Consider a large department which encompasses multiple subnets in several buildings. If this department wanted to put Windows 98 and/or Windows NT clients behind the logical firewall and still do "domain login", they'd run into problems because Microsoft WINS and domain login protocols don't NAT. One solution is to put a Microsoft WINS server and Domain Controller on each subnet with a 10.x.y.z address (so clients can communicate with them directly without using NAT).
A more economical solution is to put a single WINS server and Domain Controller behind one firewall and tunnel the private (10.x.y.z) traffic between private subnets. With the tunnels in place, it appears to clients that the multiple 10.x.y.z private subnets are routed to each other (behind the firewall).
The software package recommended to create these "ipsec" tunnels is called "FreeS/WAN" (or more recently "Openswan") and below are the instructions you need to use it. (For more detail, look in "/usr/share/doc/freeswan/doc/" on your gibraltar system, or see the FreeS/WAN homepage and/or the Openswan homepage if you aren't using gibraltar.) In the text below, the name "FreeS/WAN" refers to either version.
Because FreeS/WAN encrypts data it sends through tunnels, in some cases it may be necessary to use a lighter-weight, non-encrypting tunnel mechanism. If you think you may not want or can't afford encryption, see Tunneling Between Firewalls Without Encryption.
First, type "cat /etc/gibraltar_version" to see which Gibraltar version you are running. Then type "grep Revision /usr/local/sbin/tables" and make sure your firewall rules were generated by revision 1.70 or higher of the web-based rule generator. If not, upload and regenerate them.
Next, generate an RSA host key by typing:

echo : RSA={ | tr = '\011' > /tmp/key
ipsec rsasigkey --verbose --random /dev/urandom 2048 >> /tmp/key
echo =} | tr = '\011' >> /tmp/key

Then insert the contents of "/tmp/key" into "/etc/ipsec.secrets" in place of the ": RSA" line and any indented lines which follow it.
Here is an example completed "/etc/ipsec.secrets" file:

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA {
    # RSA 2048 bits   fw135   Wed Feb  5 15:39:28 2003
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQN/5dVltWfcd6xKvyz6xKvyzLMCJGP...
    #IN KEY 0x4200 4 1 AQN/5dVltWfdVltWfcd6xK...
    # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
    Modulus: 0x7fe5d565b567dc77a7dc77ac4abf2c...
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x1550f8e648f8e648e6a4be...
    Prime1: 0xe78ad9bf5f75e25f75e2653f945e510...
    Prime2: 0x8d6852fc7da8d705a8d705ce86e1c6d...
    Exponent1: 0x9a5c912a3fa3ec437fec437fb83e...
    Exponent2: 0x5e458ca853c5a853c5e4ae89af41...
    Coefficient: 0x70e812167fc2167fc63fbb5c10...
    }
# do not change the indenting of that "}"
Next, create "/etc/ipsec.conf". That file should be identical on each of your firewall boxes. FreeS/WAN will automatically figure out, based on the contents of "/etc/ipsec.secrets", which tunnels and endpoints to create on each box. The values for "leftrsasigkey=" and "rightrsasigkey=" are found in the "#pubkey=" entry in the "/etc/ipsec.secrets" file of the respective hosts. You can extract and format it most easily by typing "ipsec showhostkey --left" or "ipsec showhostkey --right". Here is an example /etc/ipsec.conf file with one tunnel (between 10.208.11.0/24 and 10.208.15.0/24).
Unfortunately, beginning with Gibraltar 0.99.8, the characters shown in red below MUST be present, but for older versions of Gibraltar they must NOT be present.

version 2
##########################################################################
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

# basic configuration
config setup
    #interfaces=%defaultroute
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    #plutoload=%search
    #plutostart=%search
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    keyingtries=0
    authby=rsasig

# specific tunnels
conn sample1
    # Left gateway, subnet behind it, next hop toward right (router).
    left=128.208.11.80
    leftrsasigkey=0x01037688577895c8d6eed00e7dcd72e9e60597f4d8...
    leftsubnet=10.208.11.0/24
    leftnexthop=128.208.11.100
    # Right gateway, subnet behind it, next hop toward left (router).
    right=128.208.15.80
    rightrsasigkey=0x01037ef8a86f4fb7b1b0c0f03f49a6ab2911e7ff1...
    rightsubnet=10.208.15.0/24
    rightnexthop=128.208.15.100
    auto=start
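As an added sanity check before starting FreeS/WAN (example code written for this page, not part of FreeS/WAN, Openswan or Gibraltar), the following Python parses an /etc/ipsec.conf laid out as above, applies "conn %default" to each conn, and reports the mistakes that most often stop a tunnel from coming up: a missing gateway, subnet, nexthop or RSA public key, a subnet outside 10.0.0.0/8, or left and right subnets that overlap. The embedded configuration is a constructed sample with truncated keys.

```python
import ipaddress

# Constructed sample modelled on the page's one-tunnel /etc/ipsec.conf (keys truncated).
SAMPLE_CONF = """\
version 2
conn %default
    authby=rsasig
conn sample1
    left=128.208.11.80
    leftrsasigkey=0x01037688577895c8...
    leftsubnet=10.208.11.0/24
    leftnexthop=128.208.11.100
    right=128.208.15.80
    rightrsasigkey=0x01037ef8a86f4fb7...
    rightsubnet=10.208.15.0/24
    rightnexthop=128.208.15.100
"""
PRIVATE = ipaddress.ip_network("10.0.0.0/8")   # the address space the tunnels exist to carry

def parse_ipsec_conf(text):   # -> {"conn NAME" or "config setup": {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if line and not line[0].isspace():              # unindented: section header
            current = line if line.startswith(("conn ", "config ")) else None  # 'version 2' opens none
            if current:
                sections[current] = {}
        elif current and "=" in line:                   # indented key=value belongs to current
            key, value = line.strip().split("=", 1)
            sections[current][key] = value.strip('"')
    return sections

def check_tunnels(text):   # -> list of human-readable problems, after applying 'conn %default'
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    problems = []
    for name, body in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**defaults, **body}                     # per-conn values override %default
        for side in ("left", "right"):
            required = [side, side + "subnet", side + "nexthop"]
            if conn.get("authby") == "rsasig":          # RSA auth needs both peers' public keys
                required.append(side + "rsasigkey")
            problems += [f"{name}: missing {k}" for k in required if k not in conn]
        nets = [ipaddress.ip_network(conn[k]) for k in ("leftsubnet", "rightsubnet") if k in conn]
        problems += [f"{name}: {n} is outside 10.0.0.0/8" for n in nets if not n.subnet_of(PRIVATE)]
        if len(nets) == 2 and nets[0].overlaps(nets[1]):
            problems.append(f"{name}: leftsubnet and rightsubnet overlap")
    return problems
```

Run it against the real file with check_tunnels(open("/etc/ipsec.conf").read()) on each firewall; an empty list means the conn sections are at least structurally complete.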
Type "ipsec setup --start" (or restart if it is already running) and ignore the bind() error which relates to an IP/V6 socket you don't have. You should see some progress gobbledygook including "ISAKMP SA established" followed by "IPsec SA established".
NOTE:
Traffic to or from a tunnel endpoint box itself doesn't go through the tunnel
(see the FreeS/WAN docs for why). This means you must test the tunnel with
actual clients or by forcing traffic through the tunnel with something like:
traceroute -s 10.208.11.80 10.208.15.80
for the sample connection above.
When you have your tunnels working, you can uncomment the line in "/etc/runlevel.conf" which starts "ipsec" (FreeS/WAN) when gibraltar is rebooted. (Remove the initial "#" to uncomment the line.) Don't do this until you're sure the tunnels will start or your boot may hang. (You may want to keep a backup config floppy with ipsec commented out just in case :).
For the record, when the sample1 tunnel above is in operation, this is what "netstat -rn" shows when run on host 128.208.15.80:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
128.208.15.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
128.208.15.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
10.208.11.0     128.208.15.100  255.255.255.0   UG       40 0          0 ipsec0
10.208.15.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
0.0.0.0         128.208.15.100  0.0.0.0         UG       40 0          0 eth0
Beginning with version 0.99.5, Gibraltar systems generate self-signed X.509 certificates when you first boot them (unconfigured) which can be used instead of the host keys described above. There are both advantages and disadvantages to doing this but, for the record, here is a procedure (which may change) which seems to work.
Edit "/etc/ipsec.secrets" and replace it with the line below:

: RSA /etc/ipsec.d/private/gibraltarKey.pem

Then edit "/etc/ipsec.conf" as in step #4 above except use "leftcert=cacerts/hostname.pem" in place of "leftrsasigkey=" and copy each "/etc/ipsec.d/gibraltarCert.pem" file to "/etc/ipsec.d/cacerts/hostname.pem" on all participating Gibraltar systems. Same for "rightcert".
A Logical Firewall with a 1GHz Pentium 3 can probably encrypt and tunnel somewhere in the neighborhood of 40-80 megabits/sec. If your throughput needs exceed your firewall's CPU's capacity AND you are tunneling between two campus subnets (where security of the intersubnet infrastructure is not of concern), you may be interested in a lighter-weight unencrypted tunnel described below (through which a 1GHz Pentium 3 can tunnel in the neighborhood of 250 megabits/sec).
Basically, to setup an unencrypted tunnel, you need to arrange to execute two commands on each end of each tunnel every time the firewall is booted:
ip tunnel add ipsec-# local A.B.C.D remote W.X.Y.Z mode ipip
ifconfig ipsec-# 10.B.C.D pointopoint 10.X.Y.Z netmask 255.255.255.0
A.B.C.D refers to the public/routable IP address of the LFW on which the commands are executed and W.X.Y.Z refers to the public/routable IP address of the LFW at the other end of the tunnel. # is a small number (or letter) you choose arbitrarily to give each tunnel's virtual device a unique name. Note that even though there is no ipsec involved, you name the virtual network interfaces ipsec-# so the firewall rules which apply to ipsec tunnels will work without modification.
To cause the tunnel setup commands to be executed automatically when the firewall boots, you'll want to put them into an executable script named "/usr/local/sbin/tunnel" (for example):

#!/bin/sh
case "$1" in
start)
    ip tunnel add ipsec-1 local 128.208.11.80 remote 128.208.15.80 mode ipip
    ifconfig ipsec-1 10.208.11.80 pointopoint 10.208.15.80 netmask 255.255.255.0
    ;;
stop)
    ip tunnel del ipsec-1
    ;;
*)
    echo Usage: $0 'start|stop' 1>&2
    ;;
esac

and add this line near the end of "/etc/runlevel.conf" (after the "arplog" line) to run them when the firewall starts:

98 - 2,3,4,5 /usr/local/sbin/tunnel

To start your tunnels manually, type "tunnel start" and to stop them manually, type "tunnel stop".
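A department with several private subnets needs one such tunnel per remote firewall, so the following Python (an added example, not the page's own script) renders a /usr/local/sbin/tunnel script for any number of remote LFWs, deriving each end's 10.B.C.D address from its public A.B.C.D address and keeping the ipsec-# device names exactly as the text above prescribes. The multi-remote case extrapolates the page's one-tunnel script; the addresses used in its test are the page's sample ones.

```python
import ipaddress

def private_side(public_ip):
    """The page's convention: the tunnel end with public address A.B.C.D uses 10.B.C.D."""
    octets = str(ipaddress.IPv4Address(public_ip)).split(".")   # also validates the address
    return ".".join(["10"] + octets[1:])

def tunnel_commands(number, local, remote):
    """The two commands the page prescribes per tunnel end, for virtual device ipsec-<number>."""
    if local == remote:
        raise ValueError("local and remote ends of a tunnel must differ")
    dev = f"ipsec-{number}"          # ipsec-* name so the existing ipsec firewall rules apply
    return [
        f"ip tunnel add {dev} local {local} remote {remote} mode ipip",
        f"ifconfig {dev} {private_side(local)} pointopoint {private_side(remote)} netmask 255.255.255.0",
    ]

def tunnel_script(local, remotes):
    """Render /usr/local/sbin/tunnel for this firewall: one ipip tunnel per remote LFW."""
    starts, stops = [], []
    for n, remote in enumerate(remotes, start=1):     # tunnel numbers 1, 2, ... in list order
        starts += ["    " + cmd for cmd in tunnel_commands(n, local, remote)]
        stops.append(f"    ip tunnel del ipsec-{n}")
    return "\n".join([
        "#!/bin/sh",
        'case "$1" in',
        "start)", *starts, "    ;;",
        "stop)", *stops, "    ;;",
        "*)", '    echo "Usage: $0 start|stop" 1>&2', "    exit 1", "    ;;",
        "esac", "",
    ])
```

Write tunnel_script(local, remotes) to /usr/local/sbin/tunnel on each firewall with that firewall's own public address as local, and reference it from /etc/runlevel.conf as described above.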
Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:27:08 PST 2008