Ok great! The setup is pretty straightforward. Please let me know if this
helped you out.
Here are some commented configs. :) I hope they are clear enough. Let me
know if you need some points laid out better.
First off, you need the following modules and packages: ipsec.lrp, libm.lrp,
lpthread.lrp, mawk.lrp and ipsec.o. If you want to get a little more fancy, you
can use an algorithm like aes (the modules can be found under
2.4.26\kernel\net\ipsec\alg; make sure to download the modules package). Be
warned: both sides have to use the same algorithms or it will crash ipsec.
Also, be aware that you will require two floppies to run ipsec. I am assuming
that you know how to add modules and packages to Bering uClibc.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Pre-shared key authentication; the keys live in the Pluto secrets file.
        authby=secret
        # Only use esp=aes if you load the ipsec_aes.o module.
        esp=aes
        # The local gateway machine's external IP address (fill in).
        right=
        # The local subnet address.
        rightsubnet=10.10.34.0/24
        # The default gateway for the local gateway machine's external IP address (fill in).
        rightnexthop=
        pfs=yes

# To start the connection, type: ipsec whack --initiate --name example
conn example
        # The remote gateway machine's external IP address (fill in).
        left=
        # Subnet address of the remote network, different from the right's subnet.
        # If you have multiple subnets, you can just use a subnet mask that
        # encompasses all of them. For example, if you have subnets between
        # 192.168.20.0/24 and 192.168.30.0/24, you can use 192.168.0.0/16 as your
        # leftsubnet declaration. This will allow ALL of those hosts to be
        # connected to the 10.10.34.0/24 network and vice versa.
        leftsubnet=192.168.0.0/16
        # Default gateway for the remote gateway machine (fill in).
        leftnexthop=
        esp=aes
        auto=start

# These are just for security.
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
Now the Pluto shared secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA {
#       # -- Create your own RSA key with "ipsec rsasigkey"
#       }
# do not change the indenting of that "}"

# <your external IP, eth0> <external IP of the remote router you connect to> : PSK "<key>"
149.158.267.17 137.165.207.162 : PSK "0xdbf32da2_2c79331f_d4abd93b_9a291810_0864bb26_aa9840eb_e0"
# Make sure you hit Enter at the end of that line or you will get errors when
# you try to connect: it requires an end-of-line carriage return.
#
# To make a pre-shared key, install FreeS/WAN IPsec on a Linux box and run:
#     ipsec ranbits --bytes 25
Ok, now you have to do some stuff in Shorewall. You have to make some entries
in the Shorewall tunnels, rules, interfaces and policy files.
Policy file needs to have this:
#SOURCE  DEST  POLICY
loc      vpn   ACCEPT
vpn      loc   ACCEPT

Rules file needs to have this:
#IPSEC RULES
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     vpn   udp    500
ACCEPT   net     vpn   50     -
ACCEPT   net     vpn   51     -

Interfaces file needs to have this:
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     routefilter,tcpflags,norfc1918
loc    eth1       detect
vpn    ipsec0
{The options on the net line are optional, I just included them for the hell
of it. Just make sure you have the last line.}

Tunnels file needs to have this:
#TYPE  ZONE  GATEWAY
ipsec  net   137.165.207.162
{137.165.207.162 is the remote router's IP.}
Ok, now you are ready to rock! All you need to do is initiate the connection.
(It will do this at boot, but you may want to do it manually to test.)
First do this: 'ipsec setup restart' {this will reload the ipsec.conf and
Pluto shared secrets file}
Now type: 'shorewall restart'
Ok, I like to do a terminate statement first: 'ipsec whack --terminate --name
example' {I always do this first just in case there is an existing tunnel}
Then try to bring up the tunnel: 'ipsec whack --initiate --name example'
{Those are double dashes, in case they come out garbled on your end}
If it worked you should see an output something like this:
002 " example" #32: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
122 " example" #32: STATE_QUICK_I1: initiate
002 " example" #32: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
002 " example" #32: sent QI2, IPsec SA established
004 " example" #32: STATE_QUICK_I2: sent QI2, IPsec SA established
Troy
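A pre-flight checker for the two files in Troy's mail, added here as an example and not part of his config or of FreeS/WAN: it verifies the things the mail warns about (secrets line ending in a newline, a ranbits-style 25-byte PSK, both gateways and subnets filled in, left and right subnets not overlapping) and runs on constructed sample files with RFC 5737 addresses and a made-up key.

```shell
# Pre-flight checks for a FreeS/WAN PSK subnet-to-subnet setup. Added example, not
# the thread's code; assumes one "IP IP : PSK" line whose key came from "ipsec ranbits --bytes 25".
# 0 if two CIDR blocks overlap, 1 if disjoint. Plain arithmetic, so the router's mawk suffices.
cidr_overlap() {  # cidr_overlap A.B.C.D/P W.X.Y.Z/Q
    awk -v a="$1" -v b="$2" '
    function toint(ip,  o) { split(ip, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    BEGIN { split(a, x, "/"); split(b, y, "/"); p1 = x[2] + 0; p2 = y[2] + 0
            s = 2 ^ (32 - (p1 < p2 ? p1 : p2))   # size of the larger of the two blocks
            exit ((int(toint(x[1]) / s) == int(toint(y[1]) / s)) ? 0 : 1) }'
}

# The secrets file must end with a newline (Pluto rejects the line otherwise, as the mail
# warns) and the key must be 0x plus 50 lowercase hex digits in ranbits' underscore grouping.
check_secrets() {  # check_secrets FILE
    [ -s "$1" ] || { echo "$1: empty"; return 1; }
    [ -z "$(tail -c 1 "$1")" ] || { echo "$1: no trailing newline"; return 1; }
    grep -Eq '^[0-9.]+ +[0-9.]+ *: *PSK *"0x([0-9a-f]{8}_){6}[0-9a-f]{2}"$' "$1" ||
        { echo "$1: expected 'IP IP : PSK \"0x<50 hex digits>\"'"; return 1; }
}

# Read one parameter of a conn, falling back to "conn %default" the way Pluto does.
conf_get() {  # conf_get FILE CONN KEY
    awk -v c="$2" -v k="$3" '
    /^conn / { sec = $2; next }
    /^[ \t]+[A-Za-z]+=/ { sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, "")
        i = index($0, "="); if (substr($0, 1, i - 1) == k) v[sec] = substr($0, i + 1) }
    END { print ((c in v) ? v[c] : v["%default"]) }' "$1"
}

# A conn needs both gateways and both subnets filled in, and the subnets must be disjoint.
check_conn() {  # check_conn FILE CONN
    for k in left right leftsubnet rightsubnet; do
        [ -n "$(conf_get "$1" "$2" "$k")" ] || { echo "$2: $k is empty"; return 1; }
    done
    lsub=$(conf_get "$1" "$2" leftsubnet); rsub=$(conf_get "$1" "$2" rightsubnet)
    if cidr_overlap "$lsub" "$rsub"; then echo "$2: $lsub overlaps $rsub"; return 1; fi
}
# Constructed sample files (RFC 5737 gateway addresses, made-up key), not the thread's values.
write_samples() {  # write_samples DIR
    cat > "$1/ipsec.conf" <<'EOF'
conn %default
        right=192.0.2.1
        rightsubnet=10.10.34.0/24
conn example
        left=198.51.100.1
        leftsubnet=192.168.0.0/16   # covers every 192.168.x.0/24 behind the remote gateway
EOF
    printf '192.0.2.1 198.51.100.1 : PSK "0x%s"\n' \
        0123abcd_4567ef01_89ab2345_cdef6789_01234567_89abcdef_ab > "$1/ipsec.secrets"
}
```

Run `write_samples /tmp/x; check_secrets /tmp/x/ipsec.secrets; check_conn /tmp/x/ipsec.conf example` (or point the two check functions at the real files under /etc) and fix whatever it reports before `ipsec setup restart`.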
-----Original Message-----
From: Scott A. Young [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 7:14 PM
To: Troy Aden
Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn
That would be perfect... Pre-shared-keys is where I'm starting as well.
Thanks,
Scott.
-----
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: Troy Aden [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 31, 2004 5:21 PM
> To: Scott A. Young
> Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn
>
> I think I can help you out. I have a working config using
> pre-shared keys. Are you interested in this? If so, I will send it on.
>
> Troy
> -----Original Message-----
> From: Scott A. Young [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 31, 2004 5:49 PM
> To: [EMAIL PROTECTED]
> Subject: [leaf-user] ipsec subnet-to-subnet vpn
>
> Hi All,
>
> First of all, thanks to everyone involved with this project.
> The support from the mailing list archives is great!
>
> I've been trying to get an ipsec vpn between two
> bering-uclibc v2.2.1 routers going.
>
> Before boring everyone with the details, I'm wondering if there is a
> definitive example of subnet-to-subnet ipsec setup with shorewall. I will
> post full details, as per instructions, but at this point, I think I just
> need a good example to work from.
>
> Both routers are the same, with the following .lrp's loaded:
> Name      Version          Description
> --------  ---------------  ----------------------------------------------
> initrd    V2.2.1 uClibc-   LEAF Bering-uClibc initial filesystem
> root      V2.2.1 uClibc-   Core LEAF Bering-uClibc package
> config    0.4              Core config and backup system package
> etc       V2.2.1 uClibc-
> local     V2.2.1 uClibc-   LEAF Bering local package
> iptables  1.2.11           IP packet filter administration tools for 2.4.
> shorwall
> ulogd     1.02             The Netfilter Userspace Logging Daemon
> dropbear  0.43 Rev 2       Dropbear SSH 2 server and scp client
> ntpdate   4.1.0-8          client for setting system time from NTP server
> ntpsimpl  4.1.0-8          NTP v4 daemon for simple systems from Debian
> sh-httpd  1.2.5 Rev 3      Small shell-based web server
> weblet    1.0.0 Rev 4      http-server content
> lpthread  0.9.20           The libpthread library
> mawk      1.3.3-9          Mawk is an interpreter for the AWK Programming
> libm      0.9.20           The libm library
> modules   V2.2.1 uClibc-   Define & contain your LEAF Bering modules
> ipsec     1.0.7            Openswan IPSEC
> dnsmasq   2.15 Rev 1       Dnsmasq is lightweight, easy to configure DNS
>
>
> TIA,
> Scott.
>
> ---
> Scott Young
> Network Integration Solutions Inc.
> Phone: 780-461-3371
> Fax: 780-465-7270
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html