I heartily recommend this book
http://www.packtpub.com/openswan/book.
The background.
- I'm at West and the West router is running GNU/Linux with two ethernet ports.
- The other end is at East and the East router is a Netgear DG834G ADSL modem/router.
10.1.0.0/24 (West subnet)
|
10.1.0.1 (internal side of West router - eth1)
82.70.x.x (external side of West router - eth0)
|
|
Internet
|
|
82.69.x.x (external side of East ADSL Modem/router)
10.2.0.1 (internal side of East router)
|
10.2.0.0/24 (East subnet)
The requirement is to run a secure encrypted IPsec VPN connecting the two subnets behind ADSL routers.
West is running Fedora Core 3 kernel 2.6.12-1.1381_FC3, slightly old but I haven't the time just now to upgrade it. It's running a number of Internet services for me: Apache web server, Darwin streaming server, Openfire Jabber server, Asterisk VoIP server, etc; and it is the NAT firewall between me the Internet.
East is a Netgear DG834G firmware V3.01.38.
First off I installed Openswan daemon and tools from the openswan-2.4.4-0.FC3.1 RPM, and made sure the pluto daemon was running.
Added this file as
/etc/ipsec.d/west-east.conf:
conn west-east
left=82.70.x.x
leftsubnet=10.1.0.0/24
leftsourceip=10.1.0.1
leftid=west@mdsh.com
right=82.69.x.x
rightsubnet=10.2.0.0/24
rightid=east@mdsh.com
type=tunnel
authby=secret
keyexchange=ike
auto=start
pfs=yes
ike=3des-sha1-modp1024
esp=3des-sha1
Added this file as
/etc/ipsec.d/west-east.secret:
west@mdsh.com east@mdsh.com
82.70.x.x 82.69.x.x: PSK "insecure-change-me"
reloaded all of pluto's secrets:
# ipsec auto --rereadsecrets
load (or reload) the connection:
# ipsec auto --add west-east
OR
# ipsec auto --replace west-east
and bring the VPN up:
# ipsec auto --up east-west
Look in
/var/log/secure and
/var/log/messages to see how things break.
I added a route to the Openswan server
# ip route add 10.2.0.0/24 via 82.70.x.x
I imagine at this point nothing will work because the iptables firewall will eat all the packets, so lets fix that.
We need to let in and out of the GNU/Linux firewall IKE (UDP port 500 - Internet Key Exchange), the encrypted ESP packets (protocol 50), make sure we can accept the IP addresses from the other end of the VPN, and make very sure we don't NAT packets between the two ends OR the ESP packets.
Essentially, these are the rules I added:
#
# MARK IPSEC packets when they are still encoded
# so we can accept the marked packets later after decoding
#
$IPT --table mangle --append PREROUTING --in-interface $EXT0_IF --protocol ESP --jump MARK --set-mark 50
#
# ACCEPT for INPUT ALL IPsec related packets
# protocol ESP, protocol AH & UDP port 500 + 4500
#
$IPT --table filter --append INPUT --protocol ESP --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol AH --destination $EXT0_IP --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol UDP --destination $EXT0_IP --source-port 500 --destination-port 500 --in-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append INPUT --protocol UDP --destination $EXT0_IP --source-port 4500 --destination-port 4500 --in-interface $EXT0_IF --jump ACCEPT
#
# ACCEPT for INPUT ALL packets we marked in prerouting->mangle
# that were IPSEC and are now decripted
# AND are from remote LAN and to our LAN
#
$IPT --table filter --append INPUT --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
#
# ACCEPT for OUTPUT ALL IPsec related packets
# protocol ESP, protocol AH & UDP port 500 + 4500
#
$IPT --table filter --append OUTPUT --protocol ESP --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol AH --source $EXT0_IP --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol UDP --source $EXT0_IP --source-port 500 --destination-port 500 --out-interface $EXT0_IF --jump ACCEPT
$IPT --table filter --append OUTPUT --protocol UDP --source $EXT0_IP --source-port 4500 --destination-port 4500 --out-interface $EXT0_IF --jump ACCEPT
#
# ACCEPT for OUTPUT ALL packets from our LAN and to remote IPSEC LANs
#
$IPT --table filter --append OUTPUT --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
#
# ACCEPT for FORWARD ALL packets we marked in prerouting->mangle
# that were IPSEC and are now decripted
# AND are from remote IPSEC LAN and to our LAN
#
$IPT --table filter --append FORWARD --in-interface $EXT0_IF --match mark --mark 50 --source 10.2.0.0/24 --destination 10.1.0.0/24 --jump ACCEPT
#
# ACCEPT for FORWARD ALL packets from our LAN to remote IPSEC LAN
#
$IPT --table filter --append FORWARD --source 10.1.0.0/24 --destination 10.2.0.0/24 --jump ACCEPT
#
# DO NOT SNAT onto VPN (put this before your postrouting SNAT catch-all)
#
$IPT --table nat --append POSTROUTING --proto 50 --jump ACCEPT