
FreeSwan, iptables, firewalls, MASQ, etc. - confused



I have tons of literature concerning the Subject of this letter, as well as some responses from people on this list, and I have come to the conclusion that I am totally confused.

First about my network situation:
I wish to connect 2 separate networks through a VPN, called NPC and USA, respectively:

NPC's structure is as follows:
NPC has 5 public IP addresses, 64.7.20.137 - 141
Internal IP configuration is: 10.0.1.0/24
Gateway, router and NAT are located at 64.7.20.137. Its internal address is 10.0.0.254. The VPN server behind the NAT server has the following IP addresses: public - 64.7.20.141, internal - 10.0.1.10

USA's structure is as follows:
USA has only 1 public IP address: 212.107.20.30
The VPN server will be located at this address with an internal address of: 10.0.0.1. Internal networking structure is: 10.0.0.0/24

64.7.20.137 ROUTER 10.0.1.254 ----------
NPC                           |
                             |
---------- 64.7.20.141 VPN 10.0.1.10

-----------------------------------------------------------

USA       212.107.20.30      VPN       10.0.0.0
                         ----------


Here's what I've done so far.

I have compiled 2.4.18 kernels with Freeswan and ipsec. iptables is installed and operating.

Per one source I have done the following actions involving ipsec.conf and ipsec.secrets:

ipsec.secrets
   I issued command: ipsec ranbits 256 > temp
then I copied the key just created to ipsec.secrets and edited it to read as follows:

212.107.20.30 64.7.20.141 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

This file is exactly the same on both VPN servers. ipsec.conf reads as follows:

config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dns
	rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	keylife=1h
	rekey=no
	# uncomment this next line to enable it
	#auto=route

# sample VPN connection
conn NPC-USA
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.1.10
	leftsubnet=10.0.1.0/24
	leftnexthop=64.7.20.137
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.0.0.1
	rightsubnet=10.0.0.0/24
	rightnexthop=202.107.20.30
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	auto=add



This seems very incorrect to me. I think the left side might be right, but that the rightnexthop would have to be the DNS server for the ISP. But, I'm not really sure.

Anyhow, that's about the extent of everything I've been able to figure out. I'm not sure where to go from here.

According to the primary source I'm working off, I need to enable IPv4 forwarding. So, I added the following line to the file /etc/sysctl.conf: net.ipv4.ip_forwarding = 1

The next step according to my source is to edit, what it calls a script file, titled iptables. Now I wrote about this recently, but have to admit that I don't know what people are talking about. Sorry.

Basically the source book says to edit iptables to read:

(NB: where EXTERNAL_INTERFACE="eth0" - your external gateway to the Internet
     where IPSECSG is a space separated list of remote VPN gateways
     where FREESWANVI="ipsec0" - a space separated list of virtual interfaces for FreeS/Wan)

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
        -s $IPSECSG --source-port -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
        -s $IPSECSG --destination-port -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p 50 \
        -s $IPSECSG --source-port -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 50 \
        -s $IPSECSG --destination-port -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p 51 \
        -s $IPSECSG --source-port -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 51 \
        -s $IPSECSG --destination-port -j ACCEPT


iptables -A INPUT -i $FREESWANVI \
        --source-port \
        --destination-port -j ACCEPT

iptables -A OUTPUT -o $FREESWANVI \
        --source-port \
        --destination-port -j ACCEPT


iptables -A FORWARD -i $FREESWANVI \
        --source-port \
        --destination-port -j ACCEPT


Now there are more steps after this, but I'm not certain about creating this iptables file, where exactly I should put it, and apparently people have told me I have to link it to runlevels.
So, now I'm pulling out my hair. Could someone point me in the right direction?

Curtis
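The fragment quoted from the book above cannot run as written: `--source-port` and `--destination-port` are given no port number, ESP (protocol 50) and AH (protocol 51) carry no ports at all, the OUTPUT rules match the peer with `-s` where `-d` is needed, and the three variables are never defined. The script below is an added example, not from the post or from the book it cites, showing the same rule set in a form that actually loads: it lets through IKE (UDP port 500), ESP and AH only to and from the listed peer gateways, accepts decrypted traffic on the FreeS/WAN virtual interface, and turns on forwarding with the real sysctl key `net.ipv4.ip_forward`. It assumes eth0 is the Internet-facing interface, ipsec0 the FreeS/WAN interface, and the USA gateway 212.107.20.30 from the post as the only peer; all three can be overridden from the environment. Running it with `show` prints the rules instead of applying them, which is a convenient check before linking it into a runlevel.

```shell
#!/bin/sh
# Added example firewall script for a FreeS/WAN gateway (not from the
# original post or the book it quotes). Assumed defaults: eth0 is the
# external interface, ipsec0 the FreeS/WAN virtual interface, and the
# peer security gateway is 212.107.20.30 from the post.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
FREESWANVI="${FREESWANVI:-ipsec0}"
IPSECSG="${IPSECSG:-212.107.20.30}"
# Set IPTABLES=echo to print the rules instead of installing them.
IPTABLES="${IPTABLES:-iptables}"

# Apply (or, with IPTABLES=echo, print) one rule.
rule() {
    $IPTABLES "$@"
}

ipsec_rules() {
    for sg in $IPSECSG; do
        # IKE negotiation: UDP port 500 in both directions, peers only.
        rule -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp -s "$sg" --sport 500 --dport 500 -j ACCEPT
        rule -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -d "$sg" --sport 500 --dport 500 -j ACCEPT
        # ESP (50) and AH (51) are their own IP protocols: no port options.
        for proto in 50 51; do
            rule -A INPUT  -i "$EXTERNAL_INTERFACE" -p "$proto" -s "$sg" -j ACCEPT
            rule -A OUTPUT -o "$EXTERNAL_INTERFACE" -p "$proto" -d "$sg" -j ACCEPT
        done
    done
    # Packets FreeS/WAN has already decrypted appear on ipsec0; accept
    # them locally and let them be forwarded to and from the LAN.
    for vi in $FREESWANVI; do
        rule -A INPUT   -i "$vi" -j ACCEPT
        rule -A OUTPUT  -o "$vi" -j ACCEPT
        rule -A FORWARD -i "$vi" -j ACCEPT
        rule -A FORWARD -o "$vi" -j ACCEPT
    done
}

# Number of rules the script would install; a quick sanity check.
rule_count() {
    (IPTABLES=echo; ipsec_rules) | wc -l | tr -d ' '
}

case "${1:-}" in
    start)
        # The kernel key is ip_forward; an /etc/sysctl.conf entry of
        # net.ipv4.ip_forward = 1 does the same thing at boot.
        sysctl -w net.ipv4.ip_forward=1
        ipsec_rules
        ;;
    show)
        (IPTABLES=echo; ipsec_rules)
        ;;
esac
```

On a Debian system of that era the file would live at /etc/init.d/iptables and be linked into the runlevels with update-rc.d; the `show` argument lets you read the generated rules before doing so.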

