Setting up a VPN Gateway

How to install and run an IPSec-based VPN gateway with a firewall using a single bootable Linux diskette distribution.
Interoperability Example

This example shows an MS Windows 9x/2000 client point-to-site using SSH Communications Security Sentinel 1.1 (Public Beta 3). FreeS/WAN is interoperable with a wide range of IPSec implementations. The ease of implementation and compatibility will vary depending on the product. Many IPSec products that support 3DES/MD5 encryption through IKE are interoperable with FreeS/WAN. However, I found that legally obtaining fully functional IPSec implementations that support strong encryption can be arduous, especially if you live outside of the United States.

Many vendors offer only limited capabilities in their freely available IPSec implementations. For example, a product may only support weak encryption (DES) or may limit VPN capabilities to transport mode only. It is important to distinguish between the two VPN modes offered through IPSec: transport mode and tunnel mode. Transport mode encrypts and authenticates traffic between two fixed end points. Tunnel mode is more useful for connecting subnets and allows tunneling through firewall and router perimeters into different subnets. Basically, transport mode restricts traffic to point-to-point communication, whereas tunnel mode also allows point-to-site (point-to-subnet) or site-to-site communication. At least one vendor does not seem to allow its implementation of IPSec to run over a connection using a static IP address.

The SSH Communications Security Sentinel product (www.ipsec.com) does not seem to suffer from any of these problems, possibly due to the fact that the company is based outside of the US. I downloaded and tested the 30-day trial beta 3 release of Sentinel 1.1 and found it to be very easy to configure on a Windows 98 desktop PC. The Sentinel documentation provides configuration examples for interconnectivity with a FreeS/WAN VPN gateway.

Here is a summary of a roadwarrior configuration that allows remote users with dynamically assigned IP addresses to connect transparently to a LAN behind a firewall. You will need to open ports 50, 51 (TCP) and port 500 (UDP) to the dynamic IP address or the ISP's DHCP address range. Figure 1 shows the basic setup. You will need to edit /etc/network.conf on the DUCLING FreeS/WAN firewall (go into lrcfg and choose menu item 1, then item 1 again) and set

eth0_IP_SPOOF=NO

to disable the blocking of tunneled packets. The bundled documentation contains the detailed instructions on how to do these tasks.

Figure 1. A Roadwarrior-to-Site Configuration

The contents of the FreeS/WAN ipsec.conf file are given in Listing 1. The corresponding ipsec.secrets file contains the entry

1.2.3.4 0.0.0.0: PSK "Put your roadwarrior secret string here"

where the phrase in quotes is the shared-secret string. The IP address 0.0.0.0 denotes any IP address, so any peer that presents the secret is accepted; remember to choose a strong shared-secret string. The rightsubnet and rightnexthop parameters are left blank, which makes the connection a point-to-subnet connection.

Listing 1. The FreeS/WAN conn Listing for the Setup Shown in Figure 1.

To set up the Sentinel IPSec service:

  1. Download SSH Sentinel from www.ipsec.com and install, following the instructions.

  2. Go into the Sentinel Policy Manager (Figure 2).

    Figure 2. Sentinel Policy Manager

  3. Choose the Key Management tab, Authentication Keys and select Add (Figure 3).

    Figure 3. Adding a New Key

  4. Select Create a new preshared key then Next (Figure 4).

    Figure 4. Configuring Preshared Key

  5. Type in your preshared key. It must be identical to the shared-secret string you have inserted in /etc/ipsec.conf (without the quotes). (See Figure 5.)

    Figure 5. Typing in Shared Secret

  6. Press Finish.

  7. On the main console of SSH Sentinel Policy Manager, in the Security Policy pane, select VPN connections → Add.

  8. Enter in the IP/hostname of the remote VPN gateway; for our example, it is 1.2.3.4, and choose the preshared secret that you created in step 5 as the Authentication key (Figure 6).

    Figure 6. Entering Key and IP Information

  9. Select 3DES encryption, Main Mode and MODP 1024 for IKE Mode and IKE Group, respectively. The Advanced pane generally can be left with the defaults.

  10. Set the IKE SA lifetime (i.e., the interval between rekeying) to the same value as in the ipsec.conf file, typically 480 minutes (eight hours).

Save all settings and try to ping an internal node behind the firewall (try the internal interface, 192.168.x.254). You should be connected. Try running Sentinel's diagnostics to make sure you are connected. I have found that Sentinel's diagnostic mode can hang the FreeS/WAN-Windows connections sometimes. If this happens, go to the FreeS/WAN gateway and do a restart of IPSec and then bring up the various connections.

Figure 7. The VPN Connection Properties Tab

Once again, if you need to restart the connection, log in to the LRP box and type

# /etc/init.d/ipsec restart

to restart the IPSec components.

I also found in Windows 2000 Professional (but not Windows 98) that I had to add the routing manually to the shared subnet 192.168.0.0/24 from the DOS console:

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

(refer to the documentation for the Microsoft route command).

Comments

setting up our vpn


OK, we are using a star network topology. We are connecting with ADSL using two 24-port hubs with a 2Wire router, which is a firewall, VPN and router. I would like to know how I need to set up a VPN server and if I can use the VPN on our router to access the network from a remote location. I would like to be able to access our network from home so I can do a lot of my work from my house. I'm not sure if this is possible or feasible. Please give me details if you can, like whether I need a static IP, dynamic IP, Cisco routers, etc.
Thanks,
Chris Delcambre

Re: Setting up a VPN Gateway

Posted by Guran

I found the article interesting but I'm a bit confused: none of the suggested LRP distributions had any drivers for 3Com 90x cards (3c90x.o). I did try to add the driver but it didn

Re: Setting up a VPN Gateway


Will this work over NAT? I have two firewalls and would like to position my Linux VPN gateway behind one of my firewalls, for example: (PIX FIREWALL) -- (LINUX VPN) -- (INTERNAL Clients). Will this work?

Re: Setting up a VPN Gateway


I almost have this working - I can make an SA to the DUCLING VPN Gateway, and can ping the eth1 (internal DUCLING LAN interface), but cannot ping any of the internal LAN IPs. The SSH Sentinel Diagnostics indicate that I can make an "IPSec protected connection to the remote host". Here's what I had to do to get this far:

-------------------------

In the network.conf file, to allow port 500 from any external IP address (roadwarrior), I added the line:

EXTERN_UDP_PORTS="0/0_500"

-------------------------

In the ipfilter.conf file, to allow ports 50 and 51 from any IP address that had made an SA, I uncommented and modified lines:

$IPCH -A input -j ACCEPT -i eth0 -p 50 -s 0/0 -d 0/0

$IPCH -A input -j ACCEPT -i eth0 -p 51 -s 0/0 -d 0/0

------------------------

Where do I go from here? There must be something I'm missing, since Duncan was able to use the exact same distro without problems?

Thanks for any help.

David W.

Re: Setting up a VPN Gateway - SOLUTION


I encountered the exact same problem, and found a quick-and-dirty solution.

SOLUTION

------------------------------------------------

Log into your LRP machine, exit lrcfg, and edit the file

/usr/local/lib/ipsec/_updown

You can use the edit command here. Scroll down a little bit and you will see the uproute and downroute functions. Remember where these are because you will need to add some stuff here.

Scroll down further and find the up-client:ipfwadm) and down-client:ipfwadm) case blocks. Copy the lines:

ipchains -I forward -j ACCEPT -b -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK

ipchains -D forward -j ACCEPT -b ...

and insert those into uproute and downroute functions respectively. They can go before the "route add" and "route del" or after, it doesn't matter.

Save the file. You will need to save it to a different filename such as updown, and then rename it _updown after you get out of the editor. You can rename the old file first to keep a backup.

Get back to lrcfg and backup the disk. Reboot, and everything should work now.

THOUGHTS

-------------------------------------------------

The cause of the problem is that IPSec can't automatically insert the necessary forwarding rules after a connection is established, even though it can add and delete the new routes without problem. That's why when you set up subnet-to-subnet VPN, you had to manually insert the forwarding rules into ipfilter.conf:

ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 192.168.1.0/24

...

Of course with a Roadwarrior, you don't know its IP beforehand so you can't add these rules. By inserting these rules into uproute and downroute, IPSec will do it for you, automatically. If you also run subnet-to-subnet VPN with the same gateway, you can now take the manual forwarding rules out.

Apparently this problem doesn't come up with a full install of FreeS/WAN and a complete distro. With LRP, the case block up-client:ipfwadm) never gets called for some reason.
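The uproute/downroute change described in the comment above, carried through as a stand-alone hook body with a dry-run mode (an added example, not FreeS/WAN's own _updown script nor the poster's edited file). It assumes FreeS/WAN's PLUTO_VERB and PLUTO_PEER variables next to the PLUTO_*_CLIENT_NET/MASK ones quoted above, and the per-peer ESP/AH input rules are this example's own addition, in the direction of the later "punch these holes" comment rather than something the page itself configures.

```shell
#!/bin/sh
# Added example: an ipchains hook body in the spirit of the uproute/downroute
# edit above, not FreeS/WAN's own _updown nor the commenter's file.
# pluto exports PLUTO_VERB (up-client, down-client, ...), PLUTO_PEER and the
# PLUTO_*_CLIENT_NET/MASK variables for the negotiated SA; the firewall
# type (ipfwadm on LRP) arrives as $1.  DRY_RUN=1 prints instead of runs.

: "${DRY_RUN:=1}"
IPCHAINS=${IPCHAINS:-ipchains}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Refuse to touch the firewall when pluto did not hand over a client net:
# an empty variable would otherwise expand into a "/" rule that matches
# far more than the one roadwarrior.
need_vars() {
    for v in PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK \
             PLUTO_PEER_CLIENT_NET PLUTO_PEER_CLIENT_MASK PLUTO_PEER; do
        eval "val=\${$v}"
        [ -n "$val" ] || { echo "updown: $v is unset" >&2; return 1; }
    done
}

# $1 is -I (insert on up) or -D (delete on down); -b installs the rule in
# both directions, exactly as the lines copied in the comment do.
forward_rule() {
    run "$IPCHAINS" "$1" forward -j ACCEPT -b \
        -s "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
        -d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
}

# Assumption beyond the page: admit ESP (50) and AH (51) only from the peer
# that just completed IKE, instead of the blanket 0/0 lines in ipfilter.conf.
# UDP 500 still has to be open beforehand, since IKE runs before this hook.
peer_rules() {
    for proto in 50 51; do
        run "$IPCHAINS" "$1" input -j ACCEPT -p "$proto" -s "$PLUTO_PEER" -d 0/0
    done
}

updown() {
    need_vars || return 1
    case "$PLUTO_VERB" in
        up-client)   forward_rule -I; peer_rules -I ;;
        down-client) forward_rule -D; peer_rules -D ;;
        *)           return 0 ;;   # up-host/down-host: nothing to do here
    esac
}

# Constructed sample: LAN 192.168.0.0/24 behind the gateway, roadwarrior at
# 5.6.7.8 whose client net is its own address (what pluto sets for one host).
demo() {
    PLUTO_VERB=$1
    PLUTO_PEER=5.6.7.8
    PLUTO_MY_CLIENT_NET=192.168.0.0   PLUTO_MY_CLIENT_MASK=255.255.255.0
    PLUTO_PEER_CLIENT_NET=5.6.7.8     PLUTO_PEER_CLIENT_MASK=255.255.255.255
    updown ipfwadm
}
```

Running `demo up-client` with DRY_RUN left at 1 prints the three rules that would be installed; setting DRY_RUN=0 executes them, which is only meaningful on the LRP box itself.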

Re: Setting up a VPN Gateway


Okay, here's my setup:

I have the DUCLING software installed on my 486 firewall and all I want to do is connect up to my company's VPN adapter to access my workstation files from home through the DUCLING interface. I have Microsoft's VPN software installed for Windows ME and Windows NT (two individual workstations), so they aren't Linux or UNIX workstations. If I remove the DUCLING firewall, I can connect each workstation to the company's VPN fine, so I'm having trouble configuring DUCLING to pass through the VPN traffic when it is 'in circuit' (Microsoft's VPN adapter doesn't have any pluto configuration files that I can identify, so this step doesn't seem to apply).

Can anyone help this clueless newbie? (I'm not *too* clueless because other than VPN traffic, I can connect to other Internet resources fine :-)

Thanks,

Fred van West

fredvw@hotmail.com

Pinging internal LANs ...


Hi,

The only LAN that you can ping from an IPSec gateway is the immediate LAN (the one hanging off eth1 in your case). The gateways simply pass IPSec traffic; they are not part of the LAN/s. This is a security feature too. Someone who has access to your gateways still does not have access to your complete WAN (other than the local eth1 LAN).

The true test is to make sure that all your LANs can see each other (from within the LANs).

Unable to find the ducling tarballs


The ftp site for downloading the ducling files is not servicing connections. Does anyone have the required files available so that I can obtain a copy?

Ta

steve.rodgers@ts-associates.com

DUCLING Files now available at LEAF site


The distributions are now available at

http://sourceforge.net/project/showfiles.php?group_id=13751

under DUCLING.

Re: Unable to find the ducling tarballs


I'm having the same trouble as Mr. Rodgers. If anybody has a .zip copy for dynamic routing, I'd appreciate a copy, too.

Another thing, has anybody a solution to configuring a PC with an ISDN card or external ISDN modem and one NIC as a router?

So long,

baard@bergersen.nu

Re: Unable to find the ducling tarballs


isdn.lrp packages are now available for LEAF

Install the appropriate isdn.lrp package just like any other lrp package.

Koon Wong's site seemed to have the packages a while ago before other sites, but his site doesn't seem to exist any more. Now the sourceforge site has plenty of information for all available packages from a variety of developers. Nilo has the most current 2.4.x packages.

ISDN for linux homepage:

http://www.isdn4linux.de/

ISDN for LEAF:

http://leaf.sourceforge.net/devel/ericw/

Re: Setting up a VPN Gateway


An alternate tool that could be suitable for use in the client side, would be the PGP freeware, which includes the PGPNet component, a VPN client (among other things). I have not tried this one personally, but it could be an alternative to the SSH sentinel tool. The actual PGP freeware could be downloaded from http://www.pgpi.org

Just my $0.02

PGPNet is crippleware outside of the US ...


at least the last time I looked. The free client only supports transport mode (not the more useful tunnel mode), and I don't think you can buy the 3DES encryption version unless you are in the US. FreeS/WAN doesn't support the DES standard (which nobody uses anyway).

tracks? sectors?


"you can create diskettes that have 80 sectors and 24 tracks per sector, giving 1,920KB per floppy. Floppies having 1,680KB (80/21 sector/tracks per sector) are used regularly for LRP distributions and seem to have a reliable track record"

Hmmm?

Re: tracks? sectors?


I use 1680 kB floppies in production LRP environments. The odd floppy drive chokes on them, but the overwhelming majority that don't have been running floppies of this format flawlessly.

Re: tracks? sectors?


I am not sure about the numbers given here, but I know this is regularly the case with floppies using the LEAF versions of Linux (http://leaf.sourceforge.net). I have personally used bootable floppies formatted up to 1722KB with no major issues. Not every floppy drive can format or recognize the higher formats (e.g., 1920KB), and I have not succeeded in creating bootable floppies greater than 1722KB.

Re: Setting up a VPN Gateway


If you would like assistance with your configuration, please post a message to the leaf-user mailing list at: leaf-user@lists.sourceforge.net

--

Mike Noyes

FAQs sec00: LEAF SourceForge Site Answers "How do I request help?"

http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751

Re: Setting up a VPN Gateway

Posted by goettsd

I can't get the command

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

to work in my configuration. Windows 2000 gives me an error about the gateway not being on the same network as the interface. Any ideas? I am of course changing the subnet and the gateway to match my configuration...

Thanks,

sg

Re: Setting up a VPN Gateway


I've figured this out. It does work if your gateway is on the same network as your Sentinel box; I tried it and it works fine. But on completely different networks on the Internet, the route fails and hence the tunnel never connects. Haven't found a workaround for this yet.

Re: Setting up a VPN Gateway


I get exactly the same error.

Has anyone managed to get this working?

Steve Rodgers

Re: Problems with Listing 1, also road warrior


I found that the bundled instructions referred to in the piece were appropriate for setting up a tunnelled connection to another server with a known IP address but did not cover at all how to set up IPsec and IPchains for a road warrior configuration.

I also found that the "right=0.0.0.0" line in Listing 1 produced an error message when I issued the command: "/usr/local/sbin/ipsec manual --up test_connection"

The error message read:

"test_connection: tunnel destination address invalid or not specified for SA:tun0x200@0.0.0.0.

test_connection: warning -- del option 'dst' is 0.0.0.0. If the was not intentional, then a name lookup failed."

I presume that you may not specify "right=0.0.0.0" when building a road warrior configuration, but I have no idea what you should specify.

If anyone can help I sure would appreciate it!

This is a great article for beginners like me. Unfortunately, issues like the above are a complete showstopper for beginners like me!

Thanks

Lee

Re: Problems with Listing 1, also road warrior


If you are using a roadwarrior config, you cannot initiate the connection from FreeS/WAN, as FreeS/WAN needs to know the IP of the other side if it has to initiate the connection.

Re: Problems with Listing 1, also road warrior


The roadwarrior configuration is best handled with RSA keys. However, with FreeS/WAN 1.5, there are some bugs in the implementation (e.g., if the IPSec server goes down, the roadwarrior client needs to be restarted). Also, look at FreeS/WAN 1.91 for the new Dachstein LRP distribution at

http://lrp.steinkuehler.net

http://lrp.steinkuehler.net/DiskImages/Dachstein.htm

http://lrp.steinkuehler.net/Packages/ipsec1.91.htm

It is much more stable for roadwarrior configs.

Re: Problems with Listing 1, also road warrior


Hi,

Thanks for that. I'm a big fan of LRP, having had good results with EigersteinBeta2.

I do find that there is a gap in the documentation covering building IPsec stuff on LRP. There's lots on LRP and lots on IPsec but relatively little covering how to troubleshoot the combination of IPchains, /etc/network.conf settings and package operations involved with running IPsec on LRP.

You do seem to need to be a bit more knowledgeable about Linux than I am to stride across that gap ;-)

But I'll keep trying!

Lee

Re: Setting up a VPN Gateway


Remember that there is no need to add routes every time. Try replacing the command:

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

with:

route -p ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

The route goes up automatically when you dial up. Persistent routes are stored in the registry.

NOTE: Doesn't work on W95; it does not support persistent routes. Adding a persistent route is possible only if the connection is up.

Re: Setting up a VPN Gateway


not

Re: Setting up a VPN Gateway

Posted by rank

Thanks for your counsel, I will try it out.

I found a problem from this article :)


Actually, there's no need to open TCP ports 50 & 51 - you have to open the firewall for protocols 50 & 51 (esp & ah).

F.ex.

iptables -A INPUT -p 50 -j ACCEPT

iptables -A INPUT -p 51 -j ACCEPT

That's it.

With ipchains:

ipchains -A input -p 50 -j ACCEPT

ipchains -A input -p 51 -j ACCEPT

Re: I found a problem from this article :)


Actually, if everything is working properly, the _updown script should punch these holes through the firewall to suit the connection IPs; no need to do this manually!

Re: Setting up a VPN Gateway

Posted by rank

Now I can boot up with eth0 and eth1, but I cannot ping the other IP addresses in the subnet. Why?

When I boot up, it says: "no resource on eth0"

What does this mean?

Thx.

Re: Setting up a VPN Gateway


You need to copy over the drivers for your network cards. See the section "RUNNING LRP" in the readme.


Help


I can't get DUCLING. When I get inside the FTP to download it, they ask me to write a name and a password and I don't know how to do it.
Thanks

I NEED THE DUCLING TOO..


I am also looking for the DUCLING; if you find it, let me know.

Thanks,

I will keep on checking. If you find out, please post the link.
