[Openswan Users] Openswan with Linksys Roadwarrier

Pat Fricke sales at prfhome.com
Fri Jan 20 08:04:48 CET 2006


I don't know if my e-mails are not getting through or if you all are just
too busy to answer every mail, but I got it running. There may be a better
way, but if it helps anybody anywhere, here is how I have configured it.

First off, I am running Fedora Core 4 and Openswan 2.4.4 with Linksys
roadwarriors (8 remote subnets, 27 stations connecting).

The Linksys routers are configured exactly like the example at
http://www.freeswan.ca/docs/BEFVP41/

By the way, after my first post someone tried to hack into my VPN for
several days, so I changed all of my subnets and my shared secret as well as
every user password.

This is why I have not shown my actual IP and subnet numbers here. And if
that person is reading this, I have blocked every subnet assigned to your
ISP.

I hope you burn.

My ipsec.conf is:

 

*****************************************************************************

version 2

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    klipsdebug=none
    nat_traversal=yes          # the Linksys units sit behind NAT; IKE then moves to UDP 4500
    plutodebug=none
    uniqueids=yes

conn %default
    authby=secret              # pre-shared key, taken from /etc/ipsec.secrets
    compress=no
    ikelifetime=28800s
    keyexchange=ike
    keylife=3600s
    pfs=no

# conn names may not contain spaces; my.public.ip, my.public.gateway and
# my.first.remote.subnet are placeholders for the real addresses
conn my.first.roadwarrior
    left=my.public.ip
    leftid=my.public.ip
    leftnexthop=my.public.gateway
    right=%any
    rightnexthop=%defaultroute
    rightsubnet=my.first.remote.subnet/24
    auto=add

conn my.second thru eighth.roadwarrior

everything repeated except (of course) different subnets for each connection

include /etc/ipsec.d/examples/no_oe.conf

*****************************************************************************

 

It turned out that the firewall is where I was having trouble, but with a
hint from someone on the list I added forwarding for SAMBA ports.

Since some of my roadwarriors are running Windows 98, some are Win2k and some
are XP (and some of my subnets have all three), I forwarded all three
possible ports on all subnets.

Here is the resulting iptables:

 

*****************************************************************************

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p gre -i eth0 -j ACCEPT
# ESP
-A INPUT -p esp -i eth0 -j ACCEPT
# IKE
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
# Following group for SAMBA (my.first.remote.subnet is a placeholder)
-A INPUT -p udp -m udp -s my.first.remote.subnet/24 -i eth0 --dport 137:138 -j ACCEPT
-A INPUT -p tcp -m tcp -s my.first.remote.subnet/24 -i eth0 --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp -s my.first.remote.subnet/24 -i eth0 --dport 445 -j ACCEPT

The three lines above are repeated for each subnet

-A INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth0 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 113 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 1723 -j ACCEPT
# IKE
-A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
# ESP (IP protocol 50) outbound
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --sport 3500:4000 --state NEW -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed

*****************************************************************************

 

Pat R. Fricke
PRF Enterprises
(503)520-9757
sales at prfhome.com
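As an added example (mine, not from the post above and not part of Openswan), the Python script below does two things with a firewall of the shape shown in the post: it generates the three SMB ACCEPT rules per remote subnet so they do not have to be retyped for each of the eight subnets, and it audits an iptables-save style ruleset for the two properties that matter on this gateway: that ESP, IKE (UDP/500) and IKE NAT-T (UDP/4500) are accepted on the external interface, and that no SMB port (137, 138, 139, 445) is accepted without an explicit source subnet. The function names, the eth0 default and the 192.0.2.0/24 and 198.51.100.0/24 sample subnets (RFC 5737 documentation ranges) are my assumptions; the rule shapes come from the post.

```python
"""Road-warrior firewall helpers (added example, not from the post or Openswan).

smb_rules_for(subnets)  builds the three SMB ACCEPT rules per remote subnet
audit(lines)            reads iptables-save style lines and reports
                        (a) missing ESP / IKE / IKE NAT-T acceptance on the
                            external interface and
                        (b) any SMB port accepted without an explicit source
Limitations: '!' negation and multiport matches are not parsed.
"""
import ipaddress
import shlex

EXT_IFACE = "eth0"                                           # external interface in the post
SMB_PORTS = {"137:138": "udp", "139": "tcp", "445": "tcp"}   # the post's SAMBA group
SMB_PORT_SET = {137, 138, 139, 445}
REQUIRED = [                                                 # (protocol names, port, label)
    ({"esp", "50"}, None, "ESP (protocol 50) inbound"),
    ({"udp"}, 500, "IKE (UDP/500) inbound"),
    ({"udp"}, 4500, "IKE NAT-T (UDP/4500) inbound"),
]


def smb_rules_for(subnets, iface=EXT_IFACE):
    """Return the SMB ACCEPT rules for each remote subnet, in the post's shape."""
    rules = []
    for net in subnets:
        net = str(ipaddress.ip_network(net, strict=False))   # validate and normalise
        for ports, proto in SMB_PORTS.items():
            rules.append(f"-A INPUT -p {proto} -m {proto} -s {net} -i {iface} "
                         f"--dport {ports} -j ACCEPT")
    return rules


def parse_rule(line):
    """Turn an '-A CHAIN ...' line into {'chain', 'opts', 'raw'}; None otherwise."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None            # table headers, chain policies, COMMIT, comments
    opts, i = {}, 2
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]    # option with a value, e.g. --dport 445
            i += 2
        else:
            opts[toks[i]] = True           # bare flag, e.g. --syn
            i += 1
    return {"chain": toks[1], "opts": opts, "raw": line}


def _dports(opts):
    """Expand '--dport 137:138' or '--dport 445' into a set of port numbers."""
    d = opts.get("--dport")
    if not d:
        return set()
    lo, _, hi = str(d).partition(":")
    return set(range(int(lo), int(hi or lo) + 1))


def audit(lines, ext_iface=EXT_IFACE):
    """Return a list of findings (an empty list means both checks passed)."""
    parsed = [r for r in map(parse_rule, lines) if r]
    accepts = [r for r in parsed if r["chain"] == "INPUT" and r["opts"].get("-j") == "ACCEPT"]
    findings = []
    # (a) the IPsec control and data plane must be admitted on the external interface
    for protos, port, label in REQUIRED:
        if not any(r["opts"].get("-p") in protos and r["opts"].get("-i") == ext_iface
                   and (port is None or port in _dports(r["opts"])) for r in accepts):
            findings.append(f"MISSING: {label} on {ext_iface}")
    # (b) SMB ports must only be accepted from an explicitly listed source
    for r in accepts:
        if _dports(r["opts"]) & SMB_PORT_SET and r["opts"].get("-s") in (None, "0/0", "0.0.0.0/0"):
            findings.append(f"OPEN: SMB accepted from any source: {r['raw']}")
    return findings


# Constructed sample: the post's IPsec and SAMBA rules with RFC 5737
# documentation subnets standing in for the real remote subnets.
SAMPLE_RULES = [
    "*filter",
    ":INPUT ACCEPT [0:0]",
    "-A INPUT -p esp -i eth0 -j ACCEPT",
    "-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT",
    "-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT",
    *smb_rules_for(["192.0.2.0/24", "198.51.100.0/24"]),
    "-A INPUT -i eth1 -j ACCEPT",
    "-A INPUT -j RH-Lokkit-0-50-INPUT",
    "COMMIT",
]
# The same ruleset with the NAT-T rule dropped and SMB opened to everyone.
WEAK_RULES = [r for r in SAMPLE_RULES if "4500" not in r] + [
    "-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT"]

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_RULES) or "ok")
    for f in audit(WEAK_RULES):
        print("weak:  ", f)
```

Feed `audit()` the lines of `iptables-save` output (on Fedora of that era, `/etc/sysconfig/iptables`) to check the live ruleset. One caveat on the post's SMB rules: `-i eth0 -s <subnet>` matches on interface and source address only, which with the NETKEY stack is also where the decrypted packet reappears; on kernels that ship the policy match, `-m policy --dir in --pol ipsec` added to those rules ties acceptance to the packet actually having arrived through an IPsec SA.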
