FreeS/WAN is a popular implementation of IPSec for GNU/Linux. At its current version (1.9.7) it needs to be patched to incorporate X.509 capability. You can find a patched version on this site. Some GNU/Linux distrubutions have applied the patch for you so check your package. The advantage of this version is that you can use openssl to create certificates to use with FreeS/WAN and DNS CERT records, but more specifically you can interact with the Microsoft Implementation of IPSec. For more information check Nate's page.
mv newreq.pem /etc/freeswan/ipsec.d/private/host.example.com.key mv newcert.pem /etc/freeswan/ipsec.d/host.example.com.pem |
mv cacert.pem /etc/freeswan/ipsec.d/cacerts |
Generate a certificate revocation list or copy yours to the right location.
openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem |
Still on the gateway machine, configure the ipsec.secrets file by including the line:
: RSA host.example.com.key “password” |
The password being the one used to generate the key pair. Configure ipsec.conf as following:
config setup interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes conn %default keyingtries=1 compress=yes disablearrivalcheck=no authby=rsasig leftrsasigkey=%cert rightrsasigkey=%cert conn roadwarrior-net leftsubnet=<your_subnet>/<your_netmask> also=roadwarrior conn roadwarrior right=%any left%defaultroute leftcert=host.example.com.pem auto=add pfs=yes |
As with the gateway copy the following files securely to the configuration directories:
mv newreq.pem /etc/freeswan/ipsec.d/private/clienthost.example.com.key mv newcert.pem /etc/freeswan/ipsec.d/clienthost.example.com.pem |
mv cacert.pem /etc/freeswan/ipsec.d/cacerts |
Generate a certificate revocation list or copy yours to the right location.
openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem |
Finally you need to copy also the certificate (not the private key) of your gateway machine
mv host.example.com.pem /etc/fresswan/ipsec.d/host.example.com.pem |
Similarly edit your ipsec.secrets file to load the client private key
: RSA clienthost.example.com.key “password” |
and edit the ipsec.conf as follows to enable the connection:
config setup interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes conn %default keyingtries=0 compress=yes disablearrivalcheck=no authby=rsasig leftrsasigkey=%cert rightrsasigkey=%cert conn roadwarrior-net left=(ip of host) leftsubnet=(gateway_host_subnet)/(gateway_host_netmask) also=roadwarrior conn roadwarrior left=(ip of host) leftcert=host.example.com.pem right=%defaultroute rightcert=clienthost.example.com.pem auto=add pfs=yes |
Now you can start the VPN link
ipsec auto --up roadwarrior ipsec auto --up roadwarrior-net |
To start the link automatically, replace in the configuration file 'auto=add' by 'auto=start'
Additionally note the output of:
openssl x509 -in cacert.pem -noout -subject |
Copy this file securely to the MS-Windows machine.
You know need to install Marcus Muller's ipsec.exe utility in for instance c:\ipsec directory.
Open Microsoft Management Console (MMC), in 'Add/Remove Snap-in' click on 'Add' then click on 'Certificates', then 'Add' Select 'Computer Account', and 'Next'. Select 'Local computer', and 'Finish'. Click on 'IP Security Policy Management', and 'Add'. Select 'Local Computer', and 'Finish' click 'Close' then 'OK'
Now you can add the .p12 certificate
Click the plus arrow by 'Certificates (Local Computer)' then right-click 'Personal', and click 'All Tasks' then 'Import' click 'Next'. Type the path to the .p12 file (or browse and select the file), and click 'Next'. Type the export password, and click 'Next'. Select 'Automatically select the certificate store based on the type of certificate', and click 'Next'. Click 'Finish', and say yes to any prompts that pop up. Exit the MMC, and save it as a file so you don't have to re-add the Snap In each time.
Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Edit your ipsec.conf (on the windows machine), replacing the "RightCA" with the output of the 'openssl x509 -in cacert.pem -noout -subject'; reformatted as below (you need to change the /'s to commas, and change the name of some of the fields -- just follow the example below):
conn roadwarrior left=%any right=(ip_of_remote_system) rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root" network=auto auto=start pfs=yes conn roadwarrior-net left=%any right=(ip_of_remote_system) rightsubnet=(your_subnet)/(your_netmask) rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root" network=auto auto=start pfs=yes |
Start the link
Run the command 'ipsec.exe'. Here's example output:
C:\ipsec>ipsec IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller Getting running Config ... Microsoft's Windows XP identified Host name is: (local_hostname) No RAS connections found. LAN IP address: (local_ip_address) Setting up IPSec ... Deactivating old policy... Removing old policy... Connection roadwarrior: MyTunnel : (local_ip_address) MyNet : (local_ip_address)/255.255.255.255 PartnerTunnel: (ip_of_remote_system) PartnerNet : (ip_of_remote_system)/255.255.255.255 CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... PFS : y Auto : start Auth.Mode : MD5 Rekeying : 3600S/50000K Activating policy... Connection roadwarrior-net: MyTunnel : (local_ip_address) MyNet : (local_ip_address)/255.255.255.255 PartnerTunnel: (ip_of_remote_system) PartnerNet : (remote_subnet)/(remote_netmask) CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... PFS : y Auto : start Auth.Mode : MD5 Rekeying : 3600S/50000K Activating policy... C:\ipsec> |
Now, ping your gateway host. It should say 'Negotiating IP Security' a few times, and then give you ping responses. Note that this may take a few tries; from a T1 hitting a VPN server on a cable modem, it usually takes 3-4 pings. Do the same for the internal network on the remote end, and you should be up!