IPSec Howto

This section contains information on howto setup Plain IPSec as protection for your WLAN. It provides a clean & simple protection mechanism with a high level of security. For Windows and OS X Clients another way might be more comfortable since both, Windows and OS X, don't come with graphical clients (and that is what these users are used to) for plain IPSec. These Platforms provide clients for a protocol defined in rfc 3193 using L2TP+IPSEC.

Contents

  1. Plain IPSec
    1. Optionally devide wireless from wired network
    2. Install openswan
    3. Configuration
      1. Create CA and certificates for all gateways
      2. Create /etc/ipsec.conf
      3. Create /etc/ipsec.secrets
      4. Permissions
      5. Hotplug
      6. Firewall
      7. Bugfix (for RC4)
      8. Startup files
      9. Speed

1. Plain IPSec

This configuration assumes an OpenWRT router with dynamic Internet connection using DSL and a central site with fixed IP addresses (typical road warrior scenario). The goal is to set up IPSEC between both sites so the LAN and/or WIFI connected to the OpenWRT router can talk to the LAN connected to the central IPSEC gatway. For the sample configuration we assume the following setup:

central site IP address

1.2.3.4

central site LAN

192.168.2.0/24

central site name

central.site.vpn

road warrior LAN

192.168.1.0/24

road warrior email

road@warrior.vpn

1.1. Optionally devide wireless from wired network

If LAN and WIFI should be handled differently by the central site, it makes sense to seperate them and use two differnet IPSEC tunnels.

1.2. Install openswan

ipkg install openswan kmod-openswan ntpclient

1.3. Configuration

In this example, a configuration using a X.509 PKI is being used. Shared key is not really useful for road warrior setups, as it would require all road warriors to use the same shared key.

1.3.1. Create CA and certificates for all gateways

In this example, the hostname is used as common name for the central station and the email address for the road warrior. Some hints on how to use openssl to manage a PKI can be found at http://www.natecarlson.com/linux/ipsec-x509.php or http://freifunk.net/wiki/X509

On the OpenWRT box, copy the CA certificate to /etc/ipsec.d/cacerts/cacert.pem, the road warrior certificate to /etc/ipsec.d/certs/roadwarrior.pem and the private key to /etc/ipsec.d/private/roadwarriorkey.pem

1.3.2. Create /etc/ipsec.conf

A sample configuration is: 

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        plutodebug="none"
        klipsdebug="none"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        interfaces=%defaultroute

conn central
        authby=rsasig
        esp=aes-sha1
        right=1.2.3.4
        rightsubnet=192.168.2.0/24
        rightrsasigkey=%cert
        rightid=@central.site.vpn
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftrsasigkey=%cert
        leftid=road@warrior.vpn
        leftcert=roadwarrior.pem
        dpddelay=5
        dpdtimeout=15
        dpdaction=restart
        auto=start
        #keylife=20m
        keyingtries=%forever

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

1.3.3. Create /etc/ipsec.secrets

This file contains the name of the private key file and the passphrase needed to open the file: 

: RSA roadwarriorkey.pem "passphrase"

1.3.4. Permissions

Make sure the permissions of /etc/ipsec.secrets and /etc/ipsec.d/private/* allow read access only to root (chmod 400).

1.3.5. Hotplug

Configure the hotplug system to start and stop OpenSWAN each time the DSL connection is cut off by the provider:

/etc/hotplug.d/iface/30-ipsec 

#!/bin/sh

if [ "$PROTO" != "ppp" ]; then exit; fi

USER=root
export USER

case "$ACTION" in
        ifup)
                /etc/rc.d/init.d/ipsec start
                ;;
        ifdown)
                /etc/rc.d/init.d/ipsec stop
                ;;
esac

1.3.6. Firewall

Make sure to open your firewall for ESP and ISAKMP traffic (and maybe NAT-T if your setup requires nat-traversal) and disable NAT for the LAN of the central site:

Example /etc/firewall.user: 

iptables -A input_rule -p esp -s 1.2.3.4              -j ACCEPT  # allow IPSEC
iptables -A input_rule -p udp -s 1.2.3.4 --dport 500  -j ACCEPT  # allow ISAKMP
iptables -A input_rule -p udp -s 1.2.3.4 --dport 4500 -j ACCEPT  # allow NAT-T
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT
# Allow any traffic between road warrior LAN and central LAN
#iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
#iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT

1.3.7. Bugfix (for RC4)

As of Whiterussian RC4, to fix a bug replace /etc/hotplug.d/iface/10-ntpclient by https://dev.openwrt.org/file/trunk/openwrt/package/ntpclient/files/ntpclient.init.

1.3.8. Startup files

Optionally remove /etc/init.d/60ipsec, as this script is not really needed in this setup.

1.3.9. Speed

Depending on the encryption (esp=) the following transfer rates might be achieved:

aes-sha1

160kb/s

3des-sha1

230kb/s

des-sha1

260kb/s

CategoryHowTo

IPSec (last edited 2007-01-23 13:28:58 by JochenFriedrich)

Almost all of these pages are editable, create an account and click the edit (Edit) button at the top of the page.