FreeSwan, iptables, firewalls, MASQ, etc. - confused
I have tons of literature concerning the Subject of this letter, as well
as some responses from people on this list, and I have come to the
conclusion that I am totally confused.
First about my network situation:
I wish to connect through a VPN 2 separate networks, called NPC and USA,
respectively:
NPC's structure is as follows:
NPC has 5 public IP addresses, 64.7.20.137 - 141
Internal IP configuration is: 10.0.1.0/24
Gateway, router and NAT are located at 64.7.20.137. It's internal
address is 10.0.0.254
The VPN server through the NAT server has the following IP addresses:
public - 64.7.20.141, internal - 10.0.1.10
USA's structure is as follows:
USA has only 1 public IP addresses: 212.107.20.30
The VPN server will be located at this address with an internal address
of: 10.0.0.1.
Internal networking structure is: 10.0.0.0/24
64.7.20.137 ROUTER 10.0.1.254
----------
NPC |
|
----------
64.7.20.141 VPN 10.0.1.10
-----------------------------------------------------------
USA 212.107.20.30 VPN 10.0.0.0
----------
Here's what I've done so far.
I have compiled 2.4.18 kernels with Freeswan and ipsec. iptables is
installed and operating.
Per one source I have done the following actions involving ipsec.conf
and ipsec.secrets:
ipsec.secrets
I issued command: ipsec ranbits 256 > temp
then, I copied the key just created to ipsec.secrets to and edited
it to read as follows:
212.107.20.30 64.7.20.141
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
This file is exactly the same on both VPN servers.
ipsec.conf
reads as follows:
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%dns
rightrsasigkey=%dns
# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
left=%defaultroute
right=%opportunistic
keylife=1h
rekey=no
# uncomment this next line to enable it
#auto=route
# sample VPN connection
conn NPC-USA
# Left security gateway, subnet behind it, next hop toward right.
left=10.0.1.10
leftsubnet=10.0.1.0/24
leftnexthop=64.7.20.137
# Right security gateway, subnet behind it, next hop toward left.
right=10.0.0.1
rightsubnet=10.0.0.0/24
rightnexthop=202.107.20.30
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
auto=add
This seems very incorrect to me. I think the left side might be right,
but that the rightnexthop would have to be the DNS server for the ISP.
But, I'm not really sure.
Anyhow, that's about the extent of everything I've been able to figure
out. I'm not sure where to go from here.
According to the primary source I'm working off, I need to enable IPv4
forwarding. So, I added the following line to the file /etc/sysctl.conf:
net.ipv4.ip_forwarding = 1
The next step according to my source is to edit, what it calls a script
file, titled iptables. Now I wrote about this recently, but have to
admit that I don't know what people are talking about. Sorry.
Basically the source book says to edit iptables to read:
(NB: where EXTERNAL_INTERFACE="eth0" - your external gateway to the Internet
where IPSECSG is a space separated list of remote VPN gateways
where FREESWANVI="ipsec0" - a space separated list of virtual
interfaces for FreeS/Wan)
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $IPSECSG --source-port -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPSECSG --destination-port -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p 50 \
-s $IPSECSG --source-port -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 50 \
-s $IPSECSG --destination-port -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p 51 \
-s $IPSECSG --source-port -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 51 \
-s $IPSECSG --destination-port -j ACCEPT
iptables -A INPUT -i $FREESWANVI \
--source-port \
--destination-port -j ACCEPT
iptables -A OUTPUT -o $FREESWANVI \
--source-port \
--destination-port -j ACCEPT
iptables -A FORWARD -i $FREESWANVI \
--source-port \
--destination-port -j ACCEPT
Now there are more steps after this, but I'm not certain about creating
this iptables file, where exactly I should put and apparently people
have told me I have to link it to runlevels.
So, now pulling out my hair. Could someone point me in the right direction?
Curtis
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: