FreeS/WAN IPSEC HowTo

Author:  Darrell May, Peter Schubert, Shad Lords
Contributors: Andy Worthington, Steve Bush, Lloyd Keen

Release supported: SME >=5.6 only (!)
License: GPL
Last updated: Monday, Apr. 14, 2003 16:00



Problem:  You need to connect remote offices using a secure VPN
Solution: Implement FreeS/WAN following this HowTo


IPSEC VPN Overview

When establishing an IPSEC VPN you need to gather various TCP/IP information for the central VPN server and for all remote VPN client sites.  In addition, each site has a public key that must be shared with the other site.  This information is required for adding the local network parameters and for defining each VPN connection.

In the examples below I will use the following:

CENTRAL OFFICE
  Server ID:                 site1.test
  External IP/Host Address:  28.77.228.251 or domain.site1.com
  Internal IP Address:       192.168.1.1
  Internal Subnet Mask:      255.255.255.0

REMOTE OFFICE
  Server ID:                 site2.test
  External IP/Host Address:  204.182.35.116 or domain.site2.com
  Internal IP Address:       192.168.0.1
  Internal Subnet Mask:      255.255.255.0

STEP 1: Download and install the freeswan rpms available here:

http://lordsfam.net/downloads/production/freeswan/

rpm -Uvh e-smith-packetfilter-1.13.0*.noarch.rpm   ### needed for all architectures (you may already have it)
rpm -Uvh freeswan-module-1.99_2.4.18_5*.{arch}.rpm   ### make sure you match your architecture (uname -m)
rpm -Uvh freeswan-1.99_2.4.18_5*.i386.rpm   ### needed for all architectures
rpm -Uvh devinfo-freeswan-1.99*.noarch.rpm  ### needed for all architectures
/sbin/e-smith/signal-event ipsec-install    ### for new installs

Remark:
The file layout has changed from 1.98b to 1.99. Running the ipsec-install event will alter your public key! You will have to update the configuration at all partner sites!
In order to get your VPNs to work again you must:
   1. Delete and recreate all VPN entries that were created previously (ex. dmc-mitel-freeswan...)
   2. Remove the remote networks from the Local networks panel (these are now auto-created as needed).

STEP 2: Visit the IPSEC VPN panel and e-mail your key and TCP/IP information to the remote administrator following these steps:

Add, modify or remove IPSEC VPNs

An IPSEC VPN allows traffic between two locations to travel across the Internet securely. For an IPSEC VPN to function, a server must be setup at each location to be involved in the network.

Click here to view the public encryption key for this server.

Click here to add an IPSEC VPN.

Click here to add an IPSEC VPN WINS server.

No IPSEC VPNs are on file.

Enter the IPSEC VPN panel and click to view the public encryption key for this server.  Next click to e-mail the key to admin.  This will e-mail the public key, along with the other information needed to set up an IPSEC VPN, to the postmaster, which by default forwards to the admin mailbox.  This information must be forwarded to the remote administrator and used to configure the other end of the VPN tunnel.   Call to confirm receipt of the e-mail.  Here is an example of what the central office admin would send to the remote office admin:

Admin <admin@domain.site1.com> said:

> Encryption Key:
> 0sAQPAA8Ju84bfh20GTm84D8c96CUzOD/lFiQHTYMaAQ/uyu46w2i5ohmRniQhx......

> Router ID: site1.test
> Router IP: 28.77.228.251
> Router Internal IP: 192.168.1.1
> Router Internal Subnet Mask: 255.255.255.0

STEP 3: Local Networks panel

For a network to gain access to your server you must define it as a local network.  This is done in the Server-Manager, Local Networks panel as follows:

CENTRAL OFFICE will add the REMOTE OFFICE
  Network address:  192.168.0.0
  Subnet mask:      255.255.255.0
  Router:

REMOTE OFFICE will add the CENTRAL OFFICE
  Network address:  192.168.1.0
  Subnet mask:      255.255.255.0
  Router:

STEP 4: Visit the IPSEC VPN panel and add your new IPSEC VPN

CENTRAL OFFICE will add the REMOTE OFFICE
  Remote router's ID:                               site2.test
  Remote router's external IP address or hostname:  204.182.35.116 or domain.site2.com
  Remote router's internal IP address:              192.168.0.1
  Remote router's internal subnet mask:             255.255.255.0
  Remote router's public encryption key:            paste from e-mail....
  Remote network NAT'ed:                            yes
  Encrypt Network to Network traffic:               yes
  Encrypt Gateway to Gateway traffic:               yes
  Encrypt Gateway to Network traffic:               yes
  Local machine acts as a:                          server

REMOTE OFFICE will add the CENTRAL OFFICE
  Remote router's ID:                               site1.test
  Remote router's external IP address or hostname:  28.77.228.251 or domain.site1.com
  Remote router's internal IP address:              192.168.1.1
  Remote router's internal subnet mask:             255.255.255.0
  Remote router's public encryption key:            paste from e-mail....
  Remote network NAT'ed:                            yes
  Encrypt Network to Network traffic:               yes
  Encrypt Gateway to Gateway traffic:               yes
  Encrypt Gateway to Network traffic:               yes
  Local machine acts as a:                          client

STEP 5: Visit the IPSEC VPN panel and assign your network WINS server.

IPSEC VPN WINS server

Windows Internet Name Server (WINS) is a service that keeps a database of computer name to IP address mappings. This permits accessing a computer using the NetBIOS computer name. This name is handed to the nearest WINS server which then returns an IP address.

By default, this server is set to act as the WINS server. However, if this server is a remote IPSEC VPN client, you must enter the internal IP address of the IPSEC VPN server below.

IPSEC VPN WINS server, internal IP address:

The Central Office is the WINS server, so it will leave this entry blank.  The Remote Office will enter 192.168.1.1 (the internal IP address of the central office server) and use the central office server as its WINS server.


STEP 6: Check and test the VPN

It may take a few minutes for the VPN tunnel to connect.  Try sending some pings to the other side's internal IP address.  View the output of ifconfig and look for traffic on ipsec0.  Also look at the output of ipsec eroute to verify that the tunnels were set up correctly.

# ifconfig

.....
ipsec0 Link encap:Ethernet HWaddr 00:48:54:88:64:A2
inet addr:204.182.35.116 Mask:255.255.254.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:127 errors:0 dropped:0 overruns:0 frame:0
TX packets:155 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:18281 (17.8 Kb) TX bytes:32136 (31.3 Kb)  <-- watch RX/TX for activity as you ping

# ipsec eroute
2 192.168.0.0/24 -> 28.77.228.251/32 => tun0x1004@28.77.228.251
0 192.168.0.0/24 -> 192.168.1.0/24 => tun0x100e@28.77.228.251
6 204.182.35.116/32 -> 28.77.228.251/32 => tun0x1006@28.77.228.251
0 204.182.35.116/32 -> 192.168.1.0/24 => tun0x1002@28.77.228.251
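The eroute check above can be scripted.  The following shell function is an added example, not part of the HowTo or of the FreeS/WAN package: it reads the output of ipsec eroute and confirms that the four eroutes a fully enabled tunnel installs (network to gateway, network to network, gateway to gateway, gateway to network, as produced when all three Encrypt options are set to yes) are present and point at the expected peer.  The function name, argument order and the sample table (copied from the remote office output above) are this example's own.

```shell
# Added example, not part of the original HowTo.
# usage: ipsec eroute | check_eroutes LOCAL_NET LOCAL_GW REMOTE_GW REMOTE_NET
# Prints "ok"/"MISSING" for each expected eroute; exit status = number missing.
check_eroutes() {
    lnet=$1 lgw=$2 rgw=$3 rnet=$4
    eroutes=$(cat)          # read the eroute table once from stdin
    missing=0
    # expected src/dst pairs; gateway endpoints appear as /32 host routes
    for pair in "$lnet $rgw/32" "$lnet $rnet" "$lgw/32 $rgw/32" "$lgw/32 $rnet"; do
        set -- $pair        # split the pair into src ($1) and dst ($2)
        # eroute line layout: <count> <src> -> <dst> => tunNNNN@<peer>
        if printf '%s\n' "$eroutes" | awk -v s="$1" -v d="$2" -v p="$rgw" '
                $2 == s && $4 == d { split($6, t, "@"); if (t[2] == p) found = 1 }
                END { exit (found ? 0 : 1) }'; then
            echo "ok      $1 -> $2 (via $rgw)"
        else
            echo "MISSING $1 -> $2 (via $rgw)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample: the remote office eroute table shown in step 6.
SAMPLE_EROUTE='2 192.168.0.0/24 -> 28.77.228.251/32 => tun0x1004@28.77.228.251
0 192.168.0.0/24 -> 192.168.1.0/24 => tun0x100e@28.77.228.251
6 204.182.35.116/32 -> 28.77.228.251/32 => tun0x1006@28.77.228.251
0 204.182.35.116/32 -> 192.168.1.0/24 => tun0x1002@28.77.228.251'

# Remote office view: local net 192.168.0.0/24 behind 204.182.35.116,
# central office gateway 28.77.228.251 in front of 192.168.1.0/24.
printf '%s\n' "$SAMPLE_EROUTE" | \
    check_eroutes 192.168.0.0/24 204.182.35.116 28.77.228.251 192.168.1.0/24
```

On a live server replace the printf with `ipsec eroute` and run the check from each side with that side's own addresses; a MISSING line for a network destination usually means the corresponding Encrypt option or Local Networks entry is wrong on one end.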