IPSec (FreeS/WAN) anyone??

Federico Voges fvoges
Mon May 17 11:48:37 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Tue, 24 Jun 2003 10:28:03 -0400, Matthew Carpenter wrote:

>First off, please describe your testing in depth.  FreeS/WAN gateways do not
>use the tunnel by default so pinging through the tunnel from one of the
>gateways won't work.  If you wish to test the tunnel you need to ping through
>the tunnel using appropriately addressed hosts on either side of the gateways.
>

Searching the freeswan site again, I found that piece of info. BTW it
should be mentioned in the quick start page and in the configuration
page of the documentation ;)

After doing some ugly scripting to deal with my sub-optimal setup
(dynamic IP on both ends), the VPN is now working.

Let me describe the situation:

192.168.10.0/24     192.168.10.1 - dyn. IP
BUE-NET ------------- BUE-GW (postgres server) [ADSL modem] ---------+
                                                                     |
                                                                   INET
192.168.11.0/24     192.168.11.1 - dyn. IP                           |
NQN-NET ------------- NQN-GW [ADSL modem] ---------------------------+

I have 3 tunnels: net-net and net-gw (one for each end so ping works as
expected).

The hack I'm using right now is this:

* Every morning (about 6:00am) I force NET-GW to reconnect (adsl-stop,
wait, adsl-start)
* ip-up.local (both ends) has some really ugly stuff(tm) in it:

#!/bin/bash

# Test connection status. Thanks Telefonica for a great service (not!)
# Sometimes we connect but we don't get a default gateway....
route -n|grep -q "^0\.0\.0\.0"
if [ $? -ne 0 ]; then 
  echo "No default route. Dropping connection..."
  killall -HUP pppd
  exit 1
fi

# Test connection status. Thanks Telefonica for a great service (not!)
# Sometimes we get a connection to a black hole.....
ping -c 5 -w 5 200.69.192.31 >& /dev/null
if [ $? -ne 0 ]; then 
  echo "Can't ping to a known internet host. Dropping connection..."
  killall -HUP pppd
  exit 1
fi

# Stop FreeS/WAN
/usr/sbin/rcipsec stop >& /dev/null
sleep 3
# make sure ipsec is dead otherwise it won't start again
/usr/bin/killall pluto >& /dev/null
rm /var/run/pluto.pid >& /dev/null
rmmod -r ipsec >& /dev/null

# Update DDNS
echo "Updating DDNS..."
/usr/bin/lynx -dump "SOME-SECRET-URL-:)" 
if [ $? != 0 ]; then
   # Danger! This could cause an endless loop ;)
   echo "Ooops! Couldn't update DDNS! Dropping connection..."
   /usr/bin/killall -HUP pppd
   exit 1
fi

# The TTL for the dynamic DNS A record is 6secs, let's wait 7secs
sleep 7

# Let's restart IP Sec on the other GW (so it uses the new IP address)
ssh OTHER-GW /usr/local/sbin/ipsec_hack.sh

# We restart IP Sec in our side
/usr/sbin/rcipsec start
---EOF---

/usr/local/sbin/ipsec_hack.sh
#!/bin/bash

/bin/logger -i -t "ipsec_hack" "Start"
/bin/logger -i -t "ipsec_hack" "Stopping ipsec"
/etc/init.d/ipsec stop >& /dev/null
/bin/sleep 3
/sbin/rmmod -r ipsec >& /dev/null
/bin/rm /var/run/pluto.pid >& /dev/null
/bin/sleep 3
/bin/logger -i -t "ipsec_hack" "Starting ipsec"
/etc/init.d/ipsec start >& /dev/null
---EOF---

The trick is restarting FreeS/WAN on the other side after updating the
dynamic DNS but before restarting FreeS/WAN on this side. If IP Sec is
running on this side all traffic to the other gw will go through the
NET-GW tunnel which is down.

I know, it's a mess. But it's working ;)

Thinking again, I've realized that I'll probably need just one tunnel.

BUE-GW is the router/firewall and is running the PostgreSQL server. The
desktops on both LANs (BUE-NET & NQN-NET) run the ERP software that
connects to BUE-GW.

So, I think I'd only need a net-gw tunnel from NQN-NET to BUE-GW.

As I said, both ends have dynamic IP (ADSL). I hope to switch to static
IP (still using ADSL) as soon as the telco starts offering the service.
That will be just on BUE-GW (different telcos on each end and only one
plans to offer static IP).

I have no other choice for the inet connection (except a leased line,
which is waaay too expensive here).

Is my current setup too ugly?? Do you have any suggestion to improve
it??

Once I get a static IP, what changes would I have to make?

TIA!

>Secondly, if you are interested in a fairly decent Web-GUI for FreeS/WAN,
>there is a pretty good WebMin module available.  Install WebMIN if you haven't
>already (www.webmin.com) and then install the FreeS/WAN module. 
> 

I have it installed, it comes with SCO Linux 4.0 (yup, first and only
license sold in Argentina). But it's incomplete (ie: no tunnel status
page), and it's not being developed (last version is about 2 years
old).

Federico Voges
Socio gerente

Intrasoft
Malabia 2137 14 A
(1425) Buenos Aires
Argentina

Te/Fax: 54-11-4833-5182
e-mail: fvoges at intrasoft.com.ar
Web: http://www.intrasoft.com.ar

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.0

iQA/AwUBPviTQBRcJRaVKt4XEQKpSgCgh+rpanmJOO55rZIfV3A7/NntinwAoNT2
HV9ijaxRie3YIq1rRJ13IKKt
=jErK
-----END PGP SIGNATURE-----
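The ip-up.local sequence in the post has one failure mode the author flags himself: when the DDNS update keeps failing, every HUP of pppd triggers a new ip-up and the script re-dials forever. The script below is an added example, not code from the original post or from FreeS/WAN: it keeps the post's ordering (stop local IPsec, update DDNS, wait out the TTL, restart the remote gateway first, then the local one) and the post's own pppd/rcipsec/lynx/ssh commands, but wraps each pre-flight check in a bounded retry counter kept in a state directory. PROBE_HOST, DDNS_UPDATE_URL, REMOTE_GW and STATE_DIR are placeholders (assumptions), and the route check is factored into a function that works on the text of `route -n` so it can be exercised without a live link.

```shell
#!/bin/sh
# Added example, not code from the original post: the ip-up.local sequence
# described above with a bounded retry counter, so a persistent DDNS or
# connectivity failure cannot re-dial pppd forever. PROBE_HOST,
# DDNS_UPDATE_URL, REMOTE_GW and STATE_DIR are placeholders (assumptions);
# the IPsec/pppd commands are the ones the post uses.

PROBE_HOST=${PROBE_HOST:-203.0.113.1}                            # placeholder
DDNS_UPDATE_URL=${DDNS_UPDATE_URL:-https://ddns.example/update}  # placeholder
REMOTE_GW=${REMOTE_GW:-other-gw}                                 # placeholder ssh alias
STATE_DIR=${STATE_DIR:-/var/run/ipsec_hack}
MAX_FAILS=${MAX_FAILS:-3}

# has_default_route ROUTE_TABLE: succeed when the text of "route -n" output
# carries a 0.0.0.0 destination line (the post's default-route check).
has_default_route() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0[[:space:]]'
}

# record_failure NAME: increment a per-check counter in STATE_DIR. Returns 0
# while another retry is still allowed, 1 once MAX_FAILS has been reached.
record_failure() {
    mkdir -p "$STATE_DIR"
    _f="$STATE_DIR/$1.fails"
    _n=$(cat "$_f" 2>/dev/null || echo 0)
    _n=$((_n + 1))
    echo "$_n" > "$_f"
    [ "$_n" -lt "$MAX_FAILS" ]
}

# clear_failures NAME: reset the counter after a fully successful pass.
clear_failures() {
    rm -f "$STATE_DIR/$1.fails"
}

# retry_or_stop NAME MESSAGE: log, then either re-dial (HUP pppd, as the post
# does) or stop re-dialing once the retry budget is spent. Exits either way,
# so the IPsec restart below is never attempted on a bad link.
retry_or_stop() {
    if record_failure "$1"; then
        logger -t ipsec_hack "$2; dropping connection (retry)"
        killall -HUP pppd
    else
        logger -t ipsec_hack "$2; retry budget exhausted, not re-dialing"
    fi
    exit 1
}

ipup_main() {
    has_default_route "$(route -n)" || retry_or_stop route "No default route"
    ping -c 5 -w 5 "$PROBE_HOST" >/dev/null 2>&1 \
        || retry_or_stop ping "Cannot reach $PROBE_HOST"

    # Stop FreeS/WAN on this side first (the post's sequence).
    /usr/sbin/rcipsec stop >/dev/null 2>&1
    sleep 3
    killall pluto >/dev/null 2>&1
    rm -f /var/run/pluto.pid
    rmmod -r ipsec >/dev/null 2>&1

    lynx -dump "$DDNS_UPDATE_URL" >/dev/null \
        || retry_or_stop ddns "DDNS update failed"
    sleep 7   # let the 6 s TTL of the dynamic A record expire

    # Remote side first: local IPsec is still down, so the ssh hop is not
    # routed into the dead tunnel. The remote command is a fixed path.
    ssh "$REMOTE_GW" /usr/local/sbin/ipsec_hack.sh
    /usr/sbin/rcipsec start
    clear_failures route; clear_failures ping; clear_failures ddns
}

# Only perform the real sequence when explicitly asked to, so the functions
# can be sourced and checked without touching pppd or IPsec.
if [ "${1:-}" = run ]; then
    ipup_main
fi
```

Invoke it from ip-up.local as `ipup_hack.sh run`. The counters live in STATE_DIR and are cleared only after a complete successful pass, so three consecutive failures of any one check stop the re-dial loop until the next ip-up; the daily forced reconnect the post describes still gives the link a fresh start. Keeping the DDNS URL (which carries the update credential) in a root-only environment file rather than inline in the script avoids leaving it readable in the script itself.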

More information about the Linux-users mailing list