<HTML
><HEAD
><TITLE
>Required network setup for IPSec</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="Linux FreeS/WAN VPN"
HREF="fSWAn.html"><LINK
REL="PREVIOUS"
TITLE="Configure RSA private keys secrets"
HREF="chap25sec205.html"><LINK
REL="NEXT"
TITLE="Testing the installation"
HREF="chap25sec207.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap25sec205.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 25. Linux FreeS/WAN VPN</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap25sec207.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN15198"
>25.9. Required network setup for IPSec</A
></H1
><P
>&#13;There are a few settings you must verify before running the FreeS/WAN software; if they are wrong, you will receive error messages when your <SPAN
CLASS="acronym"
>VPN</SPAN
> starts up. The following
are required:
</P
><P
>&#13;You will need to enable <SPAN
CLASS="acronym"
>TCP</SPAN
>/<SPAN
CLASS="acronym"
>IP</SPAN
> forwarding on both gateway servers. In Red Hat Linux, this is done by changing or adding one line, depending on the Red Hat version you use:
<DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/Version6.1.gif"
ALT="Version 6.1 only"
></IMG
></P
></DIV
>
Edit the <TT
CLASS="filename"
>network</TT
> file, <B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/etc/sysconfig/network</TT
>, and change the following line:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;FORWARD_IPV4="false"
</PRE
></TD
></TR
></TABLE
>
To read:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;FORWARD_IPV4="yes"
</PRE
></TD
></TR
></TABLE
>
</P
><P
>&#13;You must restart your network for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13;[root@deep] /# /etc/rc.d/init.d/network restart
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
>&#13;Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</TT
></PRE
></TD
></TR
></TABLE
>
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/Version6.2.gif"
ALT="Version 6.2 only"
></IMG
></P
></DIV
><P
>&#13;To enable IPv4 forwarding on a Red Hat 6.2 system, edit the <TT
CLASS="filename"
>/etc/sysctl.conf</TT
> file and add the following line:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;# Enable packet forwarding
net.ipv4.ip_forward = 1
</PRE
></TD
></TR
></TABLE
>
</P
><P
>&#13;You must restart your network for the change to take effect. The command to restart the network is the following:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13;[root@deep] /# /etc/rc.d/init.d/network <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
>&#13;Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</TT
></PRE
></TD
></TR
></TABLE
>
</P
><P
>&#13;Recall that automatically keyed connections use keys generated automatically by the Pluto key negotiation daemon. The Pluto daemon will start up, try to connect to the Pluto daemon at the other end of the tunnel, and establish a
connection. For this reason, an IPSEC gateway should have packet filter rules <EM
>in the firewall script file</EM
> permitting the following protocols to traverse the gateway when talking to another IPSEC gateway:
<P
></P
><OL
TYPE="i"
><LI
><P
>&#13;UDP port 500 for IKE, implemented by the Pluto daemon
</P
></LI
><LI
><P
>&#13;Protocol 50 for ESP encryption and/or authentication
</P
></LI
><LI
><P
>&#13;Protocol 51 for AH packet-level authentication
</P
></LI
></OL
>
</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
>&#13;Edit the <TT
CLASS="filename"
>firewall</TT
> script file, <B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/etc/rc.d/init.d/firewall</TT
> on both gateway machines, and add/check the following lines to allow IPSEC packets
to traverse the remote network gateway to your network gateway and vice versa:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;# FreeS/WAN IPSec VPN
# -------------------
# If you are using the FreeS/WAN IPSec VPN, you will need to fill in the
# addresses of the gateways in the IPSECSG and the virtual interfaces for
# FreeS/WAN IPSec in the FREESWANVI parameters. Look at the beginning of
# this firewall script rules file to set the parameters.
# IPSECSG is a space separated list of remote gateways. FREESWANVI is a
# space separated list of virtual interfaces for the FreeS/WAN IPSec
# implementation. Only include those that are actually used.
# Allow the IPSec protocols from the remote gateways on the external interface.
# IPSec uses three main types of packet:
#   IKE uses the UDP protocol and port 500,
#   ESP uses the protocol number 50, and
#   AH uses the protocol number 51.
# One set of rules is added per remote gateway, because ipchains takes a
# single address in -s/-d. The IKE rules are limited to UDP port 500 so that
# the gateways are not allowed to exchange arbitrary UDP traffic.
for SG in $IPSECSG; do
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $SG --sport 500 --dport 500 -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        --sport 500 -d $SG --dport 500 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \
        -s $SG -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
        -d $SG -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \
        -s $SG -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
        -d $SG -j ACCEPT
done
# Allow all traffic on the FreeS/WAN virtual interfaces (the decrypted
# side of the tunnel), and forward anything arriving from them.
for VI in $FREESWANVI; do
    ipchains -A input -i $VI \
        -s $ANYWHERE \
        -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $VI \
        -s $ANYWHERE \
        -d $ANYWHERE -j ACCEPT
    ipchains -A forward -i $VI \
        -s $ANYWHERE \
        -d $ANYWHERE -j ACCEPT
done
</PRE
></TD
></TR
></TABLE
>
where
<P
></P
><DIV
CLASS="variablelist"
><DL
><DT
>EXTERNAL_INTERFACE="eth0"</DT
><DD
><P
>&#13;Your external interface to the Internet.
</P
></DD
><DT
>ANYWHERE="any/0"</DT
><DD
><P
>&#13;Means everywhere, 0.0.0.0/0.
</P
></DD
><DT
>IPSECSG=<TT
CLASS="literal"
>208.164.186.2</TT
></DT
><DD
><P
>&#13;Space separated list of remote <SPAN
CLASS="acronym"
>VPN</SPAN
> gateways.
</P
></DD
><DT
>FREESWANVI=<TT
CLASS="literal"
>ipsec0</TT
></DT
><DD
><P
>&#13;Space separated list of virtual interfaces for FreeS/Wan.
</P
></DD
></DL
></DIV
>
<DIV
CLASS="important"
><BLOCKQUOTE
CLASS="important"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Important.gif"
ALT="Important"
></IMG
></SPAN
>: </B
>
See <A
HREF="soft-netfirew.html"
>Networking Firewall</A
>, for more information. Don't forget to add/check these firewall rules on the other gateway as well.
</P
></BLOCKQUOTE
></DIV
>
</P
></LI
><LI
><P
>&#13;
The <TT
CLASS="literal"
>rp_filter</TT
> subsystem related to <SPAN
CLASS="acronym"
>IP</SPAN
> spoofing protection must be turned off on both gateways for IPSEC to work properly. Check that the value 0 (off) is set in
the <TT
CLASS="filename"
>/proc/sys/net/ipv4/conf/ipsec0/rp_filter</TT
> and <TT
CLASS="filename"
>/proc/sys/net/ipv4/conf/eth0/rp_filter</TT
> files respectively:
</P
><OL
CLASS="SUBSTEPS"
TYPE="a"
><LI
><P
>&#13; To check if the value 0 (off) is set in the <TT
CLASS="filename"
>rp_filter</TT
> files, use the commands:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13;[root@deep] /# <B
CLASS="command"
>cat</B
> /proc/sys/net/ipv4/conf/ipsec0/rp_filter
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
>&#13;0
</TT
></PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13;[root@deep] /# <B
CLASS="command"
>cat</B
> /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
>&#13;0
</TT
></PRE
></TD
></TR
></TABLE
>
<DIV
CLASS="important"
><BLOCKQUOTE
CLASS="important"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Important.gif"
ALT="Important"
></IMG
></SPAN
>: </B
>
The subdirectory <TT
CLASS="filename"
>ipsec0</TT
> in our example is created only after your system has been rebooted, so check the value of the <TT
CLASS="filename"
>rp_filter</TT
> file in the <TT
CLASS="filename"
>ipsec0</TT
>
directory only after the system has been restarted.
</P
></BLOCKQUOTE
></DIV
>
</P
></LI
><LI
><P
>&#13;To set the value 0 (off) in both <TT
CLASS="filename"
>rp_filter</TT
> files manually, use the commands:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13;[root@deep] /# <B
CLASS="command"
>echo</B
> 0 &#62; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
[root@deep] /# <B
CLASS="command"
>echo</B
> 0 &#62; /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE
></TD
></TR
></TABLE
>
<DIV
CLASS="tip"
><BLOCKQUOTE
CLASS="tip"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Tip.gif"
ALT="Tip"
></IMG
></SPAN
>: </B
>
Also, you can put lines like the following in your firewall script file <TT
CLASS="filename"
>/etc/rc.d/init.d/firewall</TT
> on both gateways to set these values to 0 (off) automatically instead of doing it by hand:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; # Disable <SPAN
CLASS="acronym"
>IP</SPAN
> spoofing protection to allow IPSEC to work properly
<B
CLASS="command"
>echo</B
> 0 &#62; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
<B
CLASS="command"
>echo</B
> 0 &#62; /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE
></TD
></TR
></TABLE
>
</P
></BLOCKQUOTE
></DIV
>
</P
></LI
></OL
></LI
><LI
><P
>&#13;<DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Note.gif"
ALT="Note"
></IMG
></SPAN
>: </B
>
In the example of the firewall script file above, we assume that <TT
CLASS="literal"
>eth0</TT
> is the interface you use for your connection. Of course if you use <TT
CLASS="literal"
>eth1</TT
> you must change <TT
CLASS="literal"
>eth0</TT
> to <TT
CLASS="literal"
>eth1</TT
>, and so on.
</P
></BLOCKQUOTE
></DIV
>
If you forget this step you will receive error messages on your terminal such as the following during the start up of FreeSWAN IPSEC:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
>&#13;ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
</TT
></PRE
></TD
></TR
></TABLE
>
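The warnings above are the symptom of a kernel setting the guide told you to change earlier in this section. The following pre-flight script is an added example, not part of the guide: it checks the two settings this section requires (IP forwarding on, rp_filter off on the external and the ipsec virtual interface) and applies the rp_filter fix from the tip above. The SYSFS_ROOT variable and the function names are this example's own assumptions; SYSFS_ROOT defaults to /proc/sys and can be pointed at a constructed directory tree to exercise the checks offline.

```shell
#!/bin/sh
# ipsec_preflight.sh -- added example, not part of the guide.
# Checks the kernel settings this section requires before FreeS/WAN starts,
# and can apply the rp_filter fix the guide gives (echo 0 > .../rp_filter).
#   net/ipv4/ip_forward              must be 1 (FORWARD_IPV4="yes")
#   net/ipv4/conf/<iface>/rp_filter  must be 0 on eth0 and ipsec0
# SYSFS_ROOT is an assumption of this script: it defaults to /proc/sys and
# may point at a constructed directory tree for offline testing.
SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# read_setting <path relative to SYSFS_ROOT>: prints the value, or "missing"
# when the file does not exist (ipsec0 appears only once FreeS/WAN is up).
read_setting() {
    f="$SYSFS_ROOT/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_ipsec_prereqs <iface>...: prints one line per problem, worded like
# the ipsec_setup warnings; returns 0 only when everything is as required.
check_ipsec_prereqs() {
    rc=0
    fwd=$(read_setting net/ipv4/ip_forward)
    if [ "$fwd" != "1" ]; then
        echo "ip_forward = $fwd, should be 1 (IP forwarding is off)"
        rc=1
    fi
    for iface in "$@"; do
        rp=$(read_setting "net/ipv4/conf/$iface/rp_filter")
        case "$rp" in
            0) ;;
            missing)
                echo "$iface: no rp_filter entry yet (interface not up?)"
                rc=1 ;;
            *)
                echo "$iface has route filtering turned on (rp_filter = $rp, should be 0)"
                rc=1 ;;
        esac
    done
    return $rc
}

# disable_rp_filter <iface>...: the fix from the guide's tip, applied to
# every interface that already has an rp_filter entry.
disable_rp_filter() {
    for iface in "$@"; do
        f="$SYSFS_ROOT/net/ipv4/conf/$iface/rp_filter"
        [ -e "$f" ] && echo 0 > "$f"
    done
    return 0
}

# Typical use on a gateway (as root), after the system has been rebooted so
# that ipsec0 exists:
#   . ./ipsec_preflight.sh
#   check_ipsec_prereqs eth0 ipsec0 || disable_rp_filter eth0 ipsec0
```

Run the check again after FreeS/WAN has been started once; until then the ipsec0 entry is reported as missing, which is exactly the situation the important note in step 2 describes.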
</P
></LI
><LI
><P
>&#13;It's important to note that any masquerading rules for internal networks that use IPSEC must come after the rules allowing IPSEC related traffic (steps 2 and 3 above), or the machine will try to masquerade the packets instead of
passing them to IPSEC.
Edit the <TT
CLASS="filename"
>firewall</TT
> script file, <B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/etc/rc.d/init.d/firewall</TT
> on both gateway machines and add/check the following lines to allow masqueraded packets to traverse the
remote network gateway to your network gateway and vice versa:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
</PRE
></TD
></TR
></TABLE
>
Where
<P
></P
><DIV
CLASS="variablelist"
><DL
><DT
>EXTERNAL_INTERFACE="eth0"</DT
><DD
><P
>&#13;Your external interface to the Internet.
</P
></DD
><DT
>LOCALNET_1="192.168.1.0/24"</DT
><DD
><P
>&#13;Whatever private range you use.
</P
></DD
></DL
></DIV
>
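Steps 1 and 4 together fix the order of the firewall script: the IKE/ESP/AH rules for each remote gateway and the rules for the virtual interfaces first, the MASQ rule last. The script below is an added example, not the guide's firewall script: it builds those rules from the same variable names the guide uses (EXTERNAL_INTERFACE, IPSECSG, FREESWANVI, ANYWHERE, LOCALNET_1), with one rule set per gateway so that a space separated IPSECSG list works, and checks a rule listing for the ordering mistake this step warns about. The two gateway addresses are constructed values, the IPCHAINS variable (set to echo for a dry run) and the ipchains --sport/--dport options for restricting IKE to UDP 500 are this example's choices, and check_order is a helper written for it.

```shell
#!/bin/sh
# ipsec_rules.sh -- added example, not from the guide.
# Emits the IPSec-related ipchains rules for a FreeS/WAN gateway and verifies
# that the masquerading rule comes after them. Values marked constructed are
# sample data, not addresses from the guide.
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
ANYWHERE="any/0"                                     # 0.0.0.0/0 in ipchains syntax
IPSECSG="${IPSECSG:-208.164.186.2 208.164.186.3}"    # constructed: two remote gateways
FREESWANVI="${FREESWANVI:-ipsec0}"
LOCALNET_1="${LOCALNET_1:-192.168.1.0/24}"
# IPCHAINS=echo prints the rules instead of loading them (dry run).
IPCHAINS="${IPCHAINS:-ipchains}"

# ipsec_rules: one rule set per remote gateway (ipchains takes a single
# address per -s/-d), IKE limited to UDP 500, then the virtual interfaces.
ipsec_rules() {
    for SG in $IPSECSG; do
        $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p udp -s "$SG" --sport 500 --dport 500 -j ACCEPT
        $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp --sport 500 -d "$SG" --dport 500 -j ACCEPT
        for PROTO in 50 51; do   # 50 = ESP, 51 = AH
            $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p "$PROTO" -s "$SG" -j ACCEPT
            $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p "$PROTO" -d "$SG" -j ACCEPT
        done
    done
    for VI in $FREESWANVI; do
        $IPCHAINS -A input   -i "$VI" -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT
        $IPCHAINS -A output  -i "$VI" -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT
        $IPCHAINS -A forward -i "$VI" -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT
    done
}

# masq_rules: masquerade the internal network on the external interface.
masq_rules() {
    $IPCHAINS -A forward -i "$EXTERNAL_INTERFACE" -s "$LOCALNET_1" -j MASQ
}

# load_rules: IPSec rules first, masquerade last, so tunnel traffic is
# handed to IPSec instead of being masqueraded.
load_rules() {
    ipsec_rules
    masq_rules
}

# check_order: reads a rule listing on stdin and fails (exit 1) if a MASQ
# rule appears before the last IPSec-related rule.
check_order() {
    awk '
        /-j MASQ/ { if (!masq) masq = NR }
        /-p 50 |-p 51 |--dport 500/ { last_ipsec = NR }
        END { if (masq && masq < last_ipsec) exit 1; exit 0 }'
}

# Dry run to review the rule order before touching the live firewall:
#   IPCHAINS=echo sh ipsec_rules.sh   (after adding: load_rules)
#   IPCHAINS=echo load_rules | check_order && echo "order OK"
```

Run it with IPCHAINS=echo first and read the output; only once the order is right should the same functions be called with the real ipchains binary on both gateways.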
</P
></LI
></OL
></DIV
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Note.gif"
ALT="Note"
></IMG
></SPAN
>: </B
>
See <A
HREF="Masq-forward.html"
>Networking Firewall with Masquerading and Forwarding</A
> support for more information.
</P
></BLOCKQUOTE
></DIV
><P
>&#13;Now, you can reboot your system, and the machines on Gateway A should be able to talk to the machines on Gateway B with no problems.
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap25sec205.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap25sec207.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configure <SPAN
CLASS="acronym"
>RSA</SPAN
> private keys secrets</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="fSWAn.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Testing the installation</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>