Betr.: VPN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hi there,  yes it was with a Nortel contivity on a few occassions and 
the other times with a Cisco pix. interstingly enough the Cisco VPNs 
often required updates to the IOS to make them 3Des compliant,

As its late here in the UK (past midnight GMT+1)  here is a very quick 
and dirty freeswan guide.

Needless to say the things that cause the biggest headache for most 
users is the use of RSA keys and opportunistic encryption.  Since this 
is NOT what 99.9% of the masses need or want then there is a quick and 
simple and just as secure alternative setup, but its not that well 
documented.  Opportunistic encryption came in versions 2 and above of 
freeswan by default, this has the effect of clobbering the network 
default route and replacing it down the ipsec interface (what you want 
if you want to encrypt everything, but not really any great use in the 
real world).  Most people want to do site <-> site vpns and these are 
best achieved without opportunistic encryption and by the use of 
preshared keys.

1)Make sure you get a version of freeswan suitable for your kernel, if 
you can't find one go to somewhere like rpms.pbone.net and find a kernel 
for which there is a freeswan version.  Many people try and hunt a 
freeswan version to match their kernel,  I do it the otherway round, 
find the latest freeswan compatible kernel you can for your 
architecture, you can always compile it from source but why my life 
harder for yourself.
2)get the freeswan module for the kernel you found, and the same 
freeswan-userland version as well. then proceed as follows: after you 
have installed the [from rpm]


Typically to kill opportunistic encryption add these lines to your 
ipsec.conf file: after the config setup section near the top,

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

Doing this stops all the crap you get when ipsec starts and then kicks 
you off the system about 60 seconds later if you're connected remotely 
as this kills the opportunistic setup feature.   Do the same at the 
other end as well.
Then start the service.

Then add a section for each tunnel you want to set up.  if you have 
multiple subnets at each site which can't be encapsulated in a single 
subnet declaration, you will need to add a new tunnel defintion for 
each.  Here is an example :

conn site1-site2                       #this is the connection name 
[tunnel] identifier
        left=21.21.100.10              #This is the ip address of the 
first linux box
        leftnexthop=21.21.100.9        #This is usually set to the 
defualt gateway for the first linux box
        leftsubnet=10.11.2.0/24        #This is the LAN subnet behind 
the first linux box
        right=21.21.100.178            #This is the IP address of the 
second linux box at the other end of the tunnel
        rightsubnet=10.11.4.0/24       #This is the LAN subnet behind 
the second linux box
        rightnexthop=21.21.100.177     #This is the IP address of the 
default gateway setting of the other linux box
        authby=secret                  #We are going to use a "password" 
or secret to encrypt/auth the link
        pfs=no                         #Turn off perfect forward 
security, this makes it faster and easier but less secure
        auto=add                       #Authorise but don't start
        esp=3des-md5-96                #encapsulating security payload 
setting, encryption used for auth and data


Now cut and paste this and add it to the ipsec.conf file on the second 
machine completely as is, unmodified.

Then in you /etc/ipsec.secrets file on each machine you will need to add 
a password [secret] for each each of the tunnels you have specified, in 
the above example we would have:

21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"

Add this to the very top of the ipsec secrets file, one entry for each 
pair of machines in this format

leftmachineip   rightmachineip : PSK "password"

Then do a service ipsec restart on each machine, bring the link up with 
this command, it only needs to be invoked from either one of the ends

ipsec auto --up site1-site2

You should get output like this if you did it right:
ipsec auto --up site1-site2
104 "site1-site2" #2086: STATE_MAIN_I1: initiate
106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
112 "site1-site2" #2087: STATE_QUICK_I1: initiate
004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA established

Remember you will need to allow the ipsec interface in your firewall and 
you will need to add lines like this:

# Accept udp connections to port 500 for ipsec
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

This is just about the quickest way to set up a VPN tunnel with 
Freeswan, it takes minutes.  If you want to make if more secure, you can 
tune the config once you get it running this way!

Remember the only machines that can't see the full extent of the other 
LAN network are the linux boxes creating the tunnel.  So the left linux 
box will not be able to ping stuff on 10.11.4.0/24 network and the right 
linux box will not be able to ping stuff on 10.11.2.0/24 network - don't 
forget this.... its commonly mistaken by some to mean the tunnel isn't 
working, to truly test it end to end you need hosts on the LANs at each 
end to ping each other.

If you want to make it work through NATing gateways you will need to 
port forward the udp 500 setting above on your firewall.

Enjoy!

Pete












Kennedy Clark wrote:

>Any chance of getting a quick HOW-TO posted to the group for that? 
>;-)  Sounds interesting.
>
>I saw your post about using it with Cisco & Nortel equipment -- I work
>with both a lot at my current customer.  What types of equipment have
>you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
>Nortel = Contivity)?
>
>Thanks!!
>Kennedy
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.centos.org/pipermail/centos/attachments/20050524/08100c29/attachment.htm

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux