Re: [fw-wiz] Advice sought: IPSEC 3DES VPN config on Fedora Core 3

From: Bruce B. Platt (bruce_at_ei3.com)
Date: 04/21/05

    To: Mike Tubby <mike@tubby.org>
    Date: Thu, 21 Apr 2005 10:43:32 -0400

    I have had good luck when creating hub and spoke VPNs where I used
    netfilter rules on the hub to control the traffic from the spokes back
    to the hub.

    For my hub I used Trustix as I find it to be lightweight and stable. I
    used the 2.4.28-7 kernel. Trustix runs Openswan.

    I haven't touched FC3. I did some work with FC1 and 2. There is a lot
    of user support and an active community, but Fedora sure is a
    heavyweight for a purpose built box.

    I used simple netfilter rules to control traffic from the spokes back to
    the hub. The spokes were appliances like Netscreens, Pix 501s, etc.
    Policies to control traffic were implemented there also, but since they
    were remote, the risk existed of them being compromised. So I had
    netfilter rules on the Hub.

    Excuse me if I go too much into the obvious, but I went crazy finding
    all the information also. Here is an excerpt from a netfilter FORWARD
    table which I used in this context. Note that the first two lines serve
    the identical function, save the second uses the ipsec0 interface as the
    input interface. $LAN_IFACE is simply the Hub's interface address on
    192.168.0.0/24.

    $IPTABLES -A FORWARD -p tcp --dport 3001 -s 192.168.2.0/24 \
        -d 192.168.0.0/24 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 3001 -i ipsec0 -o $LAN_IFACE \
        -d 192.168.0.0/24 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 \
        -j LOG --log-level info --log-prefix "VPN Dropped: "
    $IPTABLES -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 -j DROP

    Here is a sample config from /etc/ipsec.conf. It shows some of the
    useful features, like controlling the lifetime of the phase 1 ISAKMP
    and phase 2 IPsec phases.

    conn site1
             keyingtries=0
             authby=secret
             # Left (local) security gateway, subnet behind it, next hop
             # toward right.
             left=1.2.3.4
             leftnexthop=1.2.3.1          # router
             leftsubnet=192.168.0.0/24
             # Right (remote) security gateway, subnet behind it, next hop
             # toward left.
             right=5.6.7.2
             rightnexthop=5.6.7.1         # router
             rightsubnet=192.168.2.0/24
             keylife=60m                  # phase 2 lifetime in minutes
             auto=start                   # start when service ipsec starts
             ikelifetime=480m             # phase 1 lifetime in minutes

    Here are some links I found with lots of searching which were useful to
    me in one way or another. Good luck. YMMV. Test a lot.

    http://www.novell.com/coolsolutions/appnote/7964.html
    http://lists.debian.org/debian-user/2003/05/msg01311.html
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
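As an added illustration of the hub-side netfilter policy the post describes (example code, not Bruce's script), the generator below combines the post's two ACCEPT variants into one rule per allowed port (matching both the ipsec0 ingress interface and the spoke subnet) and then logs and drops everything else from that spoke, not only TCP as in the excerpt. The IPTABLES, LAN_IFACE and HUB_NET values and the spoke/port table are assumptions; it prints the commands rather than running them so the resulting policy can be reviewed before being applied on the hub.

```shell
#!/bin/sh
# Hub-side FORWARD rule generator for a hub-and-spoke IPsec VPN
# (added example; assumed variable values, not from the original post).
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IFACE=${LAN_IFACE:-eth1}             # hub's inside interface (assumption)
HUB_NET=${HUB_NET:-192.168.0.0/24}

# spoke_rules <spoke_subnet> "<tcp ports>"
# Emits one ACCEPT per allowed TCP port from the spoke into the hub LAN,
# then a rate-limited LOG and an unconditional DROP for any other traffic
# from that spoke, so a compromised spoke cannot reach anything the hub
# did not explicitly allow.
# Note: -i ipsec0 only exists on KLIPS-style stacks where decrypted packets
# arrive on ipsec0; on the 2.6 NETKEY stack there is no ipsec0 and the
# equivalent match is "-m policy --dir in --pol ipsec" (assumption: you
# know which IPsec stack your hub runs).
spoke_rules() {
    spoke=$1; ports=$2
    for p in $ports; do
        printf '%s -A FORWARD -i ipsec0 -o %s -p tcp --dport %s -s %s -d %s -j ACCEPT\n' \
            "$IPTABLES" "$LAN_IFACE" "$p" "$spoke" "$HUB_NET"
    done
    printf '%s -A FORWARD -s %s -d %s -m limit --limit 5/min -j LOG --log-level info --log-prefix "VPN Dropped: "\n' \
        "$IPTABLES" "$spoke" "$HUB_NET"
    printf '%s -A FORWARD -s %s -d %s -j DROP\n' "$IPTABLES" "$spoke" "$HUB_NET"
}

# count_rules <spoke_subnet> "<tcp ports>": number of rules emitted
# (one ACCEPT per port, plus the LOG and DROP lines).
count_rules() { spoke_rules "$1" "$2" | wc -l | tr -d ' '; }

# Constructed spoke table: each spoke subnet and the TCP ports it may reach
# on the hub LAN. Add one line per spoke.
all_spoke_rules() {
    spoke_rules 192.168.2.0/24 "3001"
    spoke_rules 192.168.3.0/24 "3001 443"
}

all_spoke_rules
```

Review the output, then apply it with `sh` on the hub; pair it with a FORWARD chain default of DROP so that spokes not listed get nothing at all.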