[Openswan Users]
Making a 10.1.x.x client look like it's on the 10.0.x.x net
Philip Pemberton
philpem at dsl.pipex.com
Thu Nov 24 01:06:25 CET 2005
Hi,
I'm trying to use an IPSec tunnel to secure a wireless LAN adapter. At the
moment, my network looks like this:
Wireless AP ============ Linux box ======== Private LAN
10.1.0.5/16              eth1:10.1.0.1/16
                         eth0:10.0.0.1/16    10.0.0.0/16 subnet
What I have at the moment is a system where ppp0 (DSL modem) is forwarded
onto eth0 using iptables, with eth1 connected to the access point to provide
a "wild" network separate from my "secure" wired network (eth0).
What I want is to have eth1 locked down except for IPSec, and then have an
IPSec tunnel (using X.509 certificate authentication) providing access to the
10.0.0.0/16 network for wireless clients with a valid certificate.
I've had a look at the code on Nate Carlson's site
(<http://www.natecarlson.com/linux/ipsec-x509.php>), and managed to establish
a VPN link between my laptop and the server over WiFi. As far as I can tell,
the packets are coming in through eth1, then OpenSWAN is decrypting them and
retransmitting them back over eth1. I thought it was supposed to set up a
secondary interface (ipsec0) and dump the decrypted packets onto that?
Anyway, what I want to do is have the 10.1.x.x packets from the roadwarrior
connection profile forwarded onto eth0 as if they were normal packets. In
other words, I want my laptop to look as if it were connected to eth0 (my
"secure" wired connection).
Here's my current, working ipsec.conf:
-----8<-----
## based on http://www.natecarlson.com/linux/ipsec-x509.php
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=10.1.0.0/16
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    left=10.1.0.1
    leftcert=host.polaris.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-----8<-----
This is what "tcpdump -i eth1" comes up with when I ping 10.1.0.1 (the
server):
-----8<-----
22:06:31.346378 IP 10.1.0.16 > 10.1.0.1: ESP(spi=0xfd860009,seq=0x9)
22:06:31.346378 IP 10.1.0.16 > 10.1.0.1: icmp 40: echo request seq 256 [**]
22:06:31.347348 IP 10.1.0.1 > 10.1.0.16: ESP(spi=0x32de9e67,seq=0x2)
-----8<-----
Surely OpenSWAN should be creating a new interface and the [**]'d packet
should be going out over that?
The OS is Slackware Linux 10.1 with a custom-built 2.6.10 kernel. I compiled
ipsec in user-mode, because I didn't feel like rebuilding the kernel again.
I've already got the kernel's IPSec modules built anyway.
Thanks.
--
Phil. | Acorn RiscPC600 SA220 64MB+6GB 100baseT
philpem at philpem.me.uk | Athlon64 3200+ A8VDeluxe R2 512MB+100GB
http://www.philpem.me.uk/ | Panasonic CF-25 Mk.2 Toughbook
... When God endowed man with brains, he did not intend to guarantee them.
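Added example, not part of the post above: with the kernel's native IPsec stack (NETKEY, as opposed to KLIPS) there is no ipsec0 interface, and the decrypted packet reappears on the same interface it arrived on, which is what the tcpdump capture shows. The "eth1 locked down except for IPSec" requirement therefore has to be expressed with the iptables policy match rather than by interface; the rules below assume iptables with the xt_policy match and use the interfaces and subnets from the post's diagram.

```shell
#!/bin/sh
# Added example (not from the original post): admit only IKE/ESP on the wireless
# interface, and forward wireless traffic to the wired LAN only when the kernel
# confirms it arrived inside an ESP tunnel. Assumes iptables with -m policy.
# Set IPT="echo iptables" for a dry run that prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# Interfaces and subnets from the post's diagram.
WIFI_IF=eth1
LAN_IF=eth0
WIFI_NET=10.1.0.0/16
LAN_NET=10.0.0.0/16

ipsec_lockdown() {
    # Only what IPsec itself needs may reach the gateway from the wireless side.
    $IPT -A INPUT -i "$WIFI_IF" -p udp --dport 500  -j ACCEPT   # IKE
    $IPT -A INPUT -i "$WIFI_IF" -p udp --dport 4500 -j ACCEPT   # NAT-T (nat_traversal=yes)
    $IPT -A INPUT -i "$WIFI_IF" -p esp -j ACCEPT                # ESP payload
    # Decrypted packets come back through INPUT on the same interface; accept
    # them only if the xfrm policy says they were ESP-protected on arrival.
    $IPT -A INPUT -i "$WIFI_IF" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A INPUT -i "$WIFI_IF" -j DROP
    # Wireless -> wired only for tunnelled traffic; replies are accepted only
    # when they will be encrypted on the way out.
    $IPT -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -s "$WIFI_NET" -d "$LAN_NET" \
         -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WIFI_IF" -s "$LAN_NET" -d "$WIFI_NET" \
         -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$WIFI_IF" -j DROP
}

# Apply the rules only when run explicitly as root (dry runs are harmless).
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    ipsec_lockdown
fi
```

Run with `IPT="echo iptables" sh lockdown.sh` and call `ipsec_lockdown` to review the rules before applying them; cleartext packets from the wireless side that are not IKE, ESP or ESP-protected payload are dropped at INPUT and FORWARD.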