AppNote: VPN FreeS/WAN Configuration Guide with NBM 3.8 Server
Novell Cool Solutions: AppNote
By Upendra Gopu
Posted: 12 Nov 2003 |
Upendra Gopu
Senior Software Engineer
gupendra@novell.com
This document describes how to deploy FreeS/WAN VPN clients against Novell BorderManager (NBM) 3.8 servers. It is aimed at experienced FreeS/WAN IPsec administrators. It does not give detailed instructions on installing, distributing, patching and compiling Linux sources, nor on updating the active kernel, planning IP routing, and so on. The document briefly explains how to create the certificates needed for authentication; the certificate authority (CA) running on the NBM 3.8 server can generate the required certificates. This interoperability guide is a source of additional information, not a comprehensive manual for VPN deployment.
Table of Contents:
- 1.0 Introduction
- 2.0 Requirements
- 2.1 Compiling the FreeS/WAN Client with the Patches
- 2.2 Install the RPMs
- 3.0 Configuring FreeS/WAN host as a VPN client
- 3.1 If using pre-shared key authentication
- 3.2 If using X.509 certificates
- 3.3 Connection steps
1.0 Introduction
When FreeS/WAN VPN clients are installed with Novell BorderManager 3.8 servers, the NBM 3.8 server acts as a security gateway. It can be contacted by the FreeS/WAN IPsec host to establish a virtual private connection to the private network protected by the NBM 3.8 Server.
Although you can use pre-shared keys for authentication, we recommend certificates for security reasons. Support for X.509 certificates is provided by a user-contributed software patch.
The combinations could be:
- Authentication: pre-shared key, X.509 certificate
- Encryption: 3DES
In addition to these variables, all the sample configurations in this document use the following IKE/IPsec proposals:
- IP compress: disabled
- IKE Lifetime: 240 minutes (4 hours)
- IPsec lifetime: 60 minutes (1 hour)
- IKE integrity: MD5
- IKE mode: Main mode
- IKE Group: MODP 1024 (group 2)
- IPsec integrity: MD5
- IPsec mode: tunnel (for all VPN connections)
- PFS: enabled. (MODP 1024, group 2)
This document does not cover the following scenarios:
- NAT-Traversal (NAT-T) patch
- Transport mode host-to-host connections
Further Information:
- FreeS/WAN IPsec Project: http://www.freeswan.org
- X.509 patch for FreeS/WAN: http://www.strongsec.com/freeswan
- Linux Documentation Project: http://www.linuxdoc.org
- Red Hat Inc.: http://www.redhat.com
- Delete SA Notification patch: http://open-source.arkoon.net/
- Novell BorderManager: http://www.novell.com
The following figure shows a network environment. By the end of this paper you should be able to set up such an environment, with FreeS/WAN VPN clients connecting to Novell BorderManager 3.8 servers.
[Figure: network environment with FreeS/WAN VPN clients and an NBM 3.8 VPN server]
2.0 Requirements
This document is based on the interoperability tests between FreeS/WAN and the NBM 3.8 VPN server. The test used:
- Red Hat Linux v8.0
- Linux kernel 2.4.18-14 from RH 8.0
- FreeS/WAN v1.99
- X509patch-0.9.15-freeswan-1.99 (required for X.509 certificate support)
- NBM 3.8 VPN Server
Though this document is based on a configuration with Red Hat Linux, you should be able to use any Linux distribution and get similar results. However, the functionality described here has only been verified with the components listed above.
2.1 Compiling the FreeS/WAN Client with the Patches
1. Download the source code.
2. The source code for Linux kernel must be in /usr/src/linux. For example, Red Hat 8.0 requires you to add a symbolic link as follows:
# cd /usr/src
# ln -s linux-2.4 linux
3. Extract both the FreeS/WAN and the x509 patch sources to /usr/src (this example assumes that you have first downloaded the source code to the /root/src directory):
# cd /usr/src
# tar xvfz /root/src/Freeswan-1.99.tar.gz
# tar xvfz /root/src/x509patch-0.9.15-freeswan-1.99.tar.gz
4. To get X.509 certificate support for FreeS/WAN, install the x.509patch:
# cd /usr/src/Freeswan-1.99
# patch -p1 < ../x509patch-0.9.15-freeswan-1.99/Freeswan.diff
For more detailed information, refer to either the x509 patch readme file or to http://www.strongsec.com/freeswan.
5. Patch the Linux kernel sources with FreeS/WAN and compile FreeS/WAN.
If you use the kernel-source rpm package instead of the official kernel tar package, and would like to compile a kernel identical to the standard Red Hat Linux kernel (but patched for FreeS/WAN IPsec support), you may want to use the .config files included in the kernel-source rpm package.
For example, if you have a single-processor machine with an i686 CPU you could use the /usr/src/linux/configs/kernel-2.4.18-i686.config file:
# cd /usr/src/linux
# cp configs/kernel-2.4.18-i686.config .config
# make config
# make dep
Enter the following commands to compile both FreeS/WAN and the kernel:
# cd /usr/src/Freeswan-1.99
# make ogo
For more information on the kernel options required and recommended by FreeS/WAN, refer to the FreeS/WAN documentation, especially the doc/kernel.html document.
6. Compile the kernel and kernel modules, install them, and configure the boot loader (LILO, Grub) to boot up the system with the new kernel as a default.
When using Red Hat Linux you may want to use the following procedure:
# cd /usr/src/linux
# make bzImage
# make install
# make modules
# make modules_install
Prepare your default boot loader to boot up the system with the freshly compiled and installed kernel.
Please refer to the FreeS/WAN documentation for more details. The Kernel-HOWTO document by the Linux Documentation Project gives a lot of useful information about compiling and setting up a new kernel on the system (http://www.tdlp.org).
7. Alternatively, you can get ready-built RPMs for your kernel, with the x509 certificate patch applied, from the following site:
http://download.freeswan.ca/freeswan-x509/RedHat-RPMs
IPsec is very sensitive to even minor changes of the kernel. We recommend that you take the rpm which exactly matches your kernel.
You can get your kernel version as follows:
# uname -a
Linux linuxclient 2.4.18-14 #1 Wed July 11 14:30:30 EDT 2003 i686 i386 GNU/Linux
Based on the kernel version, get the pre-patched RPMs for that kernel. Download those RPMs and install them.
Get a kernel module which matches that version. For example:
freeswan-module-1.99_x509_0.9.15_2.4.18_14-0.i386.rpm
Note: These modules will work only on the Red Hat kernel for which they were built.
Get FreeS/WAN utilities to match. For example:
freeswan-1.99_x509_0.9.15_2.4.18_14-0.i386.rpm
Check the signatures for the freeswan.org RPMs.
While you're at the ftp site, grab the RPM signing key
freeswan-rpmsign.asc
If you're running RedHat 8.x, import this key into the RPM database:
# rpm --import freeswan-rpmsign.asc
Check the signatures on both RPMs using:
# rpm --checksig freeswan*.rpm
freeswan-module-2.00_2.4.18_14-0.i386.rpm: pgp md5 OK
freeswan-userland-2.00_2.4.18_14-0.i386.rpm: pgp md5 OK
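The two checks above (an RPM built for exactly the running kernel, and a clean signature check) are easy to skip when installing by hand. The following POSIX shell script is an added example, not part of the AppNote or the FreeS/WAN project: it derives the kernel string embedded in the RPM file name from `uname -r` (dashes become underscores, so 2.4.18-14 appears as 2.4.18_14) and refuses to proceed unless every `rpm --checksig` line reports OK. The file names and checksig output used to exercise it are constructed from the ones shown above.

```shell
#!/bin/sh
# Added example (not from the AppNote): pre-install checks for the pre-built
# FreeS/WAN x509 RPMs. The IPsec kernel module must match the running kernel
# exactly, and the RPM signatures must verify before anything is installed.

# rpm_matches_kernel RPMFILE KERNEL_RELEASE
# The RPM names embed the kernel release with '-' replaced by '_'
# (2.4.18-14 -> 2.4.18_14). Returns 0 if RPMFILE was built for KERNEL_RELEASE.
rpm_matches_kernel() {
    rpm=$(basename "$1")
    want=$(printf '%s' "$2" | tr - _)
    case "$rpm" in
        *_"$want"-*.rpm) return 0 ;;
        *)               return 1 ;;
    esac
}

# checksig_all_ok  (reads "rpm --checksig" output on stdin)
# Returns 0 only if at least one line was read and every line ends in "OK"
# without being a "NOT OK" / missing-key line.
checksig_all_ok() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"NOT OK"*) return 1 ;;   # bad signature or key not imported
            *" OK")     ;;            # e.g. "...rpm: pgp md5 OK"
            *)          return 1 ;;   # anything unexpected is a failure
        esac
    done
    [ "$n" -gt 0 ]
}

# preflight KERNEL_RELEASE RPMFILE...
# Real-world entry point (needs the rpm tool): check every file against the
# kernel, then verify all signatures in one rpm --checksig run.
preflight() {
    krel=$1; shift
    for f in "$@"; do
        rpm_matches_kernel "$f" "$krel" ||
            { echo "$f: not built for kernel $krel" >&2; return 1; }
    done
    rpm --checksig "$@" | checksig_all_ok ||
        { echo "signature check failed, not installing" >&2; return 1; }
    echo "all RPMs match kernel $krel and verify OK"
}

# Usage on the client, after importing freeswan-rpmsign.asc:
#   preflight "$(uname -r)" freeswan*.rpm && rpm -ivh freeswan*.rpm
```

The kernel-match test is deliberately strict: a module RPM for 2.4.18-14 is rejected on a 2.4.18-14smp or 2.4.20-8 kernel, which is exactly the mismatch the note above warns about.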
2.2 Install the RPMs
1. Become root:
# su
2. Install your RPMs with:
# rpm -ivh freeswan*.rpm
3. Test your install:
To check that you have a successful install, run:
# ipsec verify
Check your system to see if IPsec is installed and has started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that Pluto is running [OK]
You should see at least the above messages.
Firewalling: You need to allow UDP port 500 (IKE) through your firewall, plus ESP (IP protocol 50) and AH (IP protocol 51). Otherwise KLIPS might fail to pass traffic.
3.0 Configuring FreeS/WAN host as a VPN client
Configure the FreeS/WAN secrets file for the RSA private key.
The secrets file of FreeS/WAN IPsec is /etc/ipsec.secrets. Here you must declare the pre-shared key (PSK, shared secret) or the location of the RSA private keys if deploying X.509 certificates.
3.1 If using pre-shared key authentication
The secrets file /etc/ipsec.secrets of a FreeS/WAN gateway whose public eth0 interface has IP address 10.10.10.10 must include the pre-shared key as follows:
10.10.10.10 %any : PSK "MyPreSharedSecret"
Note: We recommend that you do not use pre-shared keys for VPN clients. This is because all the remote clients will be using the same pre-shared key.
3.2 If using X.509 certificates
You must define the RSA private key in the /etc/ipsec.secrets file as follows:
: RSA /etc/ipsec.d/private/userKey.pem "MySecretPassword"
In the example above, the private key was protected with the password "MySecretPassword" when the certificate request for the FreeS/WAN host was created.
Extract the private key from the "user.pfx" file generated for the user using the following command. The extraction will ask for an import passphrase; provide the password you gave during the generation of the file. It will then ask for a passphrase to lock the output file. This passphrase is the one you give in the ipsec.secrets file (for example: "MySecretPassword").
# openssl pkcs12 -nocerts -in user.pfx -out userKey.pem
Keep the extracted userKey.pem file in /etc/ipsec.d/private/
If you want to use both a pre-shared key and an X.509 certificate, your /etc/ipsec.secrets file must contain both definitions. Refer to the FreeS/WAN documentation for more information on creating your private key and on checking that it has been installed properly.
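The key-extraction step in 3.2 and the warning in 3.1 about shared pre-shared keys can be exercised end to end with the following POSIX shell script. It is an added example and not part of the AppNote or of FreeS/WAN: since no NBM 3.8 CA is available offline, make_test_pfx first constructs a throw-away user.pfx from a self-signed certificate (in a real deployment the .pfx is the one issued by the NBM CA), then the script runs the same `openssl pkcs12 -nocerts` command as above, installs the key with restrictive permissions, writes the matching ipsec.secrets line, and checks that the key on disk is encrypted. The passphrases and the scratch directory are placeholders; nothing is written under /etc.

```shell
#!/bin/sh
# Added example (not from the AppNote): section 3.2's key extraction carried
# through in a scratch directory, plus two checks a defender wants: the PEM
# is encrypted, and the secrets file does not hold a group pre-shared key.

IMPORT_PASS="ImportPassphrase"   # placeholder: given when the .pfx was generated
KEY_PASS="MySecretPassword"      # placeholder: locks userKey.pem, quoted in ipsec.secrets

# make_test_pfx DIR: constructed stand-in for the CA-issued user.pfx.
make_test_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=freeswan-user" \
        -keyout "$dir/tmp.key" -out "$dir/tmp.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/tmp.key" -in "$dir/tmp.crt" \
        -out "$dir/user.pfx" -passout "pass:$IMPORT_PASS" >/dev/null 2>&1 || return 1
    rm -f "$dir/tmp.key" "$dir/tmp.crt"   # only the .pfx survives, as a user would receive it
}

# extract_user_key PFX OUTDIR: the AppNote's "openssl pkcs12 -nocerts" step.
# The PEM written is encrypted under KEY_PASS, so a stolen copy of the file
# alone is useless without the passphrase that ipsec.secrets supplies to Pluto.
extract_user_key() {
    pfx=$1; outdir=$2
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    openssl pkcs12 -nocerts -in "$pfx" -out "$outdir/userKey.pem" \
        -passin "pass:$IMPORT_PASS" -passout "pass:$KEY_PASS" >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/userKey.pem"
}

# write_secrets FILE KEYPATH: the ": RSA <key> <passphrase>" line from 3.2.
# The file carries the passphrase in clear text, so it is created mode 600
# (umask applied in a subshell so the rest of the script is unaffected).
write_secrets() {
    ( umask 077; printf ': RSA %s "%s"\n' "$2" "$KEY_PASS" > "$1" ) && chmod 600 "$1"
}

# key_is_encrypted PEM: confirm the extracted key was not written in clear.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# uses_shared_psk FILE: returns 0 when FILE contains a "%any ... : PSK" entry,
# the one-secret-for-all-clients pattern section 3.1 advises against.
uses_shared_psk() {
    grep -Eq '^[^#]*%any[^#]*:[[:space:]]*PSK' "$1"
}

# demo: run the whole procedure in a scratch directory and print its path.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    work=$(mktemp -d) || return 1
    make_test_pfx "$work" &&
    extract_user_key "$work/user.pfx" "$work/private" &&
    write_secrets "$work/ipsec.secrets" "$work/private/userKey.pem" &&
    key_is_encrypted "$work/private/userKey.pem" &&
    printf '%s\n' "$work"
}

# Usage: sh this_script.sh run   (prints the scratch directory to inspect)
if [ "${1:-}" = "run" ]; then demo; fi
```

On a real client the OUTDIR argument would be /etc/ipsec.d/private and the secrets file /etc/ipsec.secrets; the permission settings are the point, since both files together are equivalent to the user's identity.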
1. Configure the FreeS/WAN /etc/ipsec.conf file for PSK mode with 3DES encryption.
In our case the interface used is eth0; if yours is different, substitute the proper interface name.
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        uniqueids=yes
conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=secret
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        auto=add
This tunnel is required if you want the FreeS/WAN host to be able to communicate with the NBM 3.8 VPN server machine itself, that is, if you want to ping the NBM 3.8 VPN server gateway from the FreeS/WAN host. Define the following:
conn fsw-psk-3des
        type=tunnel
        left=172.16.158.73
        leftnexthop=172.16.158.72
        right=10.10.10.10
        rightnexthop=10.10.10.1
        keyexchange=ike
        auth=esp
This tunnel is necessary in order to allow the FreeS/WAN host to communicate with the Protected Networks behind the NBM 3.8 VPN Gateway.
conn ptnw-nbm38
        type=tunnel
        left=172.16.158.73
        leftnexthop=172.16.158.72
        leftsubnet=192.168.0.0/16
        right=10.10.10.10
        rightnexthop=10.10.10.1
        keyexchange=ike
        auth=esp
2. Configure the FreeS/WAN /etc/ipsec.conf file for certificate mode with 3DES encryption.
In our case the interface used is eth0; if yours is different, substitute the proper interface name.
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        uniqueids=yes
conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        auto=add
This tunnel is required if you want the FreeS/WAN host to be able to communicate with the NBM 3.8 VPN server machine itself, that is, if you want to ping the NBM 3.8 VPN server gateway from the FreeS/WAN host. Define the following:
conn fsw-cert-3des
        type=tunnel
        left=172.16.158.73
        leftnexthop=172.16.158.72
        leftcert=user.der
        right=10.10.10.10
        rightnexthop=10.10.10.1
        rightcert=user.der
        keyexchange=ike
        auth=esp
This tunnel is necessary in order to allow the FreeS/WAN host to communicate with the Protected Networks behind the NBM 3.8 VPN gateway.
conn ptnw-nbm38
        type=tunnel
        left=172.16.158.73
        leftnexthop=172.16.158.72
        leftsubnet=192.168.0.0/16
        leftcert=user.der
        right=10.10.10.10
        rightnexthop=10.10.10.1
        rightcert=user.der
        keyexchange=ike
        auth=esp
config setup:
This section attaches a virtual IPsec interface to a physical network interface. In the sample above, ipsec0 is attached to the eth0 interface. If you require the VPN to start automatically during the boot process, see "man ipsec.conf" for more information on "plutoload" and "plutostart".
conn %default:
keyingtries=1
This parameter must be defined.
disablearrivalcheck=no
This parameter must be defined.
authby=secret
This specifies that authentication is by pre-shared secret (use authby=rsasig for certificates, as in the second sample).
keyexchange=ike
This specifies that the key exchange protocol to be used is IKE.
ikelifetime=240m
This parameter defines the life time of the IKE SAs formed for the communication.
keylife=60m
This parameter defines the life time of the IPsec SAs formed for the communication.
pfs=yes
This parameter enables perfect forward secrecy during the IKE negotiation. If you don't want PFS you can set it to no.
conn <connection name>:
This section must be defined for each VPN connection. It holds the VPN options and the routes to be added when the VPN is established. In the sample above, a connection named "ptnw-nbm38" is defined with the following properties:
type=tunnel
This option specifies to use TUNNEL mode for the VPN, instead of TRANSPORT mode. NBM 3.8 does not support transport mode at this time.
left=172.16.158.73
This is the left end-point or side of the VPN. In the sample above, it is used to represent the NBM 3.8 VPN Server.
leftsubnet=192.168.0.0/16
This defines the topology of the left side of the VPN. Since we are using the left side to represent the NBM 3.8 VPN server, this should match (in whole or part) the protected networks defined.
right=10.10.10.10
This is the right end-point or side of the VPN. In the sample above, it is used to represent the FreeS/WAN host.
rightnexthop=10.10.10.1
This represents the IP address of the gateway the right side of our VPN will use to get to the left side.
keyexchange=ike
Use IKE to exchange keys.
auth=esp
Enable ESP headers for packets.
This completes the configuration on the Linux machine.
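The samples above are reproduced without the layout FreeS/WAN actually requires: section headers ("config setup", "conn name") must start in column 0, every parameter line must be indented, and keyword names are lowercase, otherwise "ipsec setup" stops with a parse error. The following POSIX shell script is an added example, not part of the AppNote or of FreeS/WAN: check_ipsec_conf lints a file for those layout rules and for the parameters the text above calls mandatory (interfaces in config setup; type, left and right in every real conn section). The two sample files it writes are the PSK configuration from step 1 laid out correctly and a copy-pasted variant with the typical mistakes; the scratch directory is a placeholder.

```shell
#!/bin/sh
# Added example (not from the AppNote): a lint for ipsec.conf files of the
# shape shown in section 3.0, run before "ipsec setup start".

# check_ipsec_conf FILE: returns 0 when FILE passes, 1 otherwise; each problem
# is reported on stderr with its line number.
check_ipsec_conf() {
    awk '
    function fail(msg) { printf("%s:%d: %s\n", FILENAME, NR, msg) > "/dev/stderr"; bad = 1 }
    function need(k)   { if (!(k in seen)) fail(section ": missing required parameter " k) }
    function endsection() {
        if (section == "config setup") need("interfaces")
        else if (section ~ /^conn / && section != "conn %default") {
            need("type"); need("left"); need("right")
        }
    }
    BEGIN { bad = 0; section = "" }
    /^[ \t]*$/ { next }                                    # blank line
    /^[ \t]*#/ { next }                                    # comment
    /^(config[ \t]+setup|conn[ \t]+[^ \t]+)[ \t]*$/ {      # new section header
        endsection()
        section = $0; gsub(/[ \t]+/, " ", section); sub(/ $/, "", section)
        split("", seen)                                    # portable way to clear the array
        next
    }
    /^(Conn|Config)[ \t]/ { fail("section keyword must be lowercase: " $0); next }
    section == ""   { fail("parameter before any section header: " $0); next }
    /^[^ \t]/       { fail("parameter line must be indented: " $0); next }
    /^[ \t]+[a-z]+=[^ \t]/ {                               # indented lowercase key=value
        key = $0; sub(/^[ \t]+/, "", key); sub(/=.*/, "", key); seen[key] = 1; next
    }
    { fail("not a lowercase key=value parameter: " $0) }
    END { endsection(); exit bad }
    ' "$1"
}

# write_sample_conf FILE: the PSK configuration from step 1, laid out correctly.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        uniqueids=yes

conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=secret
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        auto=add

conn ptnw-nbm38
        type=tunnel
        left=172.16.158.73
        leftnexthop=172.16.158.72
        leftsubnet=192.168.0.0/16
        right=10.10.10.10
        rightnexthop=10.10.10.1
        keyexchange=ike
        auth=esp
EOF
}

# write_broken_conf FILE: what a copy-paste of an unindented listing with a
# capitalised "Interfaces" keyword and "Conn" header looks like.
write_broken_conf() {
    cat > "$1" <<'EOF'
config setup
Interfaces="ipsec0=eth0"
        plutoload=%search
Conn ptnw-nbm38
        type=tunnel
        left=172.16.158.73
        right=10.10.10.10
EOF
}

# Usage: sh this_script.sh run   (lints both samples in a scratch directory)
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    write_sample_conf "$d/good.conf"; check_ipsec_conf "$d/good.conf" && echo "good.conf: OK"
    write_broken_conf "$d/bad.conf";  check_ipsec_conf "$d/bad.conf"  || echo "bad.conf: rejected"
fi
```

Point it at /etc/ipsec.conf on the client with `check_ipsec_conf /etc/ipsec.conf` before starting the service; the messages name the offending line.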
3.3 Connection steps
To initiate the connection type the following:
# ipsec auto --up <connection name>
To bring the connection down, type the following command:
# ipsec auto --down <connection name>
To see the status of all connections, including <connection name>, type the following command:
# ipsec auto --status
Now verify the connection by pinging between the FreeS/WAN host and the protected networks of the server.