Need Help With FreeS/WAN

Charles Steinkuehler charles at steinkuehler.net
Fri Jul 4 21:21:21 CDT 2003


Steven Elling wrote:
> Has anyone successfully setup FreeS/WAN and if so can you provide some help?

Yes (I run a partial-mesh VPN network for off-site engineering employees 
like myself), and I'll try. :)

> I've been trying to get FreeS/WAN set up for the past 6 months and have not 
> been able to get it to work.  I've read, re-read, re-read and again re-read 
> the documentation included with the software and on their site but just 
> cannot get it to work.
> 
> Here is what I am trying to do.  I've got a local network with a dedicated 
> Linux firewall to the Internet.  I've also got a WiFi access point 
> connected to the firewall and my laptop can use the firewall's services 
> over the WiFi network but I want to use IPSec to encrypt ALL traffic to 
> the firewall.
> 
> I'm using the FreeS/WAN 1.98b Gentoo ebuild on both machines and have tried 
> opportunistic encryption and "road warrior" remote access configurations.  
> Here is a layout of my network.
> 
> Internet - ppp0                       local network - eth0 - 192.168.1.0/24
> --------------------------+--------------------------
>                                  |
>                                  |
>                                  | WiFi network - eth1 - 192.168.2.0/24
>                                  |
>                                  |
>                                  |

I've set this up on a Wireless point-point network.  In my case, both 
ends are linux firewalls, but the setup you need should be similar.

Reading between the lines, I think I know what your problem is: You 
haven't set up an appropriate tunnel specification for the wireless traffic.

You can get everything IPSec encrypted in one of two ways:

1) You build a host-host connection between your laptop and the 
firewall, and run a tunneling protocol (typically GRE) over that.  You 
then route all traffic through the GRE tunnel, and "presto" everything's 
encrypted.  Note that if you want to get fancy, you can run routing 
protocols (like BGP) over the GRE tunnel (one reason this is a popular 
setup), and let routing "take care of itself". :)

2) You build a host-subnet tunnel, with the host end being your laptop 
and the subnet end being "everything" (ie 0.0.0.0/0, or the whole 
internet).  You might also need to build a second host-subnet tunnel 
with the subnet specified as 192.168.1.0/24 (your internal network) if 
you want the laptop to properly connect to your internal network, and 
not just the internet (FreeS/WAN currently doesn't "play well" with 
existing routing rules on the linux box...since it was developed before 
the fancy advanced routing stuff was possible, FreeS/WAN essentially 
builds its own routing rules, so the packets can show up in weird places).

I don't think either OE (opportunistic encryption) or a typical RW 
"road-warrior" setup will work for you (it's possible the RW config 
would work, but it's unlikely if you use the typical RW example configs).

Also note that once you *DO* get things working, it's not uncommon to 
have MTU related problems, which can be *REAL* confusing if you're not 
familiar with low-level networking, but it doesn't sound like you've 
gotten that far yet.

Anyway, holler if you need detailed help...I'm generally busy this 
weekend, but will be checking e-mail occasionally.

For the best help, a barf from both ends, or at least your ipsec.conf 
files would be helpful.

-- 
Charles Steinkuehler
charles at steinkuehler.net
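The two-tunnel layout described under option 2 in the message above, as an added example ipsec.conf for FreeS/WAN 1.x that is not part of the original post or of the FreeS/WAN distribution. The firewall's WiFi address (192.168.2.1), the laptop's address (192.168.2.100) and the use of a pre-shared key are assumptions; FreeS/WAN picks the "left" or "right" role by matching its own address, so the same file can be used on both machines.

```ini
# /etc/ipsec.conf  (example, constructed for this thread)
# Assumed: firewall eth1 = 192.168.2.1, laptop = 192.168.2.100,
# internal LAN = 192.168.1.0/24 behind the firewall's eth0.
config setup
        # The IPsec virtual interface rides on the firewall's WiFi side.
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        # Keep retrying forever; the laptop comes and goes.
        keyingtries=0
        # Pre-shared key; the key itself lives in /etc/ipsec.secrets
        # as:  192.168.2.1 192.168.2.100 : PSK "<your-secret-here>"
        authby=secret
        keylife=8h
        pfs=yes

# Endpoints shared by both tunnels; no auto= here, so this section
# is only pulled in by the two concrete conns below via also=.
conn wifi-common
        left=192.168.2.1
        leftnexthop=%direct
        right=192.168.2.100
        rightnexthop=%direct

# Tunnel 1: laptop (host) <-> everything reachable through the firewall
conn wifi-internet
        leftsubnet=0.0.0.0/0
        auto=start
        also=wifi-common

# Tunnel 2: laptop (host) <-> the internal LAN, so that traffic for
# 192.168.1.0/24 is not swallowed by the catch-all tunnel above.
conn wifi-lan
        leftsubnet=192.168.1.0/24
        auto=start
        also=wifi-common
```

After `ipsec setup restart` on both ends, `ipsec look` on the firewall should show an eroute for each of the two subnets pointing at 192.168.2.100; if only the 0.0.0.0/0 entry appears, the LAN conn did not load and `ipsec barf` will show why.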



