summaryrefslogtreecommitdiff
path: root/doc/config.html
blob: 4e9f0a513eac06114c9b2a8aa45211672abf676b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="install.html">Previous</A>
<A HREF="background.html">Next</A>
<HR>
<H1><A NAME="config">How to configure FreeS/WAN</A></H1>
<P>This page will teach you how to configure a simple network-to-network
 link or a Road Warrior connection between two Linux FreeS/WAN boxes.</P>
<P>See also these related documents:</P>
<UL>
<LI>our<A HREF="quickstart.html#quickstart"> quickstart</A> guide to<A HREF="glossary.html#carpediem">
 opportunistic encryption</A></LI>
<LI>our guide to configuration with<A HREF="policygroups.html#policygroups">
 policy groups</A></LI>
<LI>our<A HREF="adv_config.html#adv_config"> advanced configuration</A>
 document</LI>
</UL>
<P> The network-to-network setup allows you to connect two office
 networks into one Virtual Private Network, while the Road Warrior
 connection secures a laptop's telecommute to work. Our examples also
 show the basic procedure on the Linux FreeS/WAN side where another
 IPsec peer is in play.</P>
<P> Shortcut to<A HREF="#config.netnet"> net-to-net</A>.
<BR> Shortcut to<A HREF="#config.rw"> Road Warrior</A>.</P>
<H2><A NAME="16_1">Requirements</A></H2>
<P>To configure the network-to-network connection you must have:</P>
<UL>
<LI>two Linux gateways with static IPs</LI>
<LI>a network behind each gate. Networks must have non-overlapping IP
 ranges.</LI>
<LI>Linux FreeS/WAN<A HREF="install.html#install"> installed</A> on both
 gateways</LI>
<LI><A HREF="http://www.tcpdump.org"><VAR>tcpdump</VAR></A> on the local
 gate, to test the connection</LI>
</UL>
<P>For the Road Warrior you need:</P>
<UL>
<LI>one Linux box with a static IP</LI>
<LI>a Linux laptop with a dynamic IP</LI>
<LI>Linux FreeS/WAN installed on both</LI>
<LI>for testing,<VAR> tcpdump</VAR> on your gateway or laptop</LI>
</UL>
<P>If both IPs are dynamic, your situation is a bit trickier. Your best
 bet is a variation on the<A HREF="#config.rw"> Road Warrior</A>, as
 described in<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00282.html">
 this mailing list message</A>.</P>
<H2><A name="config.netnet"></A>Net-to-Net connection</H2>
<H3><A name="netnet.info.ex">Gather information</A></H3>
<P>For each gateway, compile the following information:</P>
<UL>
<LI>gateway IP</LI>
<LI>IP range of the subnet you will be protecting. This doesn't have to
 be your whole physical subnet.</LI>
<LI>a name by which that gateway can identify itself for IPsec
 negotiations. Its form is a Fully Qualified Domain Name preceded by an
 @ sign, ie. @xy.example.com.
<BR> It does not need to be within a domain that you own. It can be a
 made-up name.</LI>
</UL>
<H4>Get your leftrsasigkey</H4>
<P>On your local Linux FreeS/WAN gateway, print your IPsec public key:</P>
<PRE>    ipsec showhostkey --left</PRE>
<P>The output should look like this (with the key shortened for easy
 reading):</P>
<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
    leftrsasigkey=0sAQOnwiBPt...</PRE>
<P>Don't have a key? Use<A HREF="manpage.d/ipsec_newhostkey.8.html"><VAR>
 ipsec newhostkey</VAR></A> to create one.</P>
<H4>...and your rightrsasigkey</H4>
<P>Get a console on the remote side:</P>
<PRE>    ssh2 ab.example.com</PRE>
<P>In that window, type:</P>
<PRE>    ipsec showhostkey --right</PRE>
<P>You'll see something like:</P>
<PRE>    # RSA 2192 bits   ab.example.com   Thu May 16 15:26:20 2002
    rightrsasigkey=0sAQOqH55O...</PRE>
<H3><A NAME="16_2_2">Edit<VAR> /etc/ipsec.conf</VAR></A></H3>
<P>Back on the local gate, copy our template to<VAR> /etc/ipsec.conf</VAR>
. (on Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
 information you've gathered for our example data.</P>
<PRE>conn net-to-net
    left=192.0.2.2                 # Local vitals
    leftsubnet=192.0.2.128/29      # 
    leftid=@xy.example.com         #   
    leftrsasigkey=0s1LgR7/oUM...   #
    leftnexthop=%defaultroute      # correct in many situations 
    right=192.0.2.9                # Remote vitals
    rightsubnet=10.0.0.0/24        #
    rightid=@ab.example.com        # 
    rightrsasigkey=0sAQOqH55O...   #
    rightnexthop=%defaultroute     # correct in many situations
    auto=add                       # authorizes but doesn't start this 
                                   # connection at startup</PRE>
<P> &quot;Left&quot; and &quot;right&quot; should represent the machines that have FreeS/WAN
 installed on them, and &quot;leftsubnet&quot; and &quot;rightsubnet&quot; machines that are
 being protected. /32 is assumed for left/right and left/rightsubnet
 parameters.</P>
<P>Copy<VAR> conn net-to-net</VAR> to the remote-side /etc/ipsec.conf.
 If you've made no other modifications to either<VAR> ipsec.conf</VAR>,
 simply:</P>
<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
<H3><A NAME="16_2_3">Start your connection</A></H3>
<P>Locally, type:</P>
<PRE>    ipsec auto --up net-to-net</PRE>
<P>You should see:</P>
<PRE>    104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
    106 &quot;net-net&quot; #223: STATE_MAIN_I2: sent MI2, expecting MR2
    108 &quot;net-net&quot; #223: STATE_MAIN_I3: sent MI3, expecting MR3
    004 &quot;net-net&quot; #223: STATE_MAIN_I4: ISAKMP SA established
    112 &quot;net-net&quot; #224: STATE_QUICK_I1: initiate
    004 &quot;net-net&quot; #224: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
<P>The important thing is<VAR> IPsec SA established</VAR>. If you're
 unsuccessful, see our<A HREF="trouble.html#trouble"> troubleshooting
 tips</A>.</P>
<H3><A NAME="16_2_4">Do not MASQ or NAT packets to be tunneled</A></H3>
<P>If you are using<A HREF="glossary.html#masq"> IP masquerade</A> or<A HREF="glossary.html#NAT.gloss">
 Network Address Translation (NAT)</A> on either gateway, you must now
 exempt the packets you wish to tunnel from this treatment. For example,
 if you have a rule like:</P>
<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
</PRE>
<P>change it to something like:</P>
<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
<P>This may be necessary on both gateways.</P>
<H3><A NAME="16_2_5">Test your connection</A></H3>
<P>Sit at one of your local subnet nodes (not the gateway), and ping a
 subnet node on the other (again, not the gateway).</P>
<PRE>    ping fileserver.toledo.example.com</PRE>
<P>While still pinging, go to the local gateway and snoop your outgoing
 interface, for example:</P>
<PRE>    tcpdump -i ppp0</PRE>
<P>You want to see ESP (Encapsulating Security Payload) packets moving<B>
 back and forth</B> between the two gateways at the same frequency as
 your pings:</P>
<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
<P>If you see this, congratulations are in order! You have a tunnel
 which will protect any IP data from one subnet to the other, as it
 passes between the two gates. If not, go and<A HREF="trouble.html#trouble">
 troubleshoot</A>.</P>
<P>Note: your new tunnel protects only net-net traffic, not
 gateway-gateway, or gateway-subnet. If you need this (for example, if
 machines on one net need to securely contact a fileserver on the IPsec
 gateway), you'll need to create<A HREF="adv_config.html#adv_config">
 extra connections</A>.</P>
<H3><A NAME="16_2_6">Finishing touches</A></H3>
<P>Now that your connection works, name it something sensible, like:</P>
<PRE>conn winstonnet-toledonet</PRE>
<P>To have the tunnel come up on-boot, replace</P>
<PRE>    auto=add</PRE>
<P>with:</P>
<PRE>    auto=start</PRE>
<P>Copy these changes to the other side, for example:</P>
<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
<P>Enjoy!</P>
<H2><A name="config.rw"></A>Road Warrior Configuration</H2>
<H3><A name="rw.info.ex">Gather information</A></H3>
<P>You'll need to know:</P>
<UL>
<LI>the gateway's static IP</LI>
<LI>the IP range of the subnet behind that gateway</LI>
<LI>a name by which each side can identify itself for IPsec
 negotiations. Its form is a Fully Qualified Domain Name preceded by an
 @ sign, ie. @road.example.com.
<BR> It does not need to be within a domain that you own. It can be a
 made-up name.</LI>
</UL>
<H4>Get your leftrsasigkey...</H4>
<P>On your laptop, print your IPsec public key:</P>
<PRE>    ipsec showhostkey --left</PRE>
<P>The output should look like this (with the key shortened for easy
 reading):</P>
<PRE>    # RSA 2192 bits   road.example.com   Sun Jun  9 02:45:02 2002
    leftrsasigkey=0sAQPIPN9uI...</PRE>
<P>Don't have a key? See<A HREF="old_config.html#genrsakey"> these
 instructions</A>.</P>
<H4>...and your rightrsasigkey</H4>
<P>Get a console on the gateway:</P>
<PRE>    ssh2 xy.example.com</PRE>
<P>View the gateway's public key with:</P>
<PRE>    ipsec showhostkey --right</PRE>
<P>This will yield something like</P>
<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
    rightrsasigkey=0sAQOnwiBPt...</PRE>
<H3><A NAME="16_3_2">Customize<VAR> /etc/ipsec.conf</VAR></A></H3>
<P>On your laptop, copy this template to<VAR> /etc/ipsec.conf</VAR>. (on
 Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
 information you've gathered for our example data.</P>
<PRE>conn road
    left=%defaultroute             # Picks up our dynamic IP 
    leftnexthop=%defaultroute      # 
    leftid=@road.example.com       # Local information
    leftrsasigkey=0sAQPIPN9uI...   #
    right=192.0.2.10               # Remote information
    rightsubnet=10.0.0.0/24        #
    rightid=@xy.example.com        # 
    rightrsasigkey=0sAQOnwiBPt...  #
    auto=add                       # authorizes but doesn't start this
                                   # connection at startup</PRE>
<P>The template for the gateway is different. Notice how it reverses<VAR>
 left</VAR> and<VAR> right</VAR>, in keeping with our convention that<STRONG>
 L</STRONG>eft is<STRONG> L</STRONG>ocal,<STRONG> R</STRONG>ight<STRONG>
 R</STRONG>emote. Be sure to switch your rsasigkeys in keeping with
 this.</P>
<PRE>    ssh2 xy.example.com
    vi /etc/ipsec.conf</PRE>
<P>and add:</P>
<PRE>conn road
    left=192.0.2.2                 # Gateway's information
    leftid=@xy.example.com         #
    leftsubnet=192.0.2.128/29      #
    leftrsasigkey=0sAQOnwiBPt...   #
    rightnexthop=%defaultroute     # correct in many situations
    right=%any                     # Wildcard: we don't know the laptop's IP
    rightid=@road.example.com      #
    rightrsasigkey=0sAQPIPN9uI...  #
    auto=add                       # authorizes but doesn't start this
                                   # connection at startup</PRE>
<H3><A NAME="16_3_3">Start your connection</A></H3>
<P>You must start the connection from the Road Warrior side. On your
 laptop, type:</P>
<PRE>    ipsec auto --start net-to-net</PRE>
<P>You should see:</P>
<PRE>104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
106 &quot;road&quot; #301: STATE_MAIN_I2: sent MI2, expecting MR2
108 &quot;road&quot; #301: STATE_MAIN_I3: sent MI3, expecting MR3
004 &quot;road&quot; #301: STATE_MAIN_I4: ISAKMP SA established
112 &quot;road&quot; #302: STATE_QUICK_I1: initiate
004 &quot;road&quot; #302: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
<P>Look for<VAR> IPsec SA established</VAR>. If you're unsuccessful, see
 our<A HREF="trouble.html#trouble"> troubleshooting tips</A>.</P>
<H3><A NAME="16_3_4">Do not MASQ or NAT packets to be tunneled</A></H3>
<P>If you are using<A HREF="glossary.html#masq"> IP masquerade</A> or<A HREF="glossary.html#NAT.gloss">
 Network Address Translation (NAT)</A> on either gateway, you must now
 exempt the packets you wish to tunnel from this treatment. For example,
 if you have a rule like:</P>
<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
</PRE>
<P>change it to something like:</P>
<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
<H3><A NAME="16_3_5">Test your connection</A></H3>
<P>From your laptop, ping a subnet node behind the remote gateway. Do
 not choose the gateway itself for this test.</P>
<PRE>    ping ns.winston.example.com</PRE>
<P>Snoop the packets exiting the laptop, with a command like:</P>
<PRE>    tcpdump -i wlan0</PRE>
<P>You have success if you see (Encapsulating Security Payload) packets
 travelling<B> in both directions</B>:</P>
<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
<P>If you do, great! Traffic between your Road Warrior and the net
 behind your gateway is protected. If not, see our<A HREF="trouble.html#trouble">
 troubleshooting hints</A>.</P>
<P>Your new tunnel protects only traffic addressed to the net, not to
 the IPsec gateway itself. If you need the latter, you'll want to make
 an<A HREF="adv_config.html#adv_config"> extra tunnel.</A>.</P>
<H3><A NAME="16_3_6">Finishing touches</A></H3>
<P>On both ends, name your connection wisely, like:</P>
<PRE>conn mike-to-office</PRE>
<P><B>On the laptop only,</B> replace</P>
<PRE>    auto=add</PRE>
<P>with:</P>
<PRE>    auto=start</PRE>
<P>so that you'll be connected on-boot.</P>
<P>Happy telecommuting!</P>
<H3><A NAME="16_3_7">Multiple Road Warriors</A></H3>
<P>If you're using RSA keys, as we did in this example, you can add as
 many Road Warriors as you like. The left/rightid parameter lets Linux
 FreeS/WAN distinguish between multiple Road Warrior peers, each with
 its own public key.</P>
<P>The situation is different for shared secrets (PSK). During a PSK
 negotiation, ID information is not available at the time Pluto is
 trying to determine which secret to use, so, effectively, you can only
 define one Roadwarrior connection. All your PSK road warriors must
 therefore share one secret.</P>
<H2><A NAME="16_4">What next?</A></H2>
<P>Using the principles illustrated here, you can try variations such
 as:</P>
<UL>
<LI>a telecommuter with a static IP</LI>
<LI>a road warrior with a subnet behind it</LI>
</UL>
<P>Or, look at some of our<A HREF="adv_config.html#adv_config"> more
 complex configuration examples.</A>.</P>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="install.html">Previous</A>
<A HREF="background.html">Next</A>
</BODY>
</HTML>