I heartily recommend this book: http://www.packtpub.com/openswan/book.
The background.
- I'm at West and the West router is running GNU/Linux with two ethernet ports.
- The other end is at East and the East router is a Netgear DG834G ADSL modem/router.
    10.1.0.0/24 (West subnet)
         |
    10.1.0.1  eth1 (internal side of West router)
    82.70.x.x eth0 (external side of West router)
         |
         |
      Internet
         |
         |
    82.69.x.x (external side of East ADSL modem/router)
    10.2.0.1  (internal side of East router)
         |
    10.2.0.0/24 (East subnet)
The requirement is to run a secure encrypted IPsec VPN connecting the two subnets behind the ADSL routers.
West is running Fedora Core 3, kernel 2.6.12-1.1381_FC3 (slightly old, but I haven't the time just now to upgrade it). It runs a number of Internet services for me (Apache web server, Darwin Streaming Server, Openfire Jabber server, Asterisk VoIP server, etc.) and it is the NAT firewall between me and the Internet.
East is a Netgear DG834G firmware V3.01.38.
First off I installed the Openswan daemon and tools from the openswan-2.4.4-0.FC3.1 RPM and made sure the pluto daemon was running.

Then I added this file as /etc/ipsec.d/west-east.conf (check that /etc/ipsec.conf has an include line that covers /etc/ipsec.d/*.conf, otherwise pluto never sees it):
    conn west-east
            left=82.70.x.x
            leftsubnet=10.1.0.0/24
            leftsourceip=10.1.0.1
            leftid=west@mdsh.com
            right=82.69.x.x
            rightsubnet=10.2.0.0/24
            rightid=east@mdsh.com
            type=tunnel
            authby=secret
            keyexchange=ike
            auto=start
            pfs=yes
            ike=3des-sha1-modp1024
            esp=3des-sha1

The parameter lines must be indented under the conn line or pluto rejects the file. Pinning ike= and esp= explicitly is the right thing to do with an interop peer, but be aware that 3DES, SHA-1 and a 1024-bit DH group are weak by today's standards: prefer AES and modp2048 or stronger wherever the other end can do them, and check what was actually negotiated with ipsec auto --status once the tunnel is up.
Added this file as /etc/ipsec.d/west-east.secret (check that the include line in /etc/ipsec.secrets matches the extension you use, the stock file includes /etc/ipsec.d/*.secrets) and made it readable by root only (chmod 600):

    west@mdsh.com east@mdsh.com 82.70.x.x 82.69.x.x : PSK "insecure-change-me"

The PSK is the only thing authenticating the peers, so use a long random one (openssl rand -base64 32 will do) and enter the same value on the Netgear.
Reload all of pluto's secrets:

    # ipsec auto --rereadsecrets

Load (or reload) the connection:

    # ipsec auto --add west-east
  or
    # ipsec auto --replace west-east

and bring the VPN up (the name must match the conn, so west-east, not east-west):

    # ipsec auto --up west-east

Look in /var/log/secure and /var/log/messages to see how things break. ipsec auto --status tells you whether the ISAKMP SA and the IPsec SA were established, and if you are on the kernel's NETKEY stack rather than KLIPS, ip xfrm state lists the installed SAs. tcpdump -ni eth0 esp is the quickest way to confirm that LAN-to-LAN traffic really leaves encrypted.
I added a route on the Openswan server:

    # ip route add 10.2.0.0/24 via 82.70.x.x

Check with ip route get 10.2.0.1 that the remote subnet is now routed out of the external interface, and (NETKEY) with ip xfrm policy that an out policy for 10.1.0.0/24 to 10.2.0.0/24 exists; the policy is what diverts the packet into the tunnel, the route only has to get it to the right interface.
I imagine at this point nothing will work because the iptables firewall will eat all the packets, so let's fix that.

We need to let IKE (UDP port 500, plus UDP 4500 for NAT traversal) and the encrypted ESP packets (IP protocol 50) in and out of the GNU/Linux firewall, accept packets from the other end's subnet once they have been decrypted, and make very sure we don't NAT either the packets between the two subnets or the ESP packets themselves. The mangle rule below marks ESP on the way in; with NETKEY the decrypted inner packet re-enters the chains on the same interface with the mark still set, which is what lets us tell a genuinely decrypted 10.2.0.0/24 packet from a cleartext one spoofed from the Internet (on newer kernels -m policy --dir in --pol ipsec does the same job more directly). Essentially, these are the rules I added:
    #
    # MARK IPsec packets while they are still encrypted
    # so we can accept the marked packets later, after decryption
    #
    $IPT --table mangle --append PREROUTING --in-interface $EXT0_IF --protocol esp --jump MARK --set-mark 50
    #
    # ACCEPT for INPUT all IPsec-related packets:
    # protocol ESP, protocol AH and UDP ports 500 + 4500
    #
    $IPT --table filter --append INPUT --protocol esp --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append INPUT --protocol ah --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append INPUT --protocol udp --destination $EXT0_IP --source-port 500 --destination-port 500 --in-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append INPUT --protocol udp --destination $EXT0_IP --source-port 4500 --destination-port 4500 --in-interface $EXT0_IF --jump ACCEPT
    #
    # ACCEPT for INPUT all packets we marked in mangle/PREROUTING
    # that were IPsec and are now decrypted
    # AND are from the remote LAN and to our LAN
    #
    $IPT --table filter --append INPUT --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
    #
    # ACCEPT for OUTPUT all IPsec-related packets:
    # protocol ESP, protocol AH and UDP ports 500 + 4500
    #
    $IPT --table filter --append OUTPUT --protocol esp --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append OUTPUT --protocol ah --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append OUTPUT --protocol udp --source $EXT0_IP --source-port 500 --destination-port 500 --out-interface $EXT0_IF --jump ACCEPT
    $IPT --table filter --append OUTPUT --protocol udp --source $EXT0_IP --source-port 4500 --destination-port 4500 --out-interface $EXT0_IF --jump ACCEPT
    #
    # ACCEPT for OUTPUT all packets from our LAN to the remote IPsec LAN
    #
    $IPT --table filter --append OUTPUT --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
    #
    # ACCEPT for FORWARD all packets we marked in mangle/PREROUTING
    # that were IPsec and are now decrypted
    # AND are from the remote IPsec LAN and to our LAN
    #
    $IPT --table filter --append FORWARD --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
    #
    # ACCEPT for FORWARD all packets from our LAN to the remote IPsec LAN
    #
    $IPT --table filter --append FORWARD --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
    #
    # DO NOT SNAT onto the VPN (put these before your POSTROUTING SNAT catch-all):
    # neither the cleartext LAN-to-LAN packets, which must still match the
    # IPsec policy after POSTROUTING or they leave in the clear, nor the
    # ESP packets themselves
    #
    $IPT --table nat --append POSTROUTING --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
    $IPT --table nat --append POSTROUTING --protocol esp --jump ACCEPT

Note that the IKE rules insist on source port 500/4500; that holds for two public endpoints like these, but a peer behind a NAT device will usually arrive with a rewritten source port, in which case drop the --source-port match.
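As an added example (not the page's own script), here is the same rule set as a self-contained script for the West router, written the way I would deploy it today, together with a check for the ordering mistake that bites most people: the LAN-to-LAN exclusion landing after the masquerade catch-all. It keeps the page's variable names (IPT, EXT0_IF, EXT0_IP), its 10.1.0.0/24 and 10.2.0.0/24 subnets and its mark-50 trick, and uses the page's 82.70.x.x / 82.69.x.x placeholders, which must be replaced with real addresses. It differs from the rules above in three ways: IKE, NAT-T and ESP are accepted only from the peer address, no fixed source port is required for IKE, and AH is omitted because the conn negotiates ESP only. The function names vpn_rules and check_nat_order are mine.

```shell
#!/bin/sh
# Added example for the Openswan-to-DG834G page; not the page's own script.
# Usage (as root):  sh vpn-fw.sh apply     # load the rules
#                   sh vpn-fw.sh check     # verify nat ordering on the live table
# With IPT=echo the rules are printed instead of applied (dry run).

IPT=${IPT:-iptables}
EXT0_IF=${EXT0_IF:-eth0}
EXT0_IP=${EXT0_IP:-82.70.x.x}   # West external address: placeholder from the page, fill in
PEER_IP=${PEER_IP:-82.69.x.x}   # East external address: placeholder from the page, fill in
LOCAL_NET=10.1.0.0/24
REMOTE_NET=10.2.0.0/24
MARK=50

# vpn_rules: append the IPsec rules in the order they must appear.
vpn_rules() {
    # Mark still-encrypted ESP from the peer; with NETKEY the decrypted packet
    # re-enters PREROUTING on the same interface carrying this mark.
    $IPT -t mangle -A PREROUTING -i "$EXT0_IF" -s "$PEER_IP" -p esp -j MARK --set-mark "$MARK"

    # IKE (UDP 500), NAT-T (UDP 4500) and ESP, to and from the peer only.
    for p in "-p udp --dport 500" "-p udp --dport 4500" "-p esp"; do
        $IPT -t filter -A INPUT  -i "$EXT0_IF" -s "$PEER_IP" -d "$EXT0_IP" $p -j ACCEPT
        $IPT -t filter -A OUTPUT -o "$EXT0_IF" -s "$EXT0_IP" -d "$PEER_IP" $p -j ACCEPT
    done

    # Decrypted traffic from the remote LAN is accepted only if it carried the
    # mark, so a cleartext packet from the Internet spoofing 10.2.0.0/24 is dropped.
    $IPT -t filter -A INPUT   -i "$EXT0_IF" -m mark --mark "$MARK" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$EXT0_IF" -m mark --mark "$MARK" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -t filter -A OUTPUT  -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT

    # nat: both exclusions must precede the masquerade catch-all. If the
    # LAN-to-LAN packet is rewritten to $EXT0_IP it no longer matches the
    # IPsec policy and leaves the router unencrypted.
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT0_IF" -p esp -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT0_IF" -s "$LOCAL_NET" -j MASQUERADE
}

# check_nat_order: read "iptables-save -t nat" output on stdin and succeed only
# if the LAN-to-LAN ACCEPT in POSTROUTING exists and precedes every
# SNAT/MASQUERADE rule in that chain.
check_nat_order() {
    awk -v lan="$LOCAL_NET" -v rem="$REMOTE_NET" '
        /^-A POSTROUTING / {
            n++
            if (!excl && index($0, "-s " lan) && index($0, "-d " rem) && $0 ~ /-j ACCEPT/) excl = n
            if (!snat && $0 ~ /-j (MASQUERADE|SNAT)/) snat = n
        }
        END { exit !(excl && (!snat || excl < snat)) }'
}

case "${1:-}" in
    apply) vpn_rules ;;
    check) iptables-save -t nat | check_nat_order && echo "nat POSTROUTING order OK" ;;
esac
```

The check reads iptables-save output rather than the live counters so it can be run against a saved rules file before loading it; a failing check means the VPN exclusion is missing or sits below a masquerade rule, which is exactly the state in which LAN-to-LAN traffic silently bypasses the tunnel.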