Gentoo Forums
Forum: Documentation, Tips & Tricks
IpCop 1.4.x blue vpn to gentoo howto
dreamshadow
n00b
Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

Posted: Sun Mar 06, 2005 10:19 pm    Post subject: IpCop 1.4.x blue vpn to gentoo howto

IpCop 1.4.2 blue vpn to gentoo machine

I'm writing this for a couple of reasons: one, I know there is at least one other person out there wondering how to do this, and two, in the bizarre case my notes ever suddenly disappear or burst into flames. :lol:

Things to note
This setup shows how to do a preshared-key VPN to a single wireless host. I'm explaining things this way because for most beginners it's easier to understand and set up, and then expand into certs and stuff later (someone else can write a doc on that). I'm using theoretical IP numbers; yours will differ.

BEFORE YOU START THIS HOWTO
Please make sure you can connect your wireless to the IpCop without the VPN. So to simplify, before you start, can you ping www.yahoo.com from your wireless connection? If not, stop now and get that set up; you might want to take the time and make sure that everything's working without the VPN.

The setup this is being done on
This is explained with IpCop 1.4.2 that has a blue interface for wireless.
My wireless machine is a Toshiba Tecra 8000 running Gentoo with a 2.6.11 kernel using a Netgear WG511 as the eth0 interface.

Things needed to be installed
ipsec-tools
iptables (what? you don't have this installed already? shame on you)
a current 2.6 kernel
I'm doing this on 2.6.11 so I'm not sure if it will work on a lower version or not. Someone want to try and post their results?

Let's get this party started

The IPs being used for this example
IpCop Blue IP: 192.168.199.1
Gentoo IP: 192.168.199.69

OK, to start let's make sure your 2.6 kernel is good to go. You need to have the following compiled either as modules or built in to the kernel (mine are built in since this is used every time I boot up):

Code:

This is from the 2.6.11 kernel options
Device Drivers --->
         Networking Support --->
                   Networking Options --->
                                 <*> PF_KEY sockets
                                 <*> IP: tunneling
                                 <*> IP: AH transformations
                                 <*> IP: ESP transformations
                                 <*> IP: IPComp transformations
                                 <*> IPsec user configuration interface

If you want to include IPv6 support just make sure the same things are checked in the IPv6 entries

Cryptographic Options --->
             <*> MD4 digest algorithm
             <*> SHA256 digest algorithm
             <*> SHA384 and SHA512 digest algorithms
             <*> Serpent cipher algorithm
             <*> AES cipher algorithms


I include the crypto stuff in the kernel instead of as modules since this is used every time I boot the laptop.
OK, rebuild your kernel, install it and reboot onto it. Make sure things are working properly before going on.

If you haven't done so, emerge ipsec-tools and iptables now.

Good to go so far?
Let's get IpCop set up for the new blue VPN.

Log onto your IpCop through the web interface, go to the VPN tab and select VPN.
This will bring up your VPN settings.
Code:

OK, under Global settings:
  Local VPN Hostname/IP:     Putyourhostnameoriphere             Enabled: yes
  VPN on BLUE:                                                   Enabled: yes


Next, let's add the connection.
Under Connection status and control click the add button.
We want a Host-to-Net Virtual Private Network (RoadWarrior), then click add.
Now we come to the Connection: screen.

Code:

Connection:

Name: bluevpn
Interface: BLUE
Local Subnet: 0.0.0.0/0.0.0.0
Remote Host/IP:    LEAVE THIS BLANK
Remark: bluevpn
Enabled: yes          Edit advanced settings when done:yes
Authentication:
Use a Pre-Shared Key:         instertsomereallylongpresharedkeyphrasehere


Then click save, but don't forget to write down your preshared key!!
Now we're to the advanced: section; here's my setup, yours might differ.

Code:

Compression: NO                                 Nat-Traversal: yes
IKE Encryption: AES (256 bit)                   IKE Integrity: SHA1 MD5
IKE Lifetime: 1 hours                           IKE Grouptype: MODP-1536
ESP Encryption: AES (256 bit)                   ESP Integrity: SHA1 MD5
ESP Keylife: 8 hours                            ESP Grouptype: Phase1 Group
Use only proposed settings: YES


Now we're done with IpCop for a minute, let's finish getting the wireless client set up.

OK, a couple of things that will make your life easier at this moment:
ssh into your IpCop (ssh -l root -p 222 192.168.199.1)
tail -f /var/log/messages
This will let you view what's going on with the firewall end and help if there are problems :)

Let's get the Gentoo setup now.
On your Gentoo machine edit the following files:

/etc/conf.d/racoon
Code:


RACOON_OPTS="-4"

RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/racoon/setkey.conf"

RACOON_RESET_TABLES="true"


/etc/racoon/psk.txt (this is where we place the pre-shared key from earlier)
Code:

# IPv4/v6 addresses
192.168.199.1     put the key you made earlier here


There's only two more files, don't worry, we're getting really close :D
/etc/racoon/racoon.conf
Code:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log notify;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main;
        proposal {
                encryption_algorithm aes256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        pfs_group modp1024;
        lifetime time 2600 seconds;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}


and finally, /etc/racoon/setkey.conf
Code:

#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.199.69/32 0.0.0.0/0 any
    -P out ipsec esp/tunnel/192.168.199.69-192.168.199.1/require;

spdadd 0.0.0.0/0 192.168.199.69/32 any
    -P in ipsec esp/tunnel/192.168.199.1-192.168.199.69/require;



Yes, we're done, now time to play. Here we go:
We're going to command-line the test phase until we make sure things are working, then we'll automate 'em with Gentoo.
OK, first let's set the keys. In a terminal (xterm, eterm) su to root.
In this terminal type:
Code:

setkey -f /etc/racoon/setkey.conf

If everything went well you should be at a command prompt again. =)
OK, now let's try racoon
Code:
racoon -F -f /etc/racoon/racoon.conf

Now in another xterm type:
Code:

ping 192.168.199.1

You should see activity in both the IpCop window (the one tailing /var/log/messages on IpCop)
and in the racoon xterm. If things are good, in just a second the ping will start up like normal.
If there's problems, read through the logs in your xterms that are tailing and find out what's going on.
From here, if things are working good, you can exit racoon and set it up the Gentoo way:
Code:

rc-update add racoon default

Then just start it from one of your shells:
Code:

/etc/init.d/racoon start

This will bring things back up.

IMPORTANT NOTE
OK, a few things to note: the IpCop may show the connection as still closed; for some reason I have never figured this out. But to fix it, close your browser and come back to the VPN page and it should show open.

Um, from here it's not hard to change to using certs instead of preshared keys. Read the ipsec-howto, and here's another great post I found to help with the racoon.conf setup:
https://forums.gentoo.org/viewtopic-t-185088-highlight-racoon.html
It's about half way down.
Anyways, if you get this working, you should be able to get certs and stuff working within 10-15 minutes with no problem.
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+


Last edited by dreamshadow on Fri Apr 22, 2005 4:49 am; edited 1 time in total
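As an added example (this is not code from dreamshadow's post or from the ipsec-tools project): a small Python script that renders the psk.txt and setkey.conf pieces from the howto for a given client/gateway pair and then sanity-checks an existing setkey.conf against those endpoints. The checker catches the mistakes that leave a tunnel half-configured or silently unprotected: a missing in or out policy, a mistyped endpoint (the same class of slip as the 192.169 vs 192.168 typo that can creep into these addresses), and a `use` level where `require` was intended (`use` lets packets through in the clear when no SA exists, `require` drops them). Function names, the regex and the constants are the example's own assumptions; the addresses are the post's constructed example values.

```python
"""Render and sanity-check the racoon/setkey pieces of a host-to-gateway
ESP tunnel like the one in the post above (added example, not the post's code)."""
import ipaddress
import re
import secrets

# Endpoints from the post's example (constructed values; yours will differ).
LOCAL_IP = "192.168.199.69"    # Gentoo wireless client on the BLUE network
GATEWAY_IP = "192.168.199.1"   # IpCop BLUE interface


def make_psk(nbytes=32):
    """Random pre-shared key for psk.txt (64 hex chars for nbytes=32)."""
    return secrets.token_hex(nbytes)


def render_psk_txt(gateway, key):
    """psk.txt content: one '<peer address> <key>' line per peer."""
    gw = ipaddress.ip_address(gateway)   # raises ValueError on a malformed address
    if not key or any(c.isspace() for c in key):
        raise ValueError("key must be non-empty and contain no whitespace")
    return f"# IPv4/v6 addresses\n{gw} {key}\n"


def render_setkey_conf(local, gateway):
    """setkey.conf with the SPD pair from the post: everything leaving `local`
    must go out through an ESP tunnel to `gateway`, and everything addressed to
    `local` must arrive through the mirror tunnel. 'require' drops packets that
    have no matching SA instead of sending them unprotected."""
    loc = ipaddress.ip_address(local)
    gw = ipaddress.ip_address(gateway)
    if loc == gw:
        raise ValueError("local and gateway addresses must differ")
    return (
        "#!/usr/sbin/setkey -f\n\nflush;\nspdflush;\n\n"
        f"spdadd {loc}/32 0.0.0.0/0 any\n"
        f"    -P out ipsec esp/tunnel/{loc}-{gw}/require;\n\n"
        f"spdadd 0.0.0.0/0 {loc}/32 any\n"
        f"    -P in ipsec esp/tunnel/{gw}-{loc}/require;\n"
    )


# One spdadd statement; whitespace-tolerant so hand-edited files also match.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+esp/tunnel/"
    r"(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)\s*;"
)


def check_setkey_conf(text, local, gateway):
    """Return a list of problems found in the SPD entries of `text`
    (an empty list means the policies match `local` and `gateway`)."""
    loc = str(ipaddress.ip_address(local))
    gw = str(ipaddress.ip_address(gateway))
    problems, seen = [], set()
    for m in SPD_RE.finditer(text):
        d = m.group("dir")
        seen.add(d)
        # The selector that names our own host: src for out, dst for in.
        host = m.group("src") if d == "out" else m.group("dst")
        if host != f"{loc}/32":
            problems.append(f"{d}: selector {host} is not {loc}/32")
        tsrc, tdst = m.group("tsrc"), m.group("tdst")
        want = (loc, gw) if d == "out" else (gw, loc)
        if (tsrc, tdst) != want:
            problems.append(f"{d}: tunnel {tsrc}-{tdst} should be {want[0]}-{want[1]}")
        if m.group("level") != "require":
            problems.append(f"{d}: level '{m.group('level')}' allows unprotected "
                            "traffic; use 'require'")
    for d in ("out", "in"):
        if d not in seen:
            problems.append(f"no '{d}' policy found")
    return problems


if __name__ == "__main__":
    key = make_psk()
    print(render_psk_txt(GATEWAY_IP, key))
    conf = render_setkey_conf(LOCAL_IP, GATEWAY_IP)
    print(conf)
    print("problems:", check_setkey_conf(conf, LOCAL_IP, GATEWAY_IP))
```

Run it as a normal user to see the rendered files; write the psk.txt output to /etc/racoon/psk.txt with mode 0600 (racoon reads it as root and nothing else needs it), then run the checker over the setkey.conf you actually installed, not the one you meant to install.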
thagrinna
n00b
Joined: 30 Nov 2002
Posts: 1
Location: Wisconsin, US

Posted: Thu Mar 10, 2005 3:22 pm

Nice documentation. This should be very useful.