There are some considerations you must ensure are correct before running FreeS/WAN software. These considerations are important if you don't want to receive error messages during start up of your VPN. The following
are required:
You will need to enable TCP/IP forwarding on the both gateway servers. In Red Hat Linux, this is accomplished by changing or adding the following line, depending on the Red Hat version you use:
Edit the
network file,
vi /etc/sysconfig/network, and change the following line:
To read:
You must restart your network for the change to take effect:
[root@deep] /# /etc/rc.d/init.d/network restart
|
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
|
To enable IPv4 forwarding on your RH 6.2 system, use the following command:
Edit the /etc/sysctl.conf file and add the following line:
# Enable packet forwarding
net.ipv4.ip_forward = 1
|
You must restart your network for the change to take effect. The command to restart the network is the following:
[root@deep] /# /etc/rc.d/init.d/network restart
|
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
|
Recall that automatically keyed connections use keys automatically generated by the Pluto key negotiation daemon. The pluto daemon will start up, try to connect to the Pluto daemon at the other end of the tunnel, and establish a
connection. For this reason, an IPSEC gateway should have packet filters rules in the firewall script file permitting the following protocols to traverse the gateway when talking to other IPSEC gateway:
UDP port 500 for IKE implemented by the Pluto daemon
Protocol 50 for ESP encryption and/or authentication
Protocol 51 for AH packet-level authentication
Edit the firewall script file, vi /etc/rc.d/init.d/firewall on both gateway machines, and add/check the following lines to allow IPSEC packets
to traverse the remote network gateway to your network gateway and vice versa:
# FreeS/WAN IPSec VPN
# -------------------
# If you are using the FreeSWAN IPSec VPN, you will need to fill in the
# addresses of the gateways in the IPSECSG and the virtual interfaces for
# FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of
# this firewall script rules file to set the parameters.
# IPSECSG is a Space separated list of remote gateways. FREESWANVI is a
# Space separated list of virtual interfaces for FreeS/Wan IPSEC
# implementation. Only include those that are actually used.
# Allow IPSEC protocol from remote gateways on external interface
# IPSEC uses three main types of packet:
# IKE uses the UDP protocol and port 500,
# ESP use the protocol number 50, and
# AH use the protocol number 51
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $IPSECSG -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-d $IPSECSG -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \
-s $IPSECSG -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
-d $IPSECSG -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \
-s $IPSECSG -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
-d $IPSECSG -j ACCEPT
# Allow all traffic to FreeS/WAN Virtual Interface
ipchains -A input -i $FREESWANVI \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
ipchains -A output -i $FREESWANVI \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
ipchains -A forward -i $FREESWANVI \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
|
where
- EXTERNAL_INTERFACE="eth0"
You external interface to the Internet.
- ANYWHERE="any/0"
Mean everywhere 0.0.0.0/0.
- IPSECSG=208.164.186.2
Space separated list of remote VPN gateways.
- FREESWANVI=ipsec0
Space separated list of virtual interfaces for FreeS/Wan.
:
See Networking Firewall, for more information. Dont forget to add/check these firewall rules in the other gateway as well.
The rp_filter subsystem related to IP spoofing protection must be turned off on both gateways for IPSEC to work properly. This is accomplished by checking if the value 0 (off) is set in
the /proc/sys/net/ipv4/conf/ipsec0/rp_filter and /proc/sys/net/ipv4/conf/eth0/rp_filter files respectively:
To check if the value 0 (off) is set in the rp_filter files, use the commands:
[root@deep] /# cat /proc/sys/net/ipv4/conf/ipsec0/rp_filter
|
[root@deep] /# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
|
:
The subdirectory ipsec0 in our example will be created only after the reboot of your system. So you may check the value of the rp_filter file in the ipsec0
directory after your system has been restarted.
To set the value 0 (off) in the both rp_filter files manually, use the command:
[root@deep] /# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
[root@deep] /# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
|
:
Also you can put lines like the following in your firewall script files /etc/rc.d/init.d/firewall on the both gateways to automatically set these values to 0 (off) and avoid making them manually:
# Disable IP spoofing protection to allow IPSEC to work properly
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
|
:
In the example of the firewall script file above, we assume that eth0 is the interface you use for your connection. Of course if you use eth1 you must change eth0 to eth1, and so on.
If you forget this step you will receive error messages on your terminal such as the following during the start up of FreeSWAN IPSEC:
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
|
It's important to note that any masquerading rules for internal networks that use IPSEC must come after the rules allowing IPSEC related traffic (The step 2 and 3 above), or the machine will try to masquerade the packets, instead of
them being passed over to IPSEC.
Edit the firewall script file, vi /etc/rc.d/init.d/firewall on both gateway machines and add/check the following lines to allow masqueraded packets to traverse the
remote network gateway to your network gateway and vice versa:
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
|
Where
- EXTERNAL_INTERFACE="eth0"
You external interface to the Internet.
- LOCALNET_1=" 192.168.1.0/24"
whatever private range you use.
Now, you can reboot your system, and the machines on Gateway A should be able to talk to the machines on Gateway B with no problems.