Replacing FreeS/WAN with a 2.6-kernel-friendly VPN server

I currently have a Debian Woody machine acting as a head-end IPSEC server to three sites with Cisco 837 ADSL routers. Woody is no longer maintained and I would like to upgrade the machine, and get it onto a 2.6 kernel.

The IPSEC driver used by FreeS/WAN on 2.4 is klips. FreeS/WAN is no longer maintained, and has forked into OpenSwan and StrongSwan. The 2.6 kernel has its own implementation of IPSEC, called NETKEY, and klips requires a patched kernel, which I would rather not have to maintain, as there is a good IPSEC implementation in the mainline.

The standard 2.6 kernel IPSEC model, using the ipsec-tools, lets you do all sorts of things with policies. In the past, I've had an ipsec0 interface, which has been given IP addresses and been able to connect routes to, and hang firewall rules off. I believe NETKEY doesn't give that. The remote sites can be considered 'trusted' insomuch as machines on their LAN are currently routed such that they may as well be on the local LAN, and so it wouldn't matter too much that I couldn't apply specific firewall rules.

Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)

Any suggestions? Michal, are you still around, and is this right in your area of expertise? :)

Craig

> Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)

I think you might be the guy that writes it, as the official Wiki for Linux networking (http://linux-net.osdl.org) is pretty bad on security right now!

> Any suggestions? Michal, are you still around, and is this right in your area of expertise? :)

One thing I do suspect you will need is a very recent kernel, as things necessary for this such as connection tracking only really got much attention in 2.6.17. Apart from that I can't offer much help.

-- 
Ian McDonald
Web: http://wand.net.nz/~iam4
Blog: http://imcdnzl.blogspot.com
WAND Network Research Group
Department of Computer Science
University of Waikato
New Zealand

> > Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)
>
> I think you might be the guy that writes it, as the official Wiki for Linux networking (http://linux-net.osdl.org) is pretty bad on security right now!

That site is probably a bit low-level; http://www.ipsec-howto.org/ is also missing useful information.

> > Any suggestions? Michal, are you still around, and is this right in your area of expertise? :)
>
> One thing I do suspect you will need is a very recent kernel, as things necessary for this such as connection tracking only really got much attention in 2.6.17. Apart from that I can't offer much help.

If I was going to use a kernel that recent I'd just patch klips in. :) As it is the end point, I shouldn't need to use connection tracking. Will see though. Thanks for the heads-up.

Craig

> Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)

Disclaimer: I've RTFM'd before, this is all from memory, and I've never actually had a chance to actually experiment with this. On the flipside I got openswan working for you when you set that up the first time, and I hadn't played with that much either. <grin>

To my knowledge there is no good single resource saying how to configure IPsec using 2.6, and what there is is mostly FreeBSD specific.

With 26sec there are several ways to configure it. The obvious way is to use "racoon". racoon is a daemon that runs and uses IKE to set up and maintain connections, updating the kernel's tables as necessary. You'd configure it with something like this (192.168.0.1 has 10.1.0.0/16 behind it, 192.168.0.2 has 10.2.0.0/16 behind it; this is the config for 192.168.0.1):

    # Phase 1 (IKE) settings for the peer at 192.168.0.2.
    # Pre-shared keys are read from the file named by "path pre_shared_key"
    # (psk.txt on most installs), which must contain an entry for 192.168.0.2.
    remote 192.168.0.2 {
        exchange_mode main;
        proposal {
            authentication_method pre_shared_key;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            dh_group 2;
        }
    }

    # Phase 2 (IPsec SA) settings for traffic between the two LANs.
    # Each side of the selector is "address <net> <upper-layer proto>".
    sainfo address 10.1.0.0/16 any address 10.2.0.0/16 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 12 hour;
        pfs_group 2;
    }

then set up routing such that

    ip route add 10.2.0.0/16 via 192.168.0.2

YMMV.

The other approach is to use setkey(8) directly to modify the kernel's ideas of what's going on. man setkey(8) for help. This is perhaps preferable for static tunnel configuration (rather than road-warrior style approaches).

"Firewalling" is done by the kernel's policy database, which is configured with racoon's security associations, or by using setkey's -P to set policy.
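The thread mentions setkey's -P but does not show the policy entries that go with the racoon configuration above. The script below is an added example written for this page; it is not from the thread, from Perry, or from the ipsec-tools project. It generates the setkey(8) SPD entries that tell a NETKEY kernel which traffic must be protected by the ESP tunnel, using the same constructed addresses as Perry's racoon config (192.168.0.1 fronting 10.1.0.0/16, 192.168.0.2 fronting 10.2.0.0/16). Running `gen_spd` with the gateway and network arguments swapped produces the policy for the other site. The function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Generate the SPD (security policy database) entries for a site-to-site
# ESP tunnel on a 2.6 NETKEY kernel. With "require", a packet that matches
# the "out" policy and has no SA yet makes the kernel ask the IKE daemon
# (racoon) to negotiate one, so these entries are what actually triggers IKE.
#
# Usage: gen_spd LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
# Example (this host is 192.168.0.1):
#   gen_spd 192.168.0.1 192.168.0.2 10.1.0.0/16 10.2.0.0/16
gen_spd() {
    local_gw=$1
    remote_gw=$2
    local_net=$3
    remote_net=$4
    cat <<EOF
flush;
spdflush;
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Count the policy lines, so a caller can confirm both directions were emitted
# before loading the script into the kernel.
count_policies() {
    gen_spd "$@" | grep -c '^spdadd'
}

# On the real gateway (ipsec-tools installed, run as root):
#   gen_spd 192.168.0.1 192.168.0.2 10.1.0.0/16 10.2.0.0/16 | setkey -c
#   setkey -DP        # dump the loaded policies to check them
#   setkey -D         # dump SAs once racoon has negotiated them
#   racoon -F -f /etc/racoon/racoon.conf   # run racoon in the foreground
```

On NETKEY there is no ipsec0 interface: decrypted packets arrive on the physical interface, so firewall rules that need to tell tunnel traffic from clear traffic use the iptables policy match (`-m policy --dir in --pol ipsec`) rather than matching on an interface name.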
participants (4)
- Craig Box
- Craig Box
- Ian McDonald
- Perry Lorier