Re: [CentOS] VPN

Tue May 24 13:19:50 UTC 2005
Peter Farrow <peter at farrows.org>

This might be useful too:

http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html


simone wrote:

>Hi there. Installed openswan, and followed the instructions :) . It
>looks like the tunnel is established now:
>
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main Mode
>May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
>connection ---> is this bad....
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I1 to state STATE_MAIN_I2
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [XAUTH]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [Dead Peer Detection]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [Cisco-Unity]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
>Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
>certificate because I do not have one.
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I2 to state STATE_MAIN_I3
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID is
>ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
>cisco pix 525
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I3 to state STATE_MAIN_I4
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
>established
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
>Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
>informational payload, type IPSEC_INITIAL_CONTACT
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and ignored
>informational message
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
>informational payload, type IPSEC_RESPONDER_LIFETIME
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
>state STATE_QUICK_I1 to state STATE_QUICK_I2
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
>established {ESP=>0x6xxx23f <0x07xxxx7}
>
>000 "milan":
>192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; unrouted; eroute owner: #0
>
>192.168.10.3 internal linux box ip (and default gateway for the natted
>workstations)
>192.168.100.2 internal cisco pix ip (and default gateway for the natted
>workstations)
>
>conn milan
>        left=xxx.xxx.xxx.90              # public ip linux box
>        leftnexthop=xxx.xxx.xxx.65       # default gateway linux
>        leftsubnet=192.168.10.0/24
>        right=xxx.xxx.xxx.130            # public ip cisco
>        rightsubnet=192.168.100.0/24     # network behind cisco
>        rightnexthop=xxx.xxx.xxx.129     # default gateway cisco
>        authby=secret
>        pfs=no
>        auto=add
>        esp=3des-md5-96
>
>The firewall on the linuxbox is natting the 192.168.10.x network and
>accepting anything coming from 192.168.100.x, I added udp port 500 to
>INPUT and OUTPUT chains in iptables, but still cannot ping (even from
>other workstations) or reach a web page on the other network. Anything
>else I am missing or should be looking for? 
>
>>Remember you will need to allow the ipsec interface in your firewall
>
>How do I do this?
>
>Thanks for all your help, really appreciate this. 
>
>Simone
>
>On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
>
>>Hi there, yes it was with a Nortel contivity on a few occasions and
>>the other times with a Cisco pix. Interestingly enough the Cisco VPNs
>>often required updates to the IOS to make them 3Des compliant.
>>
>>As it's late here in the UK (past midnight GMT+1) here is a very quick
>>and dirty freeswan guide.
>>
>>Needless to say the things that cause the biggest headache for most
>>users are the use of RSA keys and opportunistic encryption.  Since this
>>is NOT what 99.9% of the masses need or want, there is a quick and
>>simple and just as secure alternative setup, but it's not that well
>>documented.  Opportunistic encryption came in versions 2 and above of
>>freeswan by default; this has the effect of clobbering the network
>>default route and replacing it down the ipsec interface (what you want
>>if you want to encrypt everything, but not really any great use in the
>>real world).  Most people want to do site <-> site vpns and these are
>>best achieved without opportunistic encryption and by the use of
>>preshared keys.
>>
>>1)Make sure you get a version of freeswan suitable for your kernel, if
>>you can't find one go to somewhere like rpms.pbone.net and find a
>>kernel for which there is a freeswan version.  Many people try and
>>hunt a freeswan version to match their kernel, I do it the other way
>>round, find the latest freeswan compatible kernel you can for your
>>architecture, you can always compile it from source but why make life
>>harder for yourself.
>>2)get the freeswan module for the kernel you found, and the same
>>freeswan-userland version as well. then proceed as follows: after you
>>have installed the [from rpm]
>>
>>
>>Typically to kill opportunistic encryption add these lines to your
>>ipsec.conf file: after the config setup section near the top,
>>
>>conn block
>>    auto=ignore
>>
>>conn private
>>    auto=ignore
>>
>>conn private-or-clear
>>    auto=ignore
>>
>>conn clear-or-private
>>    auto=ignore
>>
>>conn clear
>>    auto=ignore
>>
>>conn packetdefault
>>    auto=ignore
>>
>>Doing this stops all the crap you get when ipsec starts and then kicks
>>you off the system about 60 seconds later if you're connected remotely
>>as this kills the opportunistic setup feature.   Do the same at the
>>other end as well.
>>Then start the service.
>>
>>Then add a section for each tunnel you want to set up.  If you have
>>multiple subnets at each site which can't be encapsulated in a single
>>subnet declaration, you will need to add a new tunnel definition for
>>each.  Here is an example :
>>
>>conn site1-site2                  #this is the connection name [tunnel] identifier
>>        left=21.21.100.10         #This is the ip address of the first linux box
>>        leftnexthop=21.21.100.9   #This is usually set to the default gateway for the first linux box
>>        leftsubnet=10.11.2.0/24   #This is the LAN subnet behind the first linux box
>>        right=21.21.100.178       #This is the IP address of the second linux box at the other end of the tunnel
>>        rightsubnet=10.11.4.0/24  #This is the LAN subnet behind the second linux box
>>        rightnexthop=21.21.100.177 #This is the IP address of the default gateway setting of the other linux box
>>        authby=secret             #We are going to use a "password" or secret to encrypt/auth the link
>>        pfs=no                    #Turn off perfect forward security, this makes it faster and easier but less secure
>>        auto=add                  #Authorise but don't start
>>        esp=3des-md5-96           #encapsulating security payload setting, encryption used for auth and data
>>
>>
>>Now cut and paste this and add it to the ipsec.conf file on the second
>>machine completely as is, unmodified.
>>
>>Then in your /etc/ipsec.secrets file on each machine you will need to
>>add a password [secret] for each of the tunnels you have
>>specified, in the above example we would have:
>>
>>21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
>>
>>Add this to the very top of the ipsec secrets file, one entry for each
>>pair of machines in this format
>>
>>leftmachineip   rightmachineip : PSK "password"
>>
>>Then do a service ipsec restart on each machine, bring the link up
>>with this command, it only needs to be invoked from either one of the
>>ends
>>
>>ipsec auto --up site1-site2
>>
>>You should get output like this if you did it right:
>>ipsec auto --up site1-site2
>>104 "site1-site2" #2086: STATE_MAIN_I1: initiate
>>106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
>>108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
>>004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
>>112 "site1-site2" #2087: STATE_QUICK_I1: initiate
>>004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
>>established
>>
>>Remember you will need to allow the ipsec interface in your firewall
>>and you will need to add lines like this:
>>
>># Accept udp connections to port 500 for ipsec
>>$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>
>>This is just about the quickest way to set up a VPN tunnel with
>>Freeswan, it takes minutes.  If you want to make it more secure, you
>>can tune the config once you get it running this way!
>>
>>Remember the only machines that can't see the full extent of the other
>>LAN network are the linux boxes creating the tunnel.  So the left
>>linux box will not be able to ping stuff on 10.11.4.0/24 network and
>>the right linux box will not be able to ping stuff on 10.11.2.0/24
>>network - don't forget this.... it's commonly mistaken by some to mean
>>the tunnel isn't working, to truly test it end to end you need hosts
>>on the LANs at each end to ping each other.
>>
>>If you want to make it work through NATing gateways you will need to
>>port forward the udp 500 setting above on your firewall.
>>
>>Enjoy!
>>
>>Pete
>>
>>Kennedy Clark wrote:
>>
>>>Any chance of getting a quick HOW-TO posted to the group for that? 
>>>;-)  Sounds interesting.
>>>
>>>I saw your post about using it with Cisco & Nortel equipment -- I work
>>>with both a lot at my current customer.  What types of equipment have
>>>you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
>>>Nortel = Contivity)?
>>>
>>>Thanks!!
>>>Kennedy
>>>
>>_______________________________________________
>>CentOS mailing list
>>CentOS at centos.org
>>http://lists.centos.org/mailman/listinfo/centos
>>
>
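Added example, not code from anyone in this thread: a firewall script for the site-to-site setup Pete describes, answering Simone's question about allowing the ipsec interface. Beyond UDP 500 it passes ESP (IP protocol 50), forwards only the two LANs across the tunnel, and excludes LAN-to-LAN traffic from NAT; the interface names (eth0, ipsec0), the "netkey" switch for the 2.6 NETKEY stack and the peer address 203.0.113.130 are assumptions, since the post masks the real addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: rules are printed;
# set IPTABLES=/sbin/iptables to apply them as root.
IPTABLES="${IPTABLES:-echo iptables}"

# ipsec_rules EXT_IF IPSEC_IF LOCAL_SUBNET REMOTE_SUBNET PEER_IP
# IPSEC_IF is the KLIPS interface (ipsec0) or the word "netkey" for the
# 2.6 NETKEY stack, which has no such interface (assumed naming).
ipsec_rules() {
    ext="$1"; ips="$2"; lnet="$3"; rnet="$4"; peer="$5"
    # IKE (ISAKMP): only to and from the tunnel peer, not from anywhere
    $IPTABLES -A INPUT  -i "$ext" -p udp -s "$peer" --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$ext" -p udp -d "$peer" --sport 500 --dport 500 -j ACCEPT
    # The encrypted traffic itself is ESP, IP protocol 50; it has no port,
    # so the UDP 500 rules alone never let the tunnel data through.
    $IPTABLES -A INPUT  -i "$ext" -p esp -s "$peer" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$ext" -p esp -d "$peer" -j ACCEPT
    if [ "$ips" = "netkey" ]; then
        # No ipsec interface: match on the kernel's IPsec policy instead,
        # so only traffic that really went through the tunnel is forwarded.
        $IPTABLES -A FORWARD -m policy --dir in  --pol ipsec -s "$rnet" -d "$lnet" -j ACCEPT
        $IPTABLES -A FORWARD -m policy --dir out --pol ipsec -s "$lnet" -d "$rnet" -j ACCEPT
    else
        # KLIPS: decrypted packets arrive on ipsec0; allow the two LANs only
        $IPTABLES -A FORWARD -i "$ips" -s "$rnet" -d "$lnet" -j ACCEPT
        $IPTABLES -A FORWARD -o "$ips" -s "$lnet" -d "$rnet" -j ACCEPT
    fi
    # Exclude LAN-to-LAN traffic from NAT ahead of the MASQUERADE rule
    # (-I, not -A): a masqueraded packet no longer matches the tunnel's
    # subnet selectors and bypasses the tunnel instead of being encrypted.
    $IPTABLES -t nat -I POSTROUTING -s "$lnet" -d "$rnet" -j ACCEPT
}

# The thread's layout: 192.168.10.0/24 behind the Linux box, 192.168.100.0/24
# behind the PIX. The peer address is a constructed placeholder.
ipsec_rules eth0 ipsec0 192.168.10.0/24 192.168.100.0/24 203.0.113.130
```

Run it as-is to review the rules, then with IPTABLES pointing at the real binary; the NAT exclusion is the rule most often missing when UDP 500 is open yet LAN hosts still cannot reach each other.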