VPN:IPsec:Openswan to Netgear DG834 @Mar 7, 2009 11:15:11 PM

I heartily recommend this book http://www.packtpub.com/openswan/book.


The background.

  • I'm at West and the West router is running GNU/Linux with two ethernet ports.
  • The other end is at East and the East router is a Netgear DG834G ADSL modem/router.
10.1.0.0/24 (West subnet)
|
10.1.0.1 (internal side of West router - eth1)
82.70.x.x (external side of West router - eth0)
|
|
Internet
|
|
82.69.x.x (external side of East ADSL Modem/router)
10.2.0.1 (internal side of East router)
|
10.2.0.0/24 (East subnet)


The requirement is to run a secure encrypted IPsec VPN connecting the two subnets behind ADSL routers.

West is running Fedora Core 3 kernel 2.6.12-1.1381_FC3, slightly old but I haven't the time just now to upgrade it. It's running a number of Internet services for me: Apache web server, Darwin streaming server, Openfire Jabber server, Asterisk VoIP server, etc.; and it is the NAT firewall between me and the Internet.

East is a Netgear DG834G firmware V3.01.38.

First off I installed the Openswan daemon and tools from the openswan-2.4.4-0.FC3.1 RPM, and made sure the pluto daemon was running.

Added this file as /etc/ipsec.d/west-east.conf (the parameter lines under conn must be indented, or pluto will not parse the section):

{{{
conn west-east
        left=82.70.x.x
        leftsubnet=10.1.0.0/24
        leftsourceip=10.1.0.1
        leftid=west@mdsh.com
        right=82.69.x.x
        rightsubnet=10.2.0.0/24
        rightid=east@mdsh.com
        type=tunnel
        authby=secret
        keyexchange=ike
        auto=start
        pfs=yes
        ike=3des-sha1-modp1024
        esp=3des-sha1
}}}

The explicit ike= and esp= lines pin 3DES, SHA-1 and the 1024-bit MODP group so that both ends propose the same thing; these are weak by current standards, so if the Netgear firmware offers AES and a larger Diffie-Hellman group, use those instead. Check that /etc/ipsec.conf has an include line covering /etc/ipsec.d/*.conf, otherwise pluto never sees this conn.

Added this file as /etc/ipsec.d/west-east.secret (owned by root, mode 0600; the PSK shown is only a placeholder and must be replaced by a long random one). The index list and the secret belong on a single line:

{{{
west@mdsh.com east@mdsh.com 82.70.x.x 82.69.x.x: PSK "insecure-change-me"
}}}

Check that /etc/ipsec.secrets actually pulls this file in: if it only has the usual "include /etc/ipsec.d/*.secrets" line, a name ending in .secret will not match the glob, so either rename the file to match or add an explicit include line for it.


reloaded all of pluto's secrets:

{{{
# ipsec auto --rereadsecrets
}}}

load (or reload) the connection:

{{{
# ipsec auto --add west-east
OR
# ipsec auto --replace west-east
}}}

and bring the VPN up (the name must match the conn line exactly, so it is west-east here, not east-west):

{{{
# ipsec auto --up west-east
}}}

"ipsec auto --status" shows whether the ISAKMP and IPsec SAs were established, and "ipsec verify" is a quick check of the kernel and pluto prerequisites.
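The secrets file above uses a placeholder PSK. As an added example (not code from the original page or from Openswan), here is a small shell script that generates a strong pre-shared key, writes the one-line secrets entry the way the tutorial does with a root-only 0600 mode, and checks that the master ipsec.secrets really includes the file. The directory, the IDs and the file name west-east.secrets are parameters and assumptions so it can be exercised in a scratch directory before touching /etc/ipsec.d.

```shell
#!/bin/sh
# Added example, not from the original page: generate a strong pre-shared key
# and write the Openswan secrets entry from the tutorial with the checks a
# practitioner wants (root-only 0600 file, and an include line in the master
# ipsec.secrets whose glob really matches the file). Directory and IDs are
# parameters so it can be exercised in a scratch directory; the file name
# west-east.secrets is an assumption chosen to match the usual
# "include /etc/ipsec.d/*.secrets" line.

# 32 random bytes rendered as 64 hex characters (POSIX od, no openssl needed).
make_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_secrets DIR LEFTID RIGHTID LEFTIP RIGHTIP PSK
# Writes DIR/west-east.secrets as one "index list: PSK" line and prints the path.
write_secrets() {
    dir=$1 leftid=$2 rightid=$3 leftip=$4 rightip=$5 psk=$6
    f="$dir/west-east.secrets"
    old_umask=$(umask)
    umask 077                      # created 0600 from the first byte, never world-readable
    printf '%s %s %s %s: PSK "%s"\n' "$leftid" "$rightid" "$leftip" "$rightip" "$psk" > "$f"
    umask "$old_umask"
    printf '%s\n' "$f"
}

# secrets_mode FILE: the permission string as ls shows it, e.g. -rw-------
secrets_mode() {
    ls -l "$1" | cut -c1-10
}

# included_by MASTER FILE: succeed only if some "include <glob>" line in MASTER
# expands to FILE, which is how pluto decides whether to read it at all.
included_by() {
    master=$1 file=$2
    for m in $(sed -n 's/^include[[:space:]]*//p' "$master"); do
        [ "$m" = "$file" ] && return 0
    done
    return 1
}

# Demo in a scratch directory: sh this-script.sh demo
case ${1:-} in
demo)
    d=$(mktemp -d)
    printf 'include %s/*.secrets\n' "$d" > "$d/ipsec.secrets"
    f=$(write_secrets "$d" west@mdsh.com east@mdsh.com 82.70.x.x 82.69.x.x "$(make_psk)")
    cat "$f"
    echo "mode: $(secrets_mode "$f")"
    included_by "$d/ipsec.secrets" "$f" && echo "included by $d/ipsec.secrets"
    rm -rf "$d"
    ;;
esac
```

Run it with the demo argument to see the generated line and its mode; on the real router, call write_secrets with /etc/ipsec.d and then "ipsec auto --rereadsecrets" as above. included_by expands the include glob the same way the shell does, so it catches the .secret versus .secrets mismatch described above.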


Look in /var/log/secure and /var/log/messages to see how things break. I imagine at this point nothing will work because the iptables firewall will eat all the packets, so let's fix that.

The GNU/Linux firewall has to let IKE (UDP port 500, plus UDP 4500 for NAT traversal) and the encrypted ESP packets (IP protocol 50) in and out, accept the decrypted packets that arrive from the other end's subnet, and, above all, never NAT either the ESP packets or the cleartext traffic between the two subnets. This setup uses the kernel's native IPsec stack (NETKEY): the decrypted packets reappear on eth0 rather than on a KLIPS ipsec0 interface, which is why the rules below mark the ESP packets in PREROUTING and accept the marked packets again after decryption. On the way out, a packet from 10.1.0.0/24 to 10.2.0.0/24 passes the nat POSTROUTING chain in cleartext before it is encapsulated; a MASQUERADE catch-all would rewrite its source to 82.70.x.x and it would then no longer match the tunnel policy, so the exclusion must come before that catch-all. On later iptables the policy match (-m policy --dir in --pol ipsec) expresses the "was decrypted" condition directly instead of relying on the mark surviving decapsulation.

Essentially, these are the rules I added ($IPT is the iptables binary, $EXT0_IF and $EXT0_IP the external interface and its address):

{{{
#
# MARK IPsec packets while they are still encrypted
# so we can accept the marked packets later after decryption
#
$IPT --table mangle --append PREROUTING --in-interface $EXT0_IF --protocol ESP --jump MARK --set-mark 50
#
# ACCEPT for INPUT ALL IPsec related packets
# protocol ESP, protocol AH & UDP port 500 (IKE) + 4500 (NAT-T)
#
$IPT --table filter --append INPUT --protocol ESP --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol AH --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol UDP --destination $EXT0_IP --source-port 500 --destination-port 500 --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol UDP --destination $EXT0_IP --source-port 4500 --destination-port 4500 --in-interface $EXT0_IF --jump ACCEPT
#
# ACCEPT for INPUT ALL packets we marked in prerouting->mangle
# that were IPsec and are now decrypted
# AND are from remote LAN and to our LAN
#
$IPT --table filter --append INPUT --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
#
# ACCEPT for OUTPUT ALL IPsec related packets
# protocol ESP, protocol AH & UDP port 500 + 4500
#
$IPT --table filter --append OUTPUT --protocol ESP --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol AH --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol UDP --source $EXT0_IP --source-port 500 --destination-port 500 --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol UDP --source $EXT0_IP --source-port 4500 --destination-port 4500 --out-interface $EXT0_IF --jump ACCEPT
#
# ACCEPT for OUTPUT ALL packets from our LAN and to remote IPsec LANs
#
$IPT --table filter --append OUTPUT --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
#
# ACCEPT for FORWARD ALL packets we marked in prerouting->mangle
# that were IPsec and are now decrypted
# AND are from remote IPsec LAN and to our LAN
#
$IPT --table filter --append FORWARD --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
#
# ACCEPT for FORWARD ALL packets from our LAN to remote IPsec LAN
#
$IPT --table filter --append FORWARD --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
#
# DO NOT SNAT onto VPN (put these before your postrouting SNAT catch-all).
# The cleartext LAN-to-LAN packets traverse POSTROUTING before they are
# encapsulated, so they must be excluded from MASQUERADE/SNAT as well as ESP.
#
$IPT --table nat --append POSTROUTING --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
$IPT --table nat --append POSTROUTING --protocol ESP --jump ACCEPT
}}}
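The ordering of the nat POSTROUTING rules is the part that silently breaks: a MASQUERADE catch-all that precedes the VPN exclusion produces no error, the traffic just never gets encrypted. As an added example (not from the original page), this shell function reads an iptables-save style dump and confirms that an ACCEPT for the local-to-remote subnets appears in nat POSTROUTING before the first MASQUERADE or SNAT rule. The two dumps are constructed for illustration; on the real West router feed it the output of "iptables-save -t nat".

```shell
#!/bin/sh
# Added example, not from the original page: check an iptables-save dump to
# confirm that the nat POSTROUTING chain excludes the LAN-to-LAN VPN traffic
# from NAT before any MASQUERADE/SNAT catch-all. The dumps below are
# constructed for illustration; on the real West router feed it
# "$(iptables-save -t nat)".

# check_nat_order DUMP LAN REMOTE
# Succeeds when an ACCEPT rule for LAN -> REMOTE appears in nat POSTROUTING
# before the first MASQUERADE or SNAT rule; fails otherwise (missing or too late).
check_nat_order() {
    printf '%s\n' "$1" | awk -v lan="$2" -v remote="$3" '
        /^\*/                               { table = substr($0, 2); next }
        /^COMMIT/                           { table = ""; next }
        table != "nat"                      { next }
        $1 != "-A" || $2 != "POSTROUTING"   { next }
        {
            # iptables-save writes CIDR sources as "-s 10.1.0.0/24"
            excl = (index($0, "-s " lan) && index($0, "-d " remote) && $0 ~ /-j ACCEPT/)
            nat  = ($0 ~ /-j (MASQUERADE|SNAT)/)
            if (excl && !seen_nat) ok = 1
            if (nat) seen_nat = 1
        }
        END { if (ok) exit 0; exit 1 }
    '
}

# Constructed dump in the order the tutorial prescribes (exclusions first).
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/24 -d 10.2.0.0/24 -j ACCEPT
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed dump with the catch-all first: VPN traffic would be masqueraded
# to the external address before encapsulation and never match the tunnel policy.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/24 -d 10.2.0.0/24 -j ACCEPT
-A POSTROUTING -p esp -j ACCEPT
COMMIT'

# Self-check when run directly; prints one line per dump.
for name in GOOD_DUMP BAD_DUMP; do
    eval "dump=\$$name"
    if check_nat_order "$dump" 10.1.0.0/24 10.2.0.0/24; then
        echo "$name: VPN exclusion precedes the NAT catch-all"
    else
        echo "$name: VPN traffic would be NATed, fix rule order"
    fi
done
```

The check is deliberately literal about the subnet strings because that is how iptables-save prints them; it only looks at the nat table and the POSTROUTING chain, so rules in filter or mangle cannot produce a false pass.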







All contents copyright mdsh.com (C) 2011-2023.