PGPnet to FreeS/WAN connectivity through a Linksys* router HOWTO:
1. Disclaimer
2. Preface
3. Requirements
4. Network Diagram
5. Configuring the Linksys* Router
6. Configuring Windows
7. Making and Importing the Certificates
8. Configuring FreeS/WAN
9. Configuring PGPnet
10. Tricky things I noted
11. About the Author
1. Disclaimer
This document is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
2. Preface
The goal of this document is to explain how to connect a PGPnet client to a Linux FreeS/WAN gateway and the subnet behind it through a Linksys* EtherFast Cable/DSL Router with x509 certificates for authentication.
3. Requirements
- A Linksys* router (the author used the BEFSR41 model) with firmware >= 1.36.
- FreeS/WAN (http://www.freeswan.org) compiled and installed with the x509 patch for pluto AND _confread (http://www.strongsec.com/freeswan).
- The full version of PGPnet, which supports gateways (http://www.nai.com).
4. Network Diagram
 _________________       ___________________________
| PGPnet Box      |     | Linksys* Router           |
| 192.168.1.101   |=====|192.168.1.1 xxx.xxx.xxx.xxx|==> The Internet
 -----------------       ---------------------------

                        ____________________________     _________________
                       | FreeS/WAN Gateway          |   | Internal Subnet |
      The Internet <==|yyy.yyy.yyy.yyy 192.168.0.1 |===| 192.168.0.0     |
                        ----------------------------     -----------------
5. Configuring the Linksys* Router
To configure the Linksys* router follow these steps:
1. Fire up your favorite web browser and go to http://192.168.1.1
2. Set up your WAN networking parameters, whether they are DHCP assigned or given to you by your cable company.
3. CLICK APPLY BEFORE YOU CHANGE TABS! (settings don't stay put when you change tabs)
4. Click on the DHCP tab and click "Enable DHCP".
5. Enter 192.168.1.110 for Starting IP Address.
6. Make sure the Number of DHCP Users is greater than the number of people you expect to use DHCP, but less than 145.
7. Don't forget to hit apply.
8. Click the advanced tab.
9. Make sure IPSec passthru is enabled (if you change this be sure to hit apply again; also, if you don't have IPSec passthru you have to upgrade your firmware).
10. Don't forget to hit apply.
With this configuration, the router will only assign IP addresses starting at 192.168.1.110 and up. In this way, the one machine that wants to connect to the FreeS/WAN gateway can have a static IP below 192.168.1.110, and the rest of the machines that don't need to connect to the FreeS/WAN gateway have dynamically assigned addresses and configuration options.
6. Configuring Windows
To configure the Windows machine follow these steps:
1. Install PGP Personal Privacy and make sure you select PGPnet when it asks you what components you want to install.
2. When it asks you to select an adapter, select the ethernet adapter you have connected to the Linksys* router.
3. After the install it will ask if you want to reboot your machine, do it.
4. When the machine starts up, right click on Network Neighborhood and go to Properties.
5. Make sure that you have:
       TCP/IP->[PGPnet Virtual Private Networking driver]
       PGPnet Virtual Private Networking driver->[Ethernet Adapter]
6. Make sure you DON'T have:
       TCP/IP->[Ethernet Adapter]
   If you do, delete it.
7. Highlight TCP/IP->[PGPnet Virtual Private Networking driver] and click on Properties.
8. Under the IP Address tab, click specify IP address and enter the following:
       IP Address: 192.168.1.101
       Subnet Mask: 255.255.255.0
9. Under the Gateway tab, type 192.168.1.1 under New Gateway and click add.
10. Under the DNS Configuration click Enable DNS, and enter your DNS servers and host name.
11. Finally click OK to get out of the Properties section.
12. Click OK to get out of the Networking section, and you'll have to restart your machine.
7. Making and Importing Certificates
Here is how to make x509 certificates in Linux with openssl for import into PGPnet and FreeS/WAN. NOTE: I am VERY new at doing this, please tell me if I'm doing it wrong.
1. Make sure the openssl command can be found in your path.
2. Enter the /etc/ipsec.d directory.
3. Create the PGPnet certificate:
   1. /usr/local/ssl/misc/CA.sh -newcert
   2. That will generate a public and private key in the file newcert.pem
   3. openssl pkcs12 -export -in newcert.pem -out newcert.p12
   4. That will put the private and public key into pkcs12 format for import into PGPnet.
   5. Now rename newcert.pem and newcert.p12 to pgpnet.pem and pgpnet.p12 respectively.
4. Now do the same for the FreeS/WAN certificate, but don't make a pkcs12 version of it; instead move the pem file to freeswan.pem and copy just the public key part of it (you can edit it just like any other file) to freeswan-pub.pem.
5. Now stick pgpnet.p12 and freeswan-pub.pem on a floppy and sneaker net (walk) them on over to the PGPnet machine.
6. On the PGPnet machine:
   1. Go to Start->Programs->PGP->PGPKeys
   2. Type Control-M to import (or go to keys->import)
   3. Type a:\pgpnet.p12 and click open
   4. Select the RSA key pair and click import.
   5. Now do the same for the freeswan-pub.pem file.
7. On the Linux machine:
   1. Type /usr/local/lib/ipsec/fswcert -k /etc/ipsec.d/freeswan.pem >> /etc/ipsec.secrets
   2. Now edit ipsec.secrets and delete the old key data, but leave the beginning header and put an indented brace at the end, so it looks like:

          : RSA {
              Modulus: 0x...
              PublicExponent: 0x...
              PrivateExponent: 0x...
              Prime1: 0x...
              Prime2: 0x...
              Exponent1: 0x...
              Exponent2: 0x...
              Coefficient: 0x...
              }

      Note: Make sure that ending brace is INDENTED.
   3. Type openssl x509 -in freeswan.pem -outform DER -out ../x509cert.der
8. Now burn the disk you used to transport the keys.
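As an added example (not part of the original HOWTO), the following shell script reproduces the section 7 certificate steps with direct openssl commands instead of CA.sh and then checks that the exported pieces belong together, which is the usual failure when a .p12 and a -pub.pem get mixed up between two keypairs. The working directory, the export password and the certificate subjects are assumptions; the file names follow the HOWTO.

```shell
#!/bin/sh
# Added example, not from the HOWTO: builds the pgpnet / freeswan files
# of section 7 and verifies them. Subjects, directory and password are
# made up for the example.
set -e

# make_pair NAME DIR -> DIR/NAME.pem (private key + self-signed cert in one
# file, like CA.sh -newcert) and DIR/NAME-pub.pem (certificate only).
make_pair() {
    name="$1"; dir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name.example.test" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
    rm "$dir/$name.key" "$dir/$name.crt"
    # "just the public key part": openssl x509 copies only the certificate
    openssl x509 -in "$dir/$name.pem" -out "$dir/$name-pub.pem"
}

# export_pkcs12 NAME DIR PASSWORD -> DIR/NAME.p12 for import into PGPnet.
# With no -inkey, openssl takes the private key from the -in file.
export_pkcs12() {
    openssl pkcs12 -export -in "$2/$1.pem" -out "$2/$1.p12" \
        -passout "pass:$3"
}

# to_der NAME DIR -> DIR/x509cert.der, the DER form the HOWTO hands to pluto
to_der() {
    openssl x509 -in "$2/$1.pem" -outform DER -out "$2/x509cert.der"
}

# check_pair NAME DIR -> "ok" when the private key in NAME.pem and the
# certificate in NAME-pub.pem share one RSA modulus, else "mismatch"
check_pair() {
    kmod=$(openssl rsa -in "$2/$1.pem" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$2/$1-pub.pem" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] && echo ok || echo mismatch
}

# check_p12 NAME DIR PASSWORD -> "ok" if the bundle opens with that password
check_p12() {
    openssl pkcs12 -in "$2/$1.p12" -passin "pass:$3" -nokeys -noout \
        2>/dev/null && echo ok || echo bad
}
```

Run check_pair on each name before copying anything to the floppy; a "mismatch" means the -pub.pem was taken from the wrong combined file.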
8. Configuring FreeS/WAN
To configure FreeS/WAN there are two conn structures you need to make:
    conn ConnectToGateway
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.1.101/32
        leftcert=pgpcert.pem
        right=yyy.yyy.yyy.yyy
        rightsubnet=yyy.yyy.yyy.yyy/32
        rightcert=freeswancert.pem
        pfs=no
        authby=rsasig
        auto=add

    conn ConnectToSubnet
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.1.101/32
        leftcert=pgpcert.pem
        right=yyy.yyy.yyy.yyy
        rightsubnet=192.168.0.0/24
        rightcert=freeswancert.pem
        pfs=no
        authby=rsasig
        auto=add
Now restart FreeS/WAN by typing /etc/init.d/ipsec restart or /etc/rc.d/init.d/ipsec restart, depending on your Linux distribution.
9. Configuring PGPnet
To configure PGPnet follow these steps:
1. Go to view/options.
2. Under general hit expert mode.
3. Under authentication/x509 certificate click select certificate.
4. Highlight the pgpcert and hit OK.
5. Under advanced, have TripleDES for Ciphers, MD5 for hashes, 1024 for Diffie Hellman, and nothing for compression. Under proposals remove all except for:
       IKE:   RSA Sig - MD5 - TripleDES - 1024
       IPSEC: None - MD5,TripleDES - None
   Also set Perfect forward secrecy to none.
6. Under hosts click add.
7. Pick a descriptive name for the gateway.
8. Enter yyy.yyy.yyy.yyy for its IP address.
9. Select secure gateway.
10. For remote authentication click x509 auth and select the freeswancert.
11. Click OK.
12. Click on the gateway, and click add.
13. Say yes when it asks you if you want to add it under the gateway.
14. Enter a descriptive name for the subnet.
15. Select insecure subnet.
16. Put in its IP and subnet mask, in our case 192.168.0.0/255.255.255.0.
17. Click OK.
18. Click on the subnet and click connect.
10. Tricky things I noted
PGPnet when connecting to the FreeS/WAN server needs to have the right subnet specified as xxx.xxx.xxx.xxx/32, meaning just that address.
You can't use DHCP on the windows machine that will connect to the freeswan gateway, because you need to specify the left subnet as 192.168.1.101/32 (or any other static IP that the windows machine is using), meaning just that address.
I had all kinds of issues with using an IP address for identification with a preshared key, so I just started using x509 certificates.
Make sure you put your public/private key pair in the x509 certificates box under the options menu, and the public key for the server in the x509 certificates box for the server connection.
You won't be able to ping the 192.168.1.101 client from the FreeS/WAN server over the ipsec tunnel until the client has pinged you, and even then I'm pretty sure your ability to ping it will time out after a period of inactivity. Basically this has to do with the fact that the router doesn't allow incoming traffic unless it initiated a connection. Since ICMP is connectionless, it lets all ICMP traffic from a host in for a while after it sends out some ICMP traffic from its internal subnet to that host.
For some reason I couldn't update the firmware on the router. The tftp program would never connect, and the routers diagnostic light would start blinking and never stop. I lost two routers trying this, so eventually I just gave up and stuck with firmware 1.36.
I found that if I had TCP/IP->[Ethernet Adapter] in the networking section for windows I would get an Invalid Message ID error from PGPnet. The only thing you should have in that section is TCP/IP->PGPnet Virtual Private Networking Driver.
11. About the Author
Comments or questions, you can email me at ryan@intphsys.com.