FreeS/WAN IPSEC HowTo
Author: Darrell May, Peter Schubert, Shad Lords

Problem: You need to connect remote offices using a secure VPN
IPSEC VPN Overview
When establishing an IPSEC VPN you need to gather TCP/IP information for the central VPN server and for every remote VPN client site. In addition, each site has a secret key that must be shared with the other side. This information is required for adding the local network parameters and for defining each VPN connection.
In the examples below I will use the following:
| | CENTRAL OFFICE | REMOTE OFFICE |
|---|---|---|
| Server ID | site1.test | site2.test |
| External IP/Host Address | 28.77.228.251 or domain.site1.com | 204.182.35.116 or domain.site2.com |
| Internal IP Address | 192.168.1.1 | 192.168.0.1 |
| Internal Subnet Mask | 255.255.255.0 | 255.255.255.0 |
STEP 1: Download and install the freeswan rpms available here:
http://lordsfam.net/downloads/production/freeswan/

rpm -Uvh e-smith-packetfilter-1.13.0*.noarch.rpm     ### needed for all architectures (you may already have it)
rpm -Uvh freeswan-module-1.99_2.4.18_5*.{arch}.rpm   ### make sure you match your architecture (uname -m)
rpm -Uvh freeswan-1.99_2.4.18_5*.i386.rpm            ### needed for all architectures
rpm -Uvh devinfo-freeswan-1.99*.noarch.rpm           ### needed for all architectures
/sbin/e-smith/signal-event ipsec-install             ### for new installs

Remark: The file layout has changed from 1.98b to 1.99. Running the ipsec-install event will alter your public key! You will have to update the configuration at all partner sites! In order to get your VPNs to work you must:
1. Delete and recreate all VPN entries that were created previously (e.g. dmc-mitel-freeswan...).
2. Remove remote networks from the Local Networks panel (these are now auto-created as needed).
STEP 2: Visit the IPSEC VPN panel and e-mail your key and TCP/IP information to the remote administrator following these steps:
Add, modify or remove IPSEC VPNs
An IPSEC VPN allows traffic between two locations to travel across the Internet securely. For an IPSEC VPN to function, a server must be set up at each location to be involved in the network.
Click here to view the public encryption key for this server.
Click here to add an IPSEC VPN.
Click here to add an IPSEC VPN WINS server.
No IPSEC VPNs are on file.
Enter the IPSEC VPN panel and click to view the public encryption key for this server. Next, click to e-mail the key to admin. This e-mails the public key, along with the other information needed to set up an IPSEC VPN, to the postmaster address, which by default forwards to the admin mailbox. This information must be forwarded to the remote administrator and used to configure the other end of the VPN tunnel. Call to confirm receipt of the e-mail. Here is an example of what the central office admin would send to the remote office admin:
Admin <admin@domain.site1.com> said:
> Encryption Key: 0sAQPAA8Ju84bfh20GTm84D8c96CUzOD/lFiQHTYMaAQ/uyu46w2i5ohmRniQhx......
>
> Router ID: site1.test
> Router IP: 28.77.228.251
> Router Internal IP: 192.168.1.1
> Router Internal Subnet Mask: 255.255.255.0
STEP 3: Local Networks panel
For a network to gain access to your server you must define it as a local network. This is done in the Server-Manager, Local Networks panel as follows:
| | CENTRAL OFFICE will add the REMOTE OFFICE | REMOTE OFFICE will add the CENTRAL OFFICE |
|---|---|---|
| Network address | 192.168.0.0 | 192.168.1.0 |
| Subnet mask | 255.255.255.0 | 255.255.255.0 |
| Router | | |
STEP 4: Visit the IPSEC VPN panel and add your new IPSEC VPN
| | CENTRAL OFFICE will add the REMOTE OFFICE | REMOTE OFFICE will add the CENTRAL OFFICE |
|---|---|---|
| Remote router's ID | site2.test | site1.test |
| Remote router's external IP address or hostname | 204.182.35.116 or domain.site2.com | 28.77.228.251 or domain.site1.com |
| Remote router's internal IP address | 192.168.0.1 | 192.168.1.1 |
| Remote router's internal subnet mask | 255.255.255.0 | 255.255.255.0 |
| Remote router's public encryption key | paste from e-mail.... | paste from e-mail.... |
| Remote network NAT'ed | yes | yes |
| Encrypt Network to Network traffic | yes | yes |
| Encrypt Gateway to Gateway traffic | yes | yes |
| Encrypt Gateway to Network traffic | yes | yes |
| Local machine acts as a | server | client |
STEP 5: Visit the IPSEC VPN panel and assign your network WINS server.
IPSEC VPN WINS server
Central Office is the WINS server, so it will leave this entry blank. Remote Office will enter 192.168.1.1 (the internal IP address of the central office server) to use the central office server as its WINS server.
STEP 6: Check and test the VPN
It may take a few minutes for the VPN tunnel to connect. Try pinging the other side's internal IP address. View the output of ifconfig and look for traffic on ipsec0. Also look at the output of ipsec eroute to verify that the tunnels were set up correctly.
# ifconfig
.....
# ipsec eroute
2 192.168.0.0/24 -> 28.77.228.251/32 => tun0x1004@28.77.228.251
0 192.168.0.0/24 -> 192.168.1.0/24 => tun0x100e@28.77.228.251
6 204.182.35.116/32 -> 28.77.228.251/32 => tun0x1006@28.77.228.251
0 204.182.35.116/32 -> 192.168.1.0/24 => tun0x1002@28.77.228.251
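To make the Step 6 check less dependent on reading the eroute table by eye, here is an added example (not part of the original HowTo or of the e-smith/FreeS/WAN packages) that parses `ipsec eroute` output and reports which of the Step 4 "Encrypt ... traffic" options still lack an eroute. The sample input is the page's own four lines as seen from the remote office gateway; the function names and the mapping of options to src/dst pairs are my own reading of that output.

```python
import re
from ipaddress import ip_network

# Constructed sample: the four `ipsec eroute` lines quoted on this page, as seen
# from the REMOTE OFFICE gateway (204.182.35.116, internal 192.168.0.0/24).
SAMPLE_EROUTE = """\
2 192.168.0.0/24 -> 28.77.228.251/32 => tun0x1004@28.77.228.251
0 192.168.0.0/24 -> 192.168.1.0/24 => tun0x100e@28.77.228.251
6 204.182.35.116/32 -> 28.77.228.251/32 => tun0x1006@28.77.228.251
0 204.182.35.116/32 -> 192.168.1.0/24 => tun0x1002@28.77.228.251
"""

# Line shape: <packets> <src/prefix> -> <dst/prefix> => <tun SA id>@<peer gateway>
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*->\s*(\S+)\s*=>\s*(tun0x[0-9a-fA-F]+)@(\S+)\s*$")


def parse_eroute(text):
    """Parse `ipsec eroute` output into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            count, src, dst, sa, peer = m.groups()
            routes.append({"count": int(count), "src": ip_network(src),
                           "dst": ip_network(dst), "sa": sa, "peer": peer})
    return routes


def check_tunnels(routes, local_ext, local_net, remote_ext, remote_net):
    """Map the Step 4 'Encrypt ... traffic' options onto the eroutes that must exist.
    Returns {option: matching eroute or None}. The page's sample output shows the
    Gateway to Network option installed in both directions, so both are checked."""
    l_ext, l_net = ip_network(local_ext), ip_network(local_net)
    r_ext, r_net = ip_network(remote_ext), ip_network(remote_net)
    wanted = {"Network to Network": (l_net, r_net),
              "Gateway to Gateway": (l_ext, r_ext),
              "Gateway to Network": (l_ext, r_net),
              "Network to Gateway": (l_net, r_ext)}
    peer = str(r_ext.network_address)  # every SA must point at the remote gateway
    return {name: next((r for r in routes if r["src"] == src and r["dst"] == dst
                        and r["peer"] == peer), None)
            for name, (src, dst) in wanted.items()}


def missing_tunnels(routes, local_ext, local_net, remote_ext, remote_net):
    """Step 4 options with no eroute yet; an empty list means the tunnel is fully up."""
    found = check_tunnels(routes, local_ext, local_net, remote_ext, remote_net)
    return [name for name, route in found.items() if route is None]


if __name__ == "__main__":
    routes = parse_eroute(SAMPLE_EROUTE)
    print("missing:", missing_tunnels(routes, "204.182.35.116", "192.168.0.0/24",
                                      "28.77.228.251", "192.168.1.0/24"))
```

On a real gateway, feed it the live output with `ipsec eroute | python3 check.py`-style piping or `subprocess`; the packet counts in the first column tell you whether the pings from Step 6 actually used the tunnel.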