Hello,
For those that might be interested, I've successfully connected a
Linux/freeswan box to a Timestep gate (Alcatel Timestep 7132, 7133, 7137)
with shared secret authentication.
The Linux box: I'm running Mandrake 8.2, iptables and FreeS/WAN 1.95. It is
connected to the Internet via an ADSL connection with a fixed IP address.
In the Timestep security descriptor, you need to specify GROUP 2 in the
ISAKMP part.
The Linux box is given a virtual IP (v1.v2.v3.v4) in a subnet routed in the
private net, to avoid routing non-owned IP addresses in the private net. This
IP is used when communicating with hosts in x.y.0.0 via a NAT rule:
iptables -t nat -A POSTROUTING -d x.y.0.0/16 -j SNAT --to-source v1.v2.v3.v4
I've a small script that establishes the tunnel and sets the Linux resolv.conf
to point to name servers in the private net which are able to resolve
internal and Internet names. Another script closes the tunnel and swaps
resolv.conf back to the ISP's name servers.
Here's the architecture. The black interface is connected to a DMZ of the FW.
The red interface of the Timestep is either connected to the internal network or
to another DMZ, so that it is possible to filter some TCP ports. If the FW
performs NAT, then you need to specify leftid as the internal IP of the
black interface in the ipsec.conf file (see the attached ipsec.conf samples).
Private Net ------- FW/NAT ----- Internet ----- Linux
x.y.0.0/16             |                        l1.l2.l3.l4 (public IP)
                       | DMZ                    v1.v2.v3.v4 (virtual IP)
                       |
                    Timestep
                    i1.i2.i3.i4 (internal IP of the black interface)
                    t1.t2.t3.t4 (public IP, as seen from the Internet)
Hereafter, the ipsec.conf for a fixed IP address, followed by the road warrior
version of ipsec.conf for those not having a fixed IP address.
Greetings / AS
------------------------------
# Timestep interop with fixed IP
# /etc/freeswan/ipsec.conf - FreeS/WAN IPsec configuration file
# (sections start in column 0, their parameters must be indented)

# basic configuration
config setup
	klipsdebug=none
	plutodebug=none
	plutoload=%search		# load every conn that has auto=add/route/start
	plutostart=%search
	uniqueids=yes
	interfaces="ipsec0=ppp0"	# ADSL link carrying the fixed public IP

conn %default
	keyingtries=0			# 0 = retry forever
	disablearrivalcheck=yes

# Timestep VPN connection
conn timestep
	type=tunnel
	left=t1.t2.t3.t4		# Public IP address of the Timestep Gate
	leftsubnet=x.y.0.0/16		# Class B network in the private net
	leftid=i1.i2.i3.i4		# Internal IP address of the Timestep Gate (black interface, behind the FW's NAT)
	right=l1.l2.l3.l4		# Public IP address of the Linux box
	rightsubnet=v1.v2.v3.v4/32	# Linux box virtual IP address (the SNAT source above)
	rightnexthop=n1.n2.n3.n4	# Next hop
	keyexchange=ike
	authby=secret			# shared secret, kept in ipsec.secrets
	auto=add			# so that plutoload=%search loads it; bring it up with "ipsec auto --up timestep"
# Timestep interop, road warrior conf.
# /etc/freeswan/ipsec.conf - FreeS/WAN IPsec configuration file
# (sections start in column 0, their parameters must be indented)

# basic configuration
config setup
	klipsdebug=none
	plutodebug=none
	plutoload=%search		# load every conn that has auto=add/route/start
	plutostart=%search
	uniqueids=yes
	interfaces=%defaultroute	# whichever interface carries the default route (dynamic IP)

conn %default
	keyingtries=0			# 0 = retry forever
	disablearrivalcheck=yes

# Timestep VPN connection
conn timestep
	type=tunnel
	left=t1.t2.t3.t4		# Public IP address of the Timestep Gate
	leftsubnet=x.y.0.0/16		# Class B network in the private net
	leftid=i1.i2.i3.i4		# Internal IP address of the Timestep Gate (black interface)
	right=%defaultroute		# Linux box: current dynamic public IP
	rightsubnet=v1.v2.v3.v4/32	# Linux box virtual IP address (the SNAT source above)
	keyexchange=ike
	authby=secret			# shared secret, kept in ipsec.secrets
	auto=add			# so that plutoload=%search loads it; bring it up with "ipsec auto --up timestep"
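The post mentions a pair of scripts that bring the tunnel up and swap resolv.conf to the private-net name servers, and bring it down and swap back, but does not show them. The script below is an added example written for this page, not the author's script. It assumes the conn is named "timestep" as in the ipsec.conf samples, that the shared secret is already in ipsec.secrets, and that the FreeS/WAN front-end is "ipsec auto --up/--down"; the name servers and search domain in the command-line section are placeholders. Two details a practitioner wants: resolv.conf is only replaced after the SA has actually come up, so a failed negotiation does not leave the box pointing at unreachable name servers, and the ISP copy is restored on the way down even if "ipsec auto --down" fails.

```shell
#!/bin/sh
# vpn.sh up|down : bring the FreeS/WAN <-> Timestep tunnel up or down and
# swap /etc/resolv.conf between the ISP and the private-net name servers.
# Added example, not the original poster's script; all paths, the conn name
# and the name servers are assumptions and must match your own setup.

# FreeS/WAN front-end. Override (IPSEC=true) to exercise the resolver
# handling without root or a running pluto.
IPSEC="${IPSEC:-ipsec}"

# Write a resolv.conf pointing at the private-net name servers.
# $1 = path to write, $2 = space-separated name servers, $3 = search domain
write_vpn_resolv() {
    path="$1"; servers="$2"; domain="$3"
    {
        echo "# private-net name servers, valid only while the timestep tunnel is up"
        echo "search $domain"
        for ns in $servers; do
            echo "nameserver $ns"
        done
    } > "$path"
}

# Bring the tunnel up, then switch the resolver.
# $1 = conn name, $2 = resolv.conf path, $3 = where to keep the ISP copy,
# $4 = private-net name servers, $5 = search domain
tunnel_up() {
    conn="$1"; resolv="$2"; backup="$3"; servers="$4"; domain="$5"
    # Do not touch the resolver unless the SA is established.
    "$IPSEC" auto --up "$conn" || return 1
    # Keep the ISP resolv.conf only once: a second "up" must not overwrite
    # the backup with the VPN version.
    [ -f "$backup" ] || cp "$resolv" "$backup"
    write_vpn_resolv "$resolv" "$servers" "$domain"
}

# Tear the tunnel down and restore the ISP resolver.
# $1 = conn name, $2 = resolv.conf path, $3 = ISP copy made by tunnel_up
tunnel_down() {
    conn="$1"; resolv="$2"; backup="$3"
    if "$IPSEC" auto --down "$conn"; then status=0; else status=1; fi
    # Restore even if --down failed: private-net name servers are useless
    # without the tunnel, and the ISP ones always work.
    if [ -f "$backup" ]; then
        mv "$backup" "$resolv"
    fi
    return $status
}

# Command-line use. The name servers (inside x.y.0.0/16) and the search
# domain are placeholders.
case "${1:-}" in
    up)   tunnel_up timestep /etc/resolv.conf /etc/resolv.conf.isp "x.y.1.53 x.y.2.53" private.example ;;
    down) tunnel_down timestep /etc/resolv.conf /etc/resolv.conf.isp ;;
esac
```

Run it as root after the ipsec.conf above is in place; the SNAT rule from earlier in the post must already be loaded, otherwise replies to the virtual IP never reach the box.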
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST