----- Forwarded message from  -----

Date: Sat, 16 Mar 2002 15:19:29 -0800
To: [EMAIL PROTECTED]
Subject: bering + dachstein ipsec monster
Mail-Followup-To: [EMAIL PROTECTED]
User-Agent: Mutt/1.2.5i

I have now been successful at building an ipsec kernel for bering (2.4.17) and
using the utilities from dachstein to connect a Win2k client through my
firewall.  I may run into problems later, however, but I figure if a couple of
people out there do what I have done, we'll hit the problems quicker.  Attached
are some very sloppily compiled instructions, but don't hesitate to post back
questions and I will clarify if I have munged something up.

My next step is to get it working with x.509 certificates, then package openCA
and put it on there for certificate management.  Let me know if you are
interested in that effort and I will keep the list posted.


Thanks for all your help the other day.  This is a great list.


-- 
---------------------------------------------------------------------------
Chad Carr                                             [EMAIL PROTECTED] 
---------------------------------------------------------------------------

Installing Bering LEAF on compact flash for the Soekris net4501 router platform

1) download floppy image and mount using
        mount -t msdos bering-1680-b4.bin /mnt/image -o loop
2) make msdos filesystem on compact flash
        mkdosfs /dev/hde1
3) mount compact flash
        mount -t msdos /dev/hde1 /mnt/cf
4) copy all files from floppy image to mounted compact flash
5) delete unneeded files and remove references from syslinux.cfg ("LRP=" line)
        keyboard.lrp - not needed for english keyboards
        ppp.lrp, pppoe.lrp - not needed for ethernet router
        bridge.lrp - not needed for ethernet router
        pump.lrp - not needed for static addressed router
        syslinux.dpy - not needed for serial boot
6) copy ide disk modules to initrd.lrp
        a) gunzip -S .lrp initrd.lrp
        b) mount -t minix initrd /mnt/initrd -o loop
        c) edit boot/etc/modules to load the following modules:
                ide-mod
                ide-disk
                ide-probe-mod
        d) download the modules from leaf.sf.net/devel/jnilo/bering/latest/
        e) copy to boot/lib/modules
        f) umount /mnt/initrd
        g) gzip -S .lrp -n initrd
7) compile kernel with serial support (serial console requires non-modular)
        a) get config file from leaf.sf.net/devel/jnilo/bering/latest/
        b) make menuconfig; change serial support from M to *
        c) make bzImage modules
        d) cp arch/i386/boot/bzImage /mnt/cf/linux
8) make modifications to etc.lrp to support console on serial terminal
        a) cd /scratch; tar xzvf /mnt/cf/etc.lrp
        b) modify etc/inittab; comment out gettys on tty1 and tty2
        c) uncomment getty on ttyS0
        d) copy terminfo dir from dachstein (for vim)                           *
        e) edit etc/securetty to add ttyS0
        f) tar czvf /mnt/cf/etc.lrp etc var
9) make modifications to syslinux.cfg to support serial console
        a) change device in boot= and PKGPATH= to hda1
        b) add the following line
                append console=ttyS0,19200
        c) remove "display syslinux.dpy" if you removed the file above
        d) remove modules from lrp line that were removed above

SYSTEM SHOULD NOW BOOT, SHOWING MESSAGES ON SERIAL CONSOLE!

10) change root ramdisk to 8 megs (from 6 megs) before continuing
        a) boot bering
        b) edit /linuxrc; change value of SYSTSIZE variable to 8M (default 6M)
        c) backup initrd package to compact flash
11) add bash, lncurses, lrdline2, vim packages from dachstein; add relevant items to syslinux.cfg file
12) add network driver (natsemi.o)
        a) copy natsemi.o module from leaf.sf.net/devel/jnilo/bering/latest to /mnt/cf/lib/modules
        b) boot onto compact flash
        c) mount -t msdos /dev/hda1 /mnt
        d) cp /mnt/lib/modules/natsemi.o /lib/modules
        e) edit /etc/modules; uncomment natsemi line
        f) backup modules package to compact flash
        g) rm /mnt/lib/modules/natsemi.o
13) set editor to vim
        a) modify /bin/edit as follows:
                #!/bin/sh
                . /etc/profile
                EDITOR=${EDITOR:=/bin/e3}
                eval $EDITOR "$@"
        b) add line to /etc/profile
                export EDITOR=vi
        c) backup root and etc packages to compact flash
14) add ipsec support
        a) copy the following dachstein packages to /mnt/cf
                ipsec.lrp
                ipsec509.lrp
                certools.tgx (change name to .lrp)
                ifconfig.lrp
                mawk.lrp
        b) steal netstat binary from dachstein root.lrp
                i) tar xzvf /dachstein/root.lrp bin/netstat
                ii) cd /scratch; tar xzvf /mnt/cf/root.lrp
                iii) cp /dachstein/bin/netstat /scratch/bin/
                iv) tar czvf /mnt/cf/root.lrp *
        c) get freeswan tarball from ftp://ftp.xs4all.nl/pub/crypto/freeswan
        d) get x.509 freeswan patch from http://www.strongsec.com/freeswan
        e) tar xzvf freeswan-<version>.tar.gz
        f) tar xzvf x509patch-<version>-freeswan-<version>.tar.gz
        g) cp x509patch-<version>-freeswan-<version>/freeswan.diff freeswan-<version>/
        h) cd freeswan-<version>; patch -p1 < freeswan.diff
        i) compile against kernel above using make oldgo
#       j) strip pluto/pluto; strip pluto/whack
#       k) tar xzvf /mnt/cf/ipsec509.lrp -C /scratch
#       l) cp pluto/pluto pluto/whack utils/auto /scratch/usr/local/lib/ipsec
#       m) cd /scratch; tar czvf /mnt/cf/ipsec509.lrp *
        n) cd /usr/src/linux/; cp arch/i386/boot/bzImage /mnt/cf/linux
        o) cp net/ipsec/ipsec.o /mnt/cf/lib/modules
        p) boot onto compact flash
        q) mount -t msdos /dev/hda1 /mnt
        r) cp /mnt/lib/modules/ipsec.o /lib/modules
        s) backup modules package to compact flash
        t) rm /mnt/lib/modules/ipsec.o
        now I know my ABCs...
15)
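A consistency check for the compact-flash image that steps 5, 9 and 12 above leave behind (added example, not part of the original mail): it reads the LRP= option of syslinux.cfg and reports packages that are listed but no longer on the card, .lrp files on the card that are never loaded, and a display line that still points at a deleted syslinux.dpy. The syslinux.cfg layout in the sample and the `make_sample_cf` helper are constructed for this example, not copied from Bering.

```shell
#!/bin/sh
# Consistency check for a Bering compact-flash image (added example, not part
# of the original mail).  Assumed layout, following the steps above: packages
# are <name>.lrp files in the card's root, loaded via the comma-separated LRP=
# option on the append line of syslinux.cfg; an optional "display <file>" line.

# $1 = mount point of the compact flash.  Prints one line per problem found,
# nothing when the image is consistent.
check_cf_image() {
    cf=$1
    cfg="$cf/syslinux.cfg"
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 1; }
    # packages named on the LRP= option, one per line
    listed=$(sed -n 's/.*LRP=\([^ ]*\).*/\1/p' "$cfg" | tr ',' '\n')
    for p in $listed; do
        [ -f "$cf/$p.lrp" ] || echo "LISTED-BUT-MISSING: $p.lrp"
    done
    # packages on the card that are never loaded (step 5 says delete them)
    for f in "$cf"/*.lrp; do
        [ -f "$f" ] || continue
        p=$(basename "$f" .lrp)
        [ "$p" = initrd ] && continue     # loaded via initrd=, not LRP=
        echo "$listed" | grep -qxF "$p" || echo "UNLISTED: $p.lrp"
    done
    # step 9c: a display line must not point at a file that was deleted
    dpy=$(sed -n 's/^display[[:space:]]*//p' "$cfg")
    if [ -n "$dpy" ] && [ ! -f "$cf/$dpy" ]; then
        echo "DISPLAY-MISSING: $dpy"
    fi
}

# Constructed sample card in directory $1: pump.lrp was deleted but is still
# listed, keyboard.lrp was left behind, syslinux.dpy was removed.
make_sample_cf() {
    cat > "$1/syslinux.cfg" <<'EOF'
display syslinux.dpy
default linux
label linux
kernel linux
append initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/hda1:msdos PKGPATH=/dev/hda1 LRP=root,etc,local,modules,ipsec,pump
EOF
    for p in initrd root etc local modules ipsec keyboard; do
        : > "$1/$p.lrp"
    done
}

# Run against a real card: sh check_cf.sh /mnt/cf
if [ -n "${1-}" ]; then check_cf_image "$1"; fi
```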

IPSec Configuration instructions for Win2K to Bering/Dachstein FreeS/WAN


1) download and install win2k service pack 2 (you MUST have this to get Triple
DES encryption; FreeS/WAN will apparently not negotiate Single DES).
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp

2) configure win2k client as follows:
        a) load ipsec admin applet - add new Security Policy - control panel - administrative tools - local security policy
        b) click on ipsec security policies in left pane
        c) action - create IP security policy
        d) next, choose name (Win2k to FreeS/WAN), uncheck default response rule, check edit properties, finish
        e) add IP security rule
        f) next, tunnel endpoint (192.168.3.1), lan connection, preshared key (unsecure)
        g) add both ip filter lists for inbound and outbound traffic
        h) add ip filter list, name: "outbound traffic", add filter
        i) next, src: my ip address, dest: any ip address, any proto, finish
        i) add another filter list, name "inbound traffic", add filter
        j) next, src: any ip address, dest: my ip address, any proto, finish
        k) select the outbound traffic filter list
        l) add filter action to encrypt and authenticate with freeswan
        m) next, name "freeswan compatible", negotiate, do not communicate non-ipsec, custom (MD5, 3DES), edit properties
        n) uncheck allow unsecured but always respond..., check perfect forward security
        o) select the freeswan compatible filter action
        p) uncheck edit properties, finish
        q) add another IP security rule
        r) next, tunnel endpoint (192.168.3.10), lan connection, preshared key (unsecure), inbound traffic, freeswan compatible, finish
        s) general tab, advanced, check master key perfect forward security
        t) you are ipsec-ing on win2k
3) configure FreeS/WAN to respond to client properly
        a) ipsec.secrets
                %any 192.168.3.1: PSK "unsecure"
        b) ipsec.conf
                config setup
                        interfaces="ipsec0=eth0"
                conn win2k
                        left=192.168.3.1
                        leftsubnet=0.0.0.0/0
                        right=%any
                        authby=secret
                        pfs=yes
                        auto=add
4) ping from 192.168.3.10 to 192.168.3.1, second ping should succeed
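A sanity check for the FreeS/WAN side of step 3 (added example, not part of the original mail): it pulls the conn's settings out of ipsec.conf, confirms they match the road-warrior setup described (right=%any, authby=secret, pfs=yes, auto=add), and checks that ipsec.secrets carries a PSK indexed by both %any and the left address, warning when that key is as short as the mail's "unsecure". The `conn_value`, `check_roadwarrior` and `write_sample` helpers are constructed here; the sample files reproduce the configuration given in step 3.

```shell
#!/bin/sh
# Sanity check for the FreeS/WAN side of step 3 (added example, not part of the
# original mail).  Assumes FreeS/WAN's ipsec.conf layout (conn sections with
# indented key=value lines) and ipsec.secrets lines of the form
# "<index> <index>: PSK \"secret\"" with IPv4 indexes, as in the mail.

# Print the value of key $2 in section "conn $1" of ipsec.conf $3.
conn_value() {
    awk -v conn="$1" -v key="$2" '
        /^conn /   { in_conn = ($2 == conn); next }
        /^config / { in_conn = 0 }
        in_conn && $0 ~ ("^[ \t]+" key "=") { sub(/^[ \t]+[^=]*=/, ""); print; exit }
    ' "$3"
}

# $1 = conn name, $2 = ipsec.conf, $3 = ipsec.secrets.  One line per problem;
# silent when the road-warrior conn matches what the mail describes.
check_roadwarrior() {
    conn=$1; conf=$2; secrets=$3
    left=$(conn_value "$conn" left "$conf")
    [ -n "$left" ] || echo "NO-LEFT: conn $conn has no left= address"
    for want in right=%any authby=secret pfs=yes auto=add; do
        key=${want%%=*}; val=${want#*=}
        got=$(conn_value "$conn" "$key" "$conf")
        [ "$got" = "$val" ] || echo "MISMATCH: $key=$got (mail uses $want)"
    done
    # the PSK line must be indexed by both %any (right) and the left address
    psk=$(awk -v ip="$left" '/: *PSK/ {
            split($0, a, ":"); idx = " " a[1] " "
            if (index(idx, " %any ") && index(idx, " " ip " ")) { print a[2]; exit }
          }' "$secrets")
    if [ -z "$psk" ]; then
        echo "NO-PSK: no PSK in $secrets indexed by %any and $left"
    else
        secret=$(echo "$psk" | sed -n 's/.*"\(.*\)".*/\1/p')
        [ ${#secret} -ge 20 ] || echo "WEAK-PSK: key is only ${#secret} characters"
    fi
}

# Constructed copy of the mail's step 3 configuration, written into directory $1.
write_sample() {
    printf '%s\n' 'config setup' '        interfaces="ipsec0=eth0"' 'conn win2k' \
        '        left=192.168.3.1' '        leftsubnet=0.0.0.0/0' '        right=%any' \
        '        authby=secret' '        pfs=yes' '        auto=add' > "$1/ipsec.conf"
    echo '%any 192.168.3.1: PSK "unsecure"' > "$1/ipsec.secrets"
}

# Usage on the firewall: check_roadwarrior win2k /etc/ipsec.conf /etc/ipsec.secrets
```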


Using x.509 certificates

1) create new Trusted RootCA on wlanfw
        a) generate root certificate

----- End forwarded message -----


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user