Freeswan How To: First Step


Author: Matthias Gorjup
Last Update: 11th Nov 2002

This document provides information about the first steps with the freeswan package.
It describes how to set up an IPsec connection between two hosts.
 

1. Configuration


host1 ================ host2
192.168.0.1            192.168.0.2
(SuSE 8.1)             (Red Hat 7.2)

Use ifconfig to set the IP address for eth0 interfaces. Check the configuration using route and ping commands.
 

2. Installation


The connection has been tested between SuSE 8.1 and Red Hat 7.2 boxes.
SuSE 8.1 comes with the freeswan package already bundled into the distribution;
for Red Hat you need the RPM packages.

2.1 SuSE 8.1

With yast2 install two packages:
freeswan and km_freeswan. These are freeswan packages, version 1.98.

2.2 Red Hat 7.2 - from RPMs

From http://www.freeswan.ca/code/freeswan-x509/RedHat-RPMs/7.2/
download two packages for the corresponding kernel version, for example:

freeswan-1.98b_x509_0.9.15_2.4.7_10-0.i386.rpm
freeswan-module-1.98b_x509_0.9.15_2.4.7_10-0.i386.rpm

Install them using rpm -i.

2.3 Red Hat 7.2 - from sources

2.3.1 Configuring kernel

First, you will need to rebuild the kernel in order to make it "ipsec enabled".
There are certain options you will need to set while configuring the kernel. The document
http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/kernel.html#kernelconfig
describes which options are irrelevant for ipsec and which are necessary.
You also need to make sure that /usr/src/linux points to the correct kernel source tree:

#cd /usr/src
#ln -s linux-2.4.17 linux
#cd linux
#make menuconfig

2.3.2 Downloading and extracting freeswan package

Download package http://www.freeswan.ca/code/freeswan-1.99.tar.gz.

#su
#mv freeswan-1.99.tar.gz /usr/src
#cd /usr/src
#tar xzvf freeswan-1.99.tar.gz

Now it's time to add any patches if you need them.

2.3.3 Make

Either make freeswan as a module...

Move to freeswan directory:

#cd /usr/src/freeswan-1.99

Make the freeswan module:

#make oldmod

Install it:

#make minstall

You can now directly start freeswan and test it.

...or statically linked

Make freeswan using your old kernel settings:

#make oldgo

Install it:

#make kinstall

Reboot your system and test your install.

You can check whether the installation was successful by starting the ipsec service with the command
rcipsec start on SuSE 8.1 or service ipsec start on Red Hat 7.2, and then running the command
ipsec verify.
For possible problems, see
http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/trouble.html#install
After that, stop the ipsec service (rcipsec stop on SuSE 8.1 or service ipsec stop on Red Hat 7.2).
 

3. Configuring ipsec.conf


Put the following configuration into the file /etc/ipsec.conf:

config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    pluto=yes
    plutoload=vpn
    plutostart=vpn

conn vpn
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    keylife=2h
    keyingtries=0
    left=192.168.0.1
    right=192.168.0.2

On both hosts this file should be identical!! So edit it on one host and simply copy it to the other.
 

4. Configuring ipsec.secrets


ipsec.secrets should contain only one line, consisting of two IP addresses
(of the host itself and of the host on the other side) and a "shared key". This key can be any combination
of characters you want, but it must be the same on both hosts:

a) host1 (192.168.0.1)

192.168.0.1 192.168.0.2 "abcdefghijklmonprs"

b) host2 (192.168.0.2)

192.168.0.2 192.168.0.1 "abcdefghijklmonprs"
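Sections 3 and 4 together fix three things that must agree: the left= and right= addresses of the conn, the two addresses on each host's ipsec.secrets line, and the shared key itself. The following script is an added example (not part of this HOWTO or of the freeswan package) that parses a shortened inline copy of the ipsec.conf above, accepts a secrets line in the form shown here or in the ": PSK" spelling, and reports any mismatch; the 16-character minimum for the key is an assumed threshold, not a freeswan rule.

```python
import re
# Constructed, shortened copy of the ipsec.conf shown in section 3 of this HOWTO.
IPSEC_CONF = """config setup
    interfaces="ipsec0=eth0"
    pluto=yes
    plutoload=vpn
    plutostart=vpn

conn vpn
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    left=192.168.0.1
    right=192.168.0.2
"""
# Matches the page's  'A B "key"'  form and the  'A B : PSK "key"'  spelling.
SECRET_RE = re.compile(r'^(\S+)\s+(\S+)\s*(?::\s*PSK\s*)?"([^"]*)"\s*$')

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for the 'config setup' / 'conn NAME' layout."""
    sections, cur = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():   # unindented line opens a section
            cur = sections.setdefault(line.strip(), {})
        elif cur is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            cur[key.strip()] = value.strip().strip('"')
    return sections

def check_pair(conf_text, secrets_host1, secrets_host2, conn="vpn"):
    """Cross-check conn's left/right against each host's ipsec.secrets line; [] = consistent."""
    c = parse_ipsec_conf(conf_text).get("conn " + conn)
    if c is None or not (c.get("left") and c.get("right")):
        return ["conn %s missing or lacks left=/right=" % conn]
    problems, keys = [], []
    for host, line in ((c["left"], secrets_host1), (c["right"], secrets_host2)):
        m = SECRET_RE.match(line.strip())
        if not m:
            problems.append("%s: unparsable ipsec.secrets line" % host)
            continue
        a, b, psk = m.groups()
        if {a, b} != {c["left"], c["right"]}:
            problems.append("%s: secrets line names %s/%s, not the conn's peers" % (host, a, b))
        keys.append(psk)
    if len(keys) == 2 and keys[0] != keys[1]:
        problems.append("shared key differs between hosts")
    if keys and len(keys[0]) < 16:   # assumed threshold: treat short keys as weak
        problems.append("shared key shorter than 16 characters")
    return problems
```

Run check_pair with the conf and the two secrets lines from sections 3 and 4 before starting the service on either host; an empty list means the pair agrees.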
 

5. Starting Connection


a) SuSE 8.1
rcipsec start

b) Red Hat 7.2
service ipsec start
 

6. Testing Connection


Check that the ipsec0 interface is up with the command ifconfig.
On host1 you should get the following:

eth0 Link encap:Ethernet HWaddr 00:00:E2:90:D9:DE
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:e2ff:fe90:d9de/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35316 errors:0 dropped:0 overruns:0 frame:0
TX packets:29748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:40358163 (38.4 Mb) TX bytes:3546609 (3.3 Mb)
Interrupt:10 Base address:0xd000

ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.0.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:4107 (4.0 Kb) TX bytes:6468 (6.3 Kb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:401 errors:0 dropped:0 overruns:0 frame:0
TX packets:401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25076 (24.4 Kb) TX bytes:25076 (24.4 Kb)

Test the connection with ipsec look. On host1 you should get something like:

linux Thu Oct 31 14:35:18 CET 2002
192.168.0.1/32 -> 192.168.0.2/32 => tun0x1004@192.168.0.2 esp0x382b1e8a@192.168.0.2 (76)
ipsec0->eth0 mtu=16260(1443)->1500
esp0x382b1e89@192.168.0.2 ESP_3DES_HM...

The route command on host1 should give the following output:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.2 192.168.0.2 255.255.255.255 UGH 0 0 0 ipsec0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 ipsec0

NOTE: Before setting up the IP address of eth0 and the routing table on each host, make sure ipsec
is not running. If it is running on one of the hosts, it will cause trouble.