Advanced Linux Networking
Configuring a Linux FreeS /WAN Server
FreeS/WAN is a more Linux-centric VPN solution than is PPTP, but considered broadly, both serve a similar function: linking two or more computers or networks in a secure way over an insecure network, such as the Internet. As with PPTP, the first step in running a FreeS/WAN VPN is obtaining and installing the software. You can then begin configuring the system and establishing a link between FreeS/WAN systems. FreeS/WAN is actually a very sophisticated package, with more options than can be covered in this chapter. For more information, consult the FreeS/WAN documentation, and particularly the configuration manual, http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html. Obtaining and Installing FreeS/WAN
In early 2002, few Linux distributions ship with FreeS/WAN, but there are exceptions. Most notably, SuSE comes with the package, and a Mandrake package is also readily available. You should check your distribution to be sure it doesn't come with FreeS/WAN before obtaining it from the main FreeS/WAN Web site, http://www.freeswan.org. This site (or more precisely, the FTP site to which it links, ftp://ftp.xs4all.nl/pub/crypto/freeswan/) holds the software in source code form. FreeS/WAN requires explicit kernel support that's not standard in the Linux kernel, so to use it, you must recompile your kernel, as described shortly. If you install a FreeS/WAN package that came with your distribution, chances are these kernel changes are part of the kernel that came with the distribution, so your configuration task is simpler. The rest of this section assumes you're installing FreeS/WAN using its source code. If you compile FreeS/WAN from source code, you must have several components installed on your system:
To make and install the FreeS/WAN package, follow these steps:
At this point, your system should be working with a kernel that's capable of supporting FreeS/WAN. As part of the process, FreeS/WAN should have created a file called /etc/ipsec.secrets , which contains encryption keys. You'll need to deal with this file later, so for now you should check that it exists and contains some keys (which resemble hexadecimal gibberish). In order to be useful, you must configure FreeS/WAN on at least two computers, presumably on different networks. The installation process is the same on both. In many cases, both systems will be configured as routers, although you can install FreeS/WAN on a single system that's to connect to a remote network. Editing Configuration Files
FreeS/WAN uses two configuration files: /etc/ipsec.secrets and /etc/ipsec.conf . Each is important and plays a different role. The first contains encryption keys, which the servers use to identify themselves to each other. The second controls general-purpose configuration options. Setting Up Keys
As noted earlier, the FreeS/WAN build process should have created an /etc/ipsec.secrets file that contains encryption keys. If this file isn't present, or if it doesn't contain a key you want to use, you can generate a new key with the following command: # ipsec rsasigkey 128 > /root/rsa.key This command creates a 128-bit key and places it in the /root/rsa.key file. You can generate a key of some other length by specifying the desired length instead of 128 in the preceding example. The output of this command isn't quite what's needed, though. Specifically, you must add the following line to the start of the file: : RSA { Be sure to include the spaces around RSA . You must also add a line containing at least one space followed by a single right curly brace ( } ) to the end of the file. You can then copy the result into the existing /etc/ipsec.secrets file, replacing the current : RSA { block in that file. You should perform this step on both the FreeS/WAN VPN routers.
NOTE
The output of the ipsec rsasigkey command includes a commented-out line that begins #pubkey= . This sets the public key that you must give to other systems with which this system must communicate. You should make note of it now, because you'll need to enter it into the /etc/ ipsec.conf file of your other systems. Editing the IPSec Settings
Most FreeS/WAN installations create a default /etc/ipsec.conf file. This file isn't terribly useful as is, but it can be used as a good template for configuring your system. The file has three basic types of setup sections: config setup , conn %default and conn remotename . Adjusting Local Options
The config setup section specifies local settings. The default example section resembles the following: config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for \ lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup \ actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes The most important setting in this section is the interfaces line, which tells FreeS/WAN which interfaces to use for VPN connections (that is, where it can find VPN partners ). The default value of %defaultroute tells FreeS/WAN to use your default route, which normally connects to all non local IP addresses. You might want to specify particular interfaces, though. For instance, the following option tells the system to use eth0 and ppp1 : interfaces="ipsec0=eth0 ipsec1=ppp1" The klipsdebug and plutodebug options set the logging options for the Kernel IP Security (KLIPS) kernel features and for the Pluto daemon, which is a part of the FreeS/WAN package that handles key exchange. You can set these to all if you're having problems. Pluto can load connections into memory or start them automatically when FreeS/WAN starts up. The plutoload and plutostart options tell the system with which connections it should do this. The default value works well in most cases, but if you want to specify just some connections, you can name them instead. The drawback to listing individual FreeS/WAN servers is that if one crashes, it may not come back up into the VPN automatically after restarting. Adjusting Default Remote Options
Individual connections are defined through sections that begin with the keyword conn . FreeS/WAN supports a %default connection name for setting default connection options. Options you're likely to see in this section include the following:
In addition to these options, it's possible for various other options described in the next section, "Adjusting System-Specific Remote Options," to appear in a default connection section. If you find yourself entering the same options for several connections, you might move them all to the default configuration to reduce the chance of a typo causing problems and to shorten the configuration file. Adjusting System-Specific Remote Options
Each connection requires some customization, which is done in a conn section. The connection name follows conn , and that connection's options follow on subsequent lines, all of which are indented at least one space. Many of the options in this section relate to network interfaces. To help understand this, consider Figure 26.6. This shows a typical FreeS/WAN network. The configuration is described from the top ("left") VPN router. You must tell FreeS/WAN about various IP addresses used in this configuration. You do so with several options: Figure 26.6. A FreeS/WAN configuration requires you to identify several computer and network addresses involved in creating the VPN.
The labeling of a system or network as left or right is arbitrary. One useful mnemonic may be to give the link a name that includes both ends, such as boscinci for a VPN linking Boston and Cincinnati offices. You can then call the Boston side left and the Cincinnati end right , reflecting their positions in the name. You use the same configuration on both sides of the link; FreeS/WAN figures out which end it is by examining the system's existing network connections. Establishing a Link
The basic procedure for establishing a link between two FreeS/WAN routers is to start the ipsec program as a daemon on one and to use the same program to initiate a connection from the other computer. Once you've tested the connection, it should be started automatically whenever you start the computers and run ipsec on both. It doesn't matter which system you use in daemon mode and which you use to manually start the connection when you do this stage of the testing; unlike PPTP, FreeS/WAN makes little distinction between clients and servers. To start FreeS/WAN in daemon mode, type the following command: # ipsec setup start This starts the server and, depending upon the configuration of the plutoload , plutostart , and auto options described earlier, the system loads a configuration and waits for a connection or tries to initiate a connection. If you configured your systems as described earlier, with auto=add on both ends of the connection, you can start the server on one end and it will wait for a connection request from the other system. This will occur when you type the following command on the system that's not yet running the program: # ipsec auto --up name In this example, name should be the name of a connection link, such as boscinci . The system should attempt to start up that link. You can check to see if it was successful by typing ipsec look . If you receive a set of encryption information and a VPN routing table as output, then the connection was successful. You can also try using normal networking commands, like ping , traceroute , and telnet , to see if you can establish connections with systems on the remote network, and to verify that they're being routed via the VPN. Remember that, if the remote network is publicly accessible from the Internet at large, tools like ping won't verify that the connection is via the VPN. You should use protocols that are blocked from scrutiny by the general public, or from your local public addresses, to test your VPN functionality. Once you've gotten your network up and running, you can change the configuration of auto in /etc/ipsec.conf . If you set this to start on both ends, the startup will be automatic whenever the ipsec setup start command is issued. You can start FreeS/WAN in this way by starting it in a SysV or local startup script, as described in Chapter 4. |