actions.
  	plutoload=%search
  	plutostart=%search
  	# Close down old connection when new one using same ID shows up.
  	uniqueids=yes

Slide 12: The /etc/ipsec.conf used - 2

  # defaults for subsequent connection descriptions
  conn %default
  	keyingtries=0

  # sample VPN connection
  conn a2l
  	# Left security gateway, subnet behind it, next hop toward right.
  	left=128.198.60.168
  	leftsubnet=192.168.1.0/24
  	leftnexthop=128.198.60.129
  	# Right security gateway, subnet behind it, next hop toward left.
  	right=128.198.61.15
  	rightsubnet=192.168.0.0/24
  	rightnexthop=128.198.61.1
  	# To authorize this connection, but not actually start it, at startup,
  	# use auto=add; auto=start also brings it up.
  	auto=start
  	authby=rsasig
  	leftid=@lamar.uccs.edu
  	rightid=@alpha.uccs.edu
  	leftrsasigkey=0sAQOSxZRaWBqt..
  	# rightrsasigkey= (alpha's #pubkey= value) is also required; it is not on the slide
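An added example (my code, not the slides' or FreeS/WAN's) that ties slides 4, 5, 7, 8 and 12 together: it parses a FreeS/WAN-style ipsec.conf and a gateway's `route -n` output and checks what those slides say must be right before `ipsec auto --up` can work, namely that interfaces= names the interface holding the gateway address, that the two subnets do not overlap, that the nexthop is on-link, and that the far subnet is routed over ipsec0 via that nexthop. The config and routing text are taken from the slides; the per-interface address table (what ifconfig would show on lamar) is an assumed input.

```python
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple

Routes = List[Tuple]   # (destination network, gateway address, interface)

SAMPLE_CONF = """\
# section labels start in column 0, parameter lines are indented
config setup
\tinterfaces="ipsec0=eth1"
\tuniqueids=yes

conn %default
\tkeyingtries=0

conn a2l
\tleft=128.198.60.168
\tleftsubnet=192.168.1.0/24
\tleftnexthop=128.198.60.129
\tright=128.198.61.15
\trightsubnet=192.168.0.0/24
\trightnexthop=128.198.61.1
\tauthby=rsasig
"""

ROUTE_LAMAR = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.198.60.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
128.198.60.0    0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     128.198.60.129  255.255.255.0   UG    0      0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         128.198.60.129  0.0.0.0         UG    0      0        0 eth1
"""

LAMAR_IFACES = {"eth0": "192.168.1.1/24", "eth1": "128.198.60.168/24"}   # assumed


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Section headers sit in column 0, their key=value lines are indented;
    '#' starts a comment. Values of 'conn %default' are folded into every conn."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())
            sections[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop("conn %default", {})
    return {name: ({**defaults, **params} if name.startswith("conn ") else params)
            for name, params in sections.items()}


def parse_route_table(text: str) -> Routes:
    """Parse `route -n` output (header line first)."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ip_network(f"{dest}/{mask}"), ip_address(gw), iface))
    return routes


def audit(conf_text: str, side: str, route_text: str, ifaces: Dict[str, str]) -> List[str]:
    """Problems found on the gateway that is `side` ('left' or 'right'); [] if none."""
    conf, routes, problems = parse_ipsec_conf(conf_text), parse_route_table(route_text), []
    virt, _, phys = conf["config setup"]["interfaces"].partition("=")
    far = "right" if side == "left" else "left"
    for name, params in conf.items():
        if not name.startswith("conn "):
            continue
        gw, nexthop = ip_address(params[side]), ip_address(params[side + "nexthop"])
        if phys not in ifaces or ip_interface(ifaces[phys]).ip != gw:
            problems.append(f"{name}: interfaces={virt}={phys} but {gw} is not {phys}'s address")
        elif nexthop not in ip_interface(ifaces[phys]).network:
            problems.append(f"{name}: {side}nexthop {nexthop} is not on-link with {phys}")
        near, far_net = ip_network(params[side + "subnet"]), ip_network(params[far + "subnet"])
        if near.overlaps(far_net):
            problems.append(f"{name}: subnets {near} and {far_net} overlap")
        tunnel_routes = [(g, i) for d, g, i in routes if d == far_net]
        if (nexthop, virt) not in tunnel_routes:
            problems.append(f"{name}: expected {far_net} via {nexthop} dev {virt}, found {tunnel_routes}")
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "left", ROUTE_LAMAR, LAMAR_IFACES) or "lamar: no problems found")
```

Run it with side="right", alpha's routing table from slide 7 and alpha's interface addresses to check the other gateway against the very same ipsec.conf, which is the "left is left and right is right whichever gateway you are looking at" property from slide 5.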

Slide 13: Evidence of IPsec tunnel

  ifconfig (on titan):
  eth1      Link encap:Ethernet  HWaddr 00:A0:24:0B:2C:05
            inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:11748 errors:0 dropped:0 overruns:0 frame:0
            TX packets:11669 errors:0 dropped:0 overruns:0 carrier:1
            collisions:1 txqueuelen:100
            RX bytes:2490129 (2.3 Mb)  TX bytes:3407195 (3.2 Mb)
            Interrupt:10 Base address:0x1020

  [root@titan root]# ping 192.168.0.2
  PING 192.168.0.2 (192.168.0.2) from 192.168.1.2 : 56(84) bytes of data.
  64 bytes from 192.168.0.2: icmp_seq=1 ttl=62 time=4.17 ms
  64 bytes from 192.168.0.2: icmp_seq=2 ttl=62 time=3.98 ms
  64 bytes from 192.168.0.2: icmp_seq=3 ttl=62 time=4.12 ms
  64 bytes from 192.168.0.2: icmp_seq=4 ttl=62 time=4.14 ms
  64 bytes from 192.168.0.2: icmp_seq=5 ttl=62 time=4.14 ms
  64 bytes from 192.168.0.2: icmp_seq=6 ttl=62 time=3.99 ms
Slide 14: Evidence of IPsec tunnel (contd)

  ifconfig (on beta):
  eth0      Link encap:Ethernet  HWaddr 00:60:B0:A2:81:D5
            inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:37808 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12890 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:5914487 (5.6 Mb)  TX bytes:1335261 (1.2 Mb)
            Interrupt:9 Base address:0xfcc0

  [root@beta root]# ping 192.168.1.2
  PING 192.168.1.2 (192.168.1.2) from 192.168.0.2 : 56(84) bytes of data.
  64 bytes from 192.168.1.2: icmp_seq=1 ttl=62 time=3.85 ms
  64 bytes from 192.168.1.2: icmp_seq=2 ttl=62 time=3.88 ms
  64 bytes from 192.168.1.2: icmp_seq=3 ttl=62 time=3.85 ms
  64 bytes from 192.168.1.2: icmp_seq=4 ttl=62 time=3.88 ms
  64 bytes from 192.168.1.2: icmp_seq=5 ttl=62 time=3.87 ms

  A successful ping shows only that the two private subnets reach each
  other through the gateways (ttl=62 is consistent with each reply
  having crossed both gateways, which decrement the inner TTL as they
  forward it). To confirm the traffic is actually protected, check on a
  gateway that the SA and eroute are in place (ipsec auto --status,
  ipsec look) and watch the outer interface while pinging, e.g.
  tcpdump -n -i eth1 host 128.198.61.15 on lamar: it should show ESP
  packets between the gateway addresses and no cleartext ICMP.