IPSecConfiguration
Annotated edit history of IPSecConfiguration version 12, including all changes (contributors: JeeKay, PerryLorier, MichaelBordignon, JohnMcPherson).
Before you can configure your IPSec setup, there is a little basic terminology to go through. Ready? Excellent!

There are two major modes in which IPSec can run. You will need to decide which one you will be using, because it determines what gets encrypted and whether either host has to route for anyone else.
----
!Transport
Transport mode signifies host-to-host encryption. This is typically used if you have, for example, a server somewhere you would like to communicate securely with. Only the traffic between the two hosts themselves is protected (the original IP header stays in the clear and just the payload is encrypted), and there is typically no routing enabled on either machine. This is the mode I was using when writing this page. You will sometimes see this called "Bump in the stack" mode, but strictly that term describes where IPSec is implemented (as a shim between the IP stack and the network driver), not which mode is in use.

!Tunnel
Tunnel mode generally signifies net-to-net encryption, and is what is known as a classic VPN. Here, you have two separate networks wanting to communicate with each other over an insecure medium (normally the internet). Essentially, the two gateways to either network want to encrypt all communications between them, and route any traffic from their local network across that link to the other network. This works because tunnel mode wraps the whole original IP packet, header included, inside a new IP packet addressed between the two gateways, so the inner addresses can belong to hosts behind them. This mode is also normally used for "road warrior" type communications where a single mobile computer (the road warrior) needs to connect to and access a corporate network, again over an insecure medium. As with "Bump in the stack", the term "Bump in the wire" that you may see attached to this mode really describes a separate inline box doing the IPSec processing, rather than the mode itself.
----
Got all that? Excellent! Now, on to the mystical ways of peer authentication (IPSec authenticates both ends of the link, not just a server).

FreeS/WAN by default supports two types of authentication: Pre Shared Keys (PSK) or RSA keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution: the same secret has to reach both ends over some channel you trust, and every host that holds it can impersonate every other host that holds it. If the PSK is compromised, the link is also compromised, because anyone who knows it can authenticate as either peer and so set up a ManInTheMiddle style attack. Using RSA keys is much more secure: each host keeps its private key to itself and only the public key has to be transferred to the other side, which can be done over the wire without fear of disclosure. What you do still have to guard against is substitution, so check the key (or its fingerprint) over a second channel before putting it in the peer's configuration; otherwise you have simply moved the ManInTheMiddle opportunity to the moment the keys are exchanged.

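As an added example (not from the original page) here is a FreeS/WAN-style ipsec.conf and ipsec.secrets that put the two modes described above and the two authentication methods side by side: a transport-mode host-to-host conn authenticated with a PSK, and a tunnel-mode net-to-net conn authenticated with RSA keys. The addresses (RFC 5737 documentation ranges), subnets, conn names and the secret are assumptions; the RSA key values are placeholders for what FreeS/WAN's own ipsec newhostkey / ipsec showhostkey produce.

```ini
# /etc/ipsec.conf  (added example; names, addresses and keys are placeholders)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        auto=add

# Transport mode: only packets exchanged between these two hosts
# themselves are protected.  No subnet is carried, so there is no
# leftsubnet/rightsubnet and neither host routes for anyone else.
# Authentication is by the shared secret in ipsec.secrets.
conn host-to-host
        type=transport
        left=192.0.2.10
        right=198.51.100.20
        authby=secret

# Tunnel mode: the two gateways protect everything between the LANs
# behind them.  leftsubnet/rightsubnet are what make each gateway route
# its local network across the tunnel.  Authentication is by RSA: each
# side's *public* key is pasted here, taken from the output of
#   ipsec showhostkey --left     (on the left gateway)
#   ipsec showhostkey --right    (on the right gateway)
# and verified out of band before it is trusted.
conn net-to-net
        type=tunnel
        left=192.0.2.1
        leftsubnet=10.0.1.0/24
        leftrsasigkey=0sAQ...REPLACE-WITH-LEFT-PUBLIC-KEY...
        right=198.51.100.1
        rightsubnet=10.0.2.0/24
        rightrsasigkey=0sAQ...REPLACE-WITH-RIGHT-PUBLIC-KEY...
        authby=rsasig

# /etc/ipsec.secrets  (added example; must be owned by root, mode 600)
# PSK for the host-to-host conn: both ends hold exactly this line.
192.0.2.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
# The RSA *private* key for this host is appended to this file by
#   ipsec newhostkey --output /etc/ipsec.secrets
# as a ": RSA { ... }" entry.  It never leaves this machine; only the
# public half printed by 'ipsec showhostkey' goes to the peer.
```

The two conns differ in exactly the ways the text describes: `type=` picks the mode, the presence of `leftsubnet`/`rightsubnet` is what turns a gateway into a router for its LAN, and `authby=` selects PSK or RSA. Note that with `authby=secret` the PSK line has to be identical on both hosts, while with `authby=rsasig` the private key appears only in its owner's ipsec.secrets.
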
__Note:__ While almost all IPSec implementations known to man support PSK, very few support raw RSA keys in the form FreeS/WAN uses. The rest (pay attention anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this but requires a patch to the code and various other bits whose workings I'm not quite sure of. Watch this space!

__Next Note:__ If you are wanting to interoperate with Windows 2000/XP, make sure that

* a) The PKCS#12 (.p12) bundle which you export, with something like
openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
is imported into the __local machine__ certificate store and not the __current user__ store (the IPSec service runs as the machine, so a certificate in a user's store is invisible to it). This is the first mistake I made. Otherwise, you'll get something like
auth.log.0:Nov 13 15:26:08 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

* b) If there are any stateful firewalls in between the road warrior and the internal machine, make sure you allow ESP (IP protocol 50), with something like
iptables -A INPUT -p esp -j ACCEPT
The IKE negotiation itself runs over UDP port 500, so that has to get through as well. ESP is neither TCP nor UDP, so a firewall rule that only opens ports will silently drop it, and a NAT device in the path will break ESP unless both ends support NAT traversal.

__Yet Another Note:__ Instructions on exporting x509 certs for use on 2k/xp can be found at http://www.natecarlson.com/linux/ipsec-x509.php, with a wealth of information at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. You'll also want a free utility found at http://vpn.ebootis.de to make the necessary IPSec policy changes to win2k/xp when you want to connect.
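The export command in note a) assumes you already have a CA, a host certificate and its key. As an added example (not from the original page, and not FreeS/WAN's own tooling) the script below builds the whole chain with nothing but openssl: a small self-signed CA, a certificate for the Windows road warrior signed by it, the .p12 bundle for import into the local machine store, and a check that the bundle actually contains a certificate chaining to the CA. The host name, the subject fields, the export passphrase and the working directory are assumptions.

```shell
#!/bin/sh
# Added example: mint a CA, issue a host certificate for a Windows road
# warrior, export it as PKCS#12 and verify the result.  Only openssl is
# needed.  Host name, subjects, passphrase and directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)
CA_DIR="$WORK/demoCA"                  # mirrors the demoCA/ path in note a)
HOST="${HOST:-winhost.example.com}"    # road warrior's name (assumption)
P12PASS="${P12PASS:-changeit}"         # export passphrase Windows will ask for

# Create the CA: a self-signed certificate.  Its private key should live
# somewhere offline in real use; here it stays in $CA_DIR for the demo.
make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=NZ/O=Example VPN/CN=Example VPN CA" \
        -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# Issue a certificate for one host, signed by the CA.  The subjectAltName
# is the identity the IPSec peer will compare against its leftid/rightid.
make_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=NZ/O=Example VPN/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth,serverAuth\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 365 -in "$WORK/$host.csr" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/cakey.pem" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# Bundle private key, certificate and CA certificate into one .p12, which
# is what the Windows certificate import wizard consumes (same command as
# in note a), plus a friendly name and a non-interactive passphrase).
export_p12() {
    host="$1"
    openssl pkcs12 -export -in "$WORK/$host.pem" -inkey "$WORK/$host.key" \
        -certfile "$CA_DIR/cacert.pem" -name "$host" \
        -passout "pass:$P12PASS" -out "$WORK/$host.p12"
}

# Sanity check before carrying the file to the Windows box: the host cert
# must verify against the CA, and the .p12 must unpack to a certificate
# whose subject is the host we meant to issue for.
verify_bundle() {
    host="$1"
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/$host.pem" >/dev/null &&
    openssl pkcs12 -in "$WORK/$host.p12" -passin "pass:$P12PASS" \
        -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject | grep -q "CN *= *$host"
}

build_all() {
    make_ca
    make_host_cert "$HOST"
    export_p12 "$HOST"
    verify_bundle "$HOST"
}

build_all && echo "PKCS#12 bundle written to $WORK/$HOST.p12"
```

Two practical caveats. First, OpenSSL 3.x writes .p12 files with AES and SHA-256 by default, which Windows 2000/XP cannot read; for those targets add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` (or `-legacy`) to the export step. Second, the .p12 carries the private key, so treat it like one: move it over a trusted channel and delete it from the machine once it has been imported into the __local machine__ store.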

For an example PSK setup, head over to [IPSecConfigurationPSK]. %%%
For an example RSA setup, head over to [IPSecConfigurationRSA].