git.ipfire.org Git - people/ms/strongswan.git/blob - doc/user_examples.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="background.html">Previous</A>
<A HREF="makecheck.html">Next</A>
<HR>
<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
This file is intended to hold a collection of user-written example
scripts or configuration files for use with FreeS/WAN.
<P> So far it has only one entry.</P>
<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
<PRE>
From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
Subject: [Users] Using FreeS/WAN
Date: Tue, 16 Oct 2001

Hello.

I have been using FreeS/WAN IPsec for half a year. I learned a lot of things about
it and I think it would be interesting for someone to see the result of my
experiments and usage of FreeS/WAN. If you find a mistake in this
file, please e-mail me. And excuse me for my English... I'm learning.. :)

I'll talk about a very simple configuration:

addresses prefix = 192.168

  lan1         sgw1       .0.0/24 (Internet)      sgw2           lan2
.1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; .2.10 ]---.2.0/24


We need to let lan1 see lan2 across the Internet like it is behind sgw1. The
same for lan2. And we need to do an IPX bridge for Novell clients and NDS
synchronization.

my config:
------------------- ipsec.conf -------------------
# parameter lines must be indented under the "conn" line
conn lan1-lan2
        type=tunnel
        compress=yes
        #------------------- sgw1 (external address) and lan1
        left=192.168.0.1
        leftsubnet=192.168.1.0/24
        #------------------- sgw2 (external address) and lan2
        right=192.168.0.10
        rightsubnet=192.168.2.0/24
        #------------------- ESP, authenticated by a pre-shared key from ipsec.secrets
        auth=esp
        authby=secret
--------------- end of ipsec.conf ----------------

ping .2.x from .1.y (y != 1)
It works?? Fine. Let's continue...

Why y != 1 ?? Because the kernel of sgw1 has 2 IP addresses and it will choose
the first IP (which is used to go to the Internet), .0.1, and the packet won't go
through the IPsec tunnel :( But if you ping .1.1 the kernel will respond from
that address (.1.1) and the packet will be tunneled. The same problem occurs when
.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
sends an ARP request for .1.2... after 3 tries it sends .2.x a destination unreachable,
but from its &quot;natural&quot; IP, .0.1 . So the error message won't be delivered!
It's a big problem...

Resolution... One can manipulate ipsec0 or ipsec0:0 to solve the
problem (if ipsec0 has .1.1 the kernel will send packets correctly), but there
is the powerful and elegant iproute2 :) We simply need to change the source address
of packets that go to the other secure LAN. This is done with

ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1

Cool!! Now it works!!

The second step. We want to install a firewall on sgw1 and sgw2. Encryption of
traffic without security isn't a good idea. I don't use {left|right}firewall,
because I'm running the firewall from init scripts.

We want IPsec data between lan1-lan2, some ICMP errors (destination
unreachable, TTL exceeded, parameter problem and source quench), replying to
pings from both LANs and the Internet, ipxtunnel data for IPX and of course SSH
between sgw1 and sgw2 and from/to one specified host.

I'm using ipchains. With iptables there are some changes.

---------------- rc.firewall ---------------------
#!/bin/sh
#
# Firewall for IPsec lan1-lan2
#
# ipchains notes: in the input chain "-i" is the interface a packet arrives
# on, in the forward and output chains it is the interface the packet leaves
# by; "\! -y" matches TCP packets without SYN, i.e. replies to connections
# opened from the allowed side.

IPC=/sbin/ipchains
ANY=0.0.0.0/0

# left
SGW1_EXT=192.168.0.1
SGW1_INT=192.168.1.1
LAN1=192.168.1.0/24

# right
SGW2_EXT=192.168.0.10
SGW2_INT=192.168.2.10
LAN2=192.168.2.0/24

# SSH from and to this host
SSH_PEER_HOST=_SOME_HOST_

# this is for left. exchange these values for right.
MY_EXT=$SGW1_EXT
MY_INT=$SGW1_INT
PEER_EXT=$SGW2_EXT
PEER_INT=$SGW2_INT
INT_IF=eth1
EXT_IF=eth0
IPSEC_IF=ipsec0
MY_LAN=$LAN1
PEER_LAN=$LAN2

# flush everything and deny by default on all three chains
$IPC -F
$IPC -P input DENY
$IPC -P forward DENY
$IPC -P output DENY

# Loopback traffic
$IPC -A input -i lo -j ACCEPT
$IPC -A output -i lo -j ACCEPT

# for IPsec SGW1-SGW2
## IKE (UDP 500) only between the two gateways' external addresses
$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
## ESP (IP protocol 50) from the peer gateway
$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
## forward LAN1-LAN2: cleartext LAN traffic is only accepted between the
## internal interface and ipsec0, never on $EXT_IF
$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT

# ICMP
# (errors are accepted to/from the address the gateway owns on each interface)
#
## Dest unreachable
### from/to Internet
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Source quench
### from/to Internet
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Parameter problem
### from/to Internet
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Time To Live exceeded
### from/to Internet
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

# ICMP PINGs (requests in, replies out; the gateway never sends requests itself)
## from Internet
$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT
## from LAN
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT
## from Peer LAN
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT

# SSH (new connections only from the listed hosts; "\! -y" lets the replies through)
## from SSH_PEER_HOST
$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
## to SSH_PEER_HOST
$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
## from PEER
$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
## to PEER
$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT

# ipxtunnel (UDP 2005 between the internal addresses, only over the tunnel)
$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT

---------------- end of rc.firewall ----------------------

To understand this we need to look at this scheme:

           ++-----------------------&lt;----------------------------+
           || ipsec0                                             |
           \/                                                    |
eth0   +--------+    /---------/ yes  /---------/ yes  +-----------------------+
------&gt;| INPUT  |--&gt;/ ?local? /-----&gt;/ ?IPsec? /------&gt;| decrypt decapsulate   |
eth1   +--------+  /---------/      /---------/        +-----------------------+
                        || no            || no
                        \/               \/
                   +----------+      +---------+         +-------+
                   | routing  |      |  local  |         | local |
                   | decision |      | deliver |         | send  |
                   +----------+      +---------+         +-------+
                        ||                                   ||
                        \/                                   \/
                   +---------+                         +----------+
                   | forward |                         | routing  |
                   +---------+                         | decision |
                        ||                             +----------+
                        ||                                   ||
                        ++-----------------&lt;-----------------++
                                          ||
                                          \/
                                      +--------+ eth0
                                      | OUTPUT | eth1
                                      +--------+ ipsec0
                                          ||
                                          \/
                                      /---------/ yes  +-----------------------+
                                     / ?IPsec? /------&gt;| encrypt encapsulate   |
                                    /---------/        +-----------------------+
                                         || no                     ||
                                         ||                        ||
                                         ||                        \/ eth0, eth1
                                         ++------------------------++--------------&gt;

This explains how a packet traverses the TCP/IP stack in an IPsec-capable kernel.

FIX ME, please, if there are any errors

Test the new firewall now.


Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel

tipxd didn't send packets.. :(
SIB and ipxtunnel worked fine :)
With ipxtunnel there was a little problem. In the sources there is an error.

--------------------- in main.c ------------------------
&lt; bytes += p.len;
---
&gt; bytes += len;
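Review bot: the hunk carries no hunk header and no context lines, only the one replaced statement, so a reader cannot see where in main.c it sits or which `len` is meant, and patch(1) cannot apply it; post it as `diff -u` output with a few lines of context and say which of `len` and `p.len` holds the byte count actually received from the socket, since that is what the change turns on.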
--------------------------------------------------------

After this FIX everything goes right...

------------------- /etc/ipxtunnel.conf ----------------
port 2005
remote 192.168.2.10 2005
interface eth1
--------------- end of /etc/ipxtunnel.conf -------------

I use the IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
authenticate the encapsulated IPX packets; it is done with IPsec.

If you don't want to use iproute2 to change the source IP you need to use SIB
(it is able to bind a local address) or establish the tunnel between .0.1 and
.0.10 (external IPs; you need to do encryption in the program, but it isn't
strong).

For now I'm using ipxtunnel.

I think that's all for the moment. If there are any errors, please e-mail me:
poltorak@df.ru . It would be cool if someone put the scheme of TCP/IP in the
kernel and the firewall example on FreeS/WAN's manual pages.

PoltoS
</PRE>
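<P>The two operational pieces of the message above, the iproute2 source-address fix and the
gateway firewall, as an added example that is not part of Poltorak's message nor of FreeS/WAN:
a POSIX shell script that prints the route command and parses <CODE>ip route get</CODE> output to
check its effect, and that generates the same policy for iptables (the message only notes that
iptables needs "some changes"). It keeps the page's addresses and interface names (eth0, eth1 and a
KLIPS ipsec0 device). Assumptions not on the page: the SSH peer 192.0.2.50 (an RFC 5737 test
address) stands in for _SOME_HOST_, conntrack state matching replaces the ipchains no-SYN rules,
and two anti-spoofing drops are added for LAN addresses seen in clear on the external interface.</P>

```shell
#!/bin/sh
# Added example; not code from the original message or from FreeS/WAN.
# peer_lan_route / route_src: the iproute2 source-address fix and a check
#   that the kernel now picks the internal address for the peer LAN.
# gen_fw_rules: Poltorak's ipchains policy rewritten for iptables with a
#   KLIPS ipsec0 device, printed rather than applied so it can be reviewed
#   offline ("gen_fw_rules left | sh" applies it on sgw1, "right" on sgw2).
# Assumptions: interface names as on the page; SSH_PEER_HOST is an RFC 5737
# test address standing in for _SOME_HOST_; conntrack state matching replaces
# the ipchains "\! -y" (no-SYN) reply rules.

SGW1_EXT=192.168.0.1;  SGW1_INT=192.168.1.1;  LAN1=192.168.1.0/24
SGW2_EXT=192.168.0.10; SGW2_INT=192.168.2.10; LAN2=192.168.2.0/24
SSH_PEER_HOST=${SSH_PEER_HOST:-192.0.2.50}
EXT_IF=eth0; INT_IF=eth1; IPSEC_IF=ipsec0

# Select the left (sgw1) or right (sgw2) gateway's view of the variables.
load_side() {
    if [ "$1" = right ]; then
        MY_EXT=$SGW2_EXT; MY_INT=$SGW2_INT; MY_LAN=$LAN2
        PEER_EXT=$SGW1_EXT; PEER_INT=$SGW1_INT; PEER_LAN=$LAN1
    else
        MY_EXT=$SGW1_EXT; MY_INT=$SGW1_INT; MY_LAN=$LAN1
        PEER_EXT=$SGW2_EXT; PEER_INT=$SGW2_INT; PEER_LAN=$LAN2
    fi
}

# Print the route that makes the gateway source its own packets to the peer
# LAN from its internal address, so ICMP errors and ping replies get tunneled.
peer_lan_route() {
    load_side "$1"
    echo "ip route replace $PEER_LAN via $PEER_EXT dev $IPSEC_IF src $MY_INT"
}

# Read "ip route get <peer-lan-host>" output on stdin and print the src
# address the kernel selected; prints nothing if the route has no src field.
route_src() {
    sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

rule() { echo "iptables $*"; }

gen_fw_rules() {
    load_side "$1"
    rule -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Anti-spoofing: LAN addresses are never legitimate in clear on $EXT_IF;
    # the peer LAN only ever appears decrypted, on $IPSEC_IF.
    for net in $MY_LAN $PEER_LAN; do
        rule -A INPUT -s $net -i $EXT_IF -j DROP
        rule -A FORWARD -s $net -i $EXT_IF -j DROP
    done
    # Replies to accepted connections (covers the ipchains "\! -y" rules).
    for chain in INPUT OUTPUT FORWARD; do
        rule -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # IKE and ESP between the gateways (no OUTPUT rule for ESP, as on the page).
    rule -A INPUT -p udp -s $PEER_EXT --sport 500 -d $MY_EXT --dport 500 -i $EXT_IF -j ACCEPT
    rule -A OUTPUT -p udp -s $MY_EXT --sport 500 -d $PEER_EXT --dport 500 -o $EXT_IF -j ACCEPT
    rule -A INPUT -p esp -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
    # LAN1 <-> LAN2: FORWARD sees a routed packet once, so the six ipchains
    # input/forward/output rules collapse into two with both interfaces pinned.
    rule -A FORWARD -s $MY_LAN -d $PEER_LAN -i $INT_IF -o $IPSEC_IF -j ACCEPT
    rule -A FORWARD -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -o $INT_IF -j ACCEPT
    # The gateway's own traffic with the peer LAN (relies on the src route).
    rule -A INPUT -s $PEER_LAN -d $MY_INT -i $IPSEC_IF -j ACCEPT
    rule -A OUTPUT -s $MY_INT -d $PEER_LAN -o $IPSEC_IF -j ACCEPT
    # ICMP errors and ping on each interface/address pair, as in rc.firewall.
    for pair in "$EXT_IF $MY_EXT" "$INT_IF $MY_INT" "$IPSEC_IF $MY_INT"; do
        set -- $pair
        for t in destination-unreachable source-quench parameter-problem time-exceeded; do
            rule -A INPUT -p icmp --icmp-type $t -d $2 -i $1 -j ACCEPT
            rule -A OUTPUT -p icmp --icmp-type $t -s $2 -o $1 -j ACCEPT
        done
        rule -A INPUT -p icmp --icmp-type echo-request -d $2 -i $1 -j ACCEPT
        rule -A OUTPUT -p icmp --icmp-type echo-reply -s $2 -o $1 -j ACCEPT
    done
    # SSH with the peer gateway and the one allowed host; only new connections
    # need rules here, the replies match the conntrack rule above.
    for h in $PEER_EXT $SSH_PEER_HOST; do
        rule -A INPUT -p tcp -s $h -d $MY_EXT --dport 22 -i $EXT_IF -m conntrack --ctstate NEW -j ACCEPT
        rule -A OUTPUT -p tcp -s $MY_EXT -d $h --dport 22 -o $EXT_IF -m conntrack --ctstate NEW -j ACCEPT
    done
    # ipxtunnel (UDP 2005) between the internal addresses, over the tunnel only.
    rule -A INPUT -p udp -s $PEER_INT --sport 2005 -d $MY_INT --dport 2005 -i $IPSEC_IF -j ACCEPT
    rule -A OUTPUT -p udp -s $MY_INT --sport 2005 -d $PEER_INT --dport 2005 -o $IPSEC_IF -j ACCEPT
}
```

<P>On sgw1, <CODE>peer_lan_route left | sh</CODE> installs the route and
<CODE>ip route get 192.168.2.5 | route_src</CODE> should then print 192.168.1.1; review
<CODE>gen_fw_rules left</CODE> before piping it to <CODE>sh</CODE>. The anti-spoofing drops assume
KLIPS, where decrypted packets re-enter through ipsec0. On a NETKEY/XFRM kernel there is no ipsec0
device and decrypted packets appear to arrive on eth0, so they would hit those drops: there, match
the tunnel traffic with <CODE>-m policy --dir in --pol ipsec</CODE> (and <CODE>--dir out</CODE> on
the way out) in place of the <CODE>-i ipsec0</CODE> / <CODE>-o ipsec0</CODE> rules, and put that
match ahead of the drops.</P>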
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="background.html">Previous</A>
<A HREF="makecheck.html">Next</A>
</BODY>
</HTML>