3 <meta http-equiv=
"Content-Type" content=
"text/html">
4 <title>FreeS/WAN configuration
</title>
6 content=
"Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
9 Written by Claudia Schmeing for the Linux FreeS/WAN project
10 Freely distributable under the GNU General Public License
12 More information at www.freeswan.org
13 Feedback to users@lists.freeswan.org
16 RCS ID: $Id: config.html,v 1.1 2004/03/15 20:35:24 as Exp $
17 Last changed: $Date: 2004/03/15 20:35:24 $
18 Revision number: $Revision: 1.1 $
20 CVS revision numbers do not correspond to FreeS/WAN release numbers.
24 <H1><A NAME=
"config">How to configure FreeS/WAN
</A></H1>
26 <P>This page will teach you how to configure a simple network-to-network
27 link or a Road Warrior connection between two Linux FreeS/WAN boxes.
30 <P>See also these related documents:
</P>
32 <LI>our
<A HREF=
"quickstart.html#quickstart">quickstart
</A> guide
33 to
<A HREF=
"glossary.html#carpediem">opportunistic encryption
</A></LI>
34 <LI>our guide to configuration with
35 <A HREF=
"policygroups.html#policygroups">policy groups
</A></LI>
37 <A HREF=
"adv_config.html#adv_config">advanced configuration
</A>
41 The network-to-network setup allows you to connect two office
42 networks into one Virtual Private Network, while the Road Warrior
43 connection secures a laptop's telecommute to work.
44 Our examples also show the basic procedure on the Linux FreeS/WAN side where
45 another IPsec peer is in play.
</P>
48 Shortcut to
<A HREF=
"#config.netnet">net-to-net
</A>.
<BR>
49 Shortcut to
<A HREF=
"#config.rw">Road Warrior
</A>.
54 <P>To configure the network-to-network connection you must have:
</P>
56 <LI>two Linux gateways with static IPs
</LI>
57 <LI>a network behind each gate. Networks must have non-overlapping IP ranges.
</LI>
58 <LI>Linux FreeS/WAN
<A HREF=
"install.html#install">installed
</A>
60 <LI><A HREF=
"http://www.tcpdump.org"><VAR>tcpdump
</VAR></A> on the local gate,
61 to test the connection
</LI>
63 <P>For the Road Warrior you need:
</P>
65 <LI>one Linux box with a static IP
</LI>
66 <LI>a Linux laptop with a dynamic IP
</LI>
67 <LI>Linux FreeS/WAN installed on both
</LI>
68 <LI>for testing,
<VAR>tcpdump
</VAR> on your gateway or laptop
</LI>
71 <P>If both IPs are dynamic, your situation is a bit trickier. Your best bet
72 is a variation on the
<A HREF=
"#config.rw">Road Warrior
</A>, as described
73 in
<A HREF=
"http://lists.freeswan.org/archives/users/2003-October/msg00282.html">this mailing list message
</A>.
75 <H2><A name=
"config.netnet"></A>Net-to-Net connection
</H2>
78 <H3><A name=
"netnet.info.ex">Gather information
</A></H3>
80 <P>For each gateway, compile the following information:
</P>
83 <LI>IP range of the subnet you will be protecting. This doesn't have to
84 be your whole physical subnet.
</LI>
85 <LI>a name by which that gateway can identify itself for IPsec
86 negotiations. Its form is a Fully Qualified Domain Name preceded by
87 an @ sign, ie. @xy.example.com.
88 <BR>It does not need to be within a domain that you own. It can be a made-up
93 <H4>Get your leftrsasigkey
</H4>
94 <P>On your local Linux FreeS/WAN gateway, print your IPsec public key:
</P>
95 <PRE> ipsec showhostkey --left
</PRE>
96 <P>The output should look like this (with the key shortened for easy
98 <PRE> # RSA
2048 bits xy.example.com Fri Apr
26 15:
01:
41 2002
99 leftrsasigkey=
0sAQOnwiBPt...
</PRE>
101 <P>Don't have a key? Use
102 <A HREF=
"manpage.d/ipsec_newhostkey.8.html"><VAR>ipsec newhostkey
</VAR></A>
105 <H4>...and your rightrsasigkey
</H4>
106 <P>Get a console on the remote side:
</P>
107 <PRE> ssh2 ab.example.com
</PRE>
108 <P>In that window, type:
</P>
109 <PRE> ipsec showhostkey --right
</PRE>
110 <P>You'll see something like:
</P>
111 <PRE> # RSA
2192 bits ab.example.com Thu May
16 15:
26:
20 2002
112 rightrsasigkey=
0sAQOqH55O...
</PRE>
114 <H3>Edit
<VAR>/etc/ipsec.conf
</VAR></H3>
116 <P>Back on the local gate, copy our template to
<VAR>/etc/ipsec.conf
</VAR>.
117 (on Mandrake,
<VAR>/etc/freeswan/ipsec.conf
</VAR>).
118 Substitute the information you've gathered for our example data.
</P>
120 left=
192.0.2.2 # Local vitals
121 leftsubnet=
192.0.2.128/
29 #
122 leftid=@xy.example.com #
123 leftrsasigkey=
0s1LgR7/oUM... #
124 leftnexthop=%defaultroute # correct in many situations
125 right=
192.0.2.9 # Remote vitals
126 rightsubnet=
10.0.0.0/
24 #
127 rightid=@ab.example.com #
128 rightrsasigkey=
0sAQOqH55O... #
129 rightnexthop=%defaultroute # correct in many situations
130 auto=add # authorizes but doesn't start this
131 # connection at startup
</PRE>
134 "Left" and
"right" should represent the machines that have FreeS/WAN installed
135 on them, and
"leftsubnet" and
"rightsubnet" machines that are being protected.
136 /
32 is assumed for left/right and left/rightsubnet parameters.
139 <P>Copy
<VAR>conn net-to-net
</VAR> to the remote-side /etc/ipsec.conf.
140 If you've made no other modifications to either
<VAR>ipsec.conf
</VAR>,
142 <PRE> scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf
</PRE>
144 <H3>Start your connection
</H3>
146 <P>Locally, type:
</P>
147 <PRE> ipsec auto --up net-to-net
</PRE>
149 <P>You should see:
</P>
150 <PRE> 104 "net-net" #
223: STATE_MAIN_I1: initiate
151 106 "net-net" #
223: STATE_MAIN_I2: sent MI2, expecting MR2
152 108 "net-net" #
223: STATE_MAIN_I3: sent MI3, expecting MR3
153 004 "net-net" #
223: STATE_MAIN_I4: ISAKMP SA established
154 112 "net-net" #
224: STATE_QUICK_I1: initiate
155 004 "net-net" #
224: STATE_QUICK_I2: sent QI2, IPsec SA established
</PRE>
157 <P>The important thing is
<VAR>IPsec SA established
</VAR>. If you're
158 unsuccessful, see our
159 <A HREF=
"trouble.html#trouble">troubleshooting tips
</A>.
</P>
162 <H3>Do not MASQ or NAT packets to be tunneled
</H3>
164 <P>If you are using
<A HREF=
"glossary.html#masq">IP masquerade
</A> or
165 <A HREF=
"glossary.html#NAT.gloss">Network Address Translation (NAT)
</A>
167 you must now exempt the packets you wish to tunnel from this treatment.
168 For example, if you have a rule like:
</P>
170 <PRE>iptables -t nat -A POSTROUTING -o eth0 -s
10.0.0.0/
24 -j MASQUERADE
173 <P>change it to something like:
</P>
174 <PRE>iptables -t nat -A POSTROUTING -o eth0 -s
10.0.0.0/
24 -d \!
192.0.2.128/
29 -j MASQUERADE
</PRE>
176 <P>This may be necessary on both gateways.
</P>
179 <H3>Test your connection
</H3>
181 <P>Sit at one of your local subnet nodes (not the gateway), and ping a subnet
182 node on the other (again, not the gateway).
</P>
184 <PRE> ping fileserver.toledo.example.com
</PRE>
186 <P>While still pinging, go to the local gateway and snoop your outgoing
187 interface, for example:
</P>
188 <PRE> tcpdump -i ppp0
</PRE>
189 <P>You want to see ESP (Encapsulating Security Payload) packets moving
190 <B>back and forth
</B> between the two gateways at the same frequency as
192 <PRE> 19:
16:
32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=
0x3be6c4dc,seq=
0x3)
193 19:
16:
32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=
0x5fdd1cf8,seq=
0x6)
</PRE>
195 <P>If you see this, congratulations are in order! You have a tunnel which
196 will protect any IP data from one subnet
197 to the other, as it passes between the two gates.
198 If not, go and
<A HREF=
"trouble.html#trouble">troubleshoot
</A>.
</P>
200 <P>Note: your new tunnel protects only net-net traffic, not
201 gateway-gateway, or gateway-subnet. If you need this (for example, if
202 machines on one net need to securely contact a fileserver on the
203 IPsec gateway), you'll need to create
204 <A HREF=
"adv_config.html#adv_config">extra connections
</A>.
</P>
207 <H3>Finishing touches
</H3>
209 <P>Now that your connection works, name it something sensible, like:
</P>
210 <PRE>conn winstonnet-toledonet
</PRE>
211 <P>To have the tunnel come up on-boot, replace
</P>
214 <PRE> auto=start
</PRE>
215 <P>Copy these changes to the other side, for example:
</P>
216 <PRE> scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf
</PRE>
221 <H2><A name=
"config.rw"></A>Road Warrior Configuration
</H2>
223 <H3><A name=
"rw.info.ex">Gather information
</A></H3>
225 <P>You'll need to know:
</P>
227 <LI>the gateway's static IP
</LI>
228 <LI>the IP range of the subnet behind that gateway
</LI>
229 <LI>a name by which each side can identify itself for IPsec
230 negotiations. Its form is a Fully Qualified Domain Name preceded by
231 an @ sign, ie. @road.example.com.
232 <BR>It does not need to be within a domain that you own. It can be a made-up
236 <H4>Get your leftrsasigkey...
</H4>
237 <P>On your laptop, print your IPsec public key:
</P>
238 <PRE> ipsec showhostkey --left
</PRE>
239 <P>The output should look like this (with the key shortened for easy
241 <PRE> # RSA
2192 bits road.example.com Sun Jun
9 02:
45:
02 2002
242 leftrsasigkey=
0sAQPIPN9uI...
</PRE>
244 <P>Don't have a key? See
245 <A HREF=
"old_config.html#genrsakey">these instructions
</A>.
248 <H4>...and your rightrsasigkey
</H4>
249 <P>Get a console on the gateway:
</P>
250 <PRE> ssh2 xy.example.com
</PRE>
251 <P>View the gateway's public key with:
</P>
252 <PRE> ipsec showhostkey --right
</PRE>
253 <P>This will yield something like
</P>
254 <PRE> # RSA
2048 bits xy.example.com Fri Apr
26 15:
01:
41 2002
255 rightrsasigkey=
0sAQOnwiBPt...
</PRE>
258 <H3>Customize
<VAR>/etc/ipsec.conf
</VAR></H3>
260 <P>On your laptop, copy this template to
<VAR>/etc/ipsec.conf
</VAR>.
261 (on Mandrake,
<VAR>/etc/freeswan/ipsec.conf
</VAR>).
262 Substitute the information you've gathered for our example data.
</P>
264 left=%defaultroute # Picks up our dynamic IP
265 leftnexthop=%defaultroute #
266 leftid=@road.example.com # Local information
267 leftrsasigkey=
0sAQPIPN9uI... #
268 right=
192.0.2.10 # Remote information
269 rightsubnet=
10.0.0.0/
24 #
270 rightid=@xy.example.com #
271 rightrsasigkey=
0sAQOnwiBPt... #
272 auto=add # authorizes but doesn't start this
273 # connection at startup
</PRE>
275 <P>The template for the gateway is different. Notice how it
276 reverses
<VAR>left
</VAR> and
<VAR>right
</VAR>, in keeping with our
277 convention that
<STRONG>L
</STRONG>eft is
<STRONG>L
</STRONG>ocal,
278 <STRONG>R
</STRONG>ight
<STRONG>R
</STRONG>emote. Be sure to switch your
279 rsasigkeys in keeping with this.
</P>
281 <PRE> ssh2 xy.example.com
282 vi /etc/ipsec.conf
</PRE>
287 left=
192.0.2.2 # Gateway's information
288 leftid=@xy.example.com #
289 leftsubnet=
192.0.2.128/
29 #
290 leftrsasigkey=
0sAQOnwiBPt... #
291 rightnexthop=%defaultroute # correct in many situations
292 right=%any # Wildcard: we don't know the laptop's IP
293 rightid=@road.example.com #
294 rightrsasigkey=
0sAQPIPN9uI... #
295 auto=add # authorizes but doesn't start this
296 # connection at startup
</PRE>
300 <H3>Start your connection
</H3>
302 <P>You must start the connection from the Road Warrior side. On your laptop,
304 <PRE> ipsec auto --start net-to-net
</PRE>
306 <P>You should see:
</P>
307 <PRE>104 "net-net" #
223: STATE_MAIN_I1: initiate
308 106 "road" #
301: STATE_MAIN_I2: sent MI2, expecting MR2
309 108 "road" #
301: STATE_MAIN_I3: sent MI3, expecting MR3
310 004 "road" #
301: STATE_MAIN_I4: ISAKMP SA established
311 112 "road" #
302: STATE_QUICK_I1: initiate
312 004 "road" #
302: STATE_QUICK_I2: sent QI2, IPsec SA established
</PRE>
314 <P>Look for
<VAR>IPsec SA established
</VAR>. If you're
315 unsuccessful, see our
316 <A HREF=
"trouble.html#trouble">troubleshooting tips
</A>.
</P>
320 <H3>Do not MASQ or NAT packets to be tunneled
</H3>
322 <P>If you are using
<A HREF=
"glossary.html#masq">IP masquerade
</A> or
323 <A HREF=
"glossary.html#NAT.gloss">Network Address Translation (NAT)
</A>
325 you must now exempt the packets you wish to tunnel from this treatment.
326 For example, if you have a rule like:
</P>
328 <PRE>iptables -t nat -A POSTROUTING -o eth0 -s
10.0.0.0/
24 -j MASQUERADE
331 <P>change it to something like:
</P>
332 <PRE>iptables -t nat -A POSTROUTING -o eth0 -s
10.0.0.0/
24 -d \!
192.0.2.128/
29 -j MASQUERADE
</PRE>
335 <H3>Test your connection
</H3>
337 <P>From your laptop, ping a subnet node behind the remote gateway. Do not
338 choose the gateway itself for this test.
</P>
340 <PRE> ping ns.winston.example.com
</PRE>
342 <P>Snoop the packets exiting the laptop, with a command like:
</P>
343 <PRE> tcpdump -i wlan0
</PRE>
344 <P>You have success if you see (Encapsulating Security Payload) packets
345 travelling
<B>in both directions
</B>:
</P>
347 <PRE> 19:
16:
32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=
0x3be6c4dc,seq=
0x3)
348 19:
16:
32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=
0x5fdd1cf8,seq=
0x6)
</PRE>
351 <P>If you do, great! Traffic between your Road Warrior and the net
352 behind your gateway is protected.
354 <A HREF=
"trouble.html#trouble">troubleshooting hints
</A>.
</P>
356 <P>Your new tunnel protects only traffic addressed to the net, not to
357 the IPsec gateway itself. If you need the latter, you'll want to make an
358 <A HREF=
"adv_config.html#adv_config">extra tunnel.
</A>.
</P>
360 <H3>Finishing touches
</H3>
362 <P>On both ends, name your connection wisely, like:
</P>
363 <PRE>conn mike-to-office
</PRE>
364 <P><B>On the laptop only,
</B> replace
</P>
367 <PRE> auto=start
</PRE>
368 <P>so that you'll be connected on-boot.
</P>
369 <P>Happy telecommuting!
</P>
371 <H3>Multiple Road Warriors
</H3>
373 <P>If you're using RSA keys, as we did in this example, you can add
374 as many Road Warriors as you like. The left/rightid
375 parameter lets Linux FreeS/WAN distinguish between multiple Road Warrior
376 peers, each with its own public key.
</P>
378 <P>The situation is different for shared secrets (PSK). During a
379 PSK negotiation, ID information is not available at the time Pluto
380 is trying to determine which secret to use, so, effectively, you can
381 only define one Roadwarrior connection. All your PSK road warriors
382 must therefore share one secret.
</P>
387 <P>Using the principles illustrated here, you can try variations such as:
389 <LI>a telecommuter with a static IP
</LI>
390 <LI>a road warrior with a subnet behind it
</LI>
392 <P>Or, look at some of our
<A HREF=
"adv_config.html#adv_config">more complex configuration examples.
</A>.
</P>