
Before you can configure your IPSec setup, there is a little basic terminology to go through. Ready? Excellent!

There are two major types of IPSec configurations. You will need to decide which one you will be using.


Transport

Transport mode signifies host-to-host encryption. This is typically used if you have, for example, a server somewhere you would like to communicate securely with. Only the link between the two hosts is encrypted and there is typically no routing enabled on either machine. This is the mode I was using when writing this page. This is also sometimes known as "Bump in the stack" mode.

Tunnel

Tunnel mode generally signifies net-to-net encryption, and is what is known as a classic VPN. Here, you have two disparate networks wanting to communicate with each other over an insecure medium (normally the internet). Essentially, the two gateways to either network want to encrypt all communications between them, and route any traffic from their local network across that link to the other network. This mode is also normally used for "road warrior" type communications where a single mobile computer (the road warrior) needs to connect to and access a corporate network, again over an insecure medium. This is also sometimes known as "Bump in the wire".


Got all that? Excellent! Now, on to the mystical ways of server authentication.

FreeS/WAN by default supports two types of authentication: Pre-Shared Keys (PSK) or RSA keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution. If the PSK is compromised, the link is also compromised, as it becomes trivial to set up a man-in-the-middle attack. Using RSA keys is much more secure, as the public key can be transferred over the wire without fear.

Note: While almost all IPSec implementations known to man support PSK, very few support RSA. The rest (pay attention, anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this but requires a patch to the code and various other bits that I'm not quite sure how they work. Watch this space!

Next Note: If you want to interoperate with Windows 2000/XP, make sure that

  • a) The PKCS#12 (.p12) certificate which you export with the following command is added to the local machine and not the current user:

openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12

This is the first mistake I made. Otherwise, you'll get something like

auth.log.0:Nov 13 15:26:08 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

  • b) If there are any stateful firewalls in between the road warrior and the internal machine, make sure you allow ESP (protocol 50), with something like

iptables -A INPUT -p esp -j ACCEPT
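
A small triage script for the symptom under (a), added here as an example and not part of the original page or of FreeS/WAN: it parses pluto log lines like the one shown there and counts the "incomplete ISAKMP SA" message per connection and peer. The function names are hypothetical and the sample lines are constructed around the page's log entry.

```python
import re
from collections import Counter

# Pluto syslog layout, as in the log entry above:
#   pluto[<pid>]: "<conn>"[<instance>] <peer> #<state>: <message>
# The [<instance>] <peer> part only appears for road-warrior style instances.
PLUTO_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]:\s+"(?P<conn>[^"]+)"'
    r'(?:\[(?P<instance>\d+)\]\s+(?P<peer>\S+))?'
    r'\s+#(?P<state>\d+):\s+(?P<msg>.*)$'
)
SYMPTOM = "is invalid because it is for incomplete ISAKMP SA"

# Constructed sample input; only the first line's message comes from the page.
SAMPLE = [
    'Nov 13 15:26:08 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: '
    'encrypted Informational Exchange message is invalid because it is for '
    'incomplete ISAKMP SA',
    'Nov 13 15:26:09 peer sshd[911]: Accepted publickey for admin from 192.0.2.7',
    'Nov 13 15:26:18 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: '
    'encrypted Informational Exchange message is invalid because it is for '
    'incomplete ISAKMP SA',
    'Nov 13 15:27:40 peer pluto[21342]: "office-net" #5: ISAKMP SA established',
]

def parse_pluto(line):
    """Return the fields of a pluto log line as a dict, or None for other lines."""
    m = PLUTO_RE.search(line)
    return m.groupdict() if m else None

def find_incomplete_sa(lines):
    """Count the 'incomplete ISAKMP SA' symptom per (connection, peer)."""
    hits = Counter()
    for line in lines:
        rec = parse_pluto(line)
        if rec and SYMPTOM in rec["msg"]:
            hits[(rec["conn"], rec["peer"])] += 1
    return hits

if __name__ == "__main__":
    for (conn, peer), n in find_incomplete_sa(SAMPLE).items():
        print(f"{conn} from {peer}: {n} rejected message(s); "
              "check which Windows certificate store holds the .p12")
```
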

Yet Another Note: Instructions on exporting X.509 certs for use on Windows 2000/XP can be found at http://www.natecarlson.com/linux/ipsec-x509.php, with a wealth of information at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. You'll also want a free utility found at http://vpn.ebootis.de to make the necessary IPSec policy changes to Windows 2000/XP when you want to connect.

For an example PSK setup, head over to IPSecConfigurationPSK.
For an example RSA setup, head over to IPSecConfigurationRSA.