Betr.: [CentOS] VPN

Tue May 24 15:07:01 UTC 2005
Peter Farrow <peter at farrows.org>

Hi there,

the "RESTRICT..." is one of my own iptables rules, which is called from 
the INPUT and FORWARD chains which provides a nice convenient point to 
add it all in in one go.

You should see routes like this if your tunnels are up

192.168.12.0    ch-rtr.farrows. 255.255.255.0   UG    0      0        0 
ipsec0

issue the route command and see what you get

Don't worry about having long conversations about this: its tricky if 
you have not done it before and I will help as long as it takes

Pete


Simone wrote:

> Here again, I don't think I understand what 
> "RESTRICT_EXTERNAL_CONNECTIONS" means. I think I enabled the firewall 
> to accept anything that comes from the external pix IP, the pix 
> gateway IP and the cisco internal lan, so to be sure it is not dropped 
> (not really a iptables guru so I could be wrong). Some strange 
> behaviour include tha fact I can ping from linux to cisco on the 
> public IP but not vice versa, while from another site I can ping the 
> public linux box ip (so it looks like it is not dropped by the 
> firewall config).
> I am sorry if this is going far too long. Something that's not clear 
> to me is if a device called ipsec0 or whatever I call the connection, 
> should show up somewhere and if a route should be provided to reach 
> the cisco internal network from the linux internal network. Anything 
> could help to figure this out? Firewall rules?
>
> Thanks, have a nice day
>
> Peter Farrow wrote:
>
>> If your seeing the communication like this its not being dumped or 
>> dropped by your firewall, you could add an accept rule for all 
>> protocols from the far end Ips at each site, just for debugging 
>> purposes and to rule out the firewall itself..
>>
>> This is almost there now, make sure that you have lines like this in 
>> your firewall:
>>
>> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state 
>> ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state NEW 
>> --in-interface ! $EXT_IFACE -j ACCEPT
>>
>> $IPTABLES -A INPUT -j RESTRICT_EXTERNAL_CONNECTIONS
>> $IPTABLES -A FORWARD -j RESTRICT_EXTERNAL_CONNECTIONS
>>
>> Notice I accept all new interfaces on anything that's not the 
>> external network card, this automatically includes lo, internet 
>> ethernet and all ipsec interfaces you will of course need to change 
>> these to suit your firewall config....
>>
>> Becareful (dont use it unmodified) using a rule like this if you have 
>> more than one external [untrusted] interface....
>>
>>
>> P.
>>
>>
>> simone wrote:
>>
>>> Hi there. Installed openswan, and followed the instructions :) . It
>>> looks like tunnel is estabilished now:
>>>
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main 
>>> Mode
>>> May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
>>> connection ---> is this bad....
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>>> state STATE_MAIN_I1 to state STATE_MAIN_I2
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>>> payload [XAUTH]
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>>> payload [Dead Peer Detection]
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>>> payload [Cisco-Unity]
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
>>> Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
>>> certificate because I do not have one.
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>>> state STATE_MAIN_I2 to state STATE_MAIN_I3
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer 
>>> ID is
>>> ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
>>> cisco pix 525
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>>> state STATE_MAIN_I3 to state STATE_MAIN_I4
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
>>> established
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
>>> Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
>>> informational payload, type IPSEC_INITIAL_CONTACT
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and 
>>> ignored
>>> informational message
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
>>> informational payload, type IPSEC_RESPONDER_LIFETIME
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
>>> state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
>>> established {ESP=>0x6xxx23f <0x07xxxx7}
>>>
>>> 000 "milan":
>>> 192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; 
>>> unrouted; eroute owner: #0
>>>
>>> 192.168.10.3 internal linux box ip (and default gateway for the natted
>>> workstations)
>>> 192.168.100.2 internal cisco pix ip (and default gateway for the natted
>>> workstations)
>>>
>>> conn milan                              left=xxx.xxx.xxx.90    
>>> public ip linux box                leftnexthop=xxx.xxx.xxx.65    
>>> default gateway linux          leftsubnet=192.168.10.0/24       
>>>        right=xxx.xxx.xxx.130      public ip cisco        
>>> rightsubnet=192.168.100.0/24    network behind cisco         
>>> rightnexthop=xxx.xxx.xxx.129    default gateway cisco
>>>        authby=secret                        
>>> pfs=no                                auto=add                       
>>>        esp=3des-md5-96               
>>> The firewall on the linuxbox is natting the 192.168.10.x network and
>>> accepting anything coming from 192.168.100.x, I added udp port 500 to
>>> INPUT and OUTPUT chains in iptables, but still cannot ping (even from
>>> other workstations) or reach a web page on the other network. Anything
>>> else I am missing or should be looking for?
>>>  
>>>
>>>> Remember you will need to allow the ipsec interface in your firewall
>>>>   
>>>
>>> How do I do this?
>>> Thanks for all your help, really appreciate this.
>>> Simone
>>>
>>>
>>>
>>>
>>> On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
>>>  
>>>
>>>> Hi there,  yes it was with a Nortel contivity on a few occassions and
>>>> the other times with a Cisco pix. interstingly enough the Cisco VPNs
>>>> often required updates to the IOS to make them 3Des compliant,
>>>> As its late here in the UK (past midnight GMT+1)  here is a very quick
>>>> and dirty freeswan guide.
>>>>
>>>> Needless to say the things that cause the biggest headache for most
>>>> users is the use of RSA keys and opportunistic encryption.  Since this
>>>> is NOT what 99.9% of the masses need or want then there is a quick and
>>>> simple and just as secure alternative setup, but its not that well
>>>> documented.  Opportunistic encryption came in versions 2 and above of
>>>> freeswan by default, this has the effect of clobbering the network
>>>> default route and replacing it down the ipsec interface (what you want
>>>> if you want to encrypt everything, but not really any great use in the
>>>> real world).  Most people want to do site <-> site vpns and these are
>>>> best achieved without opportunistic encryption and by the use of
>>>> preshared keys.
>>>>
>>>> 1)Make sure you get a version of freeswan suitable for your kernel, if
>>>> you can't find one go to somewhere like rpms.pbone.net and find a
>>>> kernel for which there is a freeswan version.  Many people try and
>>>> hunt a freeswan version to match their kernel,  I do it the otherway
>>>> round, find the latest freeswan compatible kernel you can for your
>>>> architecture, you can always compile it from source but why my life
>>>> harder for yourself.
>>>> 2)get the freeswan module for the kernel you found, and the same
>>>> freeswan-userland version as well. then proceed as follows: after you
>>>> have installed the [from rpm]
>>>>
>>>>
>>>> Typically to kill opportunistic encryption add these lines to your
>>>> ipsec.conf file: after the config setup section near the top,
>>>>
>>>> conn block
>>>>    auto=ignore
>>>>
>>>> conn private
>>>>    auto=ignore
>>>>
>>>> conn private-or-clear
>>>>    auto=ignore
>>>>
>>>> conn clear-or-private
>>>>    auto=ignore
>>>>
>>>> conn clear
>>>>    auto=ignore
>>>>
>>>> conn packetdefault
>>>>    auto=ignore
>>>>
>>>> Doing this stops all the crap you get when ipsec starts and then kicks
>>>> you off the system about 60 seconds later if you're connected remotely
>>>> as this kills the opportunistic setup feature.   Do the same at the
>>>> other end as well.
>>>> Then start the service.
>>>>
>>>> Then add a section for each tunnel you want to set up.  if you have
>>>> multiple subnets at each site which can't be encapsulated in a single
>>>> subnet declaration, you will need to add a new tunnel defintion for
>>>> each.  Here is an example :
>>>>
>>>> conn site1-site2                       #this is the connection name
>>>> [tunnel] identifier
>>>>        left=21.21.100.10              #This is the ip address of the
>>>> first linux box
>>>>        leftnexthop=21.21.100.9        #This is usually set to the
>>>> defualt gateway for the first linux box
>>>>        leftsubnet=10.11.2.0/24        #This is the LAN subnet behind
>>>> the first linux box
>>>>        right=21.21.100.178            #This is the IP address of the
>>>> second linux box at the other end of the tunnel
>>>>        rightsubnet=10.11.4.0/24       #This is the LAN subnet behind
>>>> the second linux box
>>>>        rightnexthop=21.21.100.177     #This is the IP address of the
>>>> default gateway setting of the other linux box
>>>>        authby=secret                  #We are going to use a
>>>> "password" or secret to encrypt/auth the link
>>>>        pfs=no                         #Turn off perfect forward
>>>> security, this makes it faster and easier but less secure
>>>>        auto=add                       #Authorise but don't start
>>>>        esp=3des-md5-96                #encapsulating security payload
>>>> setting, encryption used for auth and data
>>>>
>>>>
>>>> Now cut and paste this and add it to the ipsec.conf file on the second
>>>> machine completely as is, unmodified.
>>>>
>>>> Then in you /etc/ipsec.secrets file on each machine you will need to
>>>> add a password [secret] for each each of the tunnels you have
>>>> specified, in the above example we would have:
>>>>
>>>> 21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
>>>>
>>>> Add this to the very top of the ipsec secrets file, one entry for each
>>>> pair of machines in this format
>>>>
>>>> leftmachineip   rightmachineip : PSK "password"
>>>>
>>>> Then do a service ipsec restart on each machine, bring the link up
>>>> with this command, it only needs to be invoked from either one of the
>>>> ends
>>>>
>>>> ipsec auto --up site1-site2
>>>>
>>>> You should get output like this if you did it right:
>>>> ipsec auto --up site1-site2
>>>> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate
>>>> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
>>>> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
>>>> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
>>>> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate
>>>> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
>>>> established
>>>>
>>>> Remember you will need to allow the ipsec interface in your firewall
>>>> and you will need to add lines like this:
>>>>
>>>> # Accept udp connections to port 500 for ipsec
>>>> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>>> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>>>
>>>> This is just about the quickest way to set up a VPN tunnel with
>>>> Freeswan, it takes minutes.  If you want to make if more secure, you
>>>> can tune the config once you get it running this way!
>>>>
>>>> Remember the only machines that can't see the full extent of the other
>>>> LAN network are the linux boxes creating the tunnel.  So the left
>>>> linux box will not be able to ping stuff on 10.11.4.0/24 network and
>>>> the right linux box will not be able to ping stuff on 10.11.2.0/24
>>>> network - don't forget this.... its commonly mistaken by some to mean
>>>> the tunnel isn't working, to truly test it end to end you need hosts
>>>> on the LANs at each end to ping each other.
>>>>
>>>> If you want to make it work through NATing gateways you will need to
>>>> port forward the udp 500 setting above on your firewall.
>>>>
>>>> Enjoy!
>>>>
>>>> Pete
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Kennedy Clark wrote:
>>>>   
>>>>
>>>>> Any chance of getting a quick HOW-TO posted to the group for that? 
>>>>> ;-)  Sounds interesting.
>>>>>
>>>>> I saw your post about using it with Cisco & Nortel equipment -- I 
>>>>> work
>>>>> with both a lot at my current customer.  What types of equipment have
>>>>> you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
>>>>> Nortel = Contivity)?
>>>>>
>>>>> Thanks!!
>>>>> Kennedy
>>>>>  
>>>>>     
>>>>
>>>> ______________________________________________________________________
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>   
>>>
>>>
>>>
>>>
>>> -- 
>>> Email.it, the professional e-mail, gratis per te: http://www.email.it/f
>>>
>>> Sponsor:
>>> Bisogno di liquidità? Non devi spiegare per cosa. Fino a 4.000 € a 
>>> casa tua
>>> Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>  
>>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>  
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos