On 20 Jun 2002, Mike Hicks wrote:
> I've been playing around with FreeS/WAN on a few of the Linux boxes I
> own or admin.  I was amazed when I actually got a connection or two to
> work.  I'm still having some problems, though, and I figured someone
> else has attacked the problem before.
>
> First off is the big problem of NAT boxes.  We have a wireless
> network, and a box firewalling it.  Does anyone have a good idea of
> what has to be done to get IPSec going through it (from a NATed client
> to a host elsewhere with a real IP)?  Is it just a few iptables rules,
> or more complicated than that?

Depends what you want. Do you want the NAT'd machine to be able to make
the IPSec connection out? If so, you'll need NAT Traversal patches on the
other end -- available through the X.509 patch version 0.9.12, or via a
separate patch. If you want to make the connection from the firewall, then
it's easy -- nothing special required.

> Working along a different tack, I just installed FreeS/WAN on the
> firewall itself.  It has a signed certificate from Thawte for the web
> sign-on page it uses, and I was wondering if it's possible to use that
> same cert for IPsec.  If it's possible, do I have to extract
> information from the certificate somehow, or can I just point to it in
> a configuration file somewhere?

Yeah, it's possible. But, it means each endpoint you connect to will need
to have a cert from that CA (for the simplest configuration). I really
recommend setting up your own CA for your VPN, check out:

http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509

It's really easy to set up a CA.

> Lastly, I thought I'd give a quick micro-howto on getting FreeS/WAN
> installed (though not configured) on Debian.  Here are the basic steps
> I've used:
*snip*
> dpkg -i kernel-image-2.4.18-fs1_20020620_i386.deb
>
> Make sure that LILO (or whatever bootloader you use) is happy, and
> reboot

FYI - this means you have both the ALG patches, and the X.509 patch
(version 0.9.10, IIRC, not new enough for the subnet stuff) installed.
I've built Debian packages for FreeS/WAN 1.97 with X.509 0.9.12 in it; if
you'd like them, let me know. (My packages are based off the main Debian
sources, just with more updated packages).

-- 
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                | Fax   : (952)943-8500
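Setting up a private CA for the VPN, as the reply recommends, is short with the OpenSSL command line. The script below is an added example for this thread, not code from the message or from the page linked above; the organisation name, host names, directory and validity periods are made-up assumptions. It builds a CA, signs one certificate per IPsec endpoint, and then checks the point the reply makes about reusing a commercial certificate: a certificate from an unrelated CA (here a self-signed stand-in for one) does not verify against the VPN CA, so every peer needs a certificate from a CA the other side trusts. cert_subject prints the subject DN, which is the piece of information you would pull out of a certificate when a peer has to be identified by name; how a patched FreeS/WAN consumes that DN is not covered here.

```shell
#!/bin/sh
# Added example (not from the original thread): private CA for an IPsec VPN.
# Names and paths are assumptions; adjust to taste.
set -eu

# build_vpn_ca DIR
# Creates ca.key/ca.crt under DIR, signs firewall.crt and roadwarrior.crt,
# and verifies the chain. Runs in a subshell so the caller's cwd is untouched.
# Exit status 0 means every check came out as expected.
build_vpn_ca() (
    dir="$1"
    mkdir -p "$dir"
    cd "$dir"

    # 1. Self-signed CA (in practice keep ca.key offline, not on the firewall).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.crt \
        -subj "/C=US/O=Example VPN/CN=Example VPN CA" >/dev/null 2>&1

    # 2. One key pair and CSR per IPsec endpoint, signed by the VPN CA.
    for host in firewall roadwarrior; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -keyout "$host.key" -out "$host.csr" \
            -subj "/C=US/O=Example VPN/CN=$host.example.test" >/dev/null 2>&1
        openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 730 -sha256 -out "$host.crt" >/dev/null 2>&1
    done

    # 3. A certificate from an unrelated issuer: stands in for the commercial
    #    (e.g. web-server) certificate the question asks about.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout other.key -out other.crt \
        -subj "/C=US/O=Unrelated CA/CN=other.example.test" >/dev/null 2>&1

    # Both endpoint certs must chain to the VPN CA. Grep for ": OK" rather
    # than relying on the exit code, which older openssl versions do not set.
    for host in firewall roadwarrior; do
        openssl verify -CAfile ca.crt "$host.crt" 2>&1 | grep -q ': OK' || exit 1
    done

    # The unrelated cert must NOT verify against the VPN CA: a peer presenting
    # it would be rejected unless its issuer were also trusted.
    if openssl verify -CAfile ca.crt other.crt 2>&1 | grep -q ': OK'; then
        exit 1
    fi
    exit 0
)

# cert_subject FILE
# Prints the subject DN of a PEM certificate, the value you would copy when a
# peer is to be identified by its certificate name.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}
```

Usage: `build_vpn_ca /tmp/vpn-ca && cert_subject /tmp/vpn-ca/firewall.crt`. Copy ca.crt plus each endpoint's own key and certificate to that endpoint only; the CA key never leaves the machine it was generated on.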