So far it has only one entry.
From: Poltorak Serguei <poltorak@dataforce.net> Subject: [Users] Using FreeS/WAN Date: Tue, 16 Oct 2001 Hello. I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about it and I think it would be interesting for someone to see the result of my experiments and usage of FreeS/WAN. If you find a mistake in this file, please e-mail me. And excuse me for my english... I'm learning.. :) I'll talk about vary simple configuration: addresses prefix = 192.168 lan1 sgw1 .0.0/24 (Internet) sgw2 lan2 .1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24 We need to let lan1 see lan2 across Internet like it is behind sgw1. The same for lan2. And we need to do IPX bridge for Novel Clients and NDS synchronization. my config: ------------------- ipsec.conf ------------------- conn lan1-lan2 type=tunnel compress=yes #------------------- left=192.168.0.1 leftsubnet=192.168.1.0/24 #------------------- right=192.168.0.10 rightsubnet=192.168.2.0/24 #------------------- auth=esp authby=secret --------------- end of ipsec.conf ---------------- ping .2.x from .1.y (y != 1) It works?? Fine. Let's continue... Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose the first IP (which is used to go to Internet) .0.1 and the packet won't go through IPsec tunnel :( But if do ping on .1.1 kernel will respond from that address (.1.1) and the packet will be tunneled. The same problem occurred then .2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1 sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach, but from his "natural" IP or .0.1 . So the error message won't be delivered! It's a big problem... Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the problem (if ipsec0 has .1.1 kernel will send packets correctly), but there are powerful and elegant iproute2 :) We simply need to change source address of packet that goes to other secure lan. This is done with ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1 Cool!! Now it works!! The second step. We want install firewall on sgw1 and sgw2. Encryption of traffic without security isn't a good idea. I don't use {left|right}firewall, because I'm running firewall from init scripts. We want IPsec data between lan1-lan2, some ICMP errors (destination unreachable, TTL exceeded, parameter problem and source quench), replying on pings from both lans and Internet, ipxtunnel data for IPX and of course SSH between sgw1 and sgw2 and from/to one specified host. I'm using ipchains. With iptables there are some changes. ---------------- rc.firewall --------------------- #!/bin/sh # # Firewall for IPsec lan1-lan2 # IPC=/sbin/ipchains ANY=0.0.0.0/0 # left SGW1_EXT=192.168.0.1 SGW1_INT=192.168.1.1 LAN1=192.168.1.0/24 # right SGW2_EXT=192.168.0.10 SGW2_INT=192.168.2.10 LAN2=192.168.2.0/24 # SSH from and to this host SSH_PEER_HOST=_SOME_HOST_ # this is for left. exchange these values for right. MY_EXT=$SGW1_EXT MY_INT=$SGW1_INT PEER_EXT=$SGW2_EXT PEER_INT=$SGW2_INT INT_IF=eth1 EXT_IF=eth0 IPSEC_IF=ipsec0 MY_LAN=$LAN1 PEER_LAN=$LAN2 $IPC -F $IPC -P input DENY $IPC -P forward DENY $IPC -P output DENY # Loopback traffic $IPC -A input -i lo -j ACCEPT $IPC -A output -i lo -j ACCEPT # for IPsec SGW1-SGW2 ## IKE $IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT $IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT ## ESP $IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT ### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT ## forward LAN1-LAN2 $IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT $IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT $IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT $IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT $IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT $IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT # ICMP # ## Dest unreachable ### from/to Internet $IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT ### from/to Lan $IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT ### from/to Peer Lan $IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT $IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT # ## Source quench ### from/to Internet $IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT ### from/to Lan $IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT ### from/to Peer Lan $IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT $IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT # ## Parameter problem ### from/to Internet $IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT ### from/to Lan $IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT ### from/to Peer Lan $IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT $IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT # ## Time To Live exceeded ### from/to Internet $IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT ### to Lan $IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT $IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT ### to Peer Lan $IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT $IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT # ICMP PINGs ## from Internet $IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT $IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT ## from LAN $IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT $IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT ## from Peer LAN $IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT $IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT # SSH ## from SSH_PEER_HOST $IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT $IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT ## to SSH_PEER_HOST $IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT ## from PEER $IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT $IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT ## to PEER $IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT $IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT # ipxtunnel $IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT $IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT ---------------- end of rc.firewall ---------------------- To understand this we need to look on this scheme: ++-----------------------<----------------------------+ || ipsec0 | \/ | eth0 +--------+ /---------/ yes /---------/ yes +-----------------------+ ------>| INPUT |-->/ ?local? /----->/ ?IPsec? /----->| decrypt decapsulate | eth1 +--------+ /---------/ /---------/ +-----------------------+ || no || no \/ \/ +----------+ +---------+ +-------+ | routing | | local | | local | | decision | | deliver | | send | +----------+ +---------+ +-------+ || || \/ \/ +---------+ +----------+ | forward | | routing | +---------+ | decision | || +----------+ || || ++----------------<-----------------++ || \/ +--------+ eth0 | OUTPUT | eth1 +--------+ ipsec0 || \/ /---------/ yes +-----------------------+ / ?IPsec? /----->| encrypt encapsulate | /---------/ +-----------------------+ || no || || || || \/ eth0, eth1 ++-----------------------++--------------> This explain how a packet traverse TCP/IP stack in IPsec capable kernel. FIX ME, please, if there are any errors Test the new firewall now. Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel tipxd didn't send packets.. :( SIB and ipxtunnel worked fine :) With ipxtunnel there was a little problem. In sources there are an error. --------------------- in main.c ------------------------ < bytes += p.len; --- > bytes += len; -------------------------------------------------------- After this FIX everything goes right... ------------------- /etc/ipxtunnel.conf ---------------- port 2005 remote 192.168.101.97 2005 interface eth1 --------------- end of /etc/ipxtunnel.conf ------------- I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor authenticate encapsulated IPX packets, it is done with IPsec. If you don't wont to use iproute2 to change source IP you need to use SIB (it is able to bind local address) or establish tunnel between .0.1 and .0.10 (external IPs, you need to do encryption in the program, but it isn't strong). For now I'm using ipxtunnel. I think that's all for the moment. If there are any error, please e-mail me: poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in kernel and firewall example on FreeS/WAN's manual pages. PoltoS