Simple Road Warrior setup using FreeS/WAN (IPsec) and PGPnet
Last edited: Mon Sep 15 13:22:53 EEST 2003
The server was running Debian Woody with kernel 2.4.21, and the workstation was running Windows 2000 Professional with SP4. The FreeS/WAN version used was 2.01 and the PGPnet version was 7.0.3.
This article describes a simple Road Warrior setup between two hosts, the server and the client (workstation). In the PGP freeware version the gateway option is disabled, so you will have to set up an explicit connection for each server and client pair you want to secure, either as a single remote host or as a remote subnet. If you choose the latter, all remote hosts on the remote subnet must understand IPsec.
In the following setup all Road Warrior clients use the same shared secret and everyone is allowed to connect. It is assumed that proper firewalling exists on UDP port 500 to restrict the clients that are able to connect to your server running FreeS/WAN. A shared secret method is seen as insecure, so consider yourself warned.
You can get the FreeS/WAN patch from the FreeS/WAN FTP site. Untar to /usr/src and patch your kernel located in /usr/src/linux by running make oldmod followed by make minstall in the FreeS/WAN directory.
Installation is pretty straightforward with apt: simply invoke apt-get install freeswan.
First, you will need to adjust /etc/ipsec.conf. Here is a working configuration. Next, you will need to enter the shared secret into /etc/ipsec.secrets or use the provided /etc/ipsec.secrets. Now you are ready to launch FreeS/WAN. To do just that, invoke /etc/init.d/ipsec start. You should see a message saying that the kernel module was loaded successfully. You might want to look into /var/log/auth.log just to be sure that everything is working as it is supposed to.
Download PGPnet, unzip, and install with defaults. Create a personal keyring if you haven't got one yet. Reboot your workstation upon completion of the installation. Now configure PGPnet. Select the PGPnet icon in your taskbar, press the right mouse button and go to Options. Adjust the options according to the screenshots below.
Now that you have configured PGPnet, you will have to add a new connection. Do just that by selecting the PGPnet icon in your taskbar and going to PGPnet -> VPN. Choose "Add" to add a new connection.
Enter the same shared secret you entered into /etc/ipsec.secrets, this time into "Shared Secret" -> "Set Shared Passphrase". In the Connection Options you can choose between "Connect automatically" and "Require manual connection". The former establishes the VPN as soon as you try to access the remote host and the latter always requires manually setting up the VPN.
Now your VPN window should list the VPN connection you just added in a listening state (an ear icon in the Authentication column) without any active connection (the SA column is empty), see the screenshot below.
Depending on whether you selected "Connect automatically" or "Require manual connection", the procedure is a bit different. In the first case simply attempt to connect to the remote host with your favorite program. In the latter case select the PGPnet icon in the taskbar, press the right mouse button and go to PGPnet -> VPN. Select the connection and press the "Connect" button. Your VPN should now be established, have fun while securely surfing your Samba shares! :)
If things don't work, you should try to pinpoint the problem to either FreeS/WAN or PGPnet. On the FreeS/WAN side of things the main places to look are /var/log/auth.log and the "ipsec" utility, while on the PGPnet side of things you have only the logging window in PGPnet -> Log.
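One way to do the /var/log/auth.log triage described above, as an added example that is not part of the original article or of FreeS/WAN: it reports, per client address, the last IKE stage pluto logged and which side to inspect next. The matched message substrings are assumptions about pluto's wording and may differ between versions; the sample log lines, the connection name "roadwarrior", the addresses and the hint texts are constructed for illustration.

```python
import re

# Constructed sample of auth.log lines (not captured from a real host);
# addresses come from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
Sep 15 13:01:10 server pluto[412]: packet from 192.0.2.30:500: initial Main Mode message received on 192.0.2.1:500 but no connection has been authorized
Sep 15 13:02:41 server pluto[412]: "roadwarrior"[1] 192.0.2.10 #1: responding to Main Mode from unknown peer 192.0.2.10
Sep 15 13:02:42 server pluto[412]: "roadwarrior"[1] 192.0.2.10 #1: sent MR3, ISAKMP SA established
Sep 15 13:02:42 server pluto[412]: "roadwarrior"[1] 192.0.2.10 #2: responding to Quick Mode
Sep 15 13:02:43 server pluto[412]: "roadwarrior"[1] 192.0.2.10 #2: IPsec SA established
Sep 15 13:05:07 server pluto[412]: "roadwarrior"[2] 192.0.2.20 #3: responding to Main Mode from unknown peer 192.0.2.20
Sep 15 13:05:08 server pluto[412]: "roadwarrior"[2] 192.0.2.20 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Sep 15 13:06:00 server sshd[900]: Accepted password for admin from 192.0.2.10 port 1055 ssh2
"""

PLUTO = re.compile(r"pluto\[\d+\]: (?P<msg>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# (substring assumed to appear in the pluto message, stage label, where to look next)
STAGES = [
    ("no connection has been authorized", "no-matching-conn", "server: conn section in /etc/ipsec.conf"),
    ("mismatch of preshared secrets", "psk-mismatch", "both: /etc/ipsec.secrets vs. PGPnet passphrase"),
    ("responding to Main Mode", "phase1-started", "client: did PGPnet answer? see PGPnet -> Log"),
    ("ISAKMP SA established", "phase1-done", "client: Phase 2 never started, see PGPnet -> Log"),
    ("responding to Quick Mode", "phase2-started", "both: compare Phase 2 proposals"),
    ("IPsec SA established", "tunnel-up", "neither: IPsec is up, check routing or the application"),
]

def triage(log_text):
    """Return {peer_ip: (stage, hint)} from the last recognised pluto event per peer."""
    result = {}
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue                      # not a pluto line (e.g. sshd)
        msg = m.group("msg")
        ip = IPV4.search(msg)             # first address in the message is the peer
        if not ip:
            continue
        for needle, stage, hint in STAGES:
            if needle in msg:
                result[ip.group(1)] = (stage, hint)   # later lines overwrite earlier ones
                break
    return result

if __name__ == "__main__":
    for peer, (stage, hint) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{peer:15} {stage:18} {hint}")
```

A client that does not appear in the result at all never reached pluto, which points at the UDP port 500 firewalling or at PGPnet not initiating the connection.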