Installing and running FreeS/WAN

eortega

  1. Installing and running FreeS/WAN

  2. What is FreeS/WAN
  • An implementation of IPsec for Linux
  • Can be found at www.freeswan.org
  • Helps set up encrypted and/or authenticated communications in
    • Network-Network
    • Host-Network
    • Host-Host configurations

  3. The tested FreeS/WAN configuration (network-network)

    "Left Subnet" 192.168.1.0/24                 "Right Subnet" 192.168.0.0/24
      titan 192.168.1.2                            beta 192.168.0.2
           |                                            |
      lamar ("left")                               alpha ("right")
        eth0 192.168.1.1                             eth0 192.168.0.1
        eth1 128.198.60.168 ==== IPsec tunnel ==== eth1 128.198.61.15
        leftnexthop 128.198.60.129                 rightnexthop 128.198.61.1

  4. How to get IPsec to work
  • Start with the physical setup of the machines: identify the gateways, the subnets, and the gateway interface on which each subnet sits. Decide (arbitrarily) which gateway is "left" and which is "right".
  • If using private subnets, the subnet addresses must not overlap. (NAT might be needed if they have to overlap, but that is for another day.)
  • Make the appropriate entries in the routing tables.
  • Download and build FreeS/WAN per the instructions in chapter 6 of "Building Linux Virtual Private Networks" by Oleg Kolesnikov and Brian Hatch.
  • Generate keys on both gateways, using PSK or RSA, and store them in /etc/ipsec.secrets on each gateway. RSA was used in this case; the command used was "ipsec rsasigkey --verbose 2048 > rsakey.tmp". Add the formatting information and copy the result into /etc/ipsec.secrets.

  5. How to get IPsec to work (contd)
  • Enter the connection name, interface, left and right subnets, nexthops and gateways into /etc/ipsec.conf. Make sure every line below a section label line starts with a tab (even comments must start with a tab!).
  • For the network-network configuration, copy the same /etc/ipsec.conf file onto both machines. ("Left" is left and "right" is right, whichever gateway you are looking at.) Note that this will not be the case for "host-network".
  • Copy the #pubkey= value from each gateway's /etc/ipsec.secrets into the matching leftrsasigkey=/rightrsasigkey= line of /etc/ipsec.conf.
  • To establish the connection, run "ipsec auto --up connectName" on both sides.

  6. How an IPsec packet looks

    +---------------+--------------------------+---------------+---------+
    | New IP Header | IPsec Header (AH or ESP) | Old IP Header | Payload |
    +---------------+--------------------------+---------------+---------+
                                                \-- original payload, now encrypted --/

  • The IPsec module on the gateway encapsulates the original packet so that it looks like the above when sending it out.
  • When receiving a packet, the gateway reads the IPsec header and performs decryption etc., which yields the original packet.

  7. Routing table on alpha

    Destination   Gateway         Genmask          Flags Metric Ref Use Iface
    128.198.61.0  0.0.0.0         255.255.255.128  U     0      0   0   eth1
    128.198.61.0  0.0.0.0         255.255.255.128  U     0      0   0   ipsec0
    192.168.1.0   128.198.61.1    255.255.255.0    UG    0      0   0   ipsec0
    192.168.0.0   0.0.0.0         255.255.255.0    U     0      0   0   eth0
    127.0.0.0     0.0.0.0         255.0.0.0        U     0      0   0   lo
    0.0.0.0       128.198.61.1    0.0.0.0          UG    0      0   0   eth1

  8. Routing table on lamar

    Destination   Gateway          Genmask          Flags Metric Ref Use Iface
    128.198.60.0  0.0.0.0          255.255.255.0    U     0      0   0   eth1
    128.198.60.0  0.0.0.0          255.255.255.0    U     0      0   0   ipsec0
    192.168.1.0   0.0.0.0          255.255.255.0    U     0      0   0   eth0
    192.168.0.0   128.198.60.129   255.255.255.0    UG    0      0   0   ipsec0
    127.0.0.0     0.0.0.0          255.0.0.0        U     0      0   0   lo
    0.0.0.0       128.198.60.129   0.0.0.0          UG    0      0   0   eth1

  9. Firewall rules on lamar

    iptables -F
    echo "Setting ip_forward to 1..."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Setting rp_filter's to 0..."
    for i in `find /proc/sys/net/ipv4/conf -name rp_filter`
    do
        echo 0 > $i
    done
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P FORWARD DROP
    # Only allow ipsec traffic, ESP and AH from and to the Internet
    /sbin/iptables -A FORWARD -p udp -d 128.198.60.168/24 --dport 500 -j ACCEPT    ### Suggestion: "-o IF-of-128.198.60.168/32".

  10. Firewall rules on lamar (contd)

    /sbin/iptables -A FORWARD -p 50 -d 128.198.60.168/24 -j ACCEPT    ### Suggestion: "-o IF-of-128.198.60.168/32".
    /sbin/iptables -A FORWARD -p 51 -d 128.198.60.168/24 -j ACCEPT    ### Suggestion: "-o IF-of-128.198.60.168/32".
    # Allows internal subnet access
    /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT    ### Suggestion: "-i IF-of-192.168.1.0/24".
    # Allows traffic from and to internal LANs
    /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT    ### Suggestion: "-o IF-of-192.168.2.0/24". Suggestion: "-i IF-of-192.168.1.0/24".
    /sbin/iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.0.0/24 -j ACCEPT    ### Suggestion: "-o IF-of-192.168.2.0/24". Suggestion: "-i IF-of-192.168.1.0/24".
    # Default input policy back to DROP
    /sbin/iptables -P FORWARD DROP

  • The firewall rules for alpha are the mirror image of these.
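An added example (not the slides' script): a shell function that prints these rules for either gateway with the "### Suggestion" notes applied, matching the gateway address as a /32 host and pinning every rule to an interface. It goes beyond the slides in one respect: IKE, ESP and AH are addressed to the gateway itself, so they are filtered in INPUT rather than FORWARD, while the cleartext that KLIPS hands back on ipsec0 is what FORWARD sees. Interface names and addresses are those of slide 3; nothing is applied, the output is reviewed and then run on the gateway.

```shell
# fw_rules <ext_if> <gw_ip> <int_if> <local_subnet> <remote_subnet>
# Prints (does not apply) the rule set for one FreeS/WAN gateway.
fw_rules() {
    ext=$1; gw=$2; int=$3; lnet=$4; rnet=$5
    printf '%s\n' \
      "# as on slide 9: forwarding on, rp_filter off on every interface" \
      "echo 1 > /proc/sys/net/ipv4/ip_forward" \
      "for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > \$f; done" \
      "iptables -F INPUT" \
      "iptables -F FORWARD" \
      "iptables -P INPUT DROP" \
      "iptables -P FORWARD DROP" \
      "# the gateway stays reachable from loopback and from its own LAN" \
      "iptables -A INPUT -i lo -j ACCEPT" \
      "iptables -A INPUT -i $int -s $lnet -j ACCEPT" \
      "# IKE, ESP and AH only to this gateway's own external address (/32, not /24)" \
      "iptables -A INPUT -i $ext -p udp -d $gw/32 --dport 500 -j ACCEPT" \
      "iptables -A INPUT -i $ext -p 50 -d $gw/32 -j ACCEPT" \
      "iptables -A INPUT -i $ext -p 51 -d $gw/32 -j ACCEPT" \
      "# cleartext LAN-to-LAN traffic only between the inner interface and the tunnel" \
      "iptables -A FORWARD -i $int -o ipsec0 -s $lnet -d $rnet -j ACCEPT" \
      "iptables -A FORWARD -i ipsec0 -o $int -s $rnet -d $lnet -j ACCEPT"
}

# The two gateways from slide 3: lamar ("left") and its mirror image alpha ("right").
lamar_rules() { fw_rules eth1 128.198.60.168 eth0 192.168.1.0/24 192.168.0.0/24; }
alpha_rules() { fw_rules eth1 128.198.61.15 eth0 192.168.0.0/24 192.168.1.0/24; }
```

Running `lamar_rules | sh` on lamar applies the set; `alpha_rules` gives the mirror image the slide mentions.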

  11. The /etc/ipsec.conf used - 1

    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
    # More elaborate and more varied sample configurations can be found
    # in FreeS/WAN's doc/examples file, and in the HTML documentation.

    # basic configuration
    config setup
    	# THIS SETTING MUST BE CORRECT or almost nothing will work;
    	# %defaultroute is okay for most simple cases.
    	interfaces="ipsec0=eth1"
    	# Debug-logging controls: "none" for (almost) none, "all" for lots.
    	klipsdebug=all
    	plutodebug=all
    	# Use auto= parameters in conn descriptions to control startup actions.
    	plutoload=%search
    	plutostart=%search
    	# Close down old connection when new one using same ID shows up.
    	# uniqueids=yes

  12. The /etc/ipsec.conf used - 2

    #conn %default
    conn a2l
    	keyingtries=0
    	# sample VPN connection
    	# Left security gateway, subnet behind it, next hop toward right.
    	left=128.198.60.168
    	leftsubnet=192.168.1.0/24
    	leftnexthop=128.198.60.129
    	# Right security gateway, subnet behind it, next hop toward left.
    	right=128.198.61.15
    	rightsubnet=192.168.0.0/24
    	rightnexthop=128.198.61.1
    	# To authorize this connection, but not actually start it, at startup,
    	# uncomment this.
    	auto=start
    	authby=rsasig
    	leftid=@lamar.uccs.edu
    	rightid=@alpha.uccs.edu
    	leftrsasigkey=0sAQOSxZRaWBqt..
    	rightrsasigkey=0sAQNvPwFQ…
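An added example, not from the slides: a shell script that builds the conn section above from the addresses on slide 3, copying each gateway's #pubkey= value out of /etc/ipsec.secrets as slide 5 describes, and then checks the tab rule from slide 5. The secrets files it writes are constructed samples with placeholder keys, and the function names are this example's own.

```shell
# pubkey_from_secrets <file>: the value after "#pubkey=" in a secrets file
# (the line "ipsec rsasigkey" emits for the public half of the key).
pubkey_from_secrets() {
    sed -n 's/^[[:space:]]*#pubkey=//p' "$1" | head -n 1
}

# gen_conn <name> <left_secrets> <right_secrets>; addresses and IDs come from the
# LEFT*/RIGHT* variables, so one script gives the identical file both sides need.
gen_conn() {
    lkey=$(pubkey_from_secrets "$2"); rkey=$(pubkey_from_secrets "$3")
    if [ -z "$lkey" ] || [ -z "$rkey" ]; then
        echo "no #pubkey= line in $2 or $3" >&2; return 1
    fi
    printf 'conn %s\n' "$1"
    # every line inside the section, comments included, starts with a tab
    printf '\t%s\n' "auto=start" "authby=rsasig" "keyingtries=0" \
        "# left gateway, subnet behind it, next hop toward right" \
        "left=$LEFT" "leftsubnet=$LEFTSUBNET" "leftnexthop=$LEFTNEXTHOP" \
        "leftid=$LEFTID" "leftrsasigkey=$lkey" \
        "# right gateway, subnet behind it, next hop toward left" \
        "right=$RIGHT" "rightsubnet=$RIGHTSUBNET" "rightnexthop=$RIGHTNEXTHOP" \
        "rightid=$RIGHTID" "rightrsasigkey=$rkey"
}

# check_indent <file>: fail and name the first line inside a section that does
# not start with a tab; blank lines and the "config"/"conn" labels are allowed.
check_indent() {
    awk '/^(config|conn)[ \t]/ { insec = 1; next }
         /^[ \t]*$/ { next }
         insec && !/^\t/ { printf "line %d not tab-indented: %s\n", NR, $0; bad = 1; exit }
         END { exit bad }' "$1"
}

# demo: constructed secrets files (placeholder keys) -> conn section -> tab check
demo() {
    d=$(mktemp -d)
    printf ': RSA\t{\n\t# RSA 2048 bits lamar (placeholder)\n\t#pubkey=0sAQOlamarPLACEHOLDER\n\t}\n' > "$d/lamar.secrets"
    printf ': RSA\t{\n\t# RSA 2048 bits alpha (placeholder)\n\t#pubkey=0sAQNalphaPLACEHOLDER\n\t}\n' > "$d/alpha.secrets"
    LEFT=128.198.60.168 LEFTSUBNET=192.168.1.0/24 LEFTNEXTHOP=128.198.60.129 LEFTID=@lamar.uccs.edu
    RIGHT=128.198.61.15 RIGHTSUBNET=192.168.0.0/24 RIGHTNEXTHOP=128.198.61.1 RIGHTID=@alpha.uccs.edu
    gen_conn a2l "$d/lamar.secrets" "$d/alpha.secrets" > "$d/ipsec.conf"
    check_indent "$d/ipsec.conf" && cat "$d/ipsec.conf"
    rm -r "$d"
}
```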

  13. Evidence of IPsec tunnel

    ifconfig (on titan):

    eth1      Link encap:Ethernet  HWaddr 00:A0:24:0B:2C:05
              inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:11748 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11669 errors:0 dropped:0 overruns:0 carrier:1
              collisions:1 txqueuelen:100
              RX bytes:2490129 (2.3 Mb)  TX bytes:3407195 (3.2 Mb)
              Interrupt:10 Base address:0x1020

    [root@titan root]# ping 192.168.0.2
    PING 192.168.0.2 (192.168.0.2) from 192.168.1.2 : 56(84) bytes of data.
    64 bytes from 192.168.0.2: icmp_seq=1 ttl=62 time=4.17 ms
    64 bytes from 192.168.0.2: icmp_seq=2 ttl=62 time=3.98 ms
    64 bytes from 192.168.0.2: icmp_seq=3 ttl=62 time=4.12 ms
    64 bytes from 192.168.0.2: icmp_seq=4 ttl=62 time=4.14 ms
    64 bytes from 192.168.0.2: icmp_seq=5 ttl=62 time=4.14 ms
    64 bytes from 192.168.0.2: icmp_seq=6 ttl=62 time=3.99 ms

  14. Evidence of IPsec tunnel (contd)

    ifconfig (on beta):

    eth0      Link encap:Ethernet  HWaddr 00:60:B0:A2:81:D5
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:37808 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12890 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:5914487 (5.6 Mb)  TX bytes:1335261 (1.2 Mb)
              Interrupt:9 Base address:0xfcc0

    [root@beta root]# ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2) from 192.168.0.2 : 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=62 time=3.85 ms
    64 bytes from 192.168.1.2: icmp_seq=2 ttl=62 time=3.88 ms
    64 bytes from 192.168.1.2: icmp_seq=3 ttl=62 time=3.85 ms
    64 bytes from 192.168.1.2: icmp_seq=4 ttl=62 time=3.88 ms
    64 bytes from 192.168.1.2: icmp_seq=5 ttl=62 time=3.87 ms
