Hack 67 Set Up IPsec Under Linux

Secure your traffic in Linux with FreeS/WAN.

The most popular way of configuring IPsec connections under Linux is to use the FreeS/WAN (http://www.freeswan.org) package. FreeS/WAN is made up of two components, KerneL IP Security (KLIPS) and pluto. KLIPS is the kernel-level code that actually encrypts and decrypts the data; it also manages the Security Policy Database (SPD). pluto is a user-land daemon that controls IKE negotiation.

The FreeS/WAN build process builds a new kernel and the required management utilities. Download the latest FreeS/WAN source from the project's web site and unpack the source tree in /usr/src. The documentation that comes with FreeS/WAN is very extensive and can help you tailor the installation to suit your needs. The kernel component can be either installed as a kernel-loadable module or statically compiled directly into your kernel. In order to compile FreeS/WAN, the kernel source must be installed on your machine. During the compilation process, the kernel configuration utility will launch. This is normal. Compile FreeS/WAN using your kernel configuration method of choice (such the menu-based or X11-based options). Once the compilation is complete, install the kernel and user-land tools per the FreeS/WAN documentation (typically a make install will suffice).

FreeS/WAN configuration is controlled by two configuration files: /etc/ipsec.conf and /etc/ipsec.secrets. The examples given in this hack are very limited in scope and apply only to a wireless network. The manpages for both files are quite informative and useful for more complicated connection requirements. Another excellent resource for more information is the book Building Linux Virtual Private Networks (VPNs), by Oleg Kolesnikov and Brian Hatch (New Riders).

The ipsec.conf file breaks a VPN connection into right- and lefthand segments. This difference is merely a logical division. The lefthand side can be either the internal or external network; this allows the same configuration file to be used for both ends of a VPN network-to-network tunnel. Unfortunately, in our case, there will be differences between the client and gateway configurations.

The file is broken up into a configuration section (config) and a connection section (conn). The config section specifies basic parameters for Ipsec, such as available interfaces and specific directives to be passed to pluto. The conn section describes the various connections that are available to the VPN. There is a global conn section (conn %default) where you can specify values that are common to all connections, such as the lifetime of a key and the method of key exchange.

The following ipsec.conf encrypts all information to the Internet with a VPN endpoint on your gateway:

# /etc/ipsec.conf # Set configuration options config setup      interfaces=%defaultroute      # Debug parameters.  Set either to "all" for more info      klipsdebug=none      plutodebug=none      # standard Pluto configuration      plutoload=%search      plutostart=%search      # make sure there are no PMTU Discovery problems      overridemtu=1443 # default configuration settings conn %default      # Be aggressive in rekeying attempts      keyingtries=0      # use IKE      keyexchange=ike      keylife=12h      # use shared secrets      authby=secret # setup the VPN to the Internet conn wireless_connection1      type=tunnel      # left is the client side      left=192.168.0.104      # right is the internet gateway      right=192.168.0.1      rightsubnet=0.0.0.0/0      # automatically start the connection      auto=start

Now add the shared secret to ipsec.secrets:

192.168.0.104 192.168.0.1: PSK "supersecret"

That's it. Once your gateway is configured, try to ping your default gateway. pluto will launch automatically and the connection should come up. If you have a problem reaching the gateway, check the syslog messages on both the client and gateway.

The gateway configuration is largely the same as the client configuration. Given the intelligence of the ipsec.conf file, very few changes need to be made. Since your gateway has more than one Ethernet interface, you should hard-set the IPsec configuration to use the right interface:

# assume internal ethernet interface is eth0 interfaces="ipsec0=eth0"

You will then need to add a connection for each internal client. This can be handled in different ways as your network scales, but the following configuration should work for a reasonable number of clients:

... conn wireless_connection2      type=tunnel      left=192.168.0.105      right=192.168.0.1      rightsubnet=0.0.0.0/0      auto=start conn wireless_connection3      type=tunnel      left=192.168.0.106      right=192.168.0.1      rightsubnet=0.0.0.0/0      auto=start ... Finally, add the shared secrets for all the clients to ipsec.secrets: 192.168.0.105 192.168.0.1: PSK "evenmoresecret" 192.168.0.106 192.168.0.1: PSK "notsosecret"

Clients should now be connecting to the Internet via a VPN tunnel to the gateway. Check the log files or turn up the debug level if the tunnel does not come up.