Re: securing a WLAN with PPP (or the like)
On Wed, Mar 09, 2005 at 09:08:12AM +0000, Ronny Adsetts wrote:
> John Hedges said at 09/03/2005 08:30:
> >>>>So what about the Linux and OS X clients?
> >>>
> >>>Mac OS X 10.3 has IPSEC and L2TP support. I'm not sure about Linux
> >>>clients yet; I'm doing the same set of experiments as Paul. :)
> >>
> >>I would appreciate it, as I'm sure many others would, if you and Paul
> >>could post your test results and conclusions to the list when you get done.
> >
> >I've been running IPSec on a wireless OS X client for some months now
> >with 2.6 kernel modules. Unfortunately I had to disable it a couple of
> >weeks ago as, after a gateway kernel upgrade from 2.6.6 to 2.6.10, the
> >IPSec packets were no longer being forwarded.
> >
> >I can post both Mac and linux configs if they are of interest.
>
> That would be useful I think. There's lots of information out there on
> IPSEC, wading through it can be painful.
Yes, I remember it being a bit of a struggle - I only wish I'd
documented it as I went along. Here are some config snippets that may or
may not help you:
linux gateway is 192.168.100.254
OS X wireless client is 192.168.0.2
linux side - you will need a 2.6 kernel for kernel ipsec.
--- IPSec config which I put in /etc/ipsec.conf ---
# Flush the SAD and SPD
flush;
spdflush;
spdadd 0.0.0.0/0 192.168.100.2/32 any -P out ipsec esp/tunnel/192.168.100.254-192.168.100.2/require;
spdadd 192.168.100.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.100.2-192.168.100.254/require;
--- IPSec init script to load the policies from /etc/ipsec.conf ---
#! /bin/sh
#
# ipsec - load or flush the kernel IPsec policies (SPD) with setkey
NAME=ipsec
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
set -e
case "$1" in
  start)
    echo -n "Setting IPsec SPDs"
    setkey -f /etc/ipsec.conf
    echo "."
    ;;
  stop)
    echo -n "Flushing IPsec SPDs"
    # -F flushes the SAD (security associations), -FP flushes the SPD (policies)
    setkey -F
    setkey -FP
    echo "."
    ;;
  reload|restart|force-reload)
    echo -n "Resetting IPsec SPDs"
    setkey -f /etc/ipsec.conf
    echo "."
    ;;
  *)
    N=/etc/init.d/$NAME
    # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac
exit 0
--- sections from /etc/racoon/racoon.conf - I only got as far as using pre-shared keys ---
remote anonymous
{
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;
	# my_identifier user_fqdn "user@localhost";
	# peers_identifier user_fqdn "user@localhost";
	my_identifier address;
	certificate_type x509 "gateway_cert.pem" "gateway_key.pem";
	nonce_size 16;
	initial_contact on;
	proposal_check obey; # obey, strict or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		# authentication_method rsasig;
		dh_group 2;
	}
}
sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
--- /etc/racoon/psk.txt ---
192.168.100.2 password
--- ---
Mac side - I don't know a lot about macs but here goes ...
--- IPSec config in /etc/ipsec.conf ---
# Flush the SAD and SPD
flush;
spdflush;
spdadd 0.0.0.0/0 192.168.100.2/32 any -P in ipsec esp/tunnel/192.168.100.254-192.168.100.2/require;
spdadd 192.168.100.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.100.2-192.168.100.254/require;
---- /Library/StartupItems/IPSec/IPSec ---
#!/bin/sh
##
# IPSec startup
##
. /etc/rc.common
StartService ()
{
	setkey -f /etc/ipsec.conf
	# set the mtu to allow for IPSec packet headers
	# sometimes this didn't work so I added a sleep
	# which seemed to fix it
	# there is probably a mac way to do this properly
	sleep 2
	ifconfig en1 mtu 1350
}
StopService ()
{
	setkey -FP
	setkey -F
}
RestartService ()
{
	setkey -f /etc/ipsec.conf
}
RunService "$1"
---- /Library/StartupItems/IPSec/StartupParameters.plist ---
{
	Description = "IPSec configuration";
	Provides = ("IPSecSPs");
	OrderPreference = "None";
}
--- /etc/racoon/psk.txt ---
192.168.100.254 password
--- ---
I think that's about it. This setup tunnels all packets to and from the
mac over the secure link between the mac and the linux router.
> >I'm also eager to hear if anyone has any ideas as to why 2.6.10 stopped
> >routing IPSec as I'd very much like to re-enable it.
>
> I don't have any ideas but... is this a kernel.org kernel?
No, it's a stock deb. It has just occurred to me that I didn't reduce the
mtu on the linux side - perhaps that might have something to do with it.
Cheers
John
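An added worked example (not from John's post) of the ESP tunnel-mode size arithmetic behind the `ifconfig en1 mtu 1350` line above, for the 3DES / HMAC-SHA1 SA that his racoon.conf negotiates. It assumes IPv4 outer headers without options, HMAC-SHA1-96 (12-byte ICV), and an Ethernet/wireless link MTU of 1500; the IPComp option models the 4-byte IPComp header that `compression_algorithm deflate` adds inside ESP when compression is actually used.

```python
# ESP tunnel-mode overhead for the 3DES-CBC / HMAC-SHA1-96 SA in the configs above.
# Field sizes per RFC 2406: ESP header = SPI(4) + sequence(4); 3DES-CBC uses an
# 8-byte IV and 8-byte blocks; HMAC-SHA1-96 appends a 12-byte ICV; the encrypted
# trailer carries pad-length(1) + next-header(1) and is padded to the block size.
OUTER_IP = 20       # new outer IPv4 header added by tunnel mode (assumed: no options)
ESP_HDR = 8
IV_3DES = 8
BLOCK_3DES = 8
ICV_SHA1_96 = 12
TRAILER = 2
IPCOMP_HDR = 4      # present inside ESP only if IPComp (deflate) was negotiated and used


def esp_tunnel_size(inner_len, ipcomp=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP tunnel encapsulation."""
    body = inner_len + (IPCOMP_HDR if ipcomp else 0)
    cipher = body + TRAILER                   # payload + trailer must end on a block boundary
    pad = (-cipher) % BLOCK_3DES              # 0..7 bytes of ESP padding
    return OUTER_IP + ESP_HDR + IV_3DES + cipher + pad + ICV_SHA1_96


def max_inner_packet(link_mtu=1500, ipcomp=False):
    """Largest inner packet whose encapsulated form still fits in link_mtu (no fragmentation)."""
    n = link_mtu
    while esp_tunnel_size(n, ipcomp) > link_mtu:
        n -= 1
    return n


def inner_mtu_fits(inner_mtu, link_mtu=1500, ipcomp=False):
    """True if an interface MTU of inner_mtu guarantees ESP packets never exceed link_mtu."""
    return esp_tunnel_size(inner_mtu, ipcomp) <= link_mtu


if __name__ == "__main__":
    # The page's conservative 1350 leaves ~100 bytes of slack; 1446 is the exact limit.
    print("max inner packet:", max_inner_packet())          # 1446
    print("mtu 1350 fits:", inner_mtu_fits(1350))           # True
    print("wire size of a 1350-byte packet:", esp_tunnel_size(1350))  # 1400
```

Packets that would exceed the link MTU after encapsulation get fragmented (or dropped if DF is set), which is why an unchanged MTU on one side of the tunnel can look like "IPsec is no longer forwarded".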