Re: [Users] IPSEC tunnel for one hop?

From: David Frascone (dave_at_frascone.com)
Date: Sun Dec 29 2002 - 23:55:10 CET


[ Again, please copy me on replies, since the list subscribe functions are
still broken ]

Ok, that worked great. I managed to get the tunnel up, and I'm pretty
happy. But, I do have one little gripe, that perhaps someone can help me
with.

I basically allow wireless nodes in the 10.X subnet to get access to the
'net via NAT, but my wired network is firewalled from them:

         $IPTABLES -A FORWARD -i eth2 -d 192.168.0.0/16 -j DROP

And, particular ports on the firewall are opened (with ACCEPT on the INPUT
chain) before this blocking chain is added:

     $IPTABLES -N block
     $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
     $IPTABLES -A block -m state --state NEW -i eth2 -d 192.168.1.0/24 -j DROP
     $IPTABLES -A block -j DROP

Before ipsec is activated, everything works fine. Wireless nodes can get
dhcp, dns, etc from the firewall, but all other traffic to it, or to the
network behind it is blocked. But, the nodes can surf the net with ease.

Once ipsec comes up, wireless nodes can securely access the internal
network, but packets to the 'net get dropped into the void. I see them on
the wireless segment as raw packets (not ESP packets), but, for some reason,
my firewall no longer routes them to the default route.

Any ideas?

Here's the server's relevant portions of the ipsec.conf:

conn laptop-home-net
        keylife=1h
        left=10.0.0.1
        leftsubnet=192.168.1.0/24
        leftid=@newman.frascone.com
        leftrsasigkey=I don't think so
        right=%any
        rightid=@laptop.frascone.com
        rightrsasigkey=I don't think so
        #compress=yes
        # you'll need to do "ipsec auto --up fswn-swll" to start this up
        # unless you use auto=start, but that's just basic freeswan stuff
        auto=add
 
conn laptop-home-gate
        keylife=1h
        left=10.0.0.1
        leftid=@newman.frascone.com
        leftrsasigkey=I don't think so
        right=%any
        rightid=@laptop.frascone.com
        rightrsasigkey=I don't think so
        #compress=yes
        # you'll need to do "ipsec auto --up fswn-swll" to start this up
        # unless you use auto=start, but that's just basic freeswan stuff
        auto=add

I can live with it the way it is, bring up ipsec for internal work, kill it
to surf, but I'd rather not have to.

-Dave

On Saturday, 28 Dec 2002, Sam Sgro wrote:
>
> On Sat, 28 Dec 2002, David Frascone wrote:
>
> > I'm trying to secure my wireless portion of my network. Since WEP is
> > broken, I'm trying to set up ipsec tunnels from my wireless devices to my
> > router (linux w/ freeswan)
> >
> > So, it looks kinda like this:
> >
> > +------------+
> > | Router     +10.0.0.1--------------------10.0.0.0/24-----WIRELESS NODES
> > +-----+------+
> >       |
> >       |
> >  Wired Network
> >
> >
> > So, my problem is, I can't seem to get the connection established. If I
> > move a wireless node to the 'net, and outside of the internal network, I can
> > use a normal road-warrior config w/o problems.
> >
> > But, going internally, the default route gets confused (since it's the same
> > as the router), and if I omit it, it just doesn't work. Can freeswan be
> > used on a single segment?
>
> To secure the internal network, you will need to create an ipsec interface on
> the internal interface (ie 10.0.0.1). You'll do this by modifying the
> "interfaces=" line in ipsec.conf - see its man page for more info.
>
> The downside to this is that you won't be able to use %defaultroute in your
> configs any longer. This may be a problem if you have a dynamically assigned
> public IP address.
>
> --
> Sam Sgro
> sam_at_freeswan.org
>
>

-- 
David Frascone
       Give a woman an inch and she thinks she's a ruler.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users


This archive was generated by hypermail 2.1.5 : Fri Jan 03 2003 - 05:21:07 CET