
Re: securing a WLAN with PPP (or the like)



On Wed, Mar 09, 2005 at 09:08:12AM +0000, Ronny Adsetts wrote:
> John Hedges said at 09/03/2005 08:30:
> >>>>So what about the Linux and OS X clients?
> >>>
> >>>Mac OS X 10.3 has IPSEC and L2TP support.  I'm not sure about Linux 
> >>>clients
> >>>yet; I'm doing the same set of experiments as Paul.  :)
> >>
> >>I would appreciate it, as I'm sure many others would, if you and Paul 
> >>could
> >>post your test results and conclusions to the list when you get done.
> >
> >I've been running IPSec on a wireless OS X client for some months now
> >with 2.6 kernel modules. Unfortunately I had to disable it a couple of
> >weeks ago as, after a gateway kernel upgrade from 2.6.6 to 2.6.10, the
> >IPSec packets were no longer being forwarded.
> >
> >I can post both Mac and linux configs if they are of interest.
> 
> That would be useful I think. There's lots of information out there on 
> IPSEC,
> wading through it can be painful.

Yes, I remember it being a bit of a struggle - I only wish I'd
documented it as I went along. Here are some config snippets that may or
may not help you:

Linux gateway is 192.168.100.254
OS X wireless client is 192.168.100.2

Linux side - you will need a 2.6 kernel for kernel IPsec.

--- IPSec config which I put in /etc/ipsec.conf ---
# Flush the SAD and SPD
flush;
spdflush;

# Gateway side: anything destined for the client must leave in an ESP tunnel
# gateway -> client, and anything from the client must arrive in the reverse
# tunnel. "require" means matching packets that are not ESP-protected are
# dropped rather than passed in the clear.
spdadd 0.0.0.0/0 192.168.100.2/32 any -P out ipsec esp/tunnel/192.168.100.254-192.168.100.2/require;
spdadd 192.168.100.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.100.2-192.168.100.254/require;

--- IPSec init script to load the policies from /etc/ipsec.conf ---
#! /bin/sh
#
# ipsec - load or flush the kernel IPsec security policies (SPD)

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
NAME=ipsec
CONF=/etc/ipsec.conf

set -e

case "$1" in
  start)
	echo -n "Setting IPsec SPDs"
	# the config file starts with flush/spdflush, so this replaces
	# whatever policies are currently loaded
	setkey -f "$CONF"
	echo "."
	;;
  stop)
	echo -n "Flushing IPsec SPDs"
	setkey -F	# flush the SAD (negotiated keys)
	setkey -FP	# flush the SPD (policies)
	echo "."
	;;
  reload|restart|force-reload)
	echo -n "Resetting IPsec SPDs"
	setkey -f "$CONF"
	echo "."
	;;
  *)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
	exit 1
	;;
esac

exit 0

--- sections from /etc/racoon/racoon.conf - I only got as far as using pre-shared keys ---
# racoon also has to be told where the PSK file lives (near the top of the file):
#   path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous
{
	# aggressive mode sends the PSK-derived hash unencrypted, so anyone
	# sniffing the WLAN can brute-force the key offline; with a simple
	# pre-shared key it is safer to allow main mode only
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

#	my_identifier user_fqdn "user@localhost";
#	peers_identifier user_fqdn "user@localhost";
	my_identifier address;
	# only consulted when authentication_method is rsasig
	certificate_type x509 "gateway_cert.pem" "gateway_key.pem";

	nonce_size 16;
	initial_contact on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
#		authentication_method rsasig;
		dh_group 2;
	}
}

sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

--- /etc/racoon/psk.txt ---
# peer identifier (the client's address, since my_identifier is "address"),
# then the key; racoon refuses the file if it is group/world readable, so
# keep it root-owned and mode 0600
192.168.100.2   password

--- ---

Mac side - I don't know a lot about macs but here goes ...

--- IPSec config in /etc/ipsec.conf ---
# Flush the SAD and SPD
flush;
spdflush;

# Client side: the same two selectors and tunnel endpoints as on the
# gateway, with "in" and "out" swapped
spdadd 0.0.0.0/0 192.168.100.2/32 any -P in ipsec esp/tunnel/192.168.100.254-192.168.100.2/require;
spdadd 192.168.100.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.100.2-192.168.100.254/require;

---- /Library/StartupItems/IPSec/IPSec ---
#!/bin/sh

##
# IPSec startup
##

. /etc/rc.common

StartService ()
{
    setkey -f /etc/ipsec.conf
    # set the mtu to allow for IPSec packet headers
    # sometimes this didn't work so I added a sleep
    # which seemed to fix it
    # there is probably a mac way to do this properly
    # (Requires = ("Network"); in StartupParameters.plist is the
    # documented way to order this item after the network is up)
    sleep 2
    ifconfig en1 mtu 1350
}

StopService ()
{
    setkey -FP
    setkey -F
}

RestartService ()
{
    setkey -f /etc/ipsec.conf
}

RunService "$1"

---- /Library/StartupItems/IPSec/StartupParameters.plist ---
{
  Description     = "IPSec configuration";
  Provides        = ("IPSecSPs");
  Requires        = ("Network");
  OrderPreference = "None";
}

--- /etc/racoon/psk.txt ---
# keyed by the gateway's address on this side; same 0600 rule applies
192.168.100.254   password

--- ---

I think that's about it. This setup tunnels all packets to and from the
mac over the secure link between the mac and the linux router.

> >I'm also eager to hear if anyone has any ideas as to why 2.6.10 stopped
> >routing IPSec as I'd very much like to re-enable it.
> 
> I don't have any ideas but... is this a kernel.org kernel?
No, it's a stock deb. It has just occurred to me that I didn't reduce the
mtu on the linux side - perhaps that might have something to do with it.

Cheers

John
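An added example, written by the editor and not part of John's post or either racoon distribution: the two ipsec.conf files above are hand-mirrored copies of each other (swap "in" and "out", keep the tunnel endpoints), which is exactly where such setups go wrong. The script below generates both files from one pair of addresses, checks that they really are mirror images, and works out how small the interface MTU has to be for 3DES-CBC/HMAC-SHA1 ESP in tunnel mode, the figure the 1350 above is guessing at. The addresses are assumptions copied from the post; the file paths under /tmp are the script's own.

```sh
#!/bin/sh
# Editor's example, not from the original post. Addresses are assumptions
# matching the post: Linux gateway 192.168.100.254, OS X client 192.168.100.2.
GW=192.168.100.254
CL=192.168.100.2

# spd_policies GATEWAY CLIENT SIDE  -> prints a complete setkey config file.
# The gateway's "out" direction (towards the client) is the client's "in",
# and vice versa; the tunnel endpoints are identical in both files.
spd_policies() {
	gw=$1; cl=$2
	case $3 in
		gateway) to_client=out; from_client=in ;;
		client)  to_client=in;  from_client=out ;;
		*) echo "side must be gateway or client" >&2; return 1 ;;
	esac
	printf '%s\n' \
		'flush;' \
		'spdflush;' \
		"spdadd 0.0.0.0/0 $cl/32 any -P $to_client ipsec esp/tunnel/$gw-$cl/require;" \
		"spdadd $cl/32 0.0.0.0/0 any -P $from_client ipsec esp/tunnel/$cl-$gw/require;"
}

# mirror_ok GATEWAY CLIENT -> succeeds if the two generated files differ only
# by swapping "-P in" and "-P out" (the check you would otherwise do by eye).
mirror_ok() {
	swapped=$(spd_policies "$1" "$2" gateway |
		sed 's/-P in /-P SWAP /; s/-P out /-P in /; s/-P SWAP /-P out /')
	[ "$swapped" = "$(spd_policies "$1" "$2" client)" ]
}

# esp_tunnel_mtu LINK_MTU IV_LEN ICV_LEN [BLOCK]
# Largest inner packet that still fits the link once tunnel-mode ESP has
# wrapped it: outer IPv4 header (20) + SPI/sequence (8) + IV + padded
# payload + ICV, where the payload plus the 2-byte pad-length/next-header
# trailer is padded up to a multiple of the cipher block size (8 for 3DES-CBC,
# 16 for AES-CBC). The ICV is 12 bytes for HMAC-SHA1-96.
esp_tunnel_mtu() {
	link=$1; iv=$2; icv=$3; block=${4:-8}
	avail=$((link - 20 - 8 - iv - icv))
	padded=$((avail / block * block))   # round down to a block boundary
	echo $((padded - 2))
}

# Usage: write both files and show the ceiling for 3DES/SHA1 on Ethernet
spd_policies "$GW" "$CL" gateway > "${TMPDIR:-/tmp}/ipsec.conf.gateway"
spd_policies "$GW" "$CL" client  > "${TMPDIR:-/tmp}/ipsec.conf.client"
mirror_ok "$GW" "$CL" && echo "gateway and client policies are mirror images"
echo "largest inner packet on a 1500-byte link: $(esp_tunnel_mtu 1500 8 12)"
```

On a 1500-byte link with 3DES-CBC and HMAC-SHA1-96 the largest inner packet that still fits is 1446 bytes, so 1350 is safe but costs more than it needs to; the same calculation explains why the Linux gateway, which forwards full-size packets into the tunnel, also needs either a reduced MTU or working path-MTU discovery. After loading the files with setkey -f, setkey -DP shows the policies the kernel holds and setkey -D the SAs racoon has actually negotiated; racoon -F -d runs the daemon in the foreground with debugging when the second list stays empty.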


