Tag: ipsec

IPSEC VPN problems upgrading to Ubuntu Edgy

I upgraded my home gateway firewall to Edgy today in the hope of fixing some SATA problems I’ve been experiencing. The new Edgy kernel might help – we’ll see.

Anyway, it went pretty well. Two runs (?) of apt-get dist-upgrade -u, a reboot and there I was.

Unfortunately I had two problems with my Openswan IPSEC VPNs. I’m not so sure if these count as bugs. I’ll be investigating further and reporting if so. Anyway, techie details follow…

FreeS/WAN Sonicwall example

Here’s a (possibly) handy little set of configs to help you get the FreeS/WAN IPSEC implementation working with a Sonicwall firewall in tunnel mode. It should work in transport mode with minimal changes, but I have not tested that myself.

This is a working config with the sensitive information obfuscated (mostly the external IPs of the two firewalls and the pre-shared key).

“fre.esw.an.ip” = freeswan gateway ip and
“son.icw.all.ip” = sonicwall gateway ip.

I’ve found other examples that state you need the “SonicWall Unique Identifier”, but I found this to be unnecessary (in fact I couldn’t get it working correctly using any leftid= combinations).

Diagram

    Left Network
     10.0.0.0/8
          |
--------------------
|   FreeSwan GW    |
|  fre.esw.an.ip   |
--------------------
          |
  The InterNET(tm)
          |
--------------------
|   SonicWall GW   |
|  son.icw.all.ip  |
--------------------
          |
    Right Network
   192.168.1.0/24

ipsec.conf

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	plutowait=no
	uniqueids=yes

conn fswn-swll
	# PFS doesn't work so turn it off
	pfs=no
	keyingtries=0
	ikelifetime=28800
	keylife=5h
	disablearrivalcheck=no
	# Freeswan Side
	left=fre.esw.an.ip
	leftsubnet=10.0.0.0/8
	leftnexthop=%defaultroute
	# Sonicwall Side
	right=son.icw.all.ip
	rightsubnet=192.168.1.0/24
	authby=secret
	# you'll need to do "ipsec auto --up fswn-swll" to start this up
	# unless you use auto=start, but that's just basic freeswan stuff
	auto=add

ipsec.secrets

fre.esw.an.ip son.icw.all.ip : PSK "allthefish"
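As an added example (not code from the original post or from FreeS/WAN itself), here is a small Python linter that parses an ipsec.conf and ipsec.secrets in the format above and flags the things worth checking before trusting the tunnel: pfs=no (which the post turns off for interop with the Sonicwall), a short or lowercase-only PSK such as the placeholder "allthefish", a secrets entry whose indices do not match the conn's left/right (pluto then cannot find the key), and auto=add conns that still need an explicit "ipsec auto --up". The embedded sample config is constructed from the one above; the severity labels and the 20-character PSK threshold are this example's own assumptions.

```python
"""Lint a FreeS/WAN ipsec.conf plus ipsec.secrets before trusting the tunnel.

Added example, not code from the original post or from FreeS/WAN. The sample
config is constructed from the post's; severity labels and the PSK length
threshold are this example's own assumptions.
"""
import re

# Constructed sample, mirroring the post's ipsec.conf (config setup trimmed).
SAMPLE_IPSEC_CONF = """\
config setup
\tinterfaces=%defaultroute
\tuniqueids=yes

conn fswn-swll
\t# PFS doesn't work so turn it off
\tpfs=no
\tkeyingtries=0
\tikelifetime=28800
\tkeylife=5h
\tleft=fre.esw.an.ip
\tleftsubnet=10.0.0.0/8
\tleftnexthop=%defaultroute
\tright=son.icw.all.ip
\trightsubnet=192.168.1.0/24
\tauthby=secret
\tauto=add
"""

# Constructed sample, mirroring the post's ipsec.secrets.
SAMPLE_SECRETS = 'fre.esw.an.ip son.icw.all.ip : PSK "allthefish"\n'


def parse_ipsec_conf(text):
    """Return {(kind, name): {param: value}} for each 'config'/'conn' block.

    Section headers start in column 0, parameters are indented key=value
    lines, '#' begins a comment and blank lines are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # e.g. "conn fswn-swll"
            kind, _, name = line.partition(" ")
            current = (kind.strip(), name.strip())
            sections[current] = {}
        elif current is not None:                 # e.g. "\tpfs=no"
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


# '<id> <id> : PSK "<secret>"'; ids are matched against the conn's left/right,
# and an entry with no ids matches any peer.
_PSK_LINE = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_secrets(text):
    """Return [(frozenset_of_ids, psk)] for every PSK line in ipsec.secrets."""
    entries = []
    for raw in text.splitlines():
        m = _PSK_LINE.match(raw.strip())
        if m:
            ids = frozenset(m.group("ids").split()) or frozenset({"%any"})
            entries.append((ids, m.group("psk")))
    return entries


def audit(conf_text, secrets_text, min_psk_len=20):
    """Return [(severity, message)] findings for every conn in the config."""
    conf, secrets, findings = parse_ipsec_conf(conf_text), parse_secrets(secrets_text), []
    for (kind, name), p in conf.items():
        if kind != "conn":
            continue
        if p.get("pfs", "yes") == "no":           # FreeS/WAN defaults to pfs=yes
            findings.append(("warn", f"conn {name}: pfs=no, so IPsec SA keys are derived from the "
                             "IKE SA keying material with no fresh DH; recovering the IKE SA secret "
                             "exposes every IPsec SA keyed under it"))
        if p.get("authby") == "secret":
            left, right = p.get("left"), p.get("right")
            matching = [psk for ids, psk in secrets if "%any" in ids or {left, right} <= ids]
            if not matching:
                findings.append(("error", f"conn {name}: no ipsec.secrets entry indexed by {left} "
                                 f"and {right}; pluto will log 'no preshared key found'"))
            for psk in matching:
                if len(psk) < min_psk_len or (psk.isalpha() and psk.islower()):
                    findings.append(("warn", f"conn {name}: PSK {psk!r} is short or low-entropy; "
                                     "use a long random string"))
        if p.get("auto") == "add":
            findings.append(("info", f"conn {name}: auto=add only loads the conn; run "
                             f"'ipsec auto --up {name}' to bring it up"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_IPSEC_CONF, SAMPLE_SECRETS):
        print(f"[{severity}] {message}")
```

Run against the post's config it warns about pfs=no and the placeholder PSK and notes the auto=add conn; swap in a secrets line indexed by the wrong gateway addresses and it reports an error instead, which is the mismatch pluto would otherwise only tell you about at negotiation time. Whatever PSK you settle on, ipsec.secrets must be owned by root and readable by nobody else, since it holds the key in the clear.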

Debian ipsec-tools for 2.4 kernel

The Debian ipsec-tools package doesn’t work properly with the Debian 2.4.21 kernel (you can’t specify “ipsec” as a policy; it only recognises “discard” and “none”). Herbert Xu helped me out and I’ve rebuilt the packages against the 2.4.21 kernel sources, and now it seems to work OK. I’ve made the packages available here.

Remote wireless X clients

I’ve set up an old Pentium 100 Toshiba laptop with a wireless card and Debian as a “dumb-ish X terminal” at home over my 802.11b wireless network. It works rather well and is very quiet. My girlfriend now has all the wonders that RedHat 9 brings, without having to lug a big, heavy, expensive, power-hungry laptop around the house. Up until now I’d had a hacky ssh remote session thing running, but now I use XDMCP (X -probe IP) to log in directly using gdm listening on the central box. A firewall attempts to protect the XDMCP and X11 services, with minimal privacy provided by WEP. I’ll have IPSEC implemented soon enough though.

I’m also working on a failover, redundant MySQL cluster setup at the moment and hope to write a quick HOWTO on it, covering Heartbeat and MySQL 4’s replication system. I’ll announce it here as usual.

Advanced routing with FreeSWAN IPSEC

We had advanced routing working with FreeSWAN on Linux. I’m amazed it works, especially with the bridging we had in place between 2 other interfaces on the same box (I’m just a tad cynical about the FreeSWAN stuff sometimes) (read: all the time).