FreeSWANandWindowsHowto

Please note this wiki page is a work in progress. Corrections or
requests for clarification are very welcome.

* 0. Assumptions [1]
* 1. Creating and installing certificates [2]
  * 1.1 Create a Certificate Authority [3]
  * 1.2 Create a certificate for your Linux machine [4]
  * 1.3 Create certificates for your Windows machines [5]
  * 1.4 Importing certificates on the Windows client [6]
* 2. IPSEC Configuration [7]
  * 2.1 Windows side configuration [8]
  * 2.2 Linux side configuration [9]
* 3. Starting the connection [10]
  * 3.1 Firewall considerations [11]
  * 3.2 Linux side [12]
  * 3.3 Windows side [13]

-------------------------
WHAT IS FREESWAN [14]?

From the FreeSWAN homepage [15]: FreeSWAN [16] is an implementation
of Internet Protocol Security (IPSEC) and Internet Key Exchange
(IKE) for Linux. IPSEC uses strong cryptography to provide both
authentication and encryption services. Authentication ensures that
packets are from the right sender and have not been altered in
transit. Encryption prevents unauthorised reading of packet contents.

WHY WOULD I WANT TO USE FREESWAN [17]?

I'm using FreeSWAN [18] to authenticate remote wireless users so they
can gain further access to my network.

WHY IS THIS PAGE HERE?

Getting FreeSWAN [19] to work with Windows is not well documented on
the Internet. No one site will tell you everything you need to know. I
spent far too much time chasing up different websites to confirm
details or procedures. It all has to be put in the one place.

WHAT OTHER INSTRUCTIONAL PAGES ARE OUT THERE?

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html - great
instructions on getting Windows to work with FreeSWAN [20] using
IPSEC/L2TP. Very few details on getting pppd and l2tpd going though. I
haven't used this approach, yet.

http://www.natecarlson.com/linux/ipsec-x509.php - guide to setting up
FreeSWAN [21] and Windows using the FreeSWAN [22] X.509 patch.

http://www.strongsec.com/freeswan/install.htm - X.509 patch
installation and configuration guide. Not a detailed guide for Windows
clients, but great for setting up FreeSWAN [23].

http://www.securityfocus.com/infocus/1519 - introduction to
Microsoft's implementation of IPSEC and L2TPD in Windows.

0. ASSUMPTIONS

* You are trying to make a secure connection from the Windows
  machine to the Linux gateway.
* The Linux machine must:
  * Have FreeSWAN [24] with X.509 patches installed. Instructions on
    how to do this are available at the FreeSWAN website [25],
    Freeswan.ca [26], and the X.509 patch homepage [27].
  * For Freeswan 2.02 on Debian you'll need the libgmp3-dev package
    installed to compile.
  * Have a static IP address.
* The Windows machine must:
  * Be running Windows XP. The procedure for Windows 2000 is similar,
    so the instructions below might still work.
  * Have the Windows XP support tools installed. You can install these
    from the 'Support/Tools' directory on the XP CD. Run the setup
    program, and choose 'Complete installation' to install the tools
    we require.
  * For an attempt in Windows 2000 to have a chance, at least SP2 must
    be installed.
* Both machines are on the same subnet. If this isn't the case, look
  into the use of the 'leftnexthop' and 'rightnexthop' settings in
  FreeSWAN [28]'s _/etc/ipsec.conf_ configuration file - the current
  version of FreeSWAN [29] does not interface with the route table at
  all, so it requires the next hop information to be able to find the
  other end of the tunnel.

1. CREATING AND INSTALLING CERTIFICATES

You will need to use the openssl package to create the framework for
a Certificate Authority for all machines on your network to trust.
Ensure this package is installed on your Linux machine by using
_apt-get_ or installing the relevant RPM.

Once installed, you will need to find the location of the _CA.sh_
shell script (sometimes just _CA_) which we will be using to create
the certificates. For Mandrake Linux 9.0, this file is located in
_/usr/lib/ssl/misc_. Other locations might be _/var/ssl/misc_ or
_/usr/share/ssl/misc_.

1.1 CREATE A CERTIFICATE AUTHORITY

The config file for OpenSSL [30], _openssl.conf_, is located in the
parent directory of the directory you located above. Open this file in
your favorite text editor, so we can set the number of days the
certificates we create will stay valid. Change the _default_days_ entry
to 3650. Also set _default_bits_ to 2048.

Change back to the misc directory, and create new CA certificates by
issuing the command:

./CA.sh -newca

Press enter at the first prompt. You will then be asked for a pass
phrase - PEM files have their content protected by a pass phrase. This
particular phrase is for your CA's certificates. You will need it in
later steps, so make sure you remember it.

Then enter the information that your CA will be identified by.
Commercial CAs leave some fields blank, so you only need to enter
details that you deem necessary. In the examples below I have entered
a country, state, and organisation name for my CA.

You now have your CA's keys residing in the _demoCA_ directory.

To give FreeSWAN [31] access to the CA's public key, we need to put
the key in a place and format FreeSWAN [32] can use. The following
command makes a copy of the Root CA certificate in DER format, and
outputs it to the right place:

openssl x509 -in demoCA/cacert.pem -outform DER -out /etc/ipsec.d/cacerts/RootCA.der

Now that your Root CA has been created, we can reduce the lifetime of
the subsequent certificates we create. Change this to ~5 years (1825
days) by editing _openssl.conf_ and changing the _default_days_ entry
again.

Next, we need to create a certificate revocation list (CRL):

openssl ca -gencrl -out crl.pem

Move this to the right location:

mv crl.pem /etc/ipsec.d/crls

And we're done creating your CA.

1.2 CREATE A CERTIFICATE FOR YOUR LINUX MACHINE

Create a certificate for your Linux FreeSWAN [33] gateway using the
command:

./CA.sh -newreq

Enter another PEM pass phrase, and enter identification data for your
gateway machine. Then use the CA certs to sign the request ("make it
official") using the command:

./CA.sh -sign

Public and private keys are now in the files _newcert.pem_ and
_newreq.pem_. Rename these so they are easy to tell apart from other
certificates:

mv newcert.pem host.pem
mv newreq.pem host.key

(replace 'host' with suitable machine name)

Copy _host.key_ to your _/etc/ipsec.d/private_ directory. We also
need to tell FreeSWAN [34] how to access this file - we do this by
entering the PEM pass phrase into your _/etc/ipsec.secrets_ file. The
format should look like this (the leading colon is part of the syntax):

: RSA /etc/ipsec.d/private/silverstone.key "pass phrase"

An older version of _/etc/ipsec.secrets_ will contain a lot of
mathematical data relating to your private key as spat out by the
fswcert program - with newer versions of FreeSWAN [35]/X.509, this
isn't necessary.

Next we can convert the public key to binary DER format and install
it as FreeSWAN [36]'s default x509 certificate. This step is optional,
depending on how you set up your IPSEC settings in _/etc/ipsec.conf_ -
but it is best to do it just in case:

openssl x509 -in newcert.pem -outform der -out /etc/x509cert.der

1.3 CREATE CERTIFICATES FOR YOUR WINDOWS MACHINES

This procedure is very similar to the one in the previous section, so
look there if you need any clarification on the following commands.

Generate a private key and Certificate Request using ./CA.sh -newreq.
Enter the details for your Windows machine.

Sign the request using ./CA.sh -sign.

Rename the two files newreq.pem & newcert.pem:

mv newcert.pem client.pem
mv newreq.pem client.key

Next, the files need to be transferred to the Windows machine.
Windows accepts certificates in, amongst others, PKCS#12 format:

openssl pkcs12 -export -in client.pem -inkey client.key -certfile demoCA/cacert.pem -out client.p12

The first pass phrase is the one used to create the client
certificate. The second one you are asked to enter is for encryption
of the .p12 file. You will need this again when you import the
certificates on the Windows machine.

Record the ID of your client's certificate, as spat out by the
command:

openssl x509 -in client.pem -noout -subject

Later, this ID will be placed into your /etc/ipsec.conf file.
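The whole of sections 1.1 to 1.3, as an added example that is not the page's own set of commands: it drives the openssl CLI directly instead of the interactive CA.sh wrapper, so every value is passed on the command line and the run can be repeated. The directory, subject names and pass phrases are constructed placeholders; the CRL step (openssl ca -gencrl) is left out because it needs the demoCA database that CA.sh maintains.

```shell
#!/bin/sh
# Added example for this page, not the page's own commands: the PKI of
# sections 1.1-1.3 built with the openssl CLI directly instead of the
# CA.sh wrapper. Subject names and pass phrases are constructed placeholders.
set -e

# issue_cert NAME SUBJECT KEY_PASS : CA.sh -newreq followed by CA.sh -sign,
# spelled out. Produces NAME.key (encrypted private key) and NAME.pem (cert
# signed by cacert.pem, 1825 days like the page's reduced default_days).
issue_cert() {
    openssl req -new -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" \
        -passout "pass:$3" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -passin "pass:$ca_pw" -days 1825 -out "$1.pem" 2>/dev/null
}

# make_pki DIR : create everything under DIR (runs in a subshell so the
# caller's working directory is untouched).
make_pki() (
    mkdir -p "$1" && cd "$1"

    # Pass phrases CA.sh would prompt for; placeholder values.
    ca_pw=ca-pass-phrase            # protects the CA key (demoCA/private/cakey.pem)
    host_pw=host-pass-phrase        # goes into /etc/ipsec.secrets on the gateway
    client_pw=client-pass-phrase    # protects the Windows client's key
    p12_pw=p12-export-phrase        # asked for again by the Windows import wizard

    # 1.1 Root CA: self-signed, 2048-bit key, 3650 days (the page's settings)
    openssl req -x509 -newkey rsa:2048 -days 3650 \
        -keyout cakey.pem -out cacert.pem -passout "pass:$ca_pw" \
        -subj "/C=AU/ST=Victoria/O=Example Org CA" 2>/dev/null
    # FreeSWAN reads the CA cert in DER form (page: /etc/ipsec.d/cacerts/RootCA.der)
    openssl x509 -in cacert.pem -outform DER -out RootCA.der

    # 1.2 Gateway certificate, plus the DER copy used as /etc/x509cert.der
    issue_cert host "/C=AU/ST=Victoria/O=Example Org/CN=gateway" "$host_pw"
    openssl x509 -in host.pem -outform DER -out x509cert.der
    # The /etc/ipsec.secrets line the page describes, for the installed key path
    printf ': RSA /etc/ipsec.d/private/host.key "%s"\n' "$host_pw" > ipsec.secrets.example

    # 1.3 Windows client certificate, bundled with its key and the CA cert as PKCS#12
    issue_cert client "/C=AU/ST=Victoria/O=Example Org/CN=client" "$client_pw"
    openssl pkcs12 -export -in client.pem -inkey client.key -certfile cacert.pem \
        -out client.p12 -passin "pass:$client_pw" -passout "pass:$p12_pw"
)

# verify_client DIR : confirm the client cert chains to the CA (what Windows
# checks once RootCA sits in its Trusted Root store).
verify_client() {
    openssl verify -CAfile "$1/cacert.pem" "$1/client.pem"
}

# client_dn DIR : the client's subject in the forward, comma-separated form
# section 2.2 uses for rightid=. RFC2253 output is most-specific-first, so
# the RDNs are reversed here; values containing commas are not handled.
client_dn() {
    openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' \
        | awk -F',' '{ out = ""; for (i = NF; i >= 1; i--) out = out (i == NF ? "" : ", ") $i; print out }'
}
```

Run `make_pki /tmp/pki` and then copy RootCA.der, x509cert.der, host.key and the secrets line to the locations the page gives, and client.p12 to the Windows machine. Newer OpenSSL 3 releases write .p12 files with AES and SHA-256 by default, which Windows XP's import wizard does not understand; those releases have a `-legacy` option on `openssl pkcs12` that produces the older format.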

1.4 IMPORTING CERTIFICATES ON THE WINDOWS CLIENT

Move the .p12 file to your Windows client machine. The file is
somewhat protected by the pass phrase, but a secure move (eg. floppy
disk) is better than an insecure one.

Download the "Windows 2000 VPN tool" from http://vpn.ebootis.de/ and
extract the files from the zip file to a temporary directory on your
hard disk, eg. _C:\ipsec_. For the sake of completeness, copy the
'ipseccmd.exe' file from _C:\Program Files\Support Tools_ into this
directory. (If you don't have 'ipseccmd.exe' or the 'Support Tools'
directory, see the assumptions section at the top of this page.) This
program is required by the _ipsec_ tool.

The following instructions on how to import the certificates MUST BE
FOLLOWED PRECISELY or else the import may not work properly and you
will get "IKE failed to find valid machine certificate" errors later -
you have been warned.

Find the _ipsec_ directory in Windows Explorer and double click the
_IPSec.msc_ file. This will bring up an MMC console that will allow
the Root CA certificate to be installed correctly. Yes, the console is
in German!

Expand the last entry in the list on the right, 'Zertifikate (Lokaler
Computer)' which means 'Certificates (Local Computer)'. Select the
'Trusted Root Certification Authorities' folder. In the right pane, in
the empty area under 'Certificates', right click and select All Tasks
-> Import.

Follow the instructions in the Certificate Import Wizard, selecting
your .p12 file and entering the pass phrase that the file was
encrypted with. On the next screen, make sure you let Windows decide
where to put the certificates that the file contains. Then confirm
your selections on the final screen, click finish, and you should be
told that the import succeeded. You should NOT be prompted to confirm
if you want to add the root CA to any store - if you get this prompt,
the import will fail.

Go into the Certificates folder in the Trusted Root Certification
Authorities store. Find your Root CA, and double click on it. In the
details tab, click on the 'Subject' entry. Record, in reverse, the
entries listed here as a comma separated list, eg:

C=AU, S=Victoria, O=Node DJJ CA

You will need these soon for your Windows _ipsec.conf_ file. You can
now close the MMC console - don't save changes to the IPSec.msc file.

2. IPSEC CONFIGURATION

2.1 WINDOWS SIDE CONFIGURATION

At the start, Windows' IPSEC settings will be governed by the
_ipsec.conf_ file that came with the Windows 2000 VPN Tool. This
provides an easy way to get IPSEC up and going, using settings for a
simple client-server connection. We will build upon these settings
later as your situation requires. The basic _ipsec.conf_ file on your
Windows client should look like this:

conn secure-me
	left=%any                                  # Local IP address
	right=10.10.64.49                          # Server IP address
	rightca="C=AU, S=Victoria, O=Node DJJ CA"  # Root CA [37] DN from earlier
	network=auto
	authmode=MD5
	pfs=yes
	auto=start

For my _ipsec.conf_ files I always consider left = local and right =
remote regardless of whether we are on the client or server machine.
By this standard, _left_ above is the client machine's IP address. If
this is assigned by DHCP or unknown, %any is normally sufficient.
_right_ is the IP of the server you are connecting to. _rightca_ is
the DN (distinguished name) of your root CA that you noted earlier.
The rest are standard options and can be left as they appear above.

Save the file after making your changes.

2.2 LINUX SIDE CONFIGURATION

FreeSWAN [38]'s settings are governed by the _/etc/ipsec.conf_ file.
Open this up in your text editor, and copy the following text into it
- section headings should have no whitespace before them, and settings
should be indented with one tab:

config setup
	interfaces="ipsec0=wlan0"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	authby=rsasig
	left=10.10.64.49
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	keyingtries=3
	pfs=yes
	auto=add

conn secure-me
	right=%any
	rightid="C=AU, ST=Victoria, O=NodeDJJ, CN=Dushku"
	auth=esp
	esp=3des-md5-96

You only need to change three settings to get this to suit your own
connections. Under the _config setup_ heading, replace wlan0 with the
interface that client connections will come from. Under the _conn
%default_ heading, change left to the IP of your FreeSWAN [39] server.
And under _conn secure-me_, change rightid to the DN of your client
machine's certificate. Note that this must match exactly how Windows
identifies itself to FreeSWAN [40] - commas separate entries, and the
'State' field is denoted by ST not S.
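The two DN spellings in sections 1.4, 2.1 and 2.2 are easy to get wrong by hand, so here is an added example (not from the page or the VPN tool) that turns the Subject as the Windows certificate viewer lists it into the string each side expects and checks that the Linux rightid= really matches the Windows client's identity. The sample DNs are the page's own 'Node DJJ CA' and 'Dushku' values; the functions assume "X=Y" pairs separated by commas and do not handle values that themselves contain commas.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the FreeSWAN and
# Windows forms of a certificate subject from what the Windows certificate
# viewer shows, and check that both sides agree. Sample DNs are the page's.

# reverse_dn "CN=a, O=b, S=c, C=d" -> "C=d, S=c, O=b, CN=a"
# Windows lists RDNs most-specific first; the page records them reversed.
# Stray spaces around "=" (the viewer prints "CN = Dushku") are removed.
reverse_dn() {
    printf '%s\n' "$1" | awk -F', *' '{
        out = ""
        for (i = NF; i >= 1; i--) {
            rdn = $i
            gsub(/ *= */, "=", rdn)
            out = out (i == NF ? "" : ", ") rdn
        }
        print out
    }'
}

# freeswan_dn WINDOWS_SUBJECT : the value for rightid= in /etc/ipsec.conf.
# FreeSWAN wants forward order and "ST=" where Windows shows "S=".
freeswan_dn() {
    reverse_dn "$1" | sed -e 's/^S=/ST=/' -e 's/, S=/, ST=/g'
}

# windows_dn WINDOWS_SUBJECT : the value for rightca= in the Windows
# ipsec.conf, which keeps Windows' own "S=" spelling (section 2.1).
windows_dn() {
    reverse_dn "$1"
}

# Finished config lines for each side.
rightid_line() { printf 'rightid="%s"\n' "$(freeswan_dn "$1")"; }
rightca_line() { printf 'rightca="%s"\n' "$(windows_dn "$1")"; }

# dn_matches WINDOWS_SUBJECT RIGHTID : 0 when the rightid= configured on
# the gateway is exactly what the client will present, else 1. A mismatch
# here is what leaves the peer unauthenticated on the Linux side.
dn_matches() {
    [ "$(freeswan_dn "$1")" = "$2" ]
}

# Demo with the page's values (Windows viewer order, "S=" for the state).
rightca_line 'O=Node DJJ CA, S=Victoria, C=AU'
rightid_line 'CN=Dushku, O=NodeDJJ, S=Victoria, C=AU'
```

dn_matches is the check to run before restarting FreeSWAN: feed it the Subject copied from the Windows viewer and the rightid= value you typed, and a non-zero exit means the 'S' versus 'ST' or ordering rule above was broken.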

3. STARTING THE CONNECTION

3.1 FIREWALL CONSIDERATIONS

If you are running a firewall on your Linux machine, you will need to
add rules to allow other machines to (1) authenticate with FreeSWAN
[41], and (2) talk to the Linux box once the tunnel is up.

STEP (1) involves allowing IPSEC traffic through. For key
negotiations when the tunnel is first brought up, UDP port 500 is used
on both ends of the connection. If you have an IPTables firewall with
a default DROP policy for all default chains, adding lines similar to
the following to your firewall script will get you started:

iptables -A INPUT -i wlan0 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -o wlan0 -p udp --sport 500 --dport 500 -j ACCEPT

This is not an IPTables tutorial (see
http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
for one of those) but here is a quick rundown of the first line above:

-A INPUT      append the rule that follows to the INPUT chain:
-i wlan0      for traffic from the wlan0 interface...
-p udp        ...that uses the UDP protocol...
--sport 500   ...and originates from port 500...
--dport 500   ...and is headed for port 500:
-j ACCEPT     accept this traffic.

You will also need to let through the IPSEC protocols themselves,
which are IP protocol numbers 50 (ESP) and 51 (AH):

iptables -A INPUT -i wlan0 -p 50 -j ACCEPT
iptables -A OUTPUT -o wlan0 -p 50 -j ACCEPT
iptables -A INPUT -i ! wlan0 -p 51 -j ACCEPT
iptables -A OUTPUT -o ! wlan0 -p 51 -j ACCEPT

STEP (2) involves allowing traffic from the IPSEC interface (eg.
ipsec0, ipsec1, etc.) through your firewall. This depends on
exactly what resources on your system an authorised user will have
access to. For access to all services on the local machine, the
following IPTables rules will suffice:

iptables -A INPUT -i ipsec+ -j ACCEPT
iptables -A OUTPUT -o ipsec+ -j ACCEPT

The _ipsec+_ interface will match any interface starting with
'ipsec'. Consult the IPTables tutorial link above if you require more
restricted access to the local machine.

3.2 LINUX SIDE

Restart (or start) FreeSWAN [42] on your Linux box by typing
something along the lines of _service ipsec restart_. FreeSWAN [43]
records a log of its activities in _/var/log/secure_, so do a _tail
/var/log/secure_ or your preferred method of checking logs to see if
everything seems ok. Your log should look something like this:

Feb 24 02:35:38 silverstone ipsec__plutorun: Starting Pluto subsystem...
Feb 24 02:35:38 silverstone pluto[9501]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 24 02:35:38 silverstone pluto[9501]:   including X.509 patch with traffic selectors (Version 0.9.21)
Feb 24 02:35:38 silverstone pluto[9501]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 24 02:35:38 silverstone pluto[9501]: loaded cacert file 'RootCA.der' (892 bytes)
Feb 24 02:35:38 silverstone pluto[9501]: Changing to directory '/etc/ipsec.d/crls'
Feb 24 02:35:38 silverstone pluto[9501]: loaded crl file 'crl.pem' (568 bytes)
Feb 24 02:35:38 silverstone pluto[9501]: loaded my default X.509 cert file '/etc/x509cert.der' (953 bytes)
Feb 24 02:35:39 silverstone pluto[9501]: added connection description "secure-me"
Feb 24 02:35:39 silverstone pluto[9501]: listening for IKE messages
Feb 24 02:35:39 silverstone pluto[9501]: adding interface ipsec0/wlan0 10.10.64.49
Feb 24 02:35:39 silverstone pluto[9501]: loading secrets from "/etc/ipsec.secrets"

The important line is _added connection description "secure-me"_ -
this tells you that FreeSWAN [44] liked your config and has added the
'secure-me' connection description to its list of possible
connections. If this line isn't there, check over the Linux
configuration steps to make sure you haven't missed anything.
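Checking the log by eye works once, but the same milestones are worth testing every time the gateway restarts. The added example below (not from the page or FreeSWAN) scans a pluto log for the lines section 3.2 calls out, and also pulls the Peer ID that pluto logs when the Windows client connects (the 'Peer ID is ID_DER_ASN1_DN' line in section 3.3's log) so it can be compared with the rightid= in /etc/ipsec.conf. The log lines written by sample_log are constructed to match the page's format; the log path and connection name are parameters.

```shell
#!/bin/sh
# Added example, not from the page: check a pluto log for the start-up
# milestones of section 3.2 and compare the Peer ID of a connecting client
# with the configured rightid=. Sample log lines are constructed.

# pluto_startup_ok LOGFILE CONN : print each missing milestone, return 1
# if any is absent (the page singles out "added connection description").
pluto_startup_ok() {
    log=$1; conn=$2; rc=0
    for pat in "loaded cacert file" \
               "loaded crl file" \
               "loaded my default X.509 cert file" \
               "added connection description \"$conn\"" \
               "listening for IKE messages"; do
        if ! grep -q -- "$pat" "$log"; then
            echo "missing: $pat"
            rc=1
        fi
    done
    return $rc
}

# peer_dn LOGFILE CONN : the DN the most recent peer of CONN presented,
# taken from pluto's "Peer ID is ID_DER_ASN1_DN: '...'" line.
peer_dn() {
    grep -- "\"$2\"\[.*Peer ID is ID_DER_ASN1_DN:" "$1" \
        | tail -n 1 \
        | sed "s/.*ID_DER_ASN1_DN: '\(.*\)'.*/\1/"
}

# peer_matches_rightid LOGFILE CONN RIGHTID : 0 if the client identified
# itself with exactly the DN configured as rightid= (commas, order and
# "ST" spelling all have to agree), else 1.
peer_matches_rightid() {
    [ "$(peer_dn "$1" "$2")" = "$3" ]
}

# sample_log FILE : constructed lines in the format /var/log/secure shows
# on the page (start-up on the left, a client connecting on the right).
sample_log() {
    cat > "$1" <<'EOF'
Feb 24 02:35:38 silverstone pluto[9501]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 24 02:35:38 silverstone pluto[9501]: loaded cacert file 'RootCA.der' (892 bytes)
Feb 24 02:35:38 silverstone pluto[9501]: loaded crl file 'crl.pem' (568 bytes)
Feb 24 02:35:38 silverstone pluto[9501]: loaded my default X.509 cert file '/etc/x509cert.der' (953 bytes)
Feb 24 02:35:39 silverstone pluto[9501]: added connection description "secure-me"
Feb 24 02:35:39 silverstone pluto[9501]: listening for IKE messages
Feb 24 04:28:01 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: responding to Main Mode from unknown peer 10.10.64.60
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: Peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=NodeDJJ, CN=Dushku'
EOF
}
```

On the real gateway the call is `pluto_startup_ok /var/log/secure secure-me` after the restart, and `peer_matches_rightid /var/log/secure secure-me "$rightid"` after the first ping from Windows; a mismatch printed by peer_dn is the quickest way to see which RDN the two sides disagree on.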

3.3 WINDOWS SIDE

To turn on the IPSEC policies on the Windows machine, start a command
prompt, navigate to the folder where you extracted the Windows 2000
VPN tool, and type _ipsec_. The tool will display details about the
connection we defined, pause for 5 to 10 seconds while it does its
work, then return you to the command line. It hasn't actually started
the tunnel yet - just brought up the relevant policies in Windows. You
can bring up the tunnel by pinging your Linux box:

ping 10.10.64.49

If you are lucky, you will see:

C:\>ping 10.10.64.49

Pinging 10.10.64.49 with 32 bytes of data:

Negotiating IP Security.
Reply from 10.10.64.49: bytes=32 time=2ms TTL=64
Reply from 10.10.64.49: bytes=32 time=1ms TTL=64
Reply from 10.10.64.49: bytes=32 time=2ms TTL=64

Ping statistics for 10.10.64.49:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

The _Negotiating IP Security._ line and the single lost packet are
expected: the first ping matches the policy and triggers the IKE
negotiation, and Windows drops that packet rather than sending it in
the clear while the Security Associations are being set up. Once the
tunnel is up, subsequent pings are answered normally.

The connection attempt is also recorded by FreeSWAN [45] in
_/var/log/secure_, looking something like:

Feb 24 04:28:01 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: responding to Main Mode from unknown peer 10.10.64.60
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: Peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=NodeDJJ, CN=Dushku'
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: sent MR3, ISAKMP SA established
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #2: responding to Quick Mode
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #2: IPsec SA established

As you can see, two Security Associations are brought up for each IPSEC tunnel:
the ISAKMP (Internet Security Association and Key Management Protocol)
Security Association (state #1, negotiated in Main Mode) for authenticating the
peers and managing keys, and the IPsec Security Association (state #2,
negotiated in Quick Mode) for the actual data transfers. The _Peer ID_
line shows the subject DN of the certificate the Windows machine
presented; it should be the DN of the certificate you issued for that
machine from your own CA. A tunnel is only usable once both the
_ISAKMP SA established_ and _IPsec SA established_ lines have appeared
for the same peer.
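When troubleshooting several Windows clients at once it is easier to
summarise pluto's log than to read it by hand. The following Python
script is an added example written for this page (it is not part of
FreeSWAN or of the original howto). It parses log lines in the format
shown above, records which connections were loaded, tracks per peer
whether the ISAKMP SA and IPsec SA were both established, extracts the
reported Peer ID, and checks that DN against an allow-list. The log
lines embedded in it are constructed from the format in this howto;
the second peer (10.10.64.61), which stalls after Main Mode, and the
allow-list policy are assumptions added to show the failure case.

```python
"""Summarise FreeSWAN pluto log lines: which connections loaded, which
peers completed both the ISAKMP SA and the IPsec SA, and whether the
certificate DN each peer presented is one we expect."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the pluto output shown in the howto.
# Peer 10.10.64.61 is an assumed extra client that never gets past Main Mode.
SAMPLE_LOG = """\
Feb 24 02:35:39 silverstone pluto[9501]: added connection description "secure-me"
Feb 24 02:35:39 silverstone pluto[9501]: listening for IKE messages
Feb 24 04:28:01 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: responding to Main Mode from unknown peer 10.10.64.60
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: Peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=NodeDJJ, CN=Dushku'
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #1: sent MR3, ISAKMP SA established
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #2: responding to Quick Mode
Feb 24 04:28:02 silverstone pluto[10356]: "secure-me"[1] 10.10.64.60 #2: IPsec SA established
Feb 24 04:31:10 silverstone pluto[10356]: "secure-me"[2] 10.10.64.61 #3: responding to Main Mode from unknown peer 10.10.64.61
"""

# "connection"[instance] peer #state: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
ADDED_RE = re.compile(r'pluto\[\d+\]: added connection description "(?P<conn>[^"]+)"')
PEER_ID_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")


def _new_record():
    return {"conn": None, "peer_id": None, "isakmp_sa": False,
            "ipsec_sa": False, "states": set()}


def parse_pluto_log(text):
    """Return (set of loaded connection names, dict peer -> negotiation record)."""
    loaded = set()
    peers = defaultdict(_new_record)
    for line in text.splitlines():
        m = ADDED_RE.search(line)
        if m:
            loaded.add(m.group("conn"))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue                       # startup chatter, not a state line
        rec = peers[m.group("peer")]
        rec["conn"] = m.group("conn")
        rec["states"].add(int(m.group("state")))
        msg = m.group("msg")
        pid = PEER_ID_RE.search(msg)
        if pid:
            rec["peer_id"] = pid.group("dn")
        if "ISAKMP SA established" in msg:  # phase 1 (Main Mode) done
            rec["isakmp_sa"] = True
        if "IPsec SA established" in msg:   # phase 2 (Quick Mode) done
            rec["ipsec_sa"] = True
    return loaded, dict(peers)


def tunnel_up(summary, peer):
    """A tunnel is usable only when both SAs exist for the peer."""
    rec = summary.get(peer)
    return bool(rec and rec["isakmp_sa"] and rec["ipsec_sa"])


def check_peer_identity(summary, peer, allowed_dns):
    """Assumed policy check: the DN pluto reported must be one we issued."""
    rec = summary.get(peer)
    if rec is None or rec["peer_id"] is None:
        return False
    return rec["peer_id"] in allowed_dns


if __name__ == "__main__":
    loaded, summary = parse_pluto_log(SAMPLE_LOG)
    print("loaded connections:", sorted(loaded))
    for peer, rec in sorted(summary.items()):
        print(peer, rec["conn"], "up" if tunnel_up(summary, peer) else "INCOMPLETE",
              rec["peer_id"] or "(no Peer ID seen)")
```

Run it against a real _/var/log/secure_ by reading the file into
parse_pluto_log instead of SAMPLE_LOG. A peer that shows only
_responding to Main Mode_ and no _Peer ID_ line usually means the
Windows machine's certificate was not accepted, so the certificate
import and CA steps are the first thing to re-check.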

Links:
------
[1] http://melbourne.wireless.org.au/#0__assumptions
[2] http://melbourne.wireless.org.au/#1__creating_and_installing_certificates
[3] http://melbourne.wireless.org.au/#1_1_create_a_certificate_authority
[4] http://melbourne.wireless.org.au/#1_2_create_a_certificate_for_your_linux_machine
[5] http://melbourne.wireless.org.au/#1_3_create_certificates_for_your_windows_machines
[6] http://melbourne.wireless.org.au/#1_4_importing_certificates_on_the_windows_client
[7] http://melbourne.wireless.org.au/#2__ipsec_configuration
[8] http://melbourne.wireless.org.au/#2_1_windows_side_configuration
[9] http://melbourne.wireless.org.au/#2_2_linux_side_configuration
[10] http://melbourne.wireless.org.au/#3__starting_the_connection
[11] http://melbourne.wireless.org.au/#3_1_firewall_considerations
[12] http://melbourne.wireless.org.au/#3_2_linux_side
[13] http://melbourne.wireless.org.au/#3_3_windows_side
[14] http://melbourne.wireless.org.au/?FREESWAN
[15] http://www.freeswan.org/
[16] http://melbourne.wireless.org.au/?FreeSWAN
[17] http://melbourne.wireless.org.au/?FREESWAN
[18] http://melbourne.wireless.org.au/?FreeSWAN
[19] http://melbourne.wireless.org.au/?FreeSWAN
[20] http://melbourne.wireless.org.au/?FreeSWAN
[21] http://melbourne.wireless.org.au/?FreeSWAN
[22] http://melbourne.wireless.org.au/?FreeSWAN
[23] http://melbourne.wireless.org.au/?FreeSWAN
[24] http://melbourne.wireless.org.au/?FreeSWAN
[25] http://www.freeswan.org/
[26] http://www.freeswan.ca/
[27] http://www.strongsec.com/freeswan/index.htm
[28] http://melbourne.wireless.org.au/?FreeSWAN
[29] http://melbourne.wireless.org.au/?FreeSWAN
[30] http://melbourne.wireless.org.au/?OpenSSL
[31] http://melbourne.wireless.org.au/?FreeSWAN
[32] http://melbourne.wireless.org.au/?FreeSWAN
[33] http://melbourne.wireless.org.au/?FreeSWAN
[34] http://melbourne.wireless.org.au/?FreeSWAN
[35] http://melbourne.wireless.org.au/?FreeSWAN
[36] http://melbourne.wireless.org.au/?FreeSWAN
[37] http://melbourne.wireless.org.au/?RootCA
[38] http://melbourne.wireless.org.au/?FreeSWAN
[39] http://melbourne.wireless.org.au/?FreeSWAN
[40] http://melbourne.wireless.org.au/?FreeSWAN
[41] http://melbourne.wireless.org.au/?FreeSWAN
[42] http://melbourne.wireless.org.au/?FreeSWAN
[43] http://melbourne.wireless.org.au/?FreeSWAN
[44] http://melbourne.wireless.org.au/?FreeSWAN
[45] http://melbourne.wireless.org.au/?FreeSWAN
