Last modified: August 11, 2006, at 03:57 PM

Interoperating: Watchguard Firebox

WatchGuard's HOWTO (PSK)
Ronald C. Riviera's Settings (PSK)
Walter Wickersham's Notes (PSK)
Max Enders' Configs (Manual)

Old known issue with auto keying
Tips on key generation and format (Manual)

----SNIP---- RESCUED from archive.org -- Didn't someone copy over the list archives to the new project site?
From: lsalerts@watchguard.com
To: tnowaczyk@hycite.com
Subject: LiveSecurity | Editorial: Telecommuting without Windows -- FreeS/WAN
Date: 31 May 2002 14:38:08 -0700

---------------------------------------------------------------
For an easier-to-read HTML version of this article with live links, go to:
https://www3.watchguard.com/archive/showhtml.asp?pack=135105
---------------------------------------------------------------


EDITORIAL


TELECOMMUTING WITHOUT WINDOWS: FreeS/WAN


by Corey Nachreiner, Network Security Analyst, WatchGuard
Technologies, Inc <http://www.watchguard.com/products/service.asp>


[Editor's note: Though most LiveSecurity subscribers run Windows-
based networks, a significant minority of our customers prefer Linux
or Unix. Though WatchGuard claims neutrality in the everlasting
"Windows vs. *nix" debate, we realize some industry watchdogs call
for network administrators to abandon Windows. This week's article
and last week's ("Telecommuting without Windows: SSH," found at
<https://www3.watchguard.com/archive/showhtml.asp?pack=135101>) are
intended not only for our *nix users, but also for Windows users who
need to know about alternatives available for certain network
functions in case of a corporate mandate to reduce Windows use.
                                                    -- Scott Pinzon]


DO YOU HAVE AN UBER-GEEK Linux user in your organization who
constantly hounds you for IPSec VPN access to the Firebox? Maybe
you're that Linux geek, and you cringe at the idea of installing
Windows at home just so you can use the WatchGuard MUVPN client.
If so, you can now bask in the glow of FreeS/WAN-to-WatchGuard
interoperability.

In my previous article, I showed how Linux users with dynamic IP
addresses could use SSH to telecommute through a Firebox. However,
if your Linux users have the benefit of static IP addresses, they're
better served using FreeS/WAN to create an all-purpose tunnel. This
article describes how to configure FreeS/WAN in order to make an
IPSec tunnel to your Firebox.


WHAT IS FreeS/WAN?

FreeS/WAN, which stands for Free Secure Wide Area Network, is a free
Linux IPSec implementation. Theoretically, with FreeS/WAN users can
build VPN tunnels to any device that supports the IPSec standard. In
reality, sometimes implementation differences can make
interoperability between FreeS/WAN and other devices difficult.


DOWNLOADING AND INSTALLING FreeS/WAN

The FreeS/WAN site's download page <http://www.freeswan.org/download.html>
gives directions and locations for downloading FreeS/WAN. You might
also check with your Linux distribution as it may include an easy-
to-install RPM <http://www.tldp.org/HOWTO/RPM-HOWTO/index.html#INTRO>
for FreeS/WAN.

If you do a Google <http://www.google.com/> search on "Installing
FreeS/WAN," you'll find many resources that walk you through
FreeS/WAN installation, including the install section
<http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/install.html>
of the FreeS/WAN documentation. Since there are plenty of resources
on the Web describing how to install and use FreeS/WAN, I'll focus
specifically on setting up FreeS/WAN to interoperate with the
Firebox.


FreeS/WAN-TO-FIREBOX INTEROPERABILITY REQUIREMENTS

For IPSec interoperability between FreeS/WAN and a Firebox to
succeed, you need two things:

* A static public IP address for your Linux FreeS/WAN server.
  You might want to create an IPSec tunnel from a dynamically
  addressed Linux server, but the Firebox requires Aggressive Mode
  negotiation <http://www.networkcomputing.com/922/922ws2side1.html>
  to create tunnels to dynamic IPs, and the creators of FreeS/WAN
  decided not to support Aggressive Mode. The FreeS/WAN server must
  therefore use a static IP address for the IPSec tunnel to succeed.

* WatchGuard Firebox Software v5.0 or higher. Older versions
  of WFS do not support some features that FreeS/WAN needs to create
  an IPSec tunnel using dynamic keying (ISAKMP, defined at
  <http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=isakmp>). If
  you do not have the v5.0 software, you can still interoperate with
  FreeS/WAN but you have to create a manually keyed tunnel (as
  described on FreeS/WAN's Web page
  <http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html#watchguard>).


CONFIGURING A TUNNEL BETWEEN FreeS/WAN AND THE FIREBOX

To best illustrate how to set up an IPSec tunnel between FreeS/WAN
and a Firebox, let's use a real-world example. Imagine creating a
tunnel for the following network:

[To see this diagram, log in with your WatchGuard user name and
password at https://www3.watchguard.com/archive/images/ED_Fre1.gif]

As the diagram indicates, the Linux server in this example is a dual
NIC server. (The term NIC is defined at
<http://www.webopedia.com/TERM/n/network_interface_card_NIC.html>)
Let's stipulate that it is NATing for the private network on
the second NIC. (The term NAT is defined at
<http://www.webopedia.com/TERM/N/NAT.html>).


-- Firebox configuration

Using the example network above, it's fairly easy to set up the
Firebox side of the IPSec tunnel. Essentially, we can pretend that
the FreeS/WAN side is just another Firebox and set up the IPSec
tunnel as we normally would. Here's what you would do:

* Open the Firebox configuration in Policy Manager.

* Go to Network => Branch Office VPN => Manual IPSec...

* Click on the Gateways button and then click the Add button
  in the new window.

* Enter any name for the gateway name. "LinuxGateway" would
  work fine (however, note that it's all one word; this field does
  not accept spaces).

* Make sure you choose isakmp for Key Negotiation Type and IP
  Address for Remote ID Type.

* The Gateway IP Address should be the public IP of the Linux
  server we are creating a tunnel to. In this example, it would be
  24.10.25.204.

* The Shared Key is the secret used to start the IPSec tunnel.
  Both sides' secrets must match. For security's sake, it's
  recommended that you use a long alphanumeric string for the secret
  so that it's hard to guess. However, for simplicity, I'll use
  "secret" in this example.

* Click OK twice to save the gateway settings.

* Now click on the Tunnels button, then the Add button.

* Choose the gateway you made a second ago and press OK.

* Enter a name for the tunnel, such as "LinuxTunnel." (Any
  name will do.)

* You can click on Phase 2 Settings if you would like to
  adjust the security parameters for your IPSec tunnel. The Firebox
  defaults to the strongest security settings for the tunnel (SHA,
  3DES). I left these settings alone in my example. Whatever you
  pick, FreeS/WAN won't have a problem matching it.

* Click OK twice to save the tunnel settings.

* Finally, we are ready to create a policy for our IPSec
  tunnel. In this case, we want the Firebox's Trusted network to go
  through the tunnel when accessing the Linux Server's private
  network. Click on the Add button in the IPSec Configuration
  window.

* In our example, the IPSec tunnel is between two networks, so
  choose Network in both the Local field and the Remote field.

* For Local network, enter the network on the trusted side of
  the Firebox (in this case, 192.168.0.0/24). For Remote network,
  enter the private network behind the Linux server (in this case,
  10.0.0.0/24).

* In the Disposition field, choose secure. The Tunnel field
  should specify the tunnel you made a second ago.

* Press OK twice and you're finished with the Firebox IPSec
  configuration. Save this configuration file to your Firebox so you
  can start on the FreeS/WAN configuration.


-- FreeS/WAN configuration

FreeS/WAN uses two files to configure IPSec tunnels, ipsec.conf and
ipsec.secrets. In my install, these files were both found under
/etc/freeswan/ but their locations may differ, depending upon how
you installed FreeS/WAN. Once you find them, edit them with any
text editor. Let's start with ipsec.secrets.

The ipsec.secrets file contains the key, or secret information, used
to start an IPSec tunnel. Of the many methods available to key an
IPSec tunnel, the Firebox uses the pre-shared key or secret method.
Open the ipsec.secrets file in any text editor. This file may be
pre-populated with an RSA public key. This is another method used to
key IPSec tunnels. We don't need this information for our Firebox's
tunnel, so you can delete the RSA keys if you like. (Leaving them
doesn't hurt, either.) What we really need is to add to this file
the pre-shared key we entered when we configured the Firebox's IPSec
gateway. Here is the syntax for adding a pre-shared key to
FreeS/WAN's ipsec.secrets file:

[Local IPSec gateway IP] [Remote IPSec gateway IP] : PSK "the_preshared_key"

Given the above, here is what you would enter for our example
network:

24.10.25.204 208.144.22.2 : PSK "secret"

Save this change to the ipsec.secrets file and you are ready to move
on to the ipsec.conf file.

The ipsec.conf file contains all the configuration information for
your IPSec tunnels. Rather than detailing the syntax of an
ipsec.conf file, I'll include the file you would use for our example
with some inline comments describing the settings. (If you are
interested in the syntax details for ipsec.conf, see the man page
<http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/manpage.d/ipsec.conf.5.html>.)
Here is the ipsec.conf file for our example network. Lines beginning
with # are comments, which ipsec.conf ignores, so the file can be
used as-is:

config setup
   # The physical interface carrying the Linux server's gateway IP.
   # FreeS/WAN expects a virtual=physical pair here, not a bare
   # device name
   interfaces="ipsec0=eth0"
   # FreeS/WAN needs these to negotiate ISAKMP tunnels: %search loads
   # every conn marked auto=add or auto=start and starts those marked
   # auto=start (note the leading %)
   plutoload=%search
   plutostart=%search

conn Firebox
   # This is the connection information for the Firebox tunnel. You
   # can give the tunnel any name by replacing "Firebox" with
   # whatever you want
   # Keep retrying the negotiation; 0 means never give up
   keyingtries=0
   # Use pre-shared keys (from ipsec.secrets) to negotiate the tunnel
   authby=secret
   # The Firebox's External IP address
   left=208.144.22.2
   # The Firebox router's IP address
   leftnexthop=208.144.22.1
   # The Firebox's Trusted network
   leftsubnet=192.168.0.0/24
   # The Linux Server's Public IP address
   right=24.10.25.204
   # The Linux Server's router's IP address
   rightnexthop=24.10.25.1
   # The private network behind the Linux Server
   rightsubnet=10.0.0.0/24
   # Load the conn at startup; "ipsec auto --up" brings it up
   auto=add


Once you've set up the ipsec.conf file, save it and restart
FreeS/WAN's IPSec service. Here's the command I used to restart
ipsec:

/etc/rc.d/init.d/ipsec restart

To bring up the tunnel, make sure the Firebox is up and running with
the configuration changes you made before, then run this command on
your Linux server:

ipsec auto --up Firebox

The "Firebox" in this command is the name you used for the
connection information in your ipsec.conf file. After entering this
command, your new IPSec tunnel should come up.


YOU'VE GOT FreeS/WAN IPSEC!

If you replace all the IP addresses and networks in the example with
your real Firebox and Linux Server's information, the steps above
should produce a working IPSec tunnel between FreeS/WAN and your
Firebox. Now that you know how it interoperates with the Firebox,
the next time your uber-geek Linux user hassles you for a
telecommuting solution, you have the information you need to provide
Linux telecommuting bliss. ##

------------------------------------------------------
Copyright 2002 WatchGuard Technologies, Incorporated. All
Rights Reserved. WatchGuard, LiveSecurity, Firebox and
ServerLock are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or
other countries. All other trademarks are the property of
their respective owners.

You may not modify, reproduce, republish, post, transmit
or distribute this content except as expressly permitted
in writing by WatchGuard Technologies, Inc.
----SNIP----