<title>FreeS/WAN examples</title>
<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, examples">
Written by Sandy Harris for the Linux FreeS/WAN project
Freely distributable under the GNU General Public License
More information at www.freeswan.org
Feedback to users@lists.freeswan.org
RCS ID: $Id: user_examples.html,v 1.3 2001/12/29 17:06:10 sandy Exp $
Last changed: $Date: 2001/12/29 17:06:10 $
Revision number: $Revision: 1.3 $
CVS revision numbers do not correspond to FreeS/WAN release numbers.
<h1><a name="user.examples">FreeS/WAN script examples</a></h1>
This file is intended to hold a collection of user-written example
scripts or configuration files for use with FreeS/WAN.
So far it has only one entry.
<h2><a name="poltorak">Poltorak's Firewall script</a></h2>
From: Poltorak Serguei <poltorak@dataforce.net>
Subject: [Users] Using FreeS/WAN
Date: Tue, 16 Oct 2001
I have been using FreeS/WAN IPsec for half a year. I have learned a lot about
it and I think it would be interesting for someone to see the results of my
experiments and usage of FreeS/WAN. If you find a mistake in this
file, please e-mail me. And excuse my English... I'm learning.. :)

I'll talk about a very simple configuration:
address prefix = 192.168

  lan1         sgw1      .0.0/24 (Internet)       sgw2          lan2
.1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; .2.10 ]---.2.0/24
We need to let lan1 see lan2 across the Internet as if it were behind sgw1. The
same for lan2. And we need to do an IPX bridge for Novell clients and NDS
------------------- ipsec.conf -------------------
leftsubnet=192.168.1.0/24
rightsubnet=192.168.2.0/24
--------------- end of ipsec.conf ----------------
ping .2.x from .1.y (y != 1)
Does it work? Fine. Let's continue...

Why y != 1? Because the kernel of sgw1 has 2 IP addresses and it will choose
the first IP (the one used to go to the Internet), .0.1, and the packet won't go
through the IPsec tunnel :( But if you ping .1.1 the kernel will respond from
that address (.1.1) and the packet will be tunneled. The same problem occurs when
.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
sends ARP requests for .1.2... after 3 tries it sends .2.x a destunreach,
but from its "natural" IP, .0.1. So the error message won't be delivered!

Resolution... One can manipulate ipsec0 or ipsec0:0 to solve the
problem (if ipsec0 has .1.1 the kernel will send packets correctly), but there
is the powerful and elegant iproute2 :) We simply need to change the source address
of packets that go to the other secure LAN. This is done with

ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
The second step. We want to install a firewall on sgw1 and sgw2. Encryption of
traffic without security isn't a good idea. I don't use {left|right}firewall,
because I'm running the firewall from init scripts.

We want IPsec data between lan1-lan2, some ICMP errors (destination
unreachable, TTL exceeded, parameter problem and source quench), replies to
pings from both LANs and the Internet, ipxtunnel data for IPX and of course SSH
between sgw1 and sgw2 and from/to one specified host.

I'm using ipchains. With iptables there are some changes.
---------------- rc.firewall ---------------------
#!/bin/sh
# Firewall for IPsec lan1-lan2
#
# The variable block of the original script was only partly preserved in
# this copy.  The values marked "reconstructed" follow the network diagram
# above; the physical interface names are an assumption.

IPC=/sbin/ipchains              # reconstructed
ANY=0.0.0.0/0                   # reconstructed: "any address"

EXT_IF=eth0                     # assumed: interface towards the Internet
INT_IF=eth1                     # assumed: interface towards the local LAN
IPSEC_IF=ipsec0                 # FreeS/WAN (KLIPS) virtual interface

SGW1_EXT=192.168.0.1            # reconstructed from the diagram
SGW1_INT=192.168.1.1            # reconstructed from the diagram
SGW2_EXT=192.168.0.10
SGW2_INT=192.168.2.10

LAN1=192.168.1.0/24             # reconstructed from the diagram
LAN2=192.168.2.0/24             # reconstructed from the diagram

# SSH from and to this host
SSH_PEER_HOST=_SOME_HOST_

# this is for left. exchange these values for right.
MY_EXT=$SGW1_EXT;   MY_INT=$SGW1_INT;   MY_LAN=$LAN1     # reconstructed
PEER_EXT=$SGW2_EXT; PEER_INT=$SGW2_INT; PEER_LAN=$LAN2   # reconstructed

# Start from a closed firewall: everything not ACCEPTed below is dropped.
# (The flush/policy lines were lost with the variable block; DENY rather
# than REJECT is an assumption.)
$IPC -F
$IPC -P input DENY
$IPC -P output DENY
$IPC -P forward DENY

# loopback
$IPC -A input -i lo -j ACCEPT
$IPC -A output -i lo -j ACCEPT

# for IPsec SGW1-SGW2: IKE (UDP 500) and ESP (IP protocol 50), only between
# the two gateways' external addresses and only on the external interface
$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT

$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT

# Cleartext LAN-to-LAN traffic is accepted only on the LAN interface and on
# ipsec0, never on $EXT_IF, so a packet arriving from the Internet that merely
# claims a LAN source address is dropped.  In the forward chain ipchains'
# -i names the interface the packet will leave by.
$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT

## ICMP errors: each type is allowed in and out on all three interfaces,
## to/from the gateway's own address on that interface

## Destination unreachable
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## Source quench
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## Parameter problem
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## Time To Live exceeded
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## Ping: echo-request in, echo-reply out.  The gateway can be pinged from
## anywhere, but with these rules alone it cannot ping out itself.
$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT

$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT

## SSH.  "\! -y" matches non-SYN packets only, so the second rule of each
## pair carries established connections and a session can be opened only in
## the direction the first rule allows.
## from SSH_PEER_HOST
$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT

## to SSH_PEER_HOST
$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT

## between the two gateways, both directions
$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT

$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT

## ipxtunnel: IPX in UDP 2005 between the internal addresses, only via ipsec0
$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
---------------- end of rc.firewall ----------------------
To understand this we need to look at this scheme:
            +------------------------------<---------------------------------------+
            |                                                                      |
 eth0       v                                                                      |
------->+--------+   /---------/ yes   /---------/ yes   +-----------------------+ |
 eth1   | INPUT  |-->/ ?local? /------>/ ?IPsec? /------>| decrypt & decapsulate |-+
        +--------+   /---------/       /---------/       +-----------------------+
                          | no              | no
                          v                 v
                    +----------+       +---------+       +-------+
                    | routing  |       | local   |       | local |
                    | decision |       | deliver |       | send  |
                    +----------+       +---------+       +-------+
                          |                                  |
                          v                                  v
                    +---------+                        +----------+
                    | forward |                        | routing  |
                    +---------+                        | decision |
                          |                            +----------+
                          |                                  |
                          +------------->------+------<------+
                                               |
                                               v
                                          /---------/ yes   +-----------------------+
                                          / ?IPsec? /------>| encrypt & encapsulate |
                                          /---------/       +-----------------------+
                                               | no                    |
                                               +----------<------------+
                                               |
                                               +-------------->
This explains how a packet traverses the TCP/IP stack in an IPsec-capable kernel.

FIX ME, please, if there are any errors.

Test the new firewall now.

Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel.

tipxd didn't send packets.. :(
SIB and ipxtunnel worked fine :)
With ipxtunnel there was a little problem. In the sources there is an error.
--------------------- in main.c ------------------------
--------------------------------------------------------

After this fix everything goes right...

------------------- /etc/ipxtunnel.conf ----------------
remote 192.168.101.97 2005
--------------- end of /etc/ipxtunnel.conf -------------
I use the IPX tunnel between .1.1 and .2.10 so we don't need to encrypt or
authenticate the encapsulated IPX packets; it is done with IPsec.

If you don't want to use iproute2 to change the source IP you need to use SIB
(it is able to bind a local address) or establish the tunnel between .0.1 and
.0.10 (external IPs; you need to do encryption in the program, but it isn't

For now I'm using ipxtunnel.

I think that's all for the moment. If there are any errors, please e-mail me:
poltorak@df.ru . It would be cool if someone put the scheme of TCP/IP in the
kernel and a firewall example in FreeS/WAN's manual pages.
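A check for the source-address problem described in the post above, written as an added example for this page (it is neither Poltorak's script nor FreeS/WAN code). It installs the iproute2 route with the LAN address forced as source and then reads `ip route get` output to confirm the kernel really picks .1.1, not .0.1, for hosts in the other LAN. The variable names, the `--apply` switch and the probe host 192.168.2.5 are assumptions; the addresses are those of the diagram (sgw1 = .0.1/.1.1, sgw2 = .0.10/.2.10).

```shell
#!/bin/sh
# Added example for this page (not Poltorak's script, not FreeS/WAN code):
# install the iproute2 source-address fix for the peer LAN and check with
# `ip route get` that the kernel now sources packets for lan2 from sgw1's
# LAN address.  Variable names and the --apply switch are assumptions; the
# addresses are those of the diagram (sgw1 = .0.1/.1.1, sgw2 = .0.10/.2.10).

MY_INT=192.168.1.1        # sgw1's LAN-side address: the source we want
PEER_EXT=192.168.0.10     # sgw2's Internet-side address: next hop
PEER_LAN=192.168.2.0/24   # lan2
IPSEC_IF=ipsec0           # FreeS/WAN virtual interface
PROBE=192.168.2.5         # assumed: any host in lan2, used for the lookup

# route_src TEXT: print the "src" address from one line of `ip route get`
# output, or nothing if the kernel reported no source (e.g. "unreachable").
route_src() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# src_ok TEXT WANTED: succeed only if the route in TEXT uses WANTED as source.
src_ok() {
    [ "$(route_src "$1")" = "$2" ]
}

# apply_fix: the route from the post, with the LAN address forced as source.
# Needs root and a live ipsec0, so it only runs with --apply.
apply_fix() {
    ip route replace "$PEER_LAN" via "$PEER_EXT" dev "$IPSEC_IF" src "$MY_INT"
}

if [ "$1" = "--apply" ]; then
    apply_fix || exit 1
    out=$(ip route get "$PROBE" 2>&1)
    if src_ok "$out" "$MY_INT"; then
        echo "ok: $out"
    else
        # The kernel still picks the external address (.0.1) or has no route:
        # packets the gateway itself sends to lan2 would not enter the tunnel.
        echo "wrong source address: $out" >&2
        exit 1
    fi
fi
```

Run it as root on sgw1 with `--apply`; on sgw2 swap in .2.10, .0.1 and 192.168.1.0/24. The parsing is kept separate from the `ip` calls so the same check can be run against saved `ip route get` output on another machine.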