Hi All,
With all the ipsec questions floating around I figured I'd chime in with a
working config (for me, YMMV, no warranty, etc).
homenet <-> [shorewall/router1/ipsecgw] <---> (the internet) <---> [router2/ipsecgw] <---> localnet2

192.168.101.0 <-> [.101.1 <> aaa.x.x.5] <---> aaa.x.x.1 ... (the internet) ... ccc.x.x.1 <---> [ccc.x.x.7 <> .99.1] <-> 192.168.99.0
Note that shorewall is NOT running on router2, just on router1.
Router2 (in my case) is specifically for IPSec stuff.
So as in the shorewall docs...(http://www.shorewall.net/IPSEC.htm)
Disabled Opportunistic Encryption (in /etc/ipsec.conf; the parameter lines
must be indented under their conn):

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
Then created my /etc/shorewall/tunnels with:

#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     AAA.BBB.CCC.DDD vpn
#that is:
#kind 'o tunnel
#zone the tunnel is in
#remote gateway (router2) ip in the net zone
#the zone the gateway itself is in

NOTE: see the docs if you're running shorewall on both ends of the tunnel.
You will basically have the same thing in the tunnels file on the remote
side, but the gateway addr will be the public inet addr of router1.
Then add the vpn zone to /etc/shorewall/zones:

#ZONE   DISPLAY COMMENTS
net     Net     Internet
loc     Local   Local networks
vpn     VPN     VPN connection
Then add the ipsec interface in the vpn zone to the
/etc/shorewall/interfaces file:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
vpn     ipsec0
Then allow your local zone and the vpn zone to talk back and forth (i.e.
two new lines) in the /etc/shorewall/policy file:

#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT  info
vpn     loc     ACCEPT  info

NOTE: For making sure the connection is running and just getting it up, I
added the info log level; it helps because you can see when the zones are
talking & trying to get the connection up (or not).
Restart shorewall:

shorewall restart

<lots of blah blah output about the firewall follows :-) >
OK... Now we can configure FreeS/WAN (/etc/ipsec.conf):

conn vpntolan
        left=aaa.x.x.5
        leftsubnet=192.168.101.0/24
        leftnexthop=aaa.x.x.1
        leftid=@useyournamehere
        # left key as printed by 'ipsec showhostkey --left' on router1
        leftrsasigkey=0xxxxx
        right=ccc.x.x.7
        rightsubnet=192.168.99.0/24
        rightid=@rightsidenamehere
        # right key as printed by 'ipsec showhostkey --right' on router2
        rightrsasigkey=0xxxxxxx
        rightnexthop=ccc.x.x.1
        auto=add
OK. If you're on Red Hat, 'service ipsec start'; otherwise start ipsec and
load the kernel mods. Then:

ipsec auto --verbose --up vpntolan

and voilà, it should start up...
The thing that killed me in getting this set up is the interfaces file. I
missed adding it in and kept getting stuck with weird connection problems.
Also note, this is for 2.4 with FreeS/WAN packages installed separately, not
the 2.6 crypto API. Both of my gateways are RH 9.0 stock boxes (with patches).
Hope this helps some.
--Donald
--
Donald Z. Cowart -- Senior System Administrator
Children's Oncology Group -- Research Data Center
104 N. Main Street, Gainesville, Fl 32601
Email: dcowart@cog.ufl.edu (G)AIM: slackfive
http://www.cowart.info/
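The mail's own lesson is that a zone declared in zones but never bound in interfaces produces confusing failures. Below is an added example (my script, not Donald's and not part of Shorewall) that writes the four flat files from the post into a scratch directory as constructed sample data, then checks them against each other: every zone named in policy and tunnels must be declared, and every declared zone must appear in interfaces. It assumes the classic Shorewall 1.x whitespace-separated column layout with '#' comments, ignores zones bound through /etc/shorewall/hosts, and treats 'all' and 'fw' as built-in names; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original mail or from Shorewall itself: a
# consistency check for the flat-file Shorewall 1.x configuration the post
# walks through. Assumptions: whitespace-separated columns with '#'
# comments; zones bound via /etc/shorewall/hosts are not considered;
# 'all' and 'fw' are treated as built-in zone names. Function names are mine.

# make_sample_config DIR: write the four files from the post into DIR
# (constructed sample data; 203.0.113.7 stands in for the remote gateway).
make_sample_config() {
    mkdir -p "$1"
    cat >"$1/zones" <<'EOF'
#ZONE   DISPLAY COMMENTS
net     Net     Internet
loc     Local   Local networks
vpn     VPN     VPN connection
EOF
    cat >"$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
vpn     ipsec0
EOF
    cat >"$1/tunnels" <<'EOF'
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     203.0.113.7     vpn
EOF
    cat >"$1/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT  info
vpn     loc     ACCEPT  info
net     all     DROP    info
all     all     REJECT  info
EOF
}

# field FILE N: print column N of every non-comment, non-blank line
field() {
    sed -e 's/#.*//' "$1" | awk -v n="$2" 'NF >= n { print $n }'
}

# is_zone DIR NAME: true if NAME is declared in DIR/zones or is built in
is_zone() {
    case $2 in all|fw) return 0 ;; esac
    field "$1/zones" 1 | grep -qx "$2"
}

# lint_shorewall DIR: report inconsistencies, exit 0 only if there are none
lint_shorewall() {
    dir=$1
    problems=0
    # policy: SOURCE and DEST must name declared zones
    for z in $(field "$dir/policy" 1) $(field "$dir/policy" 2); do
        is_zone "$dir" "$z" || {
            echo "policy: undeclared zone '$z'"; problems=$((problems + 1)); }
    done
    # tunnels: ZONE (col 2) and GATEWAY ZONE (col 4) must be declared
    for z in $(field "$dir/tunnels" 2) $(field "$dir/tunnels" 4); do
        is_zone "$dir" "$z" || {
            echo "tunnels: undeclared zone '$z'"; problems=$((problems + 1)); }
    done
    # interfaces: every declared zone needs an interface line. This is the
    # trap the post describes: a 'vpn' zone with no 'vpn ipsec0' binding.
    for z in $(field "$dir/zones" 1); do
        field "$dir/interfaces" 1 | grep -qx "$z" || {
            echo "interfaces: zone '$z' is not bound to any interface"
            problems=$((problems + 1)); }
    done
    echo "$dir: $problems problem(s)"
    [ "$problems" -eq 0 ]
}

# demo: check the good config, then drop the vpn interface line and re-check
demo() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp"
    lint_shorewall "$tmp"
    grep -v '^vpn' "$tmp/interfaces" >"$tmp/interfaces.new"
    mv "$tmp/interfaces.new" "$tmp/interfaces"
    lint_shorewall "$tmp"
    rm -rf "$tmp"
}
demo
```

Run it against a real /etc/shorewall by calling lint_shorewall on that directory instead of the scratch one; the second lint in demo reproduces the missing-interface mistake from the mail and reports it before shorewall restart would have to tell you the hard way.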