Here’s a (possibly) handy little set of configs and such to help you get the FreeS/WAN IPSEC implementation working with a Sonicwall firewall in tunnel mode. It should work in transport mode with minimal changes but I have not tested that myself.
This is a working config with the sensitive information obsucated (mostly the external IPs of the firewalls and the secret key).
“fre.esw.an.ip” = freeswan gateway ip and “son.icw.all.ip” = sonicwall gateway ip.
I’ve found other examples which state you need the “SonicWall Unique Identifier” but I found this to be unnecessary (in fact I couldn’t get it working correctly using any leftid= combinations)
| FreeSwan GW |
| fre.esw.an.ip |
| SonicWall GW |
| son.icw.all.ip |
# PFS doesn't work so turn it off
# Freeswan Side
# Sonicwall Side
# you'll need to do "ipsec auto --up fswn-swll" to start this up
# unless you use auto=start, but thats just basic freeswan stuff
The Debian ipsec-tools package doesn’t work properly with the Debian 2.4.21 kernel (you can’t specify “ipsec” as policy, it only recognises “discard” and “none”). Herbert Xu helped me out and I’ve rebuild the packages against the 2.4.21 kernel sources, and now it seems to work ok. I’ve made the packages available here.
I’ve setup and old Pentium 100 Toshiba laptop with a wireless card and Debian as a “dumb-ish X terminal” at home over my 802.11b wireless network. It works rather well and very quiet. My girlfriend now has all the wonders that RedHat 9 brings, without having to lug a big heavy expensive power-hungry laptop around the house. Up until now I’d had a hacky ssh remote session thing running, but now I use XDMCP (X -probe IP) to login directly using gdm listening on the central box. A firewall attempts to protect the XDMCP and X11 services, with minimal privacy provided by WEP. I’ll have IPSEC implemented soon enough though.
I’m also working on a fail over redundant MySQL cluster setup at the moment and hope to write a quick HOWTO on it, covering Heartbeat and MySQL 4’s replication system. I’ll announce it here as usual.
We had advanced routing working with FreeSWAN on Linux. I’m amazed it works, especially with the bridging we had in place between 2 other interfaces on the same box (I’m just a tad cynical about the FreeSWAN stuff sometimes) (read: all the time).