This section gives an overview of:
This section is intended to cover only the essentials, things you should know before trying to use FreeS/WAN.
For more detailed background information, see the history and politics and IPSEC protocols sections.
FreeS/WAN is a Linux implementation of the IPSEC (IP security) protocols. IPSEC provides encryption and authentication services at the IP (Internet Protocol) level of the network protocol stack.
Working at this level, IPSEC can protect any traffic carried over IP, unlike other encryption which generally protects only a particular higher-level protocol -- PGP for mail, SSH for remote login, SSL for web work, and so on. This has both advantages and disadvantages, discussed in our IPSEC section
IPSEC can be used on any machine which does IP networking. Dedicated IPSEC gateway machines can be installed wherever required to protect traffic. IPSEC can also run on routers, on firewall machines, on various application servers, and on end-user desktop or laptop machines.
Three protocols are used
Our implementation has three main parts:
IPSEC is optional for the current (version 4) Internet Protocol. FreeS/WAN adds IPSEC to the Linux IPv4 network stack. Implementations of IP version 6 are required to include IPSEC. Work toward integrating FreeS/WAN into the Linux IPv6 stack has started.
For more information on IPSEC, see our IPSEC protocols section, our collection of IPSEC links or the RFCs which are the official definitions of these protocols.
IPSEC is designed to let different implementations work together. We provide:
The VPN Consortium fosters cooperation among implementers and interoperability among implementations. Their web site has much more information.
Because IPSEC operates at the network layer, it is remarkably flexible and can be used to secure nearly any type of Internet traffic. Two applications, however, are extremely widespread:
There is enough opportunity in these applications that vendors are flocking to them. IPSEC is being built into routers, into firewall products, and into major operating systems, primarily to support these applications. See our list of implementations for details.
We support both of those applications, and various less common IPSEC applications as well, but we also add one of our own:
This is an extension we are adding to the protocols. FreeS/WAN is the first prototype implementation, though we hope other IPSEC implementations will adopt the technique once we demonstrate it. See project goals below for why we think this is important.
A somewhat more detailed description of each of these applications is below. Our setup section will show you how to build each of them.
A VPN, or Virtual Private Network lets two networks communicate securely when the only connection between them is over a third network which they do not trust.
The method is to put a security gateway machine between each of the communicating networks and the untrusted network. The gateway machines encrypt packets entering the untrusted net and decrypt packets leaving it, creating a secure tunnel through it.
If the cryptography is strong, the implementation is careful, and the administration of the gateways is competent, then one can reasonably trust the security of the tunnel. The two networks then behave like a single large private network, some of whose links are encrypted tunnels through untrusted nets.
Actual VPNs are often more complex. One organisation may have fifty branch offices, plus some suppliers and clients, with whom it needs to communicate securely. Another might have 5,000 stores, or 50,000 point-of-sale devices. The untrusted network need not be the Internet. All the same issues arise on a corporate or institutional network whenever two departments want to communicate privately with each other.
Administratively, the nice thing about many VPN setups is that large parts of them are static. You know the IP addresses of most of the machines involved. More important, you know they will not change on you. This simplifies some of the admin work. For cases where the addresses do change, see the next section.
The prototypical "Road Warrior" is a traveller connecting to home base from a laptop machine. Administratively, most of the same problems arise for a telecommuter connecting from home to the office, especially if the telecommuter does not have a static IP address.
For purposes of this document:
These require somewhat different setup than VPN gateways with static addresses and with client systems behind them, but are basically not problematic.
There are some difficulties which appear for some road warrior connections:
In most situations, however, FreeS/WAN supports road warrior connections just fine.
One of the reasons we are working on FreeS/WAN is that it gives us the opportunity to add what we call opportuntistic encryption. This means that any two FreeS/WAN gateways will be able to encrypt their traffic, even if the two gateway administrators have had no prior contact and neither system has any preset information about the other . We hope this will go some distance toward creating a secure Internet, an environment where message privacy is the default. See our history and politics of cryptography section for discussion.
Both systems pick up the authentication information they need from the DNS (domain name service), the service they already use to look up IP addresses. Of course the administrators must put that information in the DNS, and must set up their gateways with opportunistic encryption enabled. Once that is done, everything is automatic. The gateways look for opportunities to encrypt, and encrypt whatever they can. Whether they also accept unencrypted communication is a policy decision the administrator can make.
A draft document giving most of the details of how we plan to implement this has been posted to the mailing list. See links below.
Only one current product we know of implements a form of opportunistic encryption. Secure sendmail will automatically encrypt server-to-server mail transfers whenever possible.
A complication, which applies to any type of connection -- VPN, Road Warrior or opportunistic -- is that a secure connection cannot be created magically. There must be some mechanism which enables the gateways to reliably identify each other. Without this, they cannot sensibly trust each other and cannot create a genuinely secure link.
Any link they do create without some form of authentication will be vulnerable to a man-in-the-middle attack. If Alice and Bob are the people creating the connection, a villian who can re-route or intercept the packets can pose as Alice while talking to Bob and pose as Bob while talking to Alice. Alice and Bob then both talk to the man in the middle, thinking they are talking to each other, and the villain gets everything sent on the bogus "secure" connection.
There are two ways to build links securely, both of which exclude the man-in-the middle:
Automatic keying is much more secure, since if an enemy gets one key only messages between the previous re-keying and the next are exposed. It is therefore the usual mode of operation for most IPSEC deployment, and the mode we use in our setup examples. FreeS/WAN does support manual keying for special circumstanes. See this section.
For automatic keying, the two systems must authenticate each other during the negotiations. There is a choice of methods for this:
Public key techniques are much preferable, for reasons discussed later, and will be used in all our setup examples. FreeS/WAN does also support auto-keying with shared secret authentication. See this section.
Our overall goal in FreeS/WAN is to make the Internet more secure and more private.
Our IPSEC implementation supports VPNs and Road Warriors of course. Those are important applications. Many users will want FreeS/WAN to build corporate VPNs or to provide secure remote access.
However, our goals in building it go beyond that. We are trying to help build security into the fabric of the Internet so that anyone who choses to communicate securely can do so, as easily as they can do anything else on the net.
More detailed objectives are:
If we can get opportunistic encryption implemented and widely deployed, then it becomes impossible for even huge well-funded agencies to monitor the net.
See also our section on history and politics of cryptography, which includes our project leader's rationale for starting the project.
People outside this core team have made substantial contributions. See
Any of those will have a list of other "munitions" mirrors.
More recently we have expanded to five lists, each with its own archive.
More information on mailing lists.
Unfortunately the export laws of some countries restrict the distribution of strong cryptography. FreeS/WAN is therefore not in the standard Linux kernel and not in all CD or web distributions.
FreeS/WAN is included in various general-purpose Linux distributions from countries (shown in brackets) with more sensible laws:
For distributions which do not include FreeS/WAN and are not Redhat (which we develop and test on), there is additional information in our compatibility section.
We would appreciate hearing of other distributions using FreeS/WAN.
There are also several sets of scripts available for managing a firewall which is also acting as a FreeS/WAN IPSEC gateway. See this list.
We would appreciate hearing of other specialised distributions using FreeS/WAN, or other script sets.
Several vendors use FreeS/WAN as the IPSEC component of a turnkey firewall or VPN product:
We would appreciate hearing of other products using FreeS/WAN.
FreeS/WAN documentation up to version 1.5 was available only in HTML. Now we ship two formats:
The Makefile assumes the htmldoc tool is available. You can
download it from Easy Software. You
may need to get source code and change some of the limits in
All formats should be available at the following websites:
The distribution tarball has only the two HTML formats.
Note: If you need the latest doc version, for example to see if anyone has managed to set up interoperation between FreeS/WAN and whatever, then you should download the current snapshot. What is on the web is documentation as of the last release. Snapshots have all changes I've checked in to date.
Text files in the main distribution directory are README, INSTALL, CREDITS, CHANGES, BUGS and COPYING.
FreeS/WAN commands and library routines are documented in standard Unix manual pages, accessible via the man(1) command. We also provide them in HTML, accessible from this index. In the event of disagreement between this HowTo and the man pages, the man pages are more likely correct since they are written by the implementers. Please report any such inconsistency on the mailing list.
The gmp (GNU multi-precision arithmetic) and Libdes (encryption) libraries which we use each have their own documentation. You can find it in those library directories.
Various user-written HowTo documents are available. The ones covering FreeS/WAN-to-FreeS/WAN connections are:
User-wriiten HowTo material may be especially helpful if you need to interoperate with another IPSEC implementation. We have neither the equipment nor the manpower to test such configurations. Users seem to be doing an admirable job of filling the gaps.
Check what version of FreeS/WAN user-written documents cover. The software is under active development and the current version may be significantly different from what an older document describes.
Two design documents show current team thinking on new developments:
A number of papers giving further background on FreeS/WAN, or exploring its future or its applications, are also available:
Several of these provoked interesting discussions on the mailing lists, worth searching for in the archives.
Interoperability test results are in our web links document.
Not all code in the distribution is ours, however. See the CREDITS file for details. In particular, note that the Libdes library has its own license.
For more detailed background information, see:
To begin working with FreeS/WAN, go to:
Some Linux distributions, listed in the introduction, ship with FreeS/WAN included. If you are using one of them, you need not perform a FreeS/WAN installation. That should all be done for you already. All you have to do is:
Users of such distributions can skip ahead to our section on setting up FreeS/WAN.
Unfortunately, due to export laws restricting distribution of strong cryptography, not all distributions include FreeS/WAN. Moreover, the standard kernel does not include the kernel parts of FreeS/WAN. Many people will need to install FreeS/WAN, including patching and rebuilding their kernel.
The scripts are designed so that a re-install -- to upgrade to a later FreeS/WAN version or to a later kernel version -- can be done in exactly the same way as an original install.
The scripts know enough, for example, not to apply the same kernel patch twice and not to overwrite your ipsec.conf or ipsec.secrets files. However, they will overwrite the _updown script. If you have modified that, save your version under another name before doing the install.
Also, they may not always work exactly as designed. Check the BUGS file for any caveats in the current version.
Configure, compile, install, and test a Linux kernel, without FreeS/WAN.
If you have not done this before, you will need to read the Kernel HowTo.
Many users can continue to run kernels from the 2.2 series of Linux production kernels.
At time of writing (June 2001), the latest version is 2.2.19. If you are going to use a 2.2 kernel, we strongly recommend 2.2.19 since:
2.4 has new firewalling code called netfilter. This may provide good reasons to move to 2.4, especially on for gateway machines.
In the older 2.0.x kernel series, we no longer support versions earlier than 2.0.38. 2.0.38 has fixes for a number of small security-related glitches, worth having on a security gateway machine. FreeS/WAN has been tested on 2.0.39, and does work there.
Recent versions of FreeS/WAN are not heavily tested on 2.0 kernels. Most of both the development team and the user community are on 2.2, or even 2.4, by now.
We are likely to drop 2.0 support entirely if some problem crops up that would mean retaining it required significant work from our team.
At time of writing, no more 2.3 kernels are being produced and the 2.5 series has not been started yet, so just now development kernels are not an issue. No doubt a 2.5 series will be started in the next few months.
Development kernels are not intended for production use . They change often and include new code which has not yet been thoroughly tested. This regularly breaks things, including FreeS/WAN. The FreeS/WAN team does not have the resources to chase the moving target; our priority is developing FreeS/WAN on stable kernels. If you encounter a problem on a development kernel, please solve it (you are a developer, aren't you?) and send us a patch. Of course, we will happily discuss problems and solutions on the mailing list, but we are unlikely to do much work on actually implementing a solution.
Fortunately we have a user who regularly fixes problems with FreeS/WAN on development kernels (merci, Marc), and we do fix some ourselves. FreeS/WAN often works just fine on a development kernel; it's just that there's no guarantee.
If you are going to test FreeS/WAN with a development kernel, we recommend you use our latest snapshot. This is the FreeS/WAN version most likely to have the patches required to work on a recent development kernel. The released version of FreeS/WAN is likely to be out of date for your purposes.
If you have a CD distribution of Linux, it should include everything you need.
There are some common slips worth avoiding here:
All the major distribution vendors provide kernel source. See for example:
Using a kernel from your distribution vendor may save you some annoyance later.
Different distributions put the kernel in different places (/vmlinuz, /boot/vmlinuz, /boot/vmlinuz-2.2.15 ...) and set lilo (the Linux loader) up differently. With a kernel from your distribution vendor, everything should work right. With other combinations, a newly compiled kernel may be installed in one place while lilo is looking in another. You can of course adjust the kernel Makefile and/or /etc/lilo.conf to solve this problem, but we suggest just avoiding it.
Also, distributions vendors may include patches or drivers which are not part of the standard kernel. If you install a standard kernel, you must either do without those features or download those patches and add them yourself.
Once you have found suitable kernel source, choose a mirror that is close to you and bookmark it.
Kernel source normally resides in /usr/src/linux, whether you load it from a distribution CD or download a tar file into /usr/src and untar it there. Unless you both have unusual requirements and know exactly what you're doing, we recommend you put it there.
You can download FreeS/WAN from our primary site or one of our mirrors.
Put the tarfile under /usr/src and untar it there. The command to use is:
This will give you a directory /usr/src/freeswan<version> .
Note that these methods don't work:
The gateway kernel must be configured before FreeS/WAN is added because some of our utilities rely on the results of configuration.
Note for Redhat 7.1 users: If you are using the
Redhat-supplied kernel, then you must do a
On some distributions, you can get the configuration files for the vendor's standard kernel(s) off the CD, and use that. This allows you to skip this step; you need not configure the kernel if the vendor has and you have the vendor's config file installed. Here is a mailing list message describing the procedure for Redhat:
Subject: Re: [Users] Do I need to recompile kernel 2.2.17-14? Date: Wed, 6 Jun 2001 08:38:38 -0500 From: "Corey J. Steele" <csteele@mtron.com> if you install the corresponding kernel-source-*.rpm, you can actually find the config file used to build that kernel in /usr/src/linux/Configs, just copy the one you want to use (based solely on architecture) to /usr/src/linux/.config, and proceed! It should work.If you have ever configured the kernel yourself on this machine, you can also skip this step.
If the kernel has not been configured, do that now. This is done by giving one of the following commands in /usr/src/linux:
Any of these wiil do the job. If you have no established preference, we suggest trying menuconfig.
For more information on configuring your kernel, see our section on that topic.
You should compile, install and test the kernels as you have configured them, so that you have a known stable starting point. The series of commands involved is usually something like:
Doing this first means that if there is a problem after you add FreeS/WAN, tracking it down is much simpler.
If you need advice on this process, or general Linux background information, try our Linux web references. The most directly relevant document is the Kernel HowTo.
There are several ways to build and install the software. All require that you have kernel source, correctly configured for your machine, as a starting point. If you don't have that yet, see the previous section
Whatever method you choose, it will do all of the following:
You can do the whole install with two commands (recommended in most cases) or get into as much of the detail as you like.
To do everything except install the new kernel, cd into the freeswan directory and become root. Give any one of the following commands:
You must save the new configuration even if you make no changes. This ensures that the FreeS/WAN changes are actually seen by the system.
Our scripts save the output of make commands they call in files with names like out.kbuild or out.kinstall . The last command of each script checks the appropriate out.* file for error messages.
For the above commands, the error files are out.kpatch and out.kbuild.
These scripts automatically build an RSA authentication key pair (a public key and the matching private key) for you, and put the result in /etc/ipsec.secrets. For information on using RSA authentication, see our configuration section. Here, we need only note that generating the key uses random(4) quite heavily and if random(4) runs out of randomness, it will block until it has enough input. You may need to provide input by moving the mouse around a lot, or going to another window and typing random characters, or using some command such as du -s /usr to generate disk activity.
To install the kernel the easy way, just give this command in the FreeS/WAN directory:
Using make kinstall from the FreeS/WAN directory is equivalent to giving the following sequence of commands in /usr/src/linux:
If you prefer that sequence, use it instead.
If you have some unusual setup such that the above sequence of commands won't work on your system, then our make kinstall will not work either. Use whatever method does work on your system. See our implementation notes file for additional information that may help in such situations.
Check your lilo.conf(5) file to ensure it points to the right kernel, then run lilo(8) to read lilo.conf(5) and set up the bootloader.
To check that you have a sucessful install, you can reboot and check (by watching messages during boot or by looking at them later with dmesg(8)) that:
You can also try the commands:
Of course any status information at this point should be uninteresting since you have not yet configured connections.
See the following section for information on configuring connections.
Alternately, you might want to look at background material on the protocols used before trying configuration.
This section describes setting up and testing Linux FreeS/WAN.
Before attempting this, you should:
You also need to set up and test IP networking on all the machines you plan to install FreeS/WAN on or to use in testing, before trying to set up FreeS/WAN. This is discussed in more detail after the description of our example networks.
For our examples, we assume that there are only three networks involved, two that want to talk to each other plus the Internet in the middle. The idea is to build an encrypted tunnel across the Internet so the two networks can talk securely. Once you have this working between two network gateways, extending it to three or more is straightforward.
In our examples, we'll call the two gateways East and West. We'll have only one client machine on each net: Sunrise in the East and Sunset in the West.
A diagram:
Sunset==========West------------------East=========Sunrise
local net untrusted net local net
Our goal here is to tell you how to set up the two gateways, East and West. We assume your goal is to ensure that East and West encrypt all traffic between them, or at least all that your security policies require them to encrypt.
Of course one does not always have a security gateway separate from the client machine. Especially for road warriors, a network that looks like this is common:
telecommuter's PC or
corporate LAN traveller's laptop
Sunset==========West------------------East
local net untrusted net
and this is possible:
West------------------East
untrusted net
In our configuration files, and in this discussion, we treat the two simpler setups as degenerate cases of the network-to-network link. For all the diagrams above, for example, we speak of "the subnet behind East". In two of the diagrams, of course, that "subnet" is just the machine itself.
This may take some getting used to, but we hope it is less confusing than continually having to say things like "the subnet behind East (or the East machine itself if there is no client subnet)".
Many users just want to get IPSEC installed on a few machines. They can skip this section.
Others may want to build a testbed network, for any of a number of reasons. For them, we have some suggestions.
The ideal test setup for IPSEC is something like:
Sunset==========West-----eth0 eth1-----East=========Sunrise
local net test machine local net
The test machine routes packets between the two gateways. This makes things more complicated than if you just connected the two gateway machines directly to each other, but it also makes your test setup much more like the environment you actually use IPSEC in. Those environments nearly always involve routing, and quite a few apparent IPSEC failures turn out to be problems with routing or with firewalls dropping packets. This approach lets you deal with those problems on your test setup.
Also, the test machine is in the ideal position to run diagnostic software (such as tcpdump(8)) for checking IPSEC packets. Such software is likely to misbehave if run on the gateways themselves. It is designed to look into a normal IP stack and may become confused if you ask it to display data from a stack which has IPSEC in play.
For more detailed testbed information see these mailing list messages:
Before trying to get FreeS/WAN working, you should configure and test IP networking on both gateways and on at least one client machine behind each of them. IPSEC cannot work without a working IP network beneath it. Many reported "FreeS/WAN problems" turn out to actually be problems with routing or firewalling. If any actual IPSEC problems turn up, you often cannot even recognise them (much less debug them) unless the underlying network is right.
If you need advice on this, your best sources are likely:
See also our bibliography.
Here is our network diagram again:
Sunset==========West------------------East=========Sunrise
local net untrusted net local net
The client machines, Sunrise and Sunset in our example, may have assigned routable IP addresses, or they may be using private non-routable addresses (as defined in RFC 1918) with the gateways doing IP masquerade. It doesn't matter which, as long as whatever it is works correctly.
Note, however, that the two subnets must have distinct addresses. You cannot have them both masqueraded to the same range of RFC 1918 addresses.
In any case, it is not enough to just test that East and West can communicate.
Some systems turn off packet forwarding by default, even for kernels in which it has been enabled. This is the safe default. You don't want systems forwarding packets in uncontrolled ways.
To turn forwarding on temporarily, use the following command as root:
echo "1" > /proc/sys/net/ipv4/ip_forward
Turning it on permanently is also possible. The exact method varies
from distribution to distribution:
A gateway machine needs forwarding enabled or it will not route packets between the two networks it is attached to. The simplest way to ensure this is to enable forwarding using whatever method your distribution provides. See list above.
A more conservative approach is to disable forwarding in your system configuration, then enable from your boot scripts after appropriate firewall scripts are in place.
Configure and test any other software you will want to use for testing once IPSEC is up. For example, you might put an HTTP daemon on Sunset and a browser on Sunrise. Make sure these work without IPSEC.
If these tests fail, figure out why and fix it. Do not proceed until it works.
As with most things on any Unix-like system, most parts of Linux FreeS/WAN are documented in online manual pages. We provide a list of FreeS/WAN man pages, with links to HTML versions of them.
The man pages describing configuration files are:
Man pages for commands used in this document include:
You can read these either in HTML using the links above or with the man(1) command.
RSA keys come in matched pairs. Each pair includes:
For FreeS/WAN, both keys for your system are in the ipsec.secrets(5) file. Maintaining security of this file is essential since it holds your private key.
Public keys for systems you communicate with are placed in ipsec.conf(5). Security here is less vital (unless you are using manual keying as well, in which case the file may have secret keys). It does not matter if an enemy knows the public keys, as long as the private keys are protected.
If you installed FreeS/WAN yourself, then the installation process has already generated an RSA key pair for you and placed it in the ipsec.secrets(5) file.
If not, you need to:
: RSA {
<stuff generated by rsasigkey>
}
Note that:
This means "always use this as my private RSA key". For other options, for example if you want to use different keys with different partners, see the man pages.
The RSA keys we generate are suitable only for authentication, not for encryption. IPSEC uses them only for authentication. See our IPSEC section for details.
It is also possible to use keys in other formats, not generated by FreeS/WAN. This may be necessary for interoperation with other IPSEC implementations. See our links to patches which add support for keys generated by PGP or embedded in X.509 certificates.
The next step is to send your public key to everyone you need to set up connections with, and collect their public keys. The public key is the line in the output of rsasigkey starting "#pubkey=0x".
Public keys need not be protected as fanatically as private keys. They are intended to be made public; the system is designed to work even if an enemy knows all the public keys used.
Note, however, that authentication of public keys is critical. It does not matter if an enemy knows your public keys, but if you can be tricked into trusting a public key supplied by an enemy, you are in deep trouble.
For example, consider the fellow who wants to communicate with his mistress, keeping messages secret from his wife.
You must authenticate any public keys received before using them. For remote sites, the simplest method is to exchange them using PGP-signed email (taking appropriate steps to authenticate the signing keys). For nearby machines, a floppy disk or trusted network is fine.
For each system you will communicate with, you need an RSA public key and an identifier associated with it. The identifiers go in the leftid= and rightid= lines of connection descriptions in ipsec.conf(5). They are the names the systems use to identify themselves during connection negotiation.
There are four possible forms for these identifiers:
We recommend that only the @FQDN form be used in most applications. IP addresses make remarkably uninteresting names. Resolving a name to an IP address is not interesting in this context, and attempting to resolve it may cause problems if DNS is down or if someone subverts a DNS server which you rely on.
If your domain is example.com, the names you use should be of three types:
In order to facilitate distributing keys through DNS, we recommend avoiding
For example, if you have a server alice.example.com, then you should not use "@alice.example.com" to identify Alice's laptop for IPSEC.
FreeS/WAN uses a configuration file, ipsec.conf(5).
This section describes setting up the parts of that file that apply to all connections:and gives an introduction to the parts of the file that specify the actual connections. The following section covers setting up three common types of connection, all using automatic keying with RSA authentication of the gateways:
Setup is quite similar for each of these, but details differ.
Other types of connections are covered in later sections.
The easiest way to create a connection is by editing one of our examples. Here we will use the one in the installation ipsec.conf file. You could also start with one from our doc/examples file if one of those is closer to what you need to do.
The first section of ipsec.conf(5) contains overall setup parameters for IPSEC, which apply to all connections. In our example file, it is:
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
The variables set here are:
In many cases, the appropriate interface is just your default connection to the world (the Internet, or your corporate network). In these cases, you can use the default setting:
To check what FreeS/WAN sees as the default route, you can use the command ipsec showdefaults. You may need to compare this with the output from route -n to get a more complete picture.
In other cases, you can name one or more specific interfaces to be used by FreeS/WAN. For example:
Note that
If you need to discover interface names, use the command:
ifconfigIf you have PCMCIA or other interfaces that are not available at boot time, special measures are required. See our section on that.
klipsdebug and plutodebug can each be set to "none" or to "all" in most circumstances. There are other options; see the relevant man pages.
plutoload and plutostart can be quoted lists of connection names, but are often set to %search as in our example. Any connection with auto=add in its connection definition is then loaded, and any connection with auto=start is started.
In most cases, you want plutostart=%search here and auto=start in your connection descriptions. That way when a connection is broken, for example if one machine crashes or is taken down for some reason, it will be reliably rebuilt. If only one end is told to start the connection, then if the other end crashes, you may lose the connection for a long time. The end that could rebuild does not know it needs to.
The exception to the above is when you have many road warriors connecting to a single gateway. Having the gateway trying to rebuild tunnels to systems which are offline can waste considerable resources. In this case, the gateway should have auto=add for all connections, and let the remote systems start negotiations.
There is a special name %default that lets you define things that apply to all connections. e.g. our example file has:
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# How to authenticate gateways
authby=rsasig
Variables set here are:
For testing, you might wish to set this to some small number, perhaps even to 1, to avoid wasting resources on incorrectly set up connections. In production, it is often set to zero (retry forever). Keeping the connection up is what machine resources are for, so if a connection is down you night as well waste resources retrying as waste them by sitting idle. Of course some caution should be exercised with this, since it can waste network resources as well.
Once you are finished testing, you can edit these defaults, adding anything that is standard for all gateways in your organisation.
Previous versions of this document said:
Note, however, that setting the auto= parameter in the default connection description does not work. You cannot use auto=start here to get all connections started automatically or auto=add to get them all loaded. You must set that in the individual connection descriptions.This restriction has been removed in FreeS/WAN 1.9. However, if the other end of the tunnel is an older version, the restriction will still apply there, so some caution is still required.
Edit our example connection to match what you want to do. Rename it appropriately for the connection you would like to build: "fred-susan", "reno-van" or whatever. The name is the second string in the line that begins with "conn", for example in:
conn snt
The connection name is "snt" (subn et tunnel) and to define another connection you make a copy with a new name such as:
conn reno-van
A sample connection description is:
# sample tunnel
# The network here looks like:
# leftsubnet====left----leftnexthop......rightnexthop----right====rightsubnet
# If left and right are on the same Ethernet, omit leftnexthop and rightnexthop.
conn sample
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if there is no subnet)
leftsubnet=172.16.0.0/24
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
auto=start
We omit here the variables we have shown as set in the default
connection above. All of them could also be set here. If they are set
in both places, settings here take precedence. Defaults are used only
if the specific connection description has no value set.
The network described above looks like this:
subnet 172.16.0.0/24 =leftsubnet
|
interface 172.16.0.something
left gateway machine
interface 10.0.0.1 =left
|
interface 10.44.55.66 =leftnexthop
router
interface we don't know
|
INTERNET
|
interface we don't know
router
interface 10.88.77.66 =rightnexthop
|
interface 10.12.12.1 =right
right gateway machine
interface 192.168.0.something
|
subnet 192.168.0.0/24 =rightsubnet
You need to edit the connection description, inserting appropriate IP
addresses and subnet descriptions so that it describes your network.
In most cases, you should use numeric IP addresses, not names, here. The file syntax allows names to be used, but this creates an additional risk. If someone can subvert the DNS service, then they can redirect packets whose addresses are looked up via that service.
Many of the variables in this file come in pairs such as "leftsubnet: and "rightsubnet", one for each end of the connection. The variables on the left side are:
This need not always be set.
(Yes, we know that design is not ideal, and we plan to change it. See extensive discussions on the mailing list, mostly with "routing" or "KLIPS 2" in the subject lines.)
For more detail, including ways to invoke your own customised script instead, see our FreeS/WAN and firewalls section.
If the conn setup section has plutostart=%search , then all connections marked auto=start are started when Pluto starts.
Initially, we suggest using auto=add on all connections. This lets you start them manually during testing. Once they are tested, you can change many of them to auto=start.
For each left* parameter, there is a corresponding right* parameter.
Note that a connection to a subnet behind left does not include left itself. The tunnel described above protects packets going from one subnet to the other. It does not apply to packets which either begin or end their journey on one of the gateways. If you need to protect those packets, you must build separate tunnel descriptions for them.
It is a common error to attempt testing a subnet-to-subnet connection by pinging from one of the gateways to the far end or vice versa. This does not work, even if the connection is functioning perfectly, because traffic to or from the gateway itself is not sent on that connection. If you want to protect traffic originating or terminating on the gateway, then you need a separate tunnel for that in addition to the subnet's tunnel. See the section on multiple tunnels below.
Which security gateway is "left" and which is "right" is arbitrary.
We suggest that you name connections by their ends. For example, name the link between Fred and Susan's machines "fred-susan" or the link between your Reno and Vancouver offices "reno-van". You can then let "left" refer to the left half of the name, "fred" or "reno" in our examples, and "right" to the other half.
To simplify administration, we recommend that you use the same names in the ipsec.conf files on both ends. The name "reno", for example, should refer to the machine in Reno, no matter which city the file is in, and if "reno" is "left" in the reno-van description in Reno, then "reno" should be "left" in that description on the Vancouver machine as well.
Then when you copy the file from one machine to the other, the only change you should make on the second machine is changing the interfaces= line to match the interface that machine uses for IPSEC.
Of course the software does not actually require this. The names are just arbitrary strings to it. If your administrator in Reno wants to refer to the machines as "Phobos" and "Demios" while the Vancouver admin calls them "George" and "Gracie", things should still work.
In this section we show examples of three common setups:
We use a, b, c ... to indicate components of IP addresses. Each letter is some number in the range 0 to 255, inclusive.
For additional examples, see our examples file.
In this example, the network looks like this:
subnet a.b.c.0/24 =leftsubnet
| (head office has routable IP addresses)
interface a.b.c.d
left gateway machine
interface e.f.g.h =left
| (external address outside a.b.c.0 subnet)
interface e.f.g.i =leftnexthop
router
interface we don't know
|
INTERNET
|
interface we don't know
router
interface j.k.l.m =rightnexthop
|
interface j.k.l.n =right
right gateway machine
interface 192.168.0.something
| (branch office uses private IP addresses)
subnet 192.168.0.0/24 =rightsubnet
The ipsec.conf(5) file might look like this (with RSA keys shortened for easy display):
# basic configuration
config setup
interfaces=eth0
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
# defaults that apply to all connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# How to authenticate gatways
authby=rsasig
# VPN connection for head office and branch office
conn head-branch
# identity we use in authentication exchanges
leftid=@head.example.com
leftrsasigkey=0x175cffc641f...
# left security gateway (public-network address)
left=e.f.g.h
# next hop to reach right
leftnexthop=e.f.g.i
# subnet behind left (omit if there is no subnet)
leftsubnet=a.b.c.0/24
# right s.g., subnet behind it, and next hop to reach left
rightid=@branch.example.com
rightrsasigkey=0xfc641fd6d9a24...
right=j.k.l.n
rightnexthop=j.k.l.m
rightsubnet=192.168.0.0/24
# right is masquerading
rightfirewall=yes
auto=start
The versions of this file at the two ends should be identical, except that each must have an interfaces= line appropriate for the local machine.
RFC 1918 reserves three groups of addresses for use on private networks:
Addresses in these ranges will never be assigned to anything on the Internet. Many routers automatically drop any packet with one of these addresses as either source or destination.
You can use FreeS/WAN to route between two such networks, using for example leftsubnet=192.168.47.0/24 and rightsubnet=192.168.48.0/24. These addresses still do not appear on the Internet; they are encapsulated inside IPSEC packets which have the gateways' external addresses (from the left and right parameters of the connection description) in their headers.
For our purposes, a "road warrior" is any machine that does not have a fixed IP address where it can normally be expected to be on line. This includes:
The configuration for road warrior support looks slightly different from a VPN configuration. We cannot use the road warrior's IP address in the configuration file since we don't know it, and we don't want to have our server retrying connections to road warriors that are no longer online.
In this example, the network looks like this:
subnet a.b.c.0/24 =leftsubnet
| (head office has routable IP addresses)
interface a.b.c.d
left gateway machine
interface e.f.g.h =left
| (external address outside a.b.c.0 subnet)
interface e.f.g.i =leftnexthop
router
|
INTERNET
|
interface with dynamic IP address
road warrior machine
Here the ipsec.conf(5) files on the two ends are slightly different. The one at the office might have exactly the same config setuo and conn %default sections as in the VPN example.
# basic configuration
config setup
interfaces=eth0
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
# defaults that apply to all connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# How to authenticate gatways
authby=rsasig
Then add a description for the road warrior connection:
# Connection for road warrior Fred
conn head-fred
# identity we use in authentication exchanges
leftid=@head.example.com
leftrsasigkey=0x175cffc641f...
# left security gateway (public-network address)
left=e.f.g.h
# next hop to reach right
leftnexthop=e.f.g.i
# subnet behind left (omit if there is no subnet)
leftsubnet=a.b.c.0/24
# accept any address for right
right=%any
# any address, provided authentication works
rightid=@fred.example.com
rightrsasigkey=0xd9a24765fe...
# no subnet for a typical road warrior
# it is possible, but usually not needed
# let the road warrior start the connection
auto=add
# override the default retry for road warriors
# we don't want to retry if IP connectivity is gone
keyingtries=1
On the gateway end we use
The file on the road warrior end is nearly identical, except that it has:
Additional road warriors can be added as required. Each should have his or her own connection description with unique settings for rightid and rightrsasigkey.
Jean-Francois Nadeau's Practical Configurations document also has an example of using RSA authentication for road warriors.
The idea is that each gateway check the destinations of outgoing packets, see if an encrypted connection is possible and, if so, take the opportuntity to encrypt. The opportunity will exist whenever the admins on both ends have set their systems up for opportunistic encryption.
This makes encryption the default behaviour, and could greatly increase the overall security of the Internet if it were widely enough adopted. See our documents:
The gateways must be able to authenticate each other for IPSEC to be secure. For opportunistic encryption, we rely on the domain name system, DNS, to provide the RSA keys needed for this authentication. Note, that currently this is not entirely secure because the DNS mechanism it relies on is not fully secure. Eventually, as secure DNS becomes widely deployed, this will change.
The main documentation items so far are:
Note that both software and documentation for this are changing quickly. You may want the latest snapshot for opportunism experiments.
We do not yet recommend this code for production use . You should still protect your critical data with explicitly configured IPSEC tunnels, rather than relying on opportunistic for everything at this stage.
conn subnet-to-anyone # for our client subnet
leftsubnet=10.42.42.0/24 # any single client in our subnet
left=%defaultroute # our SG (defaults leftnexthop too)
right=%opportunistic
The public key, in our format, must be in a KEY record of the appropriate DNS entry for this to work.
Each opportunistic connection supports a single source/destination pair of IP addresses. There is no way to build an opportunistic connection for a larger subnet. Specifying a subnet in the connection description, as in the example above, just means that any host in that subnet may have opportunistic connections.
Opportunism requires that the gateway systems be able to fetch public keys, and other IPSEC-related information, from each other's DNS (domain name service) records.
DNS is a distributed database that maps names to IP addresses and vice versa. A system named gateway.example.com with IP address 10.20.30.40 should have at least two DNS records:
To be more precise, quoting the Opportunism Design document:
For reference, the minimum set of DNS records needed to make
this all work is either:
1. TXT in Destination reverse map, identifying Responder
and providing public key.
2. KEY in Initiator reverse map, providing public key.
3. TXT in Source reverse map, verifying relationship to
Initiator.
or:
1. TXT in Destination reverse map, identifying Responder.
2. KEY in Responder reverse map, providing public key.
3. KEY in Initiator reverse map, providing public key.
4. TXT in Source reverse map, verifying relationship to
Initiator.
Slight complications ensue for dynamic addresses, lack of
control over reverse maps, etc.
The client systems will be either Source or Destination, so they must have:
1. TXT in Destination reverse map, identifying Responder
and providing public key.
2. ...
3. TXT in Source reverse map, verifying relationship to
Initiator.
or:
1. TXT in Destination reverse map, identifying Responder.
2. ...
3. ...
4. TXT in Source reverse map, verifying relationship to
Initiator.
If you control the gateway's reverse map, example client records would
look like this:
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com. 42.42.42.10.in-addr.arpa. IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"which can also be written as just:
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
This provides the IP address of the security gateway and the public
key which the gateway will use to authenticate itself. This is the
preferred method.
1. ... 2. KEY in Initiator reverse map, providing public key. 3. ... or: 1. ... 2. KEY in Responder reverse map, providing public key. 3. KEY in Initiator reverse map, providing public key. 4. ...
If you control the gateway's reverse map, you just add a KEY record there. That is all the gateway reverse map needs, whether it is working as Initiator or Responder.
Here is an example, with many characters of the key itself left out:
40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8This allows lookups on the IP address of the gateway to retrieve the key.
However, suppose a friend over at example.org will let you put things in their maps. That will allow you to set your gateway up to handle opportunistic connections for which it is the initiator.
You still need to be able to put data in the reverse map for your clients. However, that data is slightly different:
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
IN TXT "X-IPsec-Server(10)=something.example.org"
Over at example.org, your friend puts these lines in the DNS data
files:
something.example.org. IN A 10.20.30.40 something.example.org. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8Your gateway must identify itself in IKE as something.example.org, not as gateway.example.com. You set that up via leftid= or rightid= entries in ipsec.conf(5).
With this arrangement, the remote gateway receives an ID payload early in IKE with your (bogus) gateway name "something.example.org". Then it looks up that name to get the IP address and key for the gateway.
We provide several features in the syntax of the ipsec.conf(5) file that are intended to simplify the work of managing complex multi-connection setups:
These can be combined in whatever way suits your application. One example is this ipsec.conf file for a gateway supporting multiple road warriors, all using RSA authentication:
conn %default
type=tunnel
pfs=yes
keylife=2h
authby=rsasig # all connections use RSA authentication
keyingtries=1 # road warrior can retry, we shouldn't
# some parameters are common to all remote systems
right=%any # accept from any address
# pick up all remote system descriptions
# uses shell wildcards
include /etc/ipsec/remote.*.conn
# left side of all connections is the same
# define it after the descriptions which use it
conn leftstuff
left=101.101.101.101
leftnexthop=101.101.101.1
leftsubnet=202.202.202.0/24
leftid=@gateway.example.org
On the left gateway, we can omit leftrsasig. That gateway uses the private key stored in ipsec.secrets(5) and has no need for its own public key. Similarly, the road warriors need not have their own public keys in ipsec.conf(5), only the gateway's public key.
The remote connection descriptions in /etc/ipsec/remote.*.conn need then have only a few lines each:
conn myname
# pick up common info for all connections
also=leftstuff
# identify the remote machine
rightid=@myname.example.org
rightrsasigkey=0xfc641fd6d9a24...
# we cannot use auto= in default or an also= section
# so do it here
auto=add # load, but don't start
Note that if auto=add or auto=start parameters are used, they must be in the actual connection descriptions. Neither putting them in the conn default section nor including them via an also= line will work.
Also, be careful with the order of sections in this file. The parser used requires that a definition comes after the also= line which uses it. In our example, the include inserts the files with the also=leftstuff lines before the definition of conn leftstuff so things are parsed in the correct order.
If firewall packet filtering is being done on either of the FreeS/WAN gateway machines, or on any machine on the path between them, then you will probably need to adjust the filters before FreeS/WAN can work. The filters must allow:
For more detail, see our IPSEC and firewalls document.
This section covers testing connections once you have FreeS/WAN installed and your ipsec.conf(5) file set up.
We assume all your connection descriptions use auto=add so that ipsec_pluto(8) loads the descriptions into its internal database at startup but does not attempt to start the connections until you tell it to.
It is important that the numbers in your connection descriptions match the network configuration. FreeS/WAN is almost certain to fail if they do not.
Suppose you are at the Reno office and your ipsec.conf file now has, among others, these lines:
config setup
interfaces="ipsec0=eth0"
conn reno-van
left=101.101.101.101
right=202.202.202.202
When you tell FreeS/WAN to start the reno-van connection, it doesn't automagically know that it is in Reno, or that it is left in the configuration. It discovers that by comparing the IP address for ipsec0 (and, if it is set, for ipsec1) to the addresses for left and right. ipsec0 inherits its address from the underlying device, eth0 in our example.
So in our example, if eth0 has IP address 101.101.101.101 then ipsec0 inherits that address, the correct match is found, and this FreeS/WAN discovers that it is left. (If no match is found, Pluto reports "unable to orient connection".) It then sets itself up with any other left* parameters in use -- some of leftnexthop, leftsubnet, leftfirewall and leftid.
Once it has these parameters, FreeS/WAN sets things so that
All should be well.
Of course, there must also be interfaces and routes set up so that this machine can exchange IP packets both with the right gateway and with clients on leftsubnet. This is done with standard Linux utilities such as ifconfig(8) and route(8). Also, things must be correct on right in Vancouver. It takes two to tunnel.
A data mismatch anywhere in this configuration will cause FreeS/WAN to fail and to log various error messages. Depending on just how confused FreeS/WAN is and about what, the error messages may be somewhat confusing. See our troubleshooting section to get help interpreting them if required.
We recommend double-checking for consistency here before starting actual tests..
Reboot both gateways to get FreeS/WAN started. No connections are actually made yet, but the stage is set.
Examine /var/log/messages for any signs of trouble.
On both gateways, the following entries should now exist in the /proc/net/ directory:
and the IPSEC interfaces should be attached on top of the specified physical interfaces. Confirm that with:
cat /proc/net/ipsec_tncfg
You should see at least device ipsec0, and each ipsec device should point to a physical device, eg. 'ipsec0 -> eth0 mtu=16260 -> 1500'. Routing connections through this pseudo-device with our eroute(8) utility causes the data to be encrypted before being delivered to the underlying network interface.
Don't be surprised when you cannot find that /dev/ipsec0 or /dev/ipsec1. They do not exist. Other network pseudo-devices such as eth0 and eth1 do not have entries in /dev either. In general, network devices do not need such entries.
On one gateway, start IPSEC with:
ipsec auto --up name
replacing name with the connection name you used in ipsec.conf(5).
Note that to shut down a connection, you must do:
ipsec auto --down name
on both gateway machines, even though you only start it from one.
If the ipsec auto --up command doesn't generate any errors, do
ipsec look
and see if the output looks something like this:
foo.spsystems.net Wed Nov 25 22:51:45 EST 1998 ------------------------- 10.0.1.0/24 -> 11.0.1.0/24 => tun0x200@11.0.0.1 esp0x202@11.0.0.1 ------------------------- tun0x200@11.0.0.1 IPv4_Encapsulation: dir=out 10.0.0.1 -> 11.0.0.1 esp0x203@10.0.0.1 3DES-MD5-96_Encryption: dir=in iv=0xc2cbca5ba42ffbb6 seq=0 bit=0x00000000 win=0 flags=0x0<> esp0x202@11.0.0.1 3DES-MD5-96_Encryption: dir=out iv=0xc2cbca5ba42ffbb6 seq=0 bit=0x00000000 win=0 flags=0x0<> Destination Gateway Genmask Flags MSS Window irtt Iface 11.0.0.0 0.0.0.0 255.255.255.0 U 1500 0 0 eth1 11.0.1.0 11.0.0.1 255.255.255.0 UG 1404 0 0 ipsec0
If it does, you're probably in business.
This example shows:
a tunnel tun0x200 going to 11.0.0.1
outgoing connection esp0x202
incoming connection esp0x203
Both connections use ESP with 3DES encryption and MD5 authentication.
The routing is:
11.0.0.0 via eth1 and the Internet
11.0.1.0 via ipsec0 which encrypts and then sends to 11.0.0.1
This routes all traffic to the protected network 11.0.1.0/24 through an IPSEC tunnel to the gateway 11.0.0.1.
If that works, test whether Sunrise can ping Sunset and vice versa. Our example setup again is:
Sunset==========West------------------East=========Sunrise
local net untrusted net local net
There is no point in testing to or from the gateways themselves; the goal is to secure traffic between the subnets, not between the security gateways themselves.
In general, pings or other tests using the public interfaces of East and/or West are entirely useless. The IPSEC tunnel is for packets between the two protected subnets and the outside interfaces are not on those subnets. Depending on your routing configuration, test packets sent via those interfaces will be:
In either case, they tell you nothing about the tunnel .
Sometimes it will be inconvenient to use the client machines (Sunrise and Sunset in our example) for testing. In these cases, use a command such as:
traceroute -i eth0 -f 20 192.168.7.1
where each of the interfaces specified (eth0 and 192.168.7.1 in the example) are on one of the protected subnets, eth0 being the local gateway's interface on that side and 192.168.7.1 the remote gateway's subnet interface. This forces the packets through the IPSEC tunnel you want to test.
For information on setting things up so that gateways can do IPSEC to each other or to remote subnets, see below .
If you have other software set up, test with it as well. Telnet from Sunrise to Sunset, browse a web server on the remote net and so on.
To verify that all is working, run tcpdump(8) on a machine which can listen to the traffic between the gateways.
This is most easily done from a third machine, rather than from one of the gateways. On the gateways you may see packets at intermediate stages of processing and the result may be confusing.
If the results make no sense at all, or you see "bad physical medium" error messages, you probably have an outdated version of tcpdump(8) that does not handle IPSEC at all. See our FAQ.
The packets should, except for some of the header information, be utterly unintelligible. The output of good encryption looks exactly like random noise.
You can put recognizable data in the ping packets with something like:
ping -p feedfacedeadbeef 11.0.1.1
"feedfacedeadbeef" is a legal hexadecimal pattern that is easy to pick out of hex dumps.
For many other protocols, you need to check if you have encrypted data or ASCII text. Encrypted data has approximately equal frequencies for all 256 possible characters. ASCII text has most characters in the printable range 0x20-0x7f, a few control characters less than 0x20, and none at all in the range 0x80-0xff.
0x20, space, is a good character to look for. In normal English text space occurs about once in seven characters, versus about once in 256 for random or encrypted data. You can put long sequences of spaces in your data and look for 0x20202020 in output, but this is not usually necessary.
If packets look like total garbage, nothing recognizable, all is well.
Note that to shut down a connection, you must do:
ipsec auto --down name
on both gateway machines, even though you only start it from one.
Again, you can verify with the same commands.
Repeat the ping test. Repeat the tcpdump test.
If everything succeeds, congratulations.
You now have a working Linux FreeS/WAN installation.
At this point you should have a working FreeS/WAN setup. If not, you could go back and doublecheck various things above or try:
If all is well so far, you could continue with this section to explore other ways to configure FreeS/WAN connections or branch out to:
Of course you might just go off for a beverage or meal at this point as well.
The rest of this section describes various less-used options for FreeS/WAN.
The first major decision you need to make before configuring additional connections is what type or types of connections you will use. There are several options, and you can use more than one concurrently.
IPSEC allows two types of connections, with manual or automatic keying. FreeS/WAN starts them with commands such as:
ipsec manual --start name
ipsec auto --up name
The difference is in how they are keyed.
Manually keyed connections provide weaker security than automatically keyed connections. An opponent who gets a key gets all data encrypted by it. We discuss using manual keying in production below, but this is not recommended except in special circumstances, such as needing to communicate with some implementation that offers no auto-keyed mode compatible with FreeS/WAN. Manual keying is useful for testing.
With automatically-(re)-keyed connections, the keys change often so an opponent who gets one key does not get a large amount of data. An opponent who gets a shared secret, or your private key if public key authentication is used, does not automatically gain access to any encryption keys or any data. Once your authentication mechanism has been subverted you have no way to prevent the attacker getting keys and data, but the attacker still has to work for them.
The IKE protocol which Pluto uses to negotiate connections between gateways must use some form of authentication of peers. A gateway must know who it is talking to before it can create a secure connection. We currently support two methods for this authentication:
See our links section for information on user-contributed patches which provide a third mechanism:
As a long-term goal, FreeS/WAN plans to support distribution of public keys for authentication via secure DNS. This would allow us to support opportunistic encryption . Any two FreeS/WAN gateways could provide secure communication, without either of them having any preset information about the other.
This is not implemented in this release.
Authentication with a public key method such as RSA has some important advantages over using shared secrets.
If the branch offices need to talk to each other, this becomes
problematic. You need another
For larger numbers of branches, the number of connections and secrets increases quadratically and managing them becomes a nightmare. A 1000-gateway fully connected network needs 499,500 secrets, each known to exactly two players. There are ways to reduce this problem, for example by introducing a central key server, but these involve additional communication overheads, more administrative work, and new threats that must be carefully guarded against.
As network size increaes, the number of public keys used increases linearly with the number of nodes. This still requires careful administration in large applications, but is nothing like the disaster of a quadratic increase. On a 1000-gateway network, you have 1000 private keys, each of which must be kept secure on one machine, and 1000 public keys which must be distributed. This is not a trivial problem, but it is manageable.
There is also a disadvantage:
This is partly counterbalanced by the fact that the key is never transmitted and remains under your control at all times. It is likely necessary, however, to take account of this in setting security policy. For example, you should change gateway keys when an administrator leaves the company, and should change them periodically in any case.
Overall, public key methods are more secure, more easily managed and more flexible. We recommend that they be used for all connections, unless there is a compelling reason to do otherwise.
Generally, public key methods are preferred for reasons given above, but shared secrets can be used with no loss of security, just more work and perhaps more need to take precautions.
If shared secrets are to be used to authenticate communication for the Diffie-Hellman key exchange in the IKE protocol, then those secrets must be stored in /etc/ipsec.secrets. For details, see the ipsec.secrets(5) man page.
A few considerations are vital:
Each line has the IP addresses of the two gateways plus the secret. It should look something like this:
10.0.0.1 11.0.0.1 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"
PSK indicates the use of a pre-s hared key. The quotes and the whitespace shown are required.
You can use any character string as your secret. For security, it should be both long and extremely hard to guess. We provide a utility to generate such strings, ipsec_ranbits(8).
You want the same secret on the two gateways used, so you create a line with that secret and the two gateway IP addresses. The installation process supplies an example secret, useful only for testing. You must change it for production use.
You must deliver this file, or the relevant part of it, to the other gateway machine by some secure means. Don't just FTP or mail the file! It is vital that the secrets in it remain secret. An attacker who knew those could easily have all the data on your "secure" connection.
This file must be owned by root and should have permissions rw-------.
You can use a shared secret to support a single road warrior connecting to your gateway, and this is a reasonable thing to do in some circumstances. Public key methods have advantages, discussed above, but they are not critical in this case.
To do this, the line in ipsec.secrets(5) is something like:
10.0.0.1 0.0.0.0 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"
where the 0.0.0.0 means that any IP address is acceptable.
For more than one road warrior, shared secrets are not recommended. If shared secrets are used, then when the responder needs to look up the secret, all it knows about the sender is an IP address. This is fine if the sender is at a fixed IP address specified in the config file. It is also fine if only one road warrior uses the wildcard 0.0.0.0 address. However, if you have more than one road warrior using shared secret authentication, then they must all use that wildcard and therefore all road warriors using PSK autentication must use the same secret. Obviously, this is insecure.
For multiple road warriors, use public key authentication. Each roadwarrior can then have its own identity (our leftid= or rightid= parameters), its own public/private key pair, and its own secure connection.
Generally, automatic keying is preferred over manual keying for production use because it is both easier to manage and more secure. Automatic keying frees the admin from much of the burden of managing keys securely, and can provide perfect forward secrecy.
However, it is possible to use manual keying in production if that is what you want to do. This might be necessary, for example, in order to interoperate with some device that either does not provide automatic keying or provides it in some version we cannot talk to.
Note that with manual keying all security rests with the keys. If an adversary acquires your keys, you've had it. He or she can read everything ever sent with those keys, including old messages he or she may have archived. You need to be really paranoid about keys if you're going to rely on manual keying for anything important.
Linux FreeS/WAN provides some facilities to help with this. In particular, it is good policy to keep keys in separate files so you can edit configuration information in /etc/ipsec.conf without exposing keys to "shoulder surfers" or network snoops. We support this with the also= and include syntax in ipsec.conf(5).
See the last example in our examples file. In the /etc/ipsec.conf conn samplesep section, it has the line:
also=samplesep-keys
which tells the "ipsec manual" script to insert the configuration description labelled "samplesep-keys" if it can find it. The /etc/ipsec.conf file must also have a line such as:
include ipsec.*.conf
which tells it to read other files. One of those other files then might contain the additional data:
conn samplesep-keys spi=0x200 esp=3des-md5-96 espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0 espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
The first line matches the label in the "also=" line, so the indented lines are inserted. The net effect is exactly as if the inserted lines had occurred in the original file in place of the "also=" line.
Variables set here are:
Note that the example keys we supply are intended only for testing. For real use, you should go to automatic keying. If that is not possible, create your own keys for manual mode and keep them secret
Of course, any files containing keys must have 600 permissions and be owned by root.
If you connect in this way to multiple sites, we recommend that you keep keys for each site in a separate file and adopt some naming convention that lets you pick them all up with a single "include" line. This minimizes the risk of losing several keys to one error or attack and of accidentally giving another site admin keys which he or she has no business knowing.
Also note that if you have multiple manually keyed connections on a single machine, then the spi parameter must be different for each one. Any 3-digit hex number is OK, provided they are different for each connection. We reserve the range 0x100 to 0xfff for manual connections. Pluto assigns SPIs from 0x1000 up for automatically keyed connections.
If ipsec.conf(5) contains keys for manual mode connections, then it too must have permissions rw-------. We recommend instead that, if you must manual keying in production, you keep the keys in separate files.
Note also that ipsec.conf is installed with permissions rw-r--r--. If you plan to use manually keyed connections for anything more than initial testing, you must:
We recommend the latter method for all but the simplest configurations.
You can create new random keys with the ranbits(8) utility. For example, the commands:
umask 177
ipsec ranbits 192 > temp
ipsec ranbits 128 >> temp
create keys in the sizes needed for our default algorithms:
If you want to use SHA instead of MD5, that requires a 160-bit key
Note that any temporary files used must be kept secure since they contain keys. That is the reason for the umask command above. The temporary file should be deleted as soon as you are done with it. You may also want to change the umask back to its default value after you are finished working on keys.
The ranbits utility may pause for a few seconds if not enough entropy is available immediately. See ipsec_ranbits(8) and random(4) for details. You may wish to provide some activity to feed entropy into the system. For example, you might move the mouse around, type random characters, or do du /usr > /dev/null in the background.
You can tell the system to set up connections automatically at boot time by putting suitable stuff in /etc/ipsec.conf on both systems. The relevant section of the file is labelled by a line reading config setup.
Details can be found in the ipsec.conf(5) man page. We also provide a file of example configurations.
The most likely options are something like:
Note that for PPP, you give the ppp[0-9] device name here, not the underlying device such as modem (or eth1 if you are using PPPoE).
Note that Pluto does not currently pay attention to this variable. The variable controls setup messages only.
"yes" is strongly recommended for production use so that the keying daemon (Pluto) will automatically re-key the connections regularly. The ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow give you control over frequency of rekeying.
If plutoload is "%search", Pluto will load any connections whose description includes "auto=add" or "auto=start".
If plutostart is "%search", Pluto will start any connections whose description includes "auto=start".
Note that, for a connection intended to be permanent, both gateways should be set try to start the tunnel. This allows quick recovery if either gateway is rebooted or has its IPSEC restarted. If only one gateway is set to start the tunnel and the other gateway restarts, the tunnel may not be rebuilt.
The example assumes you are at the Reno office and will use IPSEC to Vancouver, New York City and Amsterdam.
Consider a pair of subnets, each with a security gateway, connected via the Internet:
192.168.100.0/24 left subnet
|
192.168.100.1
North Gateway
101.101.101.101 left
|
101.101.101.1 left next hop
[Internet]
202.202.202.1 right next hop
|
202.202.202.202 right
South gateway
192.168.200.1
|
192.168.200.0/24 right subnet
A tunnel specification such as:
conn northnet-southnet
left=101.101.101.101
leftnexthop=101.101.101.1
leftsubnet=192.168.100.0/24
leftfirewall=yes
right=202.202.202.202
rightnexthop=202.202.202.1
rightsubnet=192.168.200.0/24
rightfirewall=yes
will allow machines on the two subnets to talk to each other. You
might test this by pinging from polarbear (192.168.100.7) to penguin
(192.168.200.5).
However, this does not cover other traffic you might want to secure. To handle all the possibilities, you might also want these connection descriptions:
conn northgate-southnet
left=101.101.101.101
leftnexthop=101.101.101.1
right=202.202.202.202
rightnexthop=202.202.202.1
rightsubnet=192.168.200.0/24
rightfirewall=yes
conn northnet-southgate
left=101.101.101.101
leftnexthop=101.101.101.1
leftsubnet=192.168.100.0/24
leftfirewall=yes
right=202.202.202.202
rightnexthop=202.202.202.1
Without these, neither gateway can do IPSEC to the remote subnet. There is no IPSEC tunnel or eroute set up for the traffic.
In our example, with the non-routable 192.168.* addresses used, packets would simply be discarded. In a different configuration, with routable addresses for the remote subnet, they would be sent unencrypted since there would be no IPSEC eroute and there would be a normal IP route.
You might also want:
conn northgate-southgate
left=101.101.101.101
leftnexthop=101.101.101.1
right=202.202.202.202
rightnexthop=202.202.202.1
This is required if you want the two gateways to speak IPSEC to each other.
This requires a lot of duplication of details. Judicious use of also= and include can reduce this problem.
Note that, while FreeS/WAN supports all four tunnel types, not all implementations do. In particular, some versions of Windows 2000 and the freely downloadable version of PGP provide only "client" functionality. You cannot use them as gateways with a subnet behind them. To get that functionality, you must upgrade to Windows 2000 server or the commercially available PGP products.
Subject: Re: linux-ipsec: IPSec packets not entering tunnel? Date: Mon, 20 Nov 2000 From: Justin Guyett <jfg@sonicity.com> On Mon, 20 Nov 2000, Claudia Schmeing wrote: > Right Left > "home" "office" > 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24 > > I've created all four tunnels, and can ping to test each of them, > *except* homegate-officenet. I keep wondering why people create all four tunnels. Why not route traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2? And 99% of the time you don't need to access "office" directly, which means you can eliminate all but the subnet<->subnet connection.and FreeS/WAN technical lead Henry Spencer's comment:
> I keep wondering why people create all four tunnels. Why not route > traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2? This is feasible, given some iproute2 attention to source addresses, but it isn't something we've documented yet... (partly because we're still making some attempt to support 2.0.xx kernels, which can't do this, but mostly because we haven't caught up with it yet). > And 99% of the time you don't need to access "office" directly, which > means you can eliminate all but the subnet<->subnet connection. Correct in principle, but people will keep trying to ping to or from the gateways during testing, and sometimes they want to run services on the gateway machines too.
FreeS/WAN allows a single gateway machine to build tunnels to many others. There may, however, be some problems for large numbers as indicated in this message from the mailing list:
Subject: Re: Maximum number of ipsec tunnels? Date: Tue, 18 Apr 2000 From: "John S. Denker" <jsd@research.att.com> Christopher Ferris wrote: >> What are the maximum number ipsec tunnels FreeS/WAN can handle?? Henry Spencer wrote: >There is no particular limit. Some of the setup procedures currently >scale poorly to large numbers of connections, but there are (clumsy) >workarounds for that now, and proper fixes are coming. 1) "Large" numbers means anything over 50 or so. I routinely run boxes with about 200 tunnels. Once you get more than 50 or so, you need to worry about several scalability issues: a) You need to put a "-" sign in syslogd.conf, and rotate the logs daily not weekly. b) Processor load per tunnel is small unless the tunnel is not up, in which case a new half-key gets generated every 90 seconds, which can add up if you've got a lot of down tunnels. c) There's other bits of lore you need when running a large number of tunnels. For instance, systematically keeping the .conf file free of conflicts requires tools that aren't shipped with the standard freeswan package. d) The pluto startup behavior is quadratic. With 200 tunnels, this eats up several minutes at every restart. I'm told fixes are coming soon. 2) Other than item (1b), the CPU load depends mainly on the size of the pipe attached, not on the number of tunnels.
It is worth noting that item (1b) applies only to repeated attempts to re-key a data connection (IPSEC SA, Phase 2) over an established keying connection (ISAKMP SA, Phase 1). There are two ways to reduce this overhead using settings in ipsec.conf(5):
The overheads for establishing keying connections (ISAKMP SAs, Phase 1) are lower because for these Pluto does not perform expensive operations before receiving a reply from the peer.
What we call extruded subnets are a special case of VPNs.
If your buddy has some unused IP addresses, in his subnet far off at the other side of the Internet, he can loan them to you... provided that the connection between you and him is fast enough to carry all the traffic between your machines and the rest of the Internet. In effect, he "extrudes" a part of his address space over the network to you, with your Internet traffic appearing to originate from behind his Internet gateway.
Suppose your friend has a.b.c.0/24 and wants to give you a.b.c.240/28. The initial situation is:
subnet gateway Internet a.b.c.0/24 a.b.c.1 p.q.r.swhere anything from the Internet destined for any machine in a.b.c.0/24 is routed via p.q.r.s and that gateway knows what to do from there.
Of course it is quite normal for various smaller subnets to exist behind your friend's gateway. For example, your friend's company might have a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The Internet neither knows not cares about this; it just delivers packets to the p.q.r.s and lets the gateway do whatever needs to be done from there.
What we want to do is take a subnet, perhaps a.b.c.240/28, out of your friend's physical location while still having your friend's gateway route to it. As far as the Internet is concerned, you remain behind that gateway.
subnet gateway Internet your gate extruded
a.b.c.0/24 a.b.c.1 p.q.r.s d.e.f.g a.b.c.240/28
========== tunnel ==========
The extruded addresses have to be a complete subnet.
In our example, the friend's security gateway is also his Internet gateway, but this is not necessary. As long as all traffic from the Internet to his addresses passes through the Internet gate, the security gate could be a machine behind that. The IG would need to route all traffic for the extruded subnet to the SG, and the SG could handle the rest.
First, configure your subnet using the extruded addresses. Your security gateway's interface to your subnet needs to have an extruded address (possibly using a Linux virtual interface , if it also has to have a different address). Your gateway needs to have a route to the extruded subnet, pointing to that interface. The other machines at your site need to have addresses in that subnet, and default routes pointing to your gateway.
If any of your friend's machines need to talk to the extruded subnet, they need to have a route for the extruded subnet, pointing at his gateway.
Then set up an IPSEC subnet-to-subnet tunnel between your gateway and his, with your subnet specified as the extruded subnet, and his subnet specified as "0.0.0.0/0". Do it with manual keying first for testing, and then with automatic keying for production use.
The tunnel description should be:
conn extruded
left=p.q.r.s
leftsubnet=0.0.0.0/0
right=d.e.f.g
rightsubnet=a.b.c.0/28
If either side was doing firewalling for the extruded subnet before the IPSEC connection is set up, ipsec_manual and ipsec_auto need to know about that (via the {left|right}firewall parameters) so that it can be overridden for the duration of the connection.
And it all just works. Your SG routes traffic for 0.0.0.0/0 -- that is, the whole Internet -- through the tunnel to his SG, which then sends it onward as if it came from his subnet. When traffic for the extruded subnet arrives at his SG, it gets sent through the tunnel to your SG, which passes it to the right machine.
Remember that when ipsec_manual or ipsec_auto takes a connection down, it does not undo the route it made for that connection. This lets you take a connection down and bring up a new one, or a modified version of the old one, without having to rebuild the route it uses and without any risk of packets which should use IPSEC accidentally going out in the clear. Because the route always points into KLIPS, the packets will always go there. Because KLIPS temporarily has no idea what to do with them (no eroute for them), they will be discarded.
If you do want to take the route down, this is what the "unroute" operation in manual and auto is for. Just do an unroute after doing the down.
Note that the route for a connection may have replaced an existing non-IPSEC route. Nothing in Linux FreeS/WAN will put that pre-IPSEC route back. If you need it back, you have to create it with the route command.
Here is a mailing list message about another way to configure for road warrior support:
Subject: Re: linux-ipsec: understanding the vpn
Date: Thu, 28 Oct 1999 10:43:22 -0400
From: Irving Reid <irving@nevex.com>
> local-------linux------internet------mobile
> LAN box user
> ...
> now when the mobile user connects to the linux box
> it is given a virtual IP address, i have configured it to
> be in the 10.x.x.x range. mobile user and linux box
> have a tunnel between them with these IP addresses.
> Uptil this all is fine.
If it is possible to configure your mobile client software *not* to
use a virtual IP address, that will make your life easier. It is easier
to configure FreeS/WAN to use the actual address the mobile user gets
from its ISP.
Unfortunately, some Windows clients don't let you choose.
> what i would like to know is that how does the mobile
> user communicate with other computers on the local
> LAN , of course with the vpn ?
> what IP address should the local LAN
> computers have ? I guess their default gateway
> should be the linux box ? and does the linux box need
> to be a 2 NIC card box or one is fine.
As someone else stated, yes, the Linux box would usually be the default
IP gateway for the local lan.
However...
If you mobile user has software that *must* use a virtual IP address,
the whole picture changes. Nobody has put much effort into getting
FreeS/WAN to play well in this environment, but here's a sketch of one
approach:
Local Lan 1.0.0.0/24
|
+- Linux FreeS/WAN 1.0.0.2
|
| 1.0.0.1
Router
| 2.0.0.1
|
Internet
|
| 3.0.0.1
Mobile User
Virtual Address: 1.0.0.3
Note that the Local Lan network (1.0.0.x) can be registered, routable
addresses.
Now, the Mobile User sets up an IPSec security association with the
Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
negotiation, which needs to work outside of the IPSec tunnel.
On the Linux side, there's a bunch of stuff you need to do by hand (for
now). FreeS/WAN should correctly handle setting up the IPSec SA and
routes, but I haven't tested it so this may not work...
The FreeS/WAN conn should look like:
conn mobile
right=1.0.0.2
rightsubnet=1.0.0.0/24
rightnexthop=1.0.0.1
left=0.0.0.0 # The infamous "road warrior"
leftsubnet=1.0.0.3/32
Note that the left subnet contains *only* the remote host's virtual
address.
Hopefully the routing table on the FreeS/WAN box ends up looking like
this:
% netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
1.0.0.0 0.0.0.0 255.255.255.0 U 1500 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 3584 0 0 lo
0.0.0.0 1.0.0.1 0.0.0.0 UG 1500 0 0 eth0
1.0.0.3 1.0.0.1 255.255.255.255 UG 1433 0 0 ipsec0
So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
get bundled up and sent through the tunnel. To get the packets for
1.0.0.3 to the Linux box in the first place, you need to use "proxy
ARP".
How this works is: when a host or router on the local Ethernet segment
wants to send a packet to 1.0.0.3, it sends out an Ethernet level
broadcast "ARP request". If 1.0.0.3 was on the local LAN, it would
reply, saying "send IP packets for 1.0.0.3 to my Ethernet address".
Instead, you need to set up the Linux box so that _it_ answers ARP
requests for 1.0.0.3, even though that isn't its IP address. That
convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
box, where the usual FreeS/WAN processing and routing take over.
% arp -i eth0 -s 1.0.0.3 -D eth0 pub
This says, if you see an ARP request on interface eth0 asking for
1.0.0.3, respond with the Ethernet address of interface eth0.
Now, as I said at the very beginning, if it is *at all* possible to
configure your client *not* to use the virtual IP address, you can avoid
this whole mess.
Sometimes you have to cope with a situation where the network interface(s) aren't all there at boot. The common example is notebooks with PCMCIA.
The key issue here is that the config setup section of the /etc/ipsec.conf configuration file lists the connection between ipsecN and hardware interfaces, in the interfaces= variable. At any time when ipsec setup start or ipsec setup restart is run this variable must correspond to the current real situation. More precisely, it must not mention any hardware interfaces which don't currently exist. The difficulty is that an ipsec setup start command is normally run at boot time so interfaces that are not up then are mis-handled.
Normally, an ipsec setup start is run at boot time. However, if the hardware situation at boot time is uncertain, one of two things must be done.
chkconfig --level 2345 ipsec offThat's for modern Red Hats or other Linuxes with chkconfig. Systems which lack this will require fiddling with symlinks in /etc/rc.d/rc?.d or the equivalent.
interfaces=
in the configuration file. KLIPS and Pluto will be started, but won't
do anything.
When the hardware *is* in place, IPSEC has to be made aware of it. Someday there may be a nice way to do this.
Right now, the way to do it is to fix the /etc/ipsec.conf file appropriately, so interfaces reflects the new situation, and then restart the IPSEC subsystem. This does break any existing IPSEC connections.
If IPSEC wasn't brought up at boot time, do
ipsec setup startwhile if it was, do
ipsec setup restartwhich won't be as quick.
If some of the hardware is to be taken out, before doing that, amend the configuration file so interfaces no longer includes it, and do
ipsec setup restart
Again, this breaks any existing connections.
Sometimes you might want to create a tunnel without encryption. Often this is a bad idea, even if you have some data which need not be private. See this discussion.
The IPSEC protocols provide two ways to do build such tunnels:
There are several ways to handle this.
Note that if Alice and Bob want end-to-end security, they must build a tunnel end-to-end between their machines or use some other end-to-end tool such as PGP or SSL that suits their data. The only question is whether the admins build some special unencrypted tunnel for those already-encrypted packets.
The various components of Linux FreeS/WAN are of course documented in standard Unix manual pages, accessible via the man(1) command.
Links here take you to an HTML version of the man pages.
These files are also discussed in the configuration section.
Many users will never give most of the FreeS/WAN commands directly. Configure the files listed above correctly and everything should be automatic.
One exception is:
Note that:
The following commands are fairly likely to be used, if only for testing and status checks:
The lower-level utilities listed below are normally invoked via scripts listed above, but they can also be used directly when required.
FreeS/WAN, or other IPSEC implementations, frequently run on gateway machines, the same machines running firewall or packet filtering code. This document discusses the relation between the two.
IPSEC uses three main types of packet:
All of those packets should have appropriate IPSEC gateway addresses in both the to and from IP header fields. Firewall rules can check this if you wish, though it is not strictly necessary. This is discussed in more detail later.
IPSEC processing of incoming packets authenticates them then removes the ESP or AH header and decrypts if necessary. Successful processing exposes an inner packet which is then delivered back to the firewall machinery, marked as having arrived on an ipsec[0-3] interface. Firewall rules can use that interface label to distinguish these packets from unencrypted packets which are labelled with the physical interface they arrived on (or perhaps with a non-IPSEC virtual interface such as ppp0).
One of our users sent a mailing list message with a diagram of the packet flow.
Some protocols, such as TCP and UDP, have the notion of ports. Others protocols, including ESP and AH, do not. Quite a few IPSEC newcomers have become confused on this point. There are no ports in the ESP or AH protocols, and no ports used for them. For these protocols, the idea of ports is completely irrelevant.
The protocol numbers for ESP or AH are used in the 'next header' field of the IP header. On most non-IPSEC packets, that field would have one of:
Each header in the sequence tells what the next header will be. IPSEC adds headers for ESP or AH near the beginning of the sequence. The original headers are kept and the 'next header' fields adjusted so that all headers can be correctly interpreted.
For example, using [ ] to indicate data protected by ESP and unintelligible to an eavesdropper between the gateways:
Part of the ESP header itself is encrypted, which is why the [ indicating protected data appears in the middle of some lines above. The next header field of the ESP header is protected. This makes traffic analysis more difficult. The next header field would tell an eavesdropper whether your packet was UDP to the gateway, TCP to the gateway, or encapsulated IP. It is better not to give this information away. A clever attacker may deduce some of it from the pattern of packet sizes and timings, but we need not make it easy.
IPSEC allows various combinations of these to match local policies, including combinations that use both AH and ESP headers or that nest multiple copies of these headers.
For example, suppose my employer has an IPSEC VPN running between two offices so all packets travelling between the gateways for those offices are encrypted. If gateway policies allow it (The admins could block UDP 500 and protocols 50 and 51 to disallow it), I can build an IPSEC tunnel from my desktop to a machine in some remote office. Those packets will have one ESP header throughout their life, for my end-to-end tunnel. For part of the route, however, they will also have another ESP layer for the corporate VPN's encapsulation. The whole header scheme for a packet on the Internet might be:
The first ESP (outermost) header is for the corporate VPN. The inner ESP header is for the secure machine-to-machine link.
As a consequence of the above, an IPSEC gateway should have packet filters that allow the following protocols when talking to other IPSEC gateways:
Your gateway and the other IPSEC gateways it communicates with must be able to exchange these packets for IPSEC to work. Firewall rules must allow UDP 500 and at least one of AH or ESP on the interface that communicates with the other gateway.
The preceeding paragraph deals with packets addressed to or sent from your gateway. It is a separate policy decision whether to permit such packets to pass through the gateway so that client machines can build end-to-end IPSEC tunnels of their own. This may not be practical if you are using NAT (IP masquerade) on your gateway, and may conflict with some corporate security policies. Other than that, it is likely a good idea.
It is possible to use firewall rules to restrict UDP 500, ESP and AH packets so that these packets are accepted only from known gateways. This is not strictly necessary since FreeS/WAN will discard packets from unknown gateways. You might, however, want to do it for any of a number of reasons. For example:
It is not possible to use only static firewall rules for this filtering if you do not know the other gateways' IP addresses in advance, for example if you have "road warriors" who may connect from a different address each time or if want to do opportunistic encryption to arbitrary gateways. In these cases, you can accept UDP 500 IKE packets from anywhere, then use the updown script feature of pluto(8) to dynamically adjust firewalling for each negotiated tunnel.
Firewall packet filtering does not much reduce the risk of a denial of service attack on FreeS/WAN. The firewall can drop packets from unknown gateways, but KLIPS does that quite efficiently anyway, so you gain little. The firewall cannot drop otherwise legitmate packets that fail KLIPS authentication, so it cannot protect against an attack designed to exhaust resources by making FreeS/WAN perform many expensive authentication operations.
In summary, firewall filtering of IPSEC packets from unknown gateways is possible but not strictly necessary.
When the IPSEC gateway is also acting as your firewall, other packet filtering rules will be in play. In general, those are outside the scope of this document. See our Linux firewall links for information. There are a few types of packet, however, which can affect the operation of FreeS/WAN or of diagnostic tools commonly used with it. These are discussed below.
ICMP is the Internet C ontrol Message Protocol. It is used for messages between IP implementations themselves, whereas IP used is used between the clients of those implementations. ICMP is, unsurprisingly, used for control messages. For example, it is used to notify a sender that a desination is not reachable, or to tell a router to reroute certain packets elsewhere.
ICMP handling is tricky for firewalls.
ICMP does not use ports. Messages are distinguished by a "message type" field and, for some types, by an additional "code" field. The definitive list of types and codes is on the IANA site.
One expert uses this definition for ICMP message types to be dropped at the firewall.
# ICMP types which lack socially redeeming value. # 5 Redirect # 9 Router Advertisement # 10 Router Selection # 15 Information Request # 16 Information Reply # 17 Address Mask Request # 18 Address Mask Reply badicmp='5 9 10 15 16 17 18'
A more conservative approach would be to make a list of allowed types and drop everything else.
Whichever way you do it, your ICMP filtering rules on a FreeS/WAN gateway should allow at least the following ICMP packet types:
It is fairly common for firewalls to drop ICMP echo packets addressed to machines behind the firewall. If that is your policy, please create an exception for such packets arriving via an IPSEC tunnel, at least during intial testing of those tunnels.
The traceroute(1) utility uses UDP port numbers from 33434 to approximately 33633. Generally, these should be allowed through for troubleshooting.
Some firewalls drop these packets to prevent outsiders exploring the protected network with traceroute(1). If that is your policy, consider creating an exception for such packets arriving via an IPSEC tunnel, at least during intial testing of those tunnels.
For this to work, you must allow UDP protocol 1701 packets coming out of your tunnels to continue to their destination. You can, and probably should, block such packets to or from your external interfaces, but allow them from ipsec0.
See also our Windows 2000 interoperation discussion .
Network Address Translation, also known as IP masquerading, is a method of allocating IP addresses dynamically, typically in circumstances where the total number of machines which need to access the Internet exceeds the supply of IP addresses.
Any attempt to perform NAT operations on IPSEC packets between the IPSEC gateways creates a basic conflict:
For IKE and ESP it is not necessarily fatal, but is certainly an unwelcome complication.
This problem can be avoided by having the masquerading take place on or behind the IPSEC gateway.
This can be done physically with two machines, one physically behind the other. A picture, using SG to indicate IPSEC S ecurity Gateways, is:
clients --- NAT ----- SG ---------- SG
two machines
In this configuration, the actual client addresses need not be given in the leftsubnet= parameter of the FreeS/WAN connection description. The security gateway just delivers packets to the NAT box; it needs only that machine's address. What that machine does with them does not affect FreeS/WAN.
A more common setup has one machine performing both functions:
clients ----- NAT/SG ---------------SG
one machine
Here you have a choice of techniques depending on whether you want to
make your client subnet visible to clients on the other end:
In this case, no masquerading is done. Packets to or from the client subnet are encrypted or decrypted without any change to their client subnet addresses, although of course the encapsulating packets use gateway addresses in their headers. Clients behind the right security gateway see a route via that gateway to the left subnet.
We recommend not trying to build IPSEC connections which pass through a NAT machine. This setup poses problems:
clients --- SG --- NAT ---------- SG
If you must try it, some references are:
The ipsec.conf configuration file has three pairs of parameters used to specify an interface between FreeS/WAN and firewalling code.
Note that using these is not required if you have a static firewall setup. In that case, you just set your firewall up at boot time (in a way that permits the IPSEC connections you want) and do not change it thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN will not attempt to adjust firewall rules at all. See below for some information on appropriate scripts.
However, if you want your firewall rules to change when IPSEC connections change, then you need to use these parameters.
One pair of parmeters are set in the config setup section of the ipsec.conf(5) file and affect all connections:
They can also be used in other ways. For example, you might have prepluto add a module to your kernel for the secure network interface or make a dialup connection, and then have postpluto remove the module or take the connection down.
The other parameters are set in connection descriptions. They can be set in individual connection descriptions, and could even call different scripts for each connection for maximum flexibility. In most applications, however, it makes sense to use only one script and to call it from conn %default section so that it applies to all connections.
You can either set [left|right]firewall=yes to use our supplied default script or assign a name in a [left|right]updown= line to use your own script.
For details of when Pluto calls these scripts, what arguments it passes to them, and what the default script does with those arguments, see the ipsec_pluto(8) man page.
Note that only one of these should be used. You cannot sensibly use both.
In developing your own script, you can of course use our scripts (either the default _updown or the ipchains-based example given below) as a starting point. Note, however, that you should not modify our _updown script in place. If you did that, then upgraded FreeS/WAN, the upgrade would install a new default script, overwriting your changes.
Our _updown is for firewalls using ipfwadm(8) . If you are using the more recent package ipchains(8), you must do one of:
We provide an example script for use with ipchains(8) below.
Here are some mailing list comments from pluto(8) developer Hugh Redelmeier on an earlier draft of this document:
There are many important things left out
- firewalling is important but must reflect (implement) policy. Since
policy isn't the same for all our customers, and we're not experts,
we should concentrate on FW and MASQ interactions with FreeS/WAN.
- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
IKE, IPsec, FW, and MASQ are all done on that machine. The flow is
obvious if the components are run on different machines (trace the
cables).
IKE input:
+ packet appears on public IF, as UDP port 500
+ input firewalling rules are applied (may discard)
+ Pluto sees the packet.
IKE output:
+ Pluto generates the packet & writes to public IF, UDP port 500
+ output firewalling rules are applied (may discard)
+ packet sent out public IF
IPsec input, with encapsulated packet, outer destination of this host:
+ packet appears on public IF, protocol 50 or 51. If this
packet is the result of decapsulation, it will appear
instead on the paired ipsec IF.
+ input firewalling rules are applied (but packet is opaque)
+ KLIPS decapsulates it, writes result to paired ipsec IF
+ input firewalling rules are applied to resulting packet
as input on ipsec IF
+ if the destination of the packet is this machine, the
packet is passed on to the appropriate protocol handler.
If the original packet was encapsulated more than once
and the new outer destination is this machine, that
handler will be KLIPS.
+ otherwise:
* routing is done for the resulting packet. This may well
direct it into KLIPS for encoding or encrypting. What
happens then is described elsewhere.
* forwarding firewalling rules are applied
* output firewalling rules are applied
* the packet is sent where routing specified
IPsec input, with encapsulated packet, outer destination of another host:
+ packet appears on some IF, protocol 50 or 51
+ input firewalling rules are applied (but packet is opaque)
+ routing selects where to send the packet
+ forwarding firewalling rules are applied (but packet is opaque)
+ packet forwarded, still encapsulated
IPsec output, from this host or from a client:
+ if from a client, input firewalling rules are applied as the
packet arrives on the private IF
+ routing directs the packet to an ipsec IF (this is how the
system decides KLIPS processing is required)
+ if from a client, forwarding firewalling rules are applied
+ KLIPS eroute mechanism matches the source and destination
to registered eroutes, yielding a SPI group. This dictates
processing, and where the resulting packet is to be sent
(the destinations SG and the nexthop).
+ output firewalling is not applied to the resulting
encapsulated packet
- Until quite recently, KLIPS would double encapsulate packets that
didn't strictly need to be. Firewalling should be prepared for
those packets showing up as ESP and AH protocol input packets on
an ipsec IF.
- MASQ processing seems to be done as if it were part of the
forwarding firewall processing (this should be verified).
- If a firewall is being used, it is likely the case that it needs to
be adjusted whenever IPsec SAs are added or removed. Pluto invokes
a script to do this (and to adjust routing) at suitable times. The
default script is only suitable for ipfwadm-managed firewalls. Under
LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
but ipchains more powerful if manipulated using the ipchains command.
In this case, a custom updown script must be used.
We think that the flexibility of ipchains precludes us supplying an
updown script that would be widely appropriate.
We do provide a sample script in the next section. It is essentially a
transliteration of the version we supply for ipfwadm. Because it
doesn't process the command line argument, it cannot be directly
subsituted -- it won't support the semantics of *firewall=no. It can be
used in [left|right]updown=.
Here is an example updown script for use with ipchains. It is intended to be called via an updown= statement in ipsec.conf.
#! /bin/sh
# sample updown script for ipchains
# Copyright (C) 2000 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See .
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: firewall.html,v 1.20 2001/06/12 05:14:54 sandy Exp $
# check interface version
case "$PLUTO_VERSION" in
1.0) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >2 exit 2
;;
esac
# check parameter(s)
case "$*" in
'') ;;
*) echo "$0: parameters unexpected" >2 exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
uproute() {
route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
# the big choice
case "$PLUTO_VERB" in
prepare-host|prepare-client)
# delete possibly-existing route (preliminary to adding a route)
oops="`route del -net $PLUTO_PEER_CLIENT_NET \
netmask $PLUTO_PEER_CLIENT_MASK 2>1"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error in route command, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process')
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
status=0
;;
esac
exit $status
;;
route-host|route-client)
# connection to this host or client being routed
uproute
;;
unroute-host|unroute-client)
# connection to this host or client being unrouted
downroute
;;
up-host)
# connection to this host coming up
;;
down-host)
# connection to this host going down
;;
up-client)
# connection to client subnet, through forwarding firewall, coming up
ipchains -I forward -j ACCEPT -b \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client)
# connection to client subnet, through forwarding firewall, going down
ipchains -D forward -j ACCEPT -b \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >2 exit 1
;;
esac
It is also possible to set up both firewalling and IPSEC with appropriate scripts at boot and then not use leftupdown= and rightupdown=, or use them only for simple up and down operations.
Basically, the technique is
Firewall rules can recognise packets emerging from IPSEC. They are marked as arriving on an interface such as ipsec0, rather than eth0, ppp0 or whatever.
While it is possible to create such rules yourself (please let us know via the mailing list if you do), it may be both easier and more secure to use a set which has already been published and tested. Those we know of are described below.
One user, Rob Hutton, posted his boot time scripts to the mailing list, and we included them in previous versions of this documentation. They are still available from our web site. However, they were for an earlier FreeS/WAN version so we no longer recommend them. Also, they had some bugs. See this message.
Those scripts were based on David Ranch's scripts for his "Trinity OS" for setting up a secure Linux. Check his home page for the latest version and for information on his book on securing Linux. If you are going to base your firewalling on Ranch's scripts, we recommend using his latest version, and sending him any IPSEC modifications you make for incorporation into later versions.
This is a collection of notes on various aspects of debugging FreeS/WAN setup and connections. Other sources of information are:
For how to report problems, see the file doc/prob.report.
Error messages generated by KLIPS during the boot sequence are accessible with the dmesg command.
Pluto logs to:
Check both places to get full information. If you find nothing, check your syslogd.conf(5) to see where your system is putting things.
Other man pages are on
this list and in
From a message posted to the mailing list Jan 14 2000 by Pluto developer Hugh Redelmeier:
Until ipsec auto and whack/pluto get fixed:
When puzzled by Pluto behaviour, always look in
/var/log/secure -- that's the unadulterated story.
To get the whole whack output (almost a subset of
the story from Pluto), give auto the --verbose flag
on each invocation. Eg:
ipsec auto --verbose --up sadaisy
Bonus hint: problems snowball. So look for the first problem first,
it is likely to be the cause of later problems.
And a final hint: If one side keeps retrying to no avail, it may be
because the other is unhappy about something and won't reply. Go look
at the other side to figure out what it doesn't like.
Various error messages from Pluto are discussed in the
FAQ and the ipsec_pluto(8)
man page.
Here are the Pluto developer's suggestions for doing this:
Can you get a core dump and use gdb to find out what Pluto was doing
when it died?
To get a core dump, you will have to set dumpdir to point to a
suitable directory (see ipsec.conf(5)).
To get gdb to tell you interesting stuff:
$ script
$ cd dump-directory-you-chose
$ gdb /usr/local/lib/ipsec/pluto core
(gdb) where
(gdb) quit
$ exit
The resulting output will have been captured by the script command in
a file called "typescript". Send it to the list.
Do not delete the core file. I may need to ask you to print out some
more relevant stuff.
Note that the dumpdir parameter takes effect only when the
IPsec subsystem is restarted -- reboot or ipsec setup restart
.
From a mail message from our KLIPS developer:
Here is a catalogue of the types of errors that can occur for which
statistics are kept when transmitting and receiving packets via klips.
I notice that they are not necessarily logged in the right counter.
. . .
Sources of ifconfig statistics for ipsec devices
rx-errors:
- packet handed to ipsec_rcv that is not an ipsec packet.
- ipsec packet with payload length not modulo 4.
- ipsec packet with bad authenticator length.
- incoming packet with no SA.
- replayed packet.
- incoming authentication failed.
- got esp packet with length not modulo 8.
tx_dropped:
- cannot process ip_options.
- packet ttl expired.
- packet with no eroute.
- eroute with no SA.
- cannot allocate sk_buff.
- cannot allocate kernel memory.
- sk_buff internal error.
The standard counters are:
struct enet_statistics
{
int rx_packets; /* total packets received */
int tx_packets; /* total packets transmitted */
int rx_errors; /* bad packets received */
int tx_errors; /* packet transmit problems */
int rx_dropped; /* no space in linux buffers */
int tx_dropped; /* no space available in linux */
int multicast; /* multicast packets received */
int collisions;
/* detailed rx_errors: */
int rx_length_errors;
int rx_over_errors; /* receiver ring buff overflow */
int rx_crc_errors; /* recved pkt with crc error */
int rx_frame_errors; /* recv'd frame alignment error */
int rx_fifo_errors; /* recv'r fifo overrun */
int rx_missed_errors; /* receiver missed packet */
/* detailed tx_errors */
int tx_aborted_errors;
int tx_carrier_errors;
int tx_fifo_errors;
int tx_heartbeat_errors;
int tx_window_errors;
};
of which I think only the first 6 are useful.
Sometimes you need to test the tunnel between two security gateways. This can be done by having a machine behind one gateway ping a machine behind the other gateway, but this is not always convenient or even possible.
Simply pinging one gateway from the other is not useful. Such a ping does not normally go through the tunnel. The tunnel handles trafiic between the two protected subnets, not between the gateways . Depending on the routing in place, a ping might
Neither event tells you anything about the tunnel. You can explicitly create an eroute to force such packets through the tunnel, or you can create additional tunnels as described in our configuration document, but those may be an unnecessary complications in your situation.
The trick is to explicitly use an IP address for the subnet-side interface of one gateway machine, either as the target of a ping or as the origin of a traceroute. Since that interface is on the protected subnet, the resulting packets do go via the tunnel.
From the mailing list:
>; > ;I have two gateways, SG1 and SG2, with I/Fs i and e (for internal and >; > ;external), and two hosts, H1 and H2 set up as: >; > ; >; > ; H1-----(i)SG1(e)===========(e)SG2(i)------H2 >; > ; >; > ;And I want to test a tunnel set up between the H1 subnet and the H2 >; > ;subnet, but the H2 host may not exist yet, or may not be responding. >; > ; >; > ;If I ping SG2i from H1, all traffic in both directions is encrypted, >; > ;testing the tunnel. ..... >; > ;If I understand correctly, this could be accomplished by the 'ping -I' >; > ;feature of which you spoke earlier or 'traceroute -i'? >; >; Indeed, >; traceroute -i eth0 -f 20 otherSG >; appears to give me a solution using only N machines, the SGs themselves. >; This is very nice. Note that in this example, eth0 is the *private* (i) >; interface. If you try it with the (e) interface or the ipsec0 interface, >; you won't get the desired result. If you leave off the -f 20, the trace >; will hang in some totally bizarre way.
Some older Linux distributions did not support ping -I, according to mailing list comments. More recent comments indicate that this does now work. For example, you can do:
ping -I 192.168.10.250 192.168.0.11to test between the interfaces on the two protected subnets.
Your mail has inspired me to write a little trouble shooting guide to supplement and connect the existing docs on the subject. Here's v. 1. Comments are welcome. Steps in Troubleshooting Linux FreeS/WAN: - ----------------------------------------- Finding the Error - ----------------- First, try to find verbose text that describes how things are going wrong or creating unexpected results. Here's how: While the dialog from ipsec auto --up myconn (or whatever) will tell you where the process fails, it is often not very specific. And for errors that have to do with the use of a conn, you may not even have this. More information can be gleaned from the log files, usually /var/log/messages or /var/log/secure. On some systems, the logfiles are differently named. To find your error messages, check where your /etc/syslog.conf or equivalent is directing authpriv. The amount of your error's description in your logs depends on your debug settings, klipsdebug= and plutodebug=, in ipsec.conf. See man ipsec.conf for details. Note that usually, either 'none' or 'all' will be what you want; you don't need to worry about the nuances of the debug options. If you're having an negotiation problem (as you are, above) plutodebug is most relevant. If you have a connection established but the packets aren't doing what you think they should, play with klipsdebug. See also /doc/ipsec.html#parts for the division of duties within Linux FreeS/WAN. After raising your debug levels, restart Linux FreeS/WAN to ensure that the conf file is re-read, then re-create the error to generate verbose logs. Proceed to the failure point in the logs and find the handful of lines which succinctly describe how things are going wrong or contrary to your expectation. Interpreting the Error - ---------------------- To interpret this text, use the following resources: * the FAQ, doc/faq.html. Since the FAQ is constantly being updated, the snapshot may have a new entry relevant to your problem. For example, the faq in today's snapshot, addresses several more questions than the version on the site. * doc/config.html. Instructions for some configurations you can make with Linux FreeS/WAN. See especially doc/config.html#multitunnel, which is useful in a large proportion of the questions we see on the list. * doc/trouble.html. Debugging instructions and notes. Note that most people now test automatic keying only if that's what they're using in the field, and only revert to manual testing to test unexpected behaviour that seems to be occurring at a very basic level. * the list archives. There are three: sandelman nexial, as listed at mail.html, and the archive for the filtered list at exim.org: http://www.exim.org/pipermail/linux-ipsec/ (also listed in the upcoming docs). Each of them works differently, so it's worth checking each. Take a snippet of the text of your error which doesn't include anything site specific, ex. "No connection is known for", and search on this. It's likely you'll find the same answer to someone else's question this way, and it's faster than asking real-time humans ;-) * Sometimes a quick peek into the code where the error is being generated can be helpful. The pluto code is pretty well documented with comments and meaningful variable names. Asking for Help - --------------- A combination of the freeswan.org pages mentioned above and an archive search will address nearly every problem. But for those times when you've found something unusual, or your forehead is sore from banging it on your monitor, there's always the mailing list ;-) When writing the list, remember that more is more -- While sometimes an initial query with a quick description of your intent and error will twig someone's memory of a similar problem, it's often necessary to send a second mail with a complete problem report. See doc/prob.report for details. Lastly, as a kindness to other list members, you might post a link to a website where you've published your barf file rather than the entire file, if that option's available to you. Happy trouble shooting, Claudia
This section lists many of the options available when configuring a Linux kernel, and explains how they should be set on a FreeS/WAN IPSEC gateway.
Note that in many cases you do not need to mess with these.
You may have a Linux distribution which comes with FreeS/WAN installed (see this list). In that case, you need not do a FreeS/WAN installation or a kernel configuration. Of course, you might still want to configure and rebuild your kernel to improve performance or security. This can be done with standard tools described in the Kernel HowTo.
If you need to install FreeS/WAN, then you do need to configure a kernel. However, you may choose to do that using the simplest procedure:
This document is for those who choose to configure their FreeS/WAN kernel themselves.
Help text for most kernel options is included with the kernel files, and is accessible from within the configuration utilities. We assume you will refer to that, and to the Kernel HowTo, as necessary. This document covers only the FreeS/WAN-specific aspects of the problem.
To avoid duplication, this document section does not cover settings for the additional IPSEC-related kernel options which become available after you have patched your kernel with FreeS/WAN patches. There is help text for those available from within the configuration utility.
We assume a common configuration in which the FreeS/WAN IPSEC gateway is also doing ipchains(8) firewalling for a local network, and possibly masquerading as well.
Some suggestions below are labelled as appropriate for "a true paranoid". By this we mean they may cause inconvenience and it is not entirely clear they are necessary, but they appear to be the safest choice. Not using them might entail some risk. Of course one suggested mantra for security administrators is: "I know I'm paranoid. I wonder if I'm paranoid enough."
Six labels are used to indicate how options should be set. We mark the labels with [square brackets]. For two of these labels, you have no choice:
those must be set correctly or FreeS/WAN will not work
FreeS/WAN should work with any settings of the others, though of course not all combinations have been tested. We do label these in various ways, but these labels are only suggestions.
Of course complexity is an enemy in any effort to build secure systems. For maximum security, any feature that can reasonably be turned off should be. "If in doubt, leave it out."
Indentation is based on the nesting shown by 'make menuconfig' with a 2.2.16 kernel for the i386 architecture.
For most FreeS/WAN work, no is the preferred setting. Using new or untested components is too risky for a security gateway.
However, for some hardware (such as the author's network cards) the only drivers available are marked new/experimental. In such cases, you must enable this option or your cards will not appear under "network device support". A true paranoid would leave this option off and replace the cards.
With modules disabled, an attacker cannot install a bogus module. The only way he can achieve the same effects is to install a new kernel and reboot. This is considerably more likely to be noticed.
Many FreeS/WAN gateways run with modules enabled. This simplifies some administrative tasks and some ipchains features are available only as modules. Once an enemy has root on your machine your security is nil, so arguably defenses which come into play only in that situation are pointless.
echo 1 > /proc/sys/net/ipv4/ipforwardturns IP forwarding on.
Disabling this option breaks many firewall scripts. A true paranoid would disable it anyway since it might conceivably be of use to an attacker.
Even if the IPSEC gateway is not your primary firewall, we suggest setting this so that you can protect the gateway with at least basic local packet filters.
It should be possible to use IPv4 FreeS/WAN on a machine which also does IPv6. This combination is not yet well tested. We would be quite interested in hearing results from anyone expermenting with it, via the mailing list.
We do not recommend using IPv6 on production FreeS/WAN gateways until more testing has been done.
We do not recommend this. Keep the software on your gateway as simple as possible. If you need a Linux-based Appletalk or IPX server, use a separate machine.
The development team test almost entirely on 10 or 100 megabit Ethernet and modems. In principle, any device that can do IP should be just fine for IPSEC, but in the real world any device that has not been well-tested is somewhat risky. By all means try it, but don't bet your project on it until you have solid test results.
If you disabled experimental drivers in the Code maturity section above, then those drivers will not be shown here. Check that option before going off to hunt for missing drivers.
If you want Linux to automatically find more than one ethernet interface at boot time, you need to:
append="ether=0,0,eth0 ether=0,0,eth1"to your /etc/lilo.conf file. In some cases you may need to specify parameters such as IRQ or base address. The example uses "0,0" for these, which tells the system to search. If the search does not succeed on your hardware, then you should retry with explicit parameters. See the lilo.conf(5) man page or the LILO mini-HowTo for details.
If you are comfortable with C source code, it is likely a good idea to go in and adjust the #define lines in /usr/src/linux/drivers/char/random.c to ensure that all sources of randomness are enabled. Relying solely on keyboard and mouse randomness is dubious procedure for a gateway machine. You could also increase the randomness pool size from the default 512 bytes (128 32-bit words).
This file is a guide to the locations of files within the FreeS/WAN distribution. Everything described here should be on your system once you download, gunzip, and untar the distribution.
This distribution contains two major subsystems
plus assorted odds and ends.
The top directory has essential information in text files:
The doc directory contains the bulk of the documentation, most of it in HTML format. See the index file for details.
KLIPS is KerneL IP Security. It lives in the klips directory, of course.
The "make insert" step of installation installs the patches and makes a symbolic link from the kernel tree to klips/net/ipsec. The odd name of klips/net/ipsec is dictated by some annoying limitations of the scripts which build the Linux kernel. The symbolic-link business is a bit messy, but all the alternatives are worse.
These are all normally invoked by ipsec(8) with commands such as
ipsec tncfg argumentsThere are section 8 man pages for all of these; the names have "ipsec_" as a prefix, so your man command should be something like:
man 8 ipsec_tncfg
Pluto is our key management and negotiation daemon. It lives in the pluto directory, along with its low-level user utility, whack.
There are no subdirectories. Documentation is a man page, pluto.8. This covers whack as well.
The utils directory contains a growing collection of higher-level user utilities, the commands that administer and control the software. Most of the things that you will actually have to run yourself are in there.
ipsec(8) is normally the only program installed in a standard directory, /usr/local/sbin. It is used to invoke the others, both those listed below and the ones in klips/utils mentioned above.
There are .8 manual pages for these. look is covered in barf.8. The man pages have an "ipsec_" prefix so your man command should be something like:
man 8 ipsec_auto
Examples are in various files with names utils/*.eg
The lib directory is the FreeS/WAN library, also steadily growing,
used by both user-level and kernel code.
It includes section 3 man pages for
the library routines.
Note that this library has its own license, different from the GPL used for other code in FreeS/WAN.
The library includes its own documentation.
Older versions (up to 1.7) of FreeS/WAN included a copy of this library in the FreeS/WAN distribution.
Since 1.8, we have begun to rely on the system copy of GMP.
Most of this document is quoted directly from the Linux FreeS/WAN mailing list. Thanks very much to the community of testers, patchers and commenters there, especially the ones quoted below but also various contributors we haven't quoted.
In general, do not expect Linux FreeS/WAN to do everything yet. This is a work-in-progress and some parts of the IPSEC specification are not yet implemented.
Things we do, as of version 1.9:
In negotiating a keying connection (ISAKMP SA, Phase 1) we propose both groups when we are the initiator, and accept either when a peer proposes them. Once the keying connection is made, we propose only the alternative agreed there for data connections (IPSEC SA's, Phase 2) negotiated over that keying connection.
In negotiations, we propose both of these and accept either.
Some difficulties in interopreation are anticipated with this. The RFC says to leave out some things which many compression libraries put in. We do leave these out, but other implementations may not.
All combinations of implemented transforms are supported. Note that some form of packet-level authentication is required whenever encryption is used. Without it, the encryption will not be secure.
Things we deliberately omit which are required in the RFCs are:
Since these are the only encryption algorithms and DH group the RFCs require, it is possible in theory to have a standards-conforming implementation which will not interpoperate with FreeS/WAN. Such an implementation would be inherently insecure, so we do not consider this a problem. Anyway, most implementations sensibly include more secure options as well, so dropping null encryption, single DES and Group 1 does not greatly hinder interoperation in practice.
We also do not implement some optional features allowed by the RFCs:
In theory, this should cause no interoperation problems since all implementations are required to support the more secure main mode, whether or not they also allow aggressive mode.
In practice, it does sometimes produce problems with implementations such as Windows 2000 where aggressive mode is the default. Typically, these are easily solved with a configuration change that overrides that default.
Things we don't yet do, as of version 1.91:
We expect eventually to do it using DNS. The newer versions of BIND provide much of what we need but they are not yet widespread and our code to communicate with them is not ready.
Update: As of 1.91, we have beta-testable code for opportunistic encryption. See our configuration document.
Currently Triple DES is the only encryption method Pluto will negotiate.
No additional encryption transforms are yet implemented, though the RFCs allow them and some other IPSEC implementations support various of them. We are not eager to add more, since they complicate both our work and that of the gateway administrator without any obvious security improvement. We would certainly not want to incorporate any cryptographic method that had inadequate key length or had not been sujected to intensive review over some time.
Rjindael, which just won the AES competition to choose a successor to the DES standard, is an excellent candidate for inclusion in FreeS/WAN. This might be a good project for a volunteer.
No optional additional authentication transforms are currently implemented and we do not forsee a need to add any soon.
To fully comply with the RFCs, it is not enough just to accept only packets which survive any firewall rules in place to limit what IPSEC packets get in, and then pass KLIPS authentication. That is what FreeS/WAN currently does.
We should also apply additional tests, for example ensuring that all packets emerging from a particular tunnel have sourcen and destination addresses that fall within the subnets defined for that tunnel, and that packets with those addresses that did not emerge from the appropriate tunnel are disallowed.
This will be done as part of the KLIPS rewrite currently in progress. See these links and the design mailing list for discussion.
We use PF-key Version Two for communication between the KLIPS kernel code and the Pluto Daemon. PF-Key v2 is defined by RFC 2367.
The "PF" stands for Protocol Family. PF-Inet defines a kernel/userspace interface for the TCP/IP Internet protocols (TCP/IP), and other members of the PF series handle Netware, Appletalk, etc. PF-Key is just a PF for key-related matters.
Our PF-Key implementation is not yet (mid-July 2000) complete. In particular, it is mostly one-way, used for Pluto to talk to KLIPS but not yet doing much upward communication from kernel to user space. This will change, but is not at the top of our priority list.
PF-Key came out of Berkeley Unix work and is used in the various BSD IPSEC implementations, and in Solaris. This means there is some hope of porting our Pluto(8) to one of the BSD distributions, or of running their photurisd(8) on Linux if you prefer Photuris key management over IKE.
It is, however, more complex than that. The PK-Key RFC deliberately deals only with keying, not policy management. The three PF-Key implementations we have looked at -- ours, OpenBSD and KAME -- all have extensions to deal with security policy, and the extensions are different. There have been discussions aimed at sorting out the differences, perhaps for a version three PF-Key spec. All players are in favour of this, but everyone involved is busy and it is not clear whether or when these discussions might bear fruit.
We develop and test on:
This is what we recommend.
Consider upgrading to the 2.2 kernel series. If you want to stay with the 2.0 series, then we strongly recommend 2.0.39. Some useful security patches were added in 2.0.38.
Various versions of the code have run at various times on most 2.0.xx kernels, but the current version is only lightly tested on 2.0.39, and not at all on older kernels.
Some of our patches for older kernels are shipped in 2.0.37 and later, so they are no longer provided in FreeS/WAN. This means recent versions of FreeS/WAN will probably not compile om anything earlier than 2.0.37.
In general, we suggest the latest 2.2 kernel or 2.4 for production use. At time of writing (early June 2001, just before our 1.91 release) these are 2.2.19 and 2.4.5.
Of course no release can be guaranteed to run on kernels more recent than it is, so quite often there will be no stable FreeS/WAN for the absolute latest kernel. See the FAQ for discussion.
We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 7.1 for 2.4, so minor changes may be required for other distributions.
There are some problems with FreeS/WAN on Redhat 7.0, but they are soluble.
Redhat 7 ships with two compilers.
Kernel Makefiles have gcc as a default, and must be adjusted to use kgcc before a kernel will compile on 7.0. This mailing list message gives details:
Subject: Re: AW: Installing IPSEC on Redhat 7.0 Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST) From: Mads Rasmussen <mads@cit.com.br> > From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1 cd to /usr/src/linux and open the Makefile in your favorite editor. You will need to look for a line similar to this: CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH) This line specifies which C compiler to use to build the kernel. It should be changed to: CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH) for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can proceed with the typical compiling steps.Check the mailing list archive for more recent news.
SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN included.
Here are some notes for an earlier SuSE version.
Date: Mon, 30 Nov 1998
From: Peter Onion <ponion@srd.bt.co.uk>
... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
The mods to the install process are quite simple. From memory and looking at
the files on the SUSE53 machine here at work....
And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
which SUSE use to shut a service down.
A few mods in /etc/init.d/ipsec to cope with the different places that SUSE
put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
/etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
insert ". /etc/rc.config" to pick up the SUSE config info and use
if test -n "$NETCONFIG" -a "$NETCONFIG" != "YAST_ASK" ; then
to replace
[ ${NETWORKING} = "no" ] amp; exit 0
Create /etc/sysconfig as SUSE doesn't have one.
I think that was all (but I prob forgot something)....
You may also need to fiddle initialisation scripts to ensure that /var/run/pluto.pid is removed when rebooting. If this file is present, Pluto does not come up correctly.
Subject: Re: linux-ipsec: Slackware distribution Date: Thu, 15 Apr 1999 12:07:01 -0700 From: Evan Brewer <dmessiah@silcon.com> > Very shortly, I will be needing to install ipsec on at least gateways that > are running Slackware. . . . The only trick to getting it up is that on the slackware dist there is no init.d directory in /etc/rc.d .. so create one. Then, what I do is take the ipsec startup script which normally gets put into the init.d directory, and put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file in init.d. The only file in the dist you need to really edit is the utils/Makefile, setup4: Everything else should be just fine.A year or so later:
Subject: Re: HTML Docs- Need some cleanup? Date: Mon, 8 Jan 2001 From: Jody McIntyre <jodym@oeone.com> I have successfully installed FreeS/WAN on several Slackware 7.1 machines. FreeS/WAN installed its rc.ipsec file in /etc/rc.d. I had to manually call this script from rc.inet2. This seems to be an easier method than Evan Brewer's.
Subject: FreeS/WAN 1.0 on Debian 2.1
Date: Tue, 20 Apr 1999
From: Tim Miller <cerebus+counterpane@haybaler.sackheads.org>
Compiled and installed without error on a Debian 2.1 system
with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
/etc/init.d.
/var/lock/subsys/ doesn't exist on Debian boxen, needs to be
created; not a fatal error.
Finally, ipsec scripts appear to be dependant on GNU awk
(gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
operation appears flawless.
The scripts in question have been modified since this was posted. Awk versions should no longer be a problem.
Subject: Re: HTML Docs- Need some cleanup? Date: Mon, 08 Jan 2001 From: Andy Bradford <andyb@calderasystems.com> On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote: > Intel Linux distributions other than Redhat 5.x and 6.x > Redhat 7.0 > SuSE Linux > SuSE Linux 5.3 > Slackware > Debian Can you please include Caldera in this list? I have tested it since FreeS/Wan 1.1 and it works great with our systems---provided one follows the FreeS/Wan documentation. :-) Thank you, Andy
FreeS/WAN has been run sucessfully on a number of different CPU architectures. If you have tried it on one not listed here, please post to the mailing list.
Subject: linux-ipsec: Netwinder diffs Date: Wed, 06 Jan 1999 From: rhatfield@plaintree.com I had a mistake in my ipsec-auto, so I got things working this morning. Following are the diffs for my changes. Probably not the best and cleanest way of doing it, but it works. . . .
These diffs are in the 0.92 distribution and any snapshot after Feb 20 1999, so these should work out-of-the-box on Netwinder.
Subject: Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC) Date: 11 Dec 1999 From: Darron Froese <darron@fudgehead.com> I'm summarizing here for the record - because it's taken me many hours to do this (multiple times) and because I want to see IPSEC on more linuxes than just x86. Also, I can't remember if I actually did summarize it before... ;-) I'm working too many late hours. That said - here goes. 1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13. <http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2> 2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1 <ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz> 3. Get the gmp src rpm from here: <ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm> 4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm You will see a lot of text fly by and when you start to see the rpm recompiling like this: Executing: %build + umask 022 + cd /usr/src/redhat/BUILD + cd gmp-2.0.2 + libtoolize --copy --force Remember to add `AM_PROG_LIBTOOL' to `configure.in'. You should add the contents of `/usr/share/aclocal/libtool.m4' to `aclocal.m4'. + CFLAGS=-O2 -fsigned-char + ./configure --prefix=/usr Hit Control-C to stop the rebuild. NOTE: We're doing this because for some reason the gmp source provided with FreeS/WAN 1.1 won't build properly on ydl. cd /usr/src/redhat/BUILD/ cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/ cd /usr/src/freeswan-1.1/ rm -rf gmp mv gmp-2.0.2 gmp 5. Open the freeswan Makefile and change the line that says: KERNEL=$(b)zimage (or something like that) to KERNEL=vmlinux 6. cd ../linux/ 7. make menuconfig Select an option or two and then exit - saving your changes. 8. cd ../freeswan-1.1/ ; make menugo That will start the whole process going - once that's finished compiling, you have to install your new kernel and reboot. That should build FreeS/WAN on ydl (I tried it on 1.1).And a later message on the same topic:
Subject: Re: FreeS/WAN, PGPnet and E-mail Date: Sat, 22 Jan 2000 From: Darron Froese <darron@fudgehead.com> on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote: > I have a PowerMac G3 ... The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run FreeS/WAN 1.2patch1 with a couple minor modifications: 1. In the Makefile it specifies a bzimage for the kernel compile - you have to change that to vmlinux for the PPC. 2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to compile. I have gotten around this by getting the gmp src rpm from here: ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm If you rip the source out of there - and place it where the gmp source resides it will compile just fine.
One user reports success on the Mach-based micro kernel Linux.
Subject: Smiles on sparc and ppc Date: Fri, 10 Mar 2000 From: Jake Hill <jah@alien.bt.co.uk> You may or may not be interested to know that I have successfully built FreeS/WAN on a number of non intel alpha architectures; namely on ppc and sparc and also on osfmach3/ppc (MkLinux). I can report that it just works, mostly, with few changes.
Subject: IT WORKS (again) between intel & alpha :-))))) Date: Fri, 29 Jan 1999 From: Peter Onion <ponion@srd.bt.co.uk> Well I'm happy to report that I've got an IPSEC connection between by intel & alpha machines again :-)) If you look back on this list to 7th of December I wrote... -On 07-Dec-98 Peter Onion wrote: -> -> I've about had enuf of wandering around inside the kernel trying to find out -> just what is corrupting outgoing packets... - -Its 7:30 in the evening ..... - -I FIXED IT :-)))))))))))))))))))))))))))))))) - -It was my own fault :-(((((((((((((((((( - -If you ask me very nicly I'll tell you where I was a little too over keen to -change unsigned long int __u32 :-) OPSE ... - -So tomorrow it will full steam ahead to produce a set of diffs/patches against -0.91 - -Peter Onion.
In general (there have been some glitches), FreeS/WAN has been running on Alphas since then.
Several users have reported success with FreeS/WAN on SPARC Linux. Here is one mailing list message:
Subject: Smiles on sparc and ppc Date: Fri, 10 Mar 2000 From: Jake Hill <jah@alien.bt.co.uk> You may or may not be interested to know that I have successfully built FreeS/WAN on a number of non intel alpha architectures; namely on ppc and sparc and also on osfmach3/ppc (MkLinux). I can report that it just works, mostly, with few changes. I have a question, before I make up some patches. I need to hack gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are trivial, but could I also use a different version of gmp? Is it vanilla here? I guess my only real headache is from ipchains, which appears to stop running when IPSec has been started for a while. This is with 2.2.14 on sparc.
This message, from a different mailing list, may be relevant for anyone working with FreeS/WAN on Suns:
Subject: UltraSPARC DES assembler
Date: Thu, 13 Apr 2000
From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
To: coderpunks@toad.com
An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
file is available at http://inet.uni2.dk/~svolaf/des.htm.
This brings DES on UltraSPARC from slower than Pentium at the same
clock speed to significantly faster.
We know FreeS/WAN runs on at least some MIPS processors because Lasat (who host our freeswan.org web site) manufacture an IPSEC box based on an embedded MIPS running Linux with FreeS/WAN. We have no details.
Subject: Re: Crypto hardware support Date: Mon, 03 Jul 2000 From: Dan DeVault <devault@tampabay.rr.com> .... I have been running uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay ( http://www.moretonbay.com ) and it was using a Coldfire processor and was able to do the Triple DES encryption at just about 1 mbit / sec rate....... they put a Hi/Fn 7901 hardware encryption chip on their board and now their system does over 25 mbit of 3DES encryption........ pretty significant increase if you ask me.
FreeS/WAN is designed to work on SMP (symmetric multi-processing) Linux machines and is regularly tested on dual processor x86 machines.
We do not know of any testing on multi-processor machines with other CPU architectures or with more than two CPUs. Anyone who does test this, please report results to the mailing list .
The current design does not make particularly efficient use of multiprocessor machines; some of the kernel work is single-threaded. This issue is being addressed in the KLIPS II redesign.
Supporting hardware cryptography accelerators has not been a high priority for the development team because it raises a number of fairly complex issues:
That said, we have a report of FreeS/WAN working with one crypto accelerator and some work is going on to modify KLIPS to create a clean generic interface to such products. See this web page for some of the design discussion.
The next version of the IP protocol suite is version six, usually abbreviated either as "IPv6" or as "IPng" for "IP: the next generation". For IPv6, IPSEC is a required feature. Any machine doing IPv6 is required to support IPSEC, much as any machine doing (any version of) IP is required to support ICMP.
There is a Linux implementation of IPv6 in Linux kernels 2.2 and above. For details, see the FAQ. It does not yet support IPSEC. The USAGI project are also working on IPv6 for Linux.
FreeS/WAN was originally built for the current standard, IPv4, but we are interested in seeing it work with IPv6. Some progress has been made, but at time of writing (February 2001), the job is not complete. For more recent information, check the mailing list .
The first release of FreeS/WAN (1.8) patched for IPv6 support is now available.
IPv6 has been specified by an IETF working group. The group's page lists over 30 RFCs to date, and many Internet Drafts as well. The overview is RFC 2460. Major features include:
A number of projects are working on IPv6 implementation. A prominent Open Source effort is KAME , a collaboration among several large Japanese companies to implement IPv6 for Berkeley Unix. Other major players are also working on IPv6. For example, see pages at Sun, Cisco and Microsoft. The 6bone (IPv6 backbone) testbed network has been up for some time. There is an active IPv6 user group.
One of the design goals for IPv6 was that it must be possible to convert from v4 to v6 via a gradual transition process. Imagine the mess if there were a "flag day" after which the entire Internet used v6, and all software designed for v4 stopped working. Almost every computer on the planet would need major software changes! There would be huge costs to replace older equipment. Implementers would be worked to death before "the day", systems administrators and technical support would be completely swamped after it. The bugs in every implementation would all bite simultaneously. Large chunks of the net would almost certainly be down for substantial time periods. ...
Fortunately, the design avoids any "flag day". It is therefore a little tricky to tell how quickly IPv6 will take over. The transition has certainly begun. For examples, see announcements from NTT and Nokia. However, it is not yet clear how quickly the process will gain momentum, or when it will be completed. Likely large parts of the Internet will remain with IPv4 for years to come.
The IPSEC protocols are designed to allow interoperation between different implementations. Other sections of this documentation have more detail on:
FreeS/WAN does interoperate successfully with many other implementations. The ones we know about are listed below.
Of course "the devil is in the details" and the IPSEC protocols have a lot of details. At least one critique has argued that the protocols should be simplified. Various of those details can and do cause difficulties for interoperation. Should you encounter such problems, please let us know via the mailing list. We will likely be able to help you, and your report may be useful both to other users and to the implementation teams.
Note: This file is updated often, whenever I notice an interesting interop report on the mailing list. If you are reading the version that ships with a FreeS/WAN release or is posted on the web, and what you need isn't here, consider downloading the latest snapshot to get the latest version of the doc. Perhaps I've added what you need since the last release.
There is additional information on interoperability testing in our web links section.
For example, unmodified FreeS/WAN cannot use RSA keys generated by PGP or keys stored in X.509 certificates, but patches or utilities are available for both those formats. See this list of patches and add-ons .
The IPSEC RFCs are complex and include a number of optional features. There is considerable opportunity for even two correct, standard-conforming, implementations to disagree on details in a way that blocks interoperation. Of course, misinterpretations of the standards and implementation or configuration errors on either end can also foul things up.
That said, FreeS/WAN interoperates successfully with many other implementations. There is a list below.
Known areas where problems may appear are:
In principle this should not be a problem since main mode support is required in all implementations and aggressive mode is optional. In practice, it is sometimes a problem. Some implementations default to aggressive mode unless you configure them for main mode.
You can turn PFS off in FreeS/WAN with the pfs=no setting in ipsec.conf(5), but if possible we suggest you enable it on the other end instead. That is more secure.
The general rule is that to interoperate with FreeS/WAN, the other implementation should be configured for:
This is possible for most implementations.
Linux FreeS/WAN does not support single DES transforms. Neither Pluto's IKE connections nor KLIPS' IPSEC connections can use DES. Since DES is insecure we do not, and will not at any future time, provide it.
DES is, unfortunately, a mandatory part of the IPSEC standard. Despite that, we will not implement DES. We believe it is more important to provide security than to comply with a standard which has been subverted into allowing weak algorithms. See our history and politics section for discussion.
Some implementations may offer DES as the default. In such cases we urge you to change them to Triple DES. If this is not possible, for example because export laws prevent your vendor from offerring you adequate crytography, we urge you to complain vigorously to one or more of:
Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES now.
FreeS/WAN does have DES code in it as a sort of historical accident, since we need it to implement our default (currently, our only) block cipher, Triple DES. However, since DES is insecure, we do not provide any interface to that code.
As a matter of project policy, we will not help anyone subvert FreeS/WAN to provide insecure DES encryption .
The FreeS/WAN team does not have the resources to test with anything like the full range of other IPSEC implementations out there. Fortunately, some of our users are doing a fine job of filling the gap by providing HowTo information:
See also our list of available patches and add-ons .
Most of the information in this section is gleaned from the mailing list. For additional information, search one of the list archives.
A large thank you is in order to all the list contributors. This document would not exist without you.
Anyone who has tested with an implementation not listed here, please report results to the mailing list. I generally include the sender's email address when I quote list messages here; "credit where credit is due". If you would prefer that I not do that with yours, please mention that.
However, if you do encounter a problem involving an older version, we are likely to suggest you upgrade. We do not have the resources to support multiple versions.
The FAQ also discusses this.
This report is from one of the OpenBSD IPSEC developers, a regular participant on our mailing list:
Subject: spi.c bug Date: Tue, 23 Feb 1999 From: Niklas Hallqvist <niklas@appli.se> PS. I don't know if you have an interop list anywhere, but you should know FreeS/WAN interops with OpenBSD both at the IPSec level and at the IKE level.
He has also talked of porting NetBSD's isakmpd(8) to Linux, but has (as of late April '99) made no announcement of availability. This would provide an alternative to our pluto(8) daemon with a somewhat different feature set. Our KLIPS kernel code would still be used.
The OpenBSD FAQ includes information on their IPSEC implementation.
The only reference we have to IPSEC for FreeBSD says their code was ported from OpenBSD.
Here is a mailing list message on FreeBSD interoperation:
Subject: Re: Interop with [Free|Open|Net]BSD Date: Fri, 29 Dec 2000 From: Ghislaine Labouret <Ghislaine.Labouret@hsc.fr> On Thu, 28 Dec 2000 13:53:01 -0500, Sandy Harris wrote: > FreeBSD: > > For FreeBSD, I find list discussion of 3DES key formats, presumably for manual > keying. We have 192-bit, 3 64-bit keys including parity bits, while FreeBSD 4.0 > used 168-bit, 3 56-bit keys without the parity bits. Has FreeBSD changed this? I still don't understand what made Spike Gronim say that KAME wants a 168 bits key; I have always been using 192 bits keys with KAME and had no interoperability problem between KAME and FreeS/WAN using manual keying. > For auto keying, I find reports of sucessful use of pre-shared secrets, but > nothing on RSA authentication. I had KAME (20001023 snapshot) and FreeS/WAN 1.6 successfully interoperate using both PSK and RSA-sig authentication. The config files, certificates and test keys used are available online: http://www.hsc.fr/ipsec/ipsec2000/kame/ http://www.hsc.fr/ipsec/ipsec2000/freeswan/ Not much details though, as this is just a report and not a how-to. Will improve it if I can find spare time. > Does FreeBSD support that? KAME can use RSA-sig and can either exchange certificates online or get them from a file. I tested the latter. No test with the X.509 patch for FreeS/WAN yet, though that's in my short term plans too. > Are the key formats compatible, or has anyone written translation code? KAME wants the keys inside certificates, in PEM format. To extract the keys for FreeS/WAN I used the fswcert utility, but it can be done "by hand" using openssl.
Here is a mailing list message with subject "FreeS/WAN and Cisco 3030 VPN Concentrator" and an attached MS-Word document on the setup.
A sample FreeS/WAN configuration, used in testing with Cisco at an interop conference, is in another list message. Unfortunately, it does not give the matching Cisco configuration.
Here is our first interop success report:
Subject: cisco <-> pluto IKE interop is here........ Date: Thu, 28 Jan 1999 From: Ian Calderbank Ok, tried todays pluto (28 jan) snapshot against a (wait for it) 3des cisco box, one with some more serious grunt for benchmarking when the time comes. And the good news is that pluto and cisco's IKE seem to interoperate. At the end of things both devices seem to be happy that they have IKE and IPSEC SA's. I can't send any traffic over it cos klips seems to be broken (peter seems to be on the case), but fundamentally, pluto seems to be interoperable with cisco for SA negotiation. I've attached some ipsec barf output - pluto still complains a few times, but it gets there :-)
A later message from Ian:
This configuration is provided as-is and with no assistance or guarantee
that it works whatsover. In particular your attention is drawn to the versions
of operating systems and IPSEC that were used in the test. Configurations
for later versions of freeswan and cisco IOS may well be different.
Cisco router: 3640 (R4700 processor), ios 12.0(2a)T1), 3DES IPSEC feature set
( you do need the 3des version).
Linux box: P150, freeswan 29/jan/99 snapshot, Redhat 5.2, kernel 2.0.36.
Interconnect: 10 Base T.
Algorithm: ESP 3des/md5
CPU loadings:
Cisco 3640 : 98%
Freeswan P150 : load average: 0.08, 0.06, 0.01
Throughput: 1.1 Mbit/sec at the application layer, approx 1.2Mbit/sec, 100 packet/sec on
the external network. There were no chokes present, so the limit would
appear to be the 3640, given it was running near flat out.
--------------------------
Freeswan config:
/etc/ipsec-auto
auto ipsec-router-test
type=tunnel
left=x.x.x.x
# x.x.x.x = linux box public ip address
right=y.y.y.y
# y.y.y.y = router public ip address
rightsubnet=192.168.2.0/24
# private network behind the router - host to which throughput testing was done is here.
keyexchange=ike
encrypt=yes
authenticate=no
pfs=no
lifetime=8h
----------------------------
Cisco Router config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key SECRET-VALUE address x.x.x.x
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map TEST 1 ipsec-isakmp
set peer x.x.x.x
set transform-set 3DES-MD5
match address 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 host x.x.x.x
interface
crypto map TEST
A page on Cisco's site gave this list (early Jan 2000, before new US export regulations went into effect):
| Triple DES Encryption for IPSec | | ... | | This feature is supported only on the following platforms: | | 1720 | 2600 Series | 3600 Series | 4000 Series | 4500 Series | AS5300 Series | 7200 Series | 7500 SeriesA message from another user about using RSA keys with Cisco:
From: jrussi@uol.com.br Subject: Re:Re: Re:Re: [Users] RSA public key and Cisco (3640) Date: Sat, 2 Jun 2001 We use Cisco IOS 12.1.5(T) and freeswan 1.8 Here an example on how I copied the key from cisco: Key Data: 117C311E 16192D86 8886C71D 11111115 11138B11 31881241 11C7E23B D6DB22 18DEC1BD.... Will become 0x117C311E16192D868886C71D1111111511138B113188124111C7E23BD6DB2218DEC1BD... We used at least 1024 bits long keys. But it doesn´t matter. The problem is that cisco doesn´t agree with the RSA schema from freeswan, I think. In Cisco, rsasig is to use with a CA, and rsaencript did not work as well. My case is worse than it. My first intention was to use freeswan in a road warrior config. I really need to use CA, as Cisco needs a fix address to use rsa public key. The public key to cisco is always associated to an IP address ou FQDN. I quit. Will try the X509 patch and the Open CA software. Deyvi >>(off list) > >Yes, I was just going to mention that the Cisco's key should be in >ipsec.conf (just received your correction). > >I think that I have the Cisco side configured correctly ( I can't be sure >because I can't test against the Freeswan). > >Starting from having the IPsec tunnel working with pre-share, I did the >following on the Cisco side: > >#config t >(config)# crypto key pubkey-chain rsa >(config-pubkey-chain)# addressed-key >(config-pubkey-key)# key-string >(config-pubkey-key)# >(config-pubkey-key)#quit >(config-pubkey-chain)#exit > ># config t >(config)# crypto isakmp policy 1 >(config-isakmp)# no authentication pre-share >(config-isakmp)# authentication rsa-sig >(config-isakmp)# exit > >How long is your RSA key that was generated on the Cisco? I tried copying >the key out of the 3640 and pasting it into ipsec.conf, removing the spaces >and adding a '0x' in the front. I get the 'key too small' error still. What >version of freeswan are you using? > >I'm using Freeswan 1.9 w/ IOS 12.1(6). > > >----- Original Message ----- >From: >To: "James Rowe" ; >Cc: >Sent: Thursday, May 31, 2001 5:15 PM >Subject: Re:Re: [Users] RSA public key and Cisco (3640) > > >> We had no problems with the key. Just be sure to remove the blank spaces >from the key (general key) that cisco generates. >> >> Just remove the blank, put all together as a long line (all the lines to a >single line) and add a "0x" at the key that Cisco give to you, and paste to >ipsec.secrets. >> >> The public key from FreeSwan, you just remove the "0x" and paste to the >command line at cisco. They will not complain about the keys. >> >> But my problem is with the proposal configured at Cisco. What to you think >to use? I tried "authentication rsasig" and "rsaencrip" with no results. >Cisco always sends me an "No proposal choosen" error message. >> >> I road an old message from someone called Brian here at this list, where >he says that FreeSwan will not accept authentication rsaencript from Cisco. >But rsasig is to use with a CA certification. So my question is: is it >possible to use Cisco with public RSA keying, without a CA? The thread ended >without an answer to it. >> >> Deyvi >> >>Hello, >> > >> >I am working on the same issue. I have pre-shared working, but would like >to >> >use RSA public keys. It seems that the Cisco key is too short. When >starting >> >IPsec in init.d, it says that the Cisco key is not secure because it is >less >> >than 512 bits, even tough the key is really over 768 bits. Claudia thinks >> >this is a parsing problem and suggested to take a look at the source >code. >> > >> >Some pointers that I have found while working on this: >> > >> >You must add a '0x' to the front of the Cisco key when entering it into >> >Freeswan, and remove the '0x' when entering the freeswan key into the >Cisco >> >3640. >> > >> >The case of the hexadecimal letters in the key does not matter. Thinking >> >that freeswan stopped reading the key when it encountered the first >> >uppercase letter in the Cisco key (freeswan keys are lowercase, Cisco's >are >> >uppercase), I changed everything to lowercase. Didn't help. >> > >> >I'll let you know if I make any progess on this. I'd appreciate if you >would >> >let me know if you get this working. Thanks. >> > >> >-- Jim Rowe >> > >> >----- Original Message ----- >> >From: >> >To: >> >Sent: Thursday, May 31, 2001 2:52 PM >> >Subject: [Users] RSA public key and Cisco (3640) >> > >> > >> >> Does anyone have a sucessful Cisco config file to use in a >freswan-cisco >> >conection using RSA public key? >> >> >> >> We were able to setup a pre-shared conection, but would like to try >public >> >keying.
Some messages from the mailing list:
Subject: Contivity Extranet Switch Date: Fri, 11 Jun 1999 From: Matthias David Siebler <msiebler@nortelnetworks.com> Reply-To: msiebler@alum.mit.edu Organization: Nortel Networks More interoperability results: I successfully established a tunnel with a Nortel (formerly Bay (formerly New Oak)) Contivity Extranet Switch running the latest release versions. The CES is running V2.50 of the software and the Linux server is running V1.0.0 of the Free/SWAN code on a RedHat 5.2 unit with the kernel upgraded to 2.0.36-3 I am using IKE with 3DES-HMAC-MD5 Note however, that tunnels cannot yet be configured as client tunnels since Free/SWAN does not yet support aggressive mode. Hopefully, that will arrive soon, which would allow remote users to connect to a CES using the Free/SWAN code as clients.
and apparently Nortel want their product to work with FreeS/WAN:
Subject: Is FreeSwan 3.1 a legitamate ipsec implementation when compared to its commercial competitors? Date: Tue, 02 May 2000 From: Bill Stewart <bill.stewart@pobox.com> Nortel's Contivity IPSEC server has a formal policy of interoperability with FreeS/WAN. I was quite pleased to hear it when they last talked to us, and it makes sense in their business environment, since they let you use their WinXX client software free, so this gives them support for Linux clients.
A more recent mailing list report is:
Subject: Nortel Contivity and Free-S/WAN
Date: Wed, 7 Mar 2001
From: "JJ Streicher-Bremer" <jj@digisle.net>
OK, here is a very brief nuts and bolts breakdown on how to get this
combo working. I want to thank everyone at Free-S/WAN and everyone on
the list for your help in getting this to work.
Connecting FreeS/WAN to the Nortel Networks Contivity Extranet Switch:
What you need:
FreeS/WAN v1.5 and Contivity ver 2.5 - 3.5 (might work with earlier
versions, but I have not tested it with this config)
or
FreeS/WAN v1.8 and COntivity ver 3.5 (the 3.5 version supports Diffe
Hilman group 2 key exchange)
What to do:
1 - Configure the Contivity:
Set up a branch office tunnel group with the following settings:
Connectivity:
Nailed Up: Disabled
Access Hours: Anytime
Call Admission Priority: Highest Priority
Forwarding Priority: Low Priority
Idle Timeout: 00:00:00
Forced Logoff: 00:00:00
RSVP: Disabled
RSVP: Token Bucket Depth: 3000 Bytes
RSVP: Token Bucket Rate: 28 Kbps
Branch Office Bandwidth Policy:
- Committed Rate: 56 Kbps
- Excess Rate: 128 Kbps
- Excess Action: Mark
Encryption:
- ESP - Triple DES with SHA1 Integrity: Enabled
- ESP - Triple DES with MD5 Integrity: Enabled
- ESP - 56-bit DES with SHA1 Integrity: Disabled
- ESP - 56-bit DES with MD5 Integrity: Disabled
*IKE Encryption and Diffie-Hellman Group: Triple DES with Group
2 (1024-bit prime)
Vendor ID: Disabled
Perfect Forward Secrecy: Enabled
Compression: Disabled
Rekey Timeout: 08:00:00
Rekey Data Count: (None)
*ISAKMP Retransmission Interval: 16
*ISAKMP Retransmission Max Attempts: 4
Set up a branch office tunnel inside this new group with the
following settings:
Endpoint Addresses
Local - Public address of your COntivity
Remote - Your Free-S/WAN interface Address
Tunnel Type - IPSEC
IPSEC Authentication - Text Pre-Shared Key
One note here, I have had some trouble trying to use HEX
or Non alphanumeric chars in this key.
Under IP:
Static Routing
Local - networks you want to be able to access through the
tunnel
Remote - networks that will be allowed through the tunnel
NAT - None
Get routing setup on your office network:
You will need to get a routing entry that will point all traffic
bound for your home network (the one that will be acciessible through
the tunnel) to the internal interface of the contivity system.
Configure Free-S/WAN:
Install, compile, and test Free-S/WAN
Edit ipsec.conf for your new tunnel:
--------------------------------------------------------
ipsec.conf --
config setup
interfaces="ipsec0=eth1"
forwardcontrol=no
klipsdebug=none
plutodebug=none
manualstart=
plutoload=%search
plutostart=%search
plutowait=no
conn net1
type=tunnel
auto=start
auth=esp
authby=secret
keyexchange=ike
keylife=1h
keyingtries=1
pfs=yes
left=10.0.0.2
leftnexthop=10.0.0.1
leftsubnet=10.0.1.0/24
right=172.16.0.2
rightsubnet=172.16.1.0/24
conn net2
type=tunnel
auto=start
auth=esp
authby=secret
keyexchange=ike
keylife=1h
keyingtries=1
pfs=yes
left=10.0.0.2
leftnexthop=10.0.0.1
leftsubnet=10.0.1.0/24
right=172.16.0.2
rightsubnet=172.16.2.0/24
ipsec.secrets --
10.0.0.2 172.16.0.2 "Your big secret"
---------------------------------------------
The above config is for this imaginary network:
+------+
10.0.1.1 | |10.0.0.2 10.0.0.1++ Internet
---------| |-------------------++===========
+------+ Home Router
Free-S/WAN host
Internet ++ 172.16.0.2#### 172.16.1.0/24 These
=========++--------------####---------172.16.2.0/24 are here somewhere
Office Router Contivity
This has worked for me. I am still having trouble with the tunnels
dying after about 30-40 minutes of non-use. Don't know what that is
about, but I'll keep you posted.
Subject: Interoperability with Raptor 5 (Success!) Date: Wed, 06 Jan 1999 16:19:27 -0500 From: Chuck Bushong <chuckb@chandler-group.com> I don't know if this is useful information for anyone, but I have successfully established a VPN between RedHat 5.1 (kernel 2.0.34) running FreeS/WAN 0.91 and NT4 running Raptor 5. However, Pluto does not appear compatible with the Raptor IKE implementation. . . . Subject: RE: linux-ipsec: Interoperability with Raptor 5 (Success!) Date: Thu, 28 Jan 1999 17:22:55 -0500 From: Chuck Bushong <chuckb@chandler-group.com> ... this VPN (at least the klips end) has been up under minimal utilization for three weeks plus without interruption. The machine seems very stable. Pat yourself on the back, gentlemen. Your beta release is more stable than certain companies' shipping product. Keep up the good work.
Subject: Re: successful interop. with Raptor 6.02
From: "Charles G. Griebel" <cggrieb@biw.com>
Date: Tue, 25 Jul 2000
On Thu, Jul 20, 2000 at 12:04:40PM -0700, Kevin Traas wrote:
> Great! I'm just about to start looking into this as well, so any
> docs/info you can provide would be *greatly* appreciated. Immortalize
> yourself! Get something written and added to the compatibility.html
> file. Many will thank you.
Can't be that hard. I'm just a freeswan newbie who hasn't even done a FS
FS
tunnel yet :)
Anyway, I hope you find this helpful.
Chock
-------------------------------------------------------------------------------
Automatically keyed 3DES VPN between Raptor 6.02 on Solaris 2.6 (left) and
FreeS/WAN 1.5 on 2.2.16 Intel (right)
FreeS/WAN (right) information:
-----------------------------
ipsec.conf
----------
config setup
interfaces="ipsec0=ppp0" # change to suite
klipsdebug=
plutodebug=
plutoload=sample
plutostart=sample
conn sample
left=10.0.0.1
leftnexthop=10.0.0.2
leftsubnet=192.168.0.0/24
right=10.1.1.1
rightnexthop=10.1.1.1
rightsubnet=172.16.1.0/24
auto=add
keyexchange=ike
pfs=no
lifetime=8h
esp=3des-md5-96
ipsec.secrets
-------------
# note I haven't verified that underscores will actually work
10.0.0.1 10.1.1.1: PSK "some_long_secret_with_plenty_of_chars"
Raptor 6.02 (left) information:
------------------------------
Key Profiles:
Name: left-external-kp-dynamic
Type: Dynamic
Profile Describing: local entity
Gateway: 10.1.1.1
Identification Type: Address
Identification: 10.1.1.1
ISAKMP Hash Method: MD5
ISAKMP Authentication: Shared_Key
Shared Secret: some_long_secret_with_plenty_of_chars
Time Expiration: 1080
Name: right-external-kp-dynamic
Type: Dynamic
Profile Describing: remote entity
Gateway: 10.0.0.1
Identification Type: Address
Identification: 10.0.0.1
Secure Subnets:
Name: left-ss-dynamic
Address: 192.168.0.0
Netmask: 255.255.255.0
Key Profile: left-ss-dynamic
Name: right-ss-dynamic
Address: 172.16.1.0
Netmask: 255.255.255.0
Key Profile: right-ss-dynamic
Secure Tunnel:
Name: left-to-right-tunnel
Entity A: right-ss-dynamic
Entity B: left-ss-dynamic
Encapsulation: ISAKMP
Filter: [none]
Pass traffic through proxies: [unchecked]
Use Authentication Header: [unchecked]
Use Encryption Header: [checked]
Data Integrity Algorithm: MD5
Data Privacy Algorithm: 3DES
[Advanced settings]
Data volume timeout: 2100000
Lifetime timeout: 480
Inactivity timeout: 0
Transport mode: [unchecked]
Perfect forward secrecy: [unchecked]
Proxy: [checked]
----
Notes:
I made the addresses fictitious RFC1918 addresses.
I haven't tried PFS.
I had problems getting an SA with manual keying -- I think it may be with the
SPI's.
> In the Raptor settings, there are 2 sets of data (1 for each end). Each set > contains an SPI, 3 DES Keys and 1 MD5 hash. I only know how to include one > set, how do I include the other set? Is the other set needed? They may be using different keys for each direction, which is a bit unusual for manual keying, but not impossible. The simplest thing is probably to just give it two identical sets of data -- that should work. FreeS/WAN has provisions for asymmetric keys etc. in manual keying, but that stuff is lightly documented and lightly tested.
Subject: Successful interop: FreeS/WAN 1.7
Gauntlet Firewall GVPN 5.5
Date: Tue, 21 Nov 2000
Sending the following to the list, at Hugh's request.
-----Original Message-----
From: Reiner, Richard
Sent: Tuesday, November 21, 2000 11:34 AM
To: 'hugh@mimosa.com'
Hugh,
> Good. But we don't think that you should be using our IPCOMP just
> yet. It is flaky :-(
I've seen no anomalies, although "allow ipcomp" is on at the Gauntlet
end. Looking at my ipsec.conf I actually find no refereence to ipcomp.
I presume it is disabled by default. In addition, reviewing my logs
both on the Gauntlet end and the Linux end, I see nothing I can
interpret as an indication that ipcomp was enabled during negotiation.
So I have to correct my previous posting - I believe the link is *not*
using ipcomp.
> This is interesting and we'd love a more complete writeup. It should
> get incorporated into our interop documentation.
Here are the relevant bits from ipsec.conf:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn freeswan17-gauntlet55
auto=start
type=tunnel
left=1.1.1.1
leftnexthop=1.1.1.2
leftsubnet=10.0.1.0/24
right=3.3.3.3
rightnexthop=3.3.3.4
rightsubnet=10.0.2.0/24
authby=secret
keyexchange=ike
ikelifetime=480m
auth=esp
esp=3des-md5-96
keylife=480m
keyingtries=8
pfs=no
rekeymargin=9m
rekeyfuzz=25%
All settings on the Gauntlet side are the same (not shown here, as GUI
screenshots are hard to show in ASCII... and the textual format that is
generated by the Gauntlet GUI is ugly in the extreme).
Note that ikelifetime is 1440m by default on the Gauntlet end, but
freeswan does not support this value (max appears to be 480m), thus the
Gauntlet end is also set to 480m to match freeswan's value.
Also worth noting: I am using the excellent Seawall scripts to manage
ipchains configuration on the freeswan end. It automatically generates
a correct set of firewall rules for the link (along with doing many
other convenient things).
For more information on Seawall (the Seattle Firewall), see that
project's home page on
Sourceforge.
A PDF HowTo for connecting FreeS/WAN and this product can be downloaded from the vendor's site or browsed at a VPN mailing list site.
The mailing list reports success with this combination, but also some problems. Search the archives for the full story.
Here is one message, about what seems to be the biggest problem:
Subject: Re: Pb establishing connection from FW1/3DES/SP2 with freeswan 1.5 - ACTE 2 Date: Tue, 6 Feb 2001 From: Claudia Schmeing <claudia@freeswan.org> > Thanx to Michael and Claudia, but this doesn't work from VPN1 to linux (as > linux to VPN1 is OK). ... > I think that VPN1 doesn't send "192.168.1.0/24" but "192.168.1.20/32" and, > as Claudia said, IPSEC SA need to match Exactly. I don't know about the rules on the VPN-1. You'll have to rely on people with applicable experience there... > Is it possible that freeswan doesn't do the inclusion process (ie if he > receive 192.168.1.20/32, i doesn't match that this is include in > 192.168.1.0/24) ? Yes, that's correct. It needs to match exactly, and inclusion is not part of this process. > Btw why VPN/1 send 192.168.1.20/32 and not 192.168.1.20/24 (the value that > Freeswan is waiting for)? A bug? I think Michael may be able to help you with this. > Have i a way to force Freeswan to do the "inclusion" (ie accept > 192.168.1.20/32 as a part of 192.160.1.20/24, even if the 2 IPSEC Sa > doesn't match exactly) ? No, but... Another strategy is to accept the fact that the Checkpoint proposes separate connections for each machine. If you define and add each of these connections on the Linux FreeS/WAN side, then Linux FreeS/WAN ought to accept the Checkpoint's proposals. The only possible difficulty with this strategy is that I don't know how Linux FreeS/WAN handles the concept of overlapping tunnels. I believe, though, that these tunnels can coexist, and if for any packet there are two options, a more general and a less general, the packet will be handled by the more specific tunnel. You would need to do a little testing to ensure you understand the behaviour and that this does actually solve your problem. I think it would be simplest to try to get the Checkpoint to propose the more general tunnel. Since I don't recall having seen this problem before, I suspect the simpler solution is doable.
The vendor seems serious about interop with us. Here is a message one of their staff posted on our list:
From: Jussi Torhonen <jt@ssh.com> Organization: SSH Communications Security Corp - http://www.ssh.com Subject: [Users] SSH Sentinel VPN client public beta #3 now available Date: Thu, 31 May 2001 Hello, FreeS/WAN community ! SSH Communications Security Corp has released a new public beta #3 version of SSH Sentinel VPN client for Windows. We've got a lot of reports also from FreeS/WAN community and with that feedback we've improved interoperability and stability. For example PFS (Perfect Forward Secrecy in IKE rekey) can now be used between SSH Sentinel and FreeSWAN, and if using that user contributed X.509 patch and exporting the certificate from SSH Sentinel, now those -----[BEGIN|END] CERTIFICATE----- headers/footers are properly included in the exported PEM formatted certificate, so it can be imported to FreeSWAN with fswcert utility and OpenSSL tools. Thank you a lot for your feedback, colleagues ! You can get that new public beta #3 and PDF formatted User Manual from ftp://ftp.ssh.com/pub/sentinel/ or via website http://www.ipsec.com/products/sentinel/beta/register.html For more information about the product, please check our website http://www.ipsec.com We eagerly want to make SSH Sentinel as the best VPN client on the market. If you want to contact our support, please send e-mail to sentinel-support@ssh.com or fill up our feedback form at http://www.ipsec.com/support/sentinel/beta_report.html Best regards, Jussi Torhonen, SSH Sentinel Team Kuopio, Finland
Subject: linux-ipsec: Identification through other than IP number Date: Tue, 13 Apr 1999 From: Thomas Bellman <bellman@signum.se> ... Currently we are trying to interop FreeS/WAN with F-Secure VPN+ Client 4.0 (for MS Windows), and as long as the Windows machine has a fix IP address, and are initiating the IKE negotiations, things are working well. However, when the IP address is changing, it doesn't work. ... (I'll try to write something up about the problems we are having when Pluto is initiatior in another message.)
Watchguard make a Linux-based firewall product. Ipchains author Rusty Russell thanks them for support and recommends them in one of his HowTos . On the other hand, some comments on our mailing list about the Watchguard product have been quite unfavourable. See, for example, this archive message.
Watchguard do not use FreeS/WAN in their product. They have their own IPSEC implementation.
We have had mailing list reports of successful interoperation between FreeS/WAN and the Watchguard firewall, using manually keyed connections. The user could not get automatically keyed connections to work; the message below explains this.
Here is some mail from a Watchguard employee about interoperation:
Subject: FreeS/WAN and WatchGuard Firebox interop Date: Mon, 18 Dec 2000 From: Max Enders <menders@watchguard.com> I was recently given the task of testing IPSec interoperability with our product, the Firebox. I just wanted to let you know that I had success with a manual keyed tunnel. Here's what I used for my test: RedHat Linux 6.2 Linux 2.2.18 i686 unknown Linux FreeS/WAN 1.8 "Trusted" interface: 192.168.0.1/24 "External" interface: 192.168.1.1/24 Firebox II FastVPN WatchGuard Live Security System v4.5 Trusted interface: 192.168.2.1/24 External interface: 192.168.1.2/24 Because FreeS/WAN does not implement single DES, a dynamic keyed tunnel will not work. Our product strictly uses DES for main mode. We hope to address this in a future release. Here are instructions for configuring the Firebox: Open the Policy Manager and create a new IPSec gateway. Set the Key Negotiation Type to manual and enter the FreeS/WAN box's external IP address for the Remote Gateway IP. Configure a new tunnel with a unique SPI. Select 3DES-CBC for Encryption and MD5-HMAC for Authentication. Make an Encryption Key and Authentication Key. Copy the values and save them for configuration of the FreeS/WAN box. Configure a routing policy and any necessary services as you normally would. Here's how I configured FreeS/WAN: Modifications to /etc/ipsec.conf: Under the "config setup" section, add: manualstart=firebox At the end of the file, add the following connection: conn firebox left=192.168.1.1 leftsubnet=192.168.0.0/24 right=192.168.1.2 rightsubnet=192.168.2.0/24 spi=0x101 esp=3des-md5-96 espenckey=0x515b0875793e3708517c3d4554012f7c0273375e51572a31 espauthkey=0x072649041c2c0d452f7c15407576522f The spi used here should match the Firebox's. Note that the Policy Manager expects an SPI in decimal, not hexadecimal. The espenckey value should be 0x and the Encryption Key you're using on the Firebox. Likewise for espauthkey and the Authentication Key on the Firebox.A user comments:
Subject: RE: Freeswan Date: Wed, 7 Feb 2001 From: "Patrick Poncet" <pponcet@vaxxine.com> It's working!!! Voila... I wish to thank all the FreeS/WAN for putting out such a great product out! And also Philippe PAULEAU who pioneered interoperability between FreeS/WAN and Watchguard Firebox II and therefore showed me that my efforts would not be wasted!... Yes indeed FreeS/WAN to WatchGuard Firebox only works in manual keying mode and the best way to generate keys is to have the firebox generate the keys, then copy and paste into the ipsec.conf file on the FreeS/WAN side (don't forget to prefix the keys with '0x' in your ipsec.conf file. Also keep in mind that the SPI is in decimal on the Firebox side and HEX on the FreeS/WAN side!!! We spent 4 hours on fixing this HEX-DEC issue only :)
Subject: linux-ipsec: Interoperability result
Date: Mon, 15 Mar 1999 18:08:12 -0500
From: Paul Koning <pkoning@xedia.com>
Here's another datapoint for the "FreeS/WAN interoperability
database".
I tested 0.92 against the Xedia Access Point/QVPN product, using
dynamic keying (i.e., Pluto at work).
Results: it works fine so long as you ask for 3DES. DES and no-crypto
modes don't work when Pluto is involved.
I did limited data testing, which seemed to be fine. No performance
numbers yet, could do that if people are interested.
Any questions, please ask.
paul
Since version 6.5, the PGP products from PGP Inc. have included an IPSEC client program.
Here is the first message about it to our mailing list, from a senior PGP employee:
Subject: linux-ipsec: PGPnet interoperable with FreeSWAN
Date: Mon, 05 Apr 1999 18:06:13 -0700
From: Will Price <wprice@cyphers.net>
To: linux-ipsec@clinet.fi
Network Associates announced PGP 6.5 today. It includes a new product
PGPnet which is a full IKE/IPSec client implementation. This product
is for Windows and Macintosh. I just wanted to send a brief note to
this list that the product was compatibility tested with FreeSWAN
prior to its release, and the tests were successful!
[snip]
- --
Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
One version is downloadable at no cost for non-commercial use. See our links. That version does not support subnets.
Several of the user-written HowTos mentioned above cover interoperation between PGPnet and FreeS/WAN.
A more recent post from the same PGP Inc staff member pointed out:
Make sure you're using PGP 7.0 or later as the key parser was improved in that release. (PGP 7.0.1 was just released)
Various users have reported various successes and problems talking to PGPnet with FreeS/WAN. There has also been a fairly complex discussion of some fine points of RFC interpretation between the implementers of the two systems. Check an archive of our mailing list for details.
A post summarising some of this, from our Pluto programmer:
Subject: PGPnet 6.5 and freeswan Date: Sun, 16 Jan 2000 From: "D. Hugh Redelmeier" <hugh@mimosa.com> | From: Yan Seiner | | OK, I'm stumped. I am trying to configure IPSEC to support road | warriors using PGPnet 6.5. | | I've set up everything as per the man pages on the ipsec side. | | I've set up everything on the PGPnet side per the docs for that package. | | Pluto fails with this: | | Jan 16 08:14:11 aphrodite Pluto[26401]: "homeusers" #8: no acceptable | Oakley Transform | | and then it terminates the connection. As far as I can tell/remember, there are three common ways that PGPnet and FreeS/WAN don't get along. 1. PGPnet proposes a longer lifetime for an SA than Pluto is willing to accept. 2. After rekeying (i.e. after building a new SA bundle because the old one is about to expire), FreeS/WAN immediately switches to the new one while PGPnet continues using the old 3. FreeS/WAN defaults to expecting Perfect Forward Secrecy and PGPnet does not. Perhaps you are bumping into the first. In any case, look back in the log to see why Pluto rejected each transform
Some advice from the mailing list:
Subject: Re: Secure Gate Fails- PGPNet & FreeSwan
Date: Wed, 28 Jun 2000
From: Andreas Haumer <andreas@xss.co.at>
I have a PGPnet setup running with FreeS/WAN working as secure
gateway. It works quite fine, except for a re-negotiation problem
I'm currently investigating, and in fact I have it running on some
test equipment here right now!
As I tried _several_ different non-working configuration settings
I think I know the exact _one_ which works... :-)
Here's my short "HOWTO":
FreeS/WAN version: snap1000jun25b
PGPnet: PGP Personal Privacy, Version 6.5.3
Linux: 2.2.16 with some patches
Network setup:
=============
internal subnet [192.168.x.0/24]
|
| [192.168.x.1]
secure gateway with FreeS/WAN
| [a.b.c.x]
|
| [a.b.c.y]
router to internet
|
| Internet
|
| [dynamically assigned IP address]
road-warrior with PGPnet
Configuration of FreeS/WAN:
==========================
a) /etc/ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
conn %default
keyingtries=1
authby=secret
left=a.b.c.x
leftnexthop=a.b.c.y
conn gw-rw
right=0.0.0.0
auto=add
conn subnet-rw
leftsubnet=192.168.x.0/24
right=0.0.0.0
auto=add
b) /etc/ipsec.secrets
a.b.c.x 0.0.0.0: "my very secret secret"
Note: If you are running ipchains on your secure gateway,
you have to open the firewall for all the IPsec packets
and also for traffic from your ipsec interface!
Don't masquerade the IPsec traffic!
Check your logfiles if the firewall is blocking some
important packets!
Configuration of PGPnet:
=======================
(note that there is an excellent description, including
screenshots of PGPnet, on <http://jixen.tripod.com/>)
In short, do the following:
Launch the PGPnet configuration tool and set defaults options
=============================================================
Start - Program - PGP - PGPnet
View - Options
General Panel :
Expert Mode
Allow communications with unconfigured hosts
Require valid authentication key
Cache passphrases between logins
IKE Duration : 6h
IPsec : 6h
Advanced panel :
Selected options :
Ciphers : Tripple DES
Hashes : MD5
Diffie-Hellman : 1024 and 1536
Compression : LZS and Deflate
Make the IKE proposal :
Shared-Key - MD5 - 3DES -1024 bits on top of the list (move up)
Make the IPSec proposal :
NONE - MD5-TrippleDES -NONE on top of the list (move up)
Select Perfect Forward Secrecy = 1024 bits
Press OK
Create the connection's definition.
==================================
In the Hosts panel, ADD
Name : Enter a name for the right gateway
IPaddress : Enter its IP address visible to the internet (a.b.c.x)
Select Secure Gateway
Set shared Paraphrase : enter you preshared key
Identity type : select IP address
Identity : enter 0.0.0.0
Remote Authentication : select Any valid key
Press Ok
Select the newly created entry for the right gateway and click ADD,
YES
Name : Enter a name for the central subnet
IP address : Enter its network IP address (192.168.x.0)
Select Insecure Subnet
Subnet Mask : enter its subnetmask (255.255.255.0)
Press OK, YES, YES
This should be it. Note that with this configuration there is
still this re-keying problem: after 6 hours, the SA is expired
and the connection fails. You have to re-connect your connection
with PGPnet.
and a note from the team's tech support person:
Date: Thu, 29 Jun 2000 From: Claudia Schmeing There is a known issue with PGPNet which I don't see mentioned in the docs. It's likely related to this one, that you note on the site: >2. After rekeying (i.e. after building a new SA bundle because the old > one is about to expire), FreeS/WAN immediately switches to the new > one while PGPnet continues using the old The issue is: When taking down and subsequently recreating a connection, it can appear to come up, but it is unusable because PGPNet continues to use an old SA, which Linux FreeS/WAN no longer recognizes. The solution is to take down the old connection using PGPNet, so that it will then use the most recently generated SA.
IRE have an extensive line of IPSEC products, including firewall software with IPSEC, and hardware encryption devices for LAN or modem links. Their Soft-PK is a Win 98 and NT client.
Quite a few people seem to be using this with FreeS/WAN and, judging by mailing list reports, to be getting good results. Several documents are available:
Some messages from the mailing list:
Subject: Re: Identification through other than IP number
Date: Fri, 23 Apr 1999
From: Tim Miller <cerebus+counterpane@haybaler.sackheads.org>
Randy Dees writes:
> Anyone know of a low-cost MS-Win client that interoperates and does not
> require purchasing a server license to get it?
SafeNet/Soft-PK from IRE (http://www.ire.com) is a low-cost
client (though I don't have the exact cost available at the moment).
I've got it running on an NT4 workstation and it interoperates nicely
(in transport mode, will try tunnel later) with FreeS/WAN. It's also
ICSA IPsec certified.
A later report from a different user:
Subject: Interop.. testing. WIN32 client : Success Story Date: Thu, 11 Nov 1999 From: Jean-Francois Nadeau <jna@microflex.ca> You can add IRE's products in the supported, well working (and cheap) WIN32 client. I tested it (SafeNet SoftPK 3DES) against Freeswan 1.0 and 1.1 in both tunnel and transport mode in a RoadWarrior configuration. No bug. The software is light, non-intrusive and transparent for the user.....defenitly, thats a good one. The tunnel is establish on demand. Using shared keys....but hope to use certificates with it soon (well, when Freeswan will ;)).A recent report with some setup details:
Subject: RE: linux-ipsec: PGPnet and Freeswan one more time... Date: Sat, 16 Dec 2000 From: "Tim Wilson" <timwilson@mediaone.net> Here are some details about using the IRE SafeNet Soft/PK client with a FreeSwan gateway. I applied the x509 patch to Pluto according to the instructions. I use the "leftcert" and "rightcert" keywords in the ipsec.conf file. This causes FreeSwan to read the public keys and identities from the cert files. The identities wanted and used by FreeSwan will then be the DNs in the certs. I used OpenSSL to generate keys and certs and to sign certs. When generating the gateway cert, you should *not* enter an e-mail address because it turns out that confuses Soft/PK. Also, Andreas Steffan tells me that you want to keep the cert short to avoid fragmentation, so use a 1024-bit RSA key and succinct names. The FreeSwan gateway cert goes in /etc/ipsec.d/, the gateway private key is extracted from the key file using fswcert (part of the x509 patch) and pasted into /etc/ipsec.secrets, and a DER version of the gateway cert goes in /etc/x509cert.der. This is all according to the instructions that accompany the x509 patch. The Windows client is of course running Soft/PK in this case. I generated a private key and cert for the client on the Linux machine using OpenSSL. I created a pkcs12 file containing the client's private key and cert, which I put on a floppy and imported into Soft/PK. I also imported the gateway cert into Soft/PK (you can either import a self-signed cert for the gateway or the self-signed cert for the CA that signed the gateway cert--either works). Soft/PK allows you to configure practically everything for the connection. Here are the main points to watch for: On the first panel you have to set the peer identities. The gateway will identify itself using the DN in the gateway cert. So of course you have to configure Soft/PK to look for the correct DN. There's no problem with this as long as you didn't enter an e-mail address in the gateway cert. Just check "Connect using Secure Gateway tunnel", set ID type to "Distinguished Name", and enter the correct info in the dialog box. In "My identity" just select the client cert that you imported in pcks12 format. Soft/PK apparently identifies itself with the DN from the cert, which is exactly what FreeSwan is looking for. In "Security Policy", you want Main mode and make the PFS setting agree with whatever FreeSwan is doing (FreeSwan uses PFS by default). If you use PFS I believe you must use DH group 2 as FreeSwan doesn't like group 1. Phase 1 Authentication must be "RSA signatures" and 3DES plus either MD5 or SHA-1 (I used MD5 but I believe FreeSwan accepts either). I left the lifetime unspecified. Also you must select DH group 2 because I believe that FreeSwan will not accept group 1. Phase 2 also must use 3DES and MD5 or SHA-1. I used no compression and only ESP and no AH, haven't tried other choices. Hope this helps.
Subject: ipsec interoperability FYI Date: Sun, 02 May 1999 From: Sean Rooney <sean@coldstream.ca> we've been doing some basic interoperability testing of the following; PGP NT VPN 6.5 and freeswan both seem to work reasonably well with Borderware 6.0 and freegate 1.3 beta. [as well as eachother] more details coming soon.
Subject: TimeStep Permit/Gate interop works!
Date: Thu, 10 Jun 1999
From: Derick Cassidy <dcthebrain@geek.com>
Just a quick note of success. TimeStep Permit/Gate (2520) and
Free/Swan (June 4th snapshot) interoperate!
I have them working in AUTO mode, with IKE. IPSec SA's are negotiated
with 3DES and MD5.
Here are the configs and a diagram for both configs.
left subnet---| Timestep | --- internet --- | Linux box |
The left subnet is defined as the red side of the timestep box.
This network definition MUST exist in the Secure Map.
On the Linux box:
ipsec.conf
conn timestep
type=tunnel
left=209.yyy.xxx.6
leftnexthop=209.yyy.xxx.1
leftsubnet=209.yyy.xxx.128/25
right=24.aaa.bbb.203
rightnexthop=24.aaa.bbb.1
rightsubnet=24.aaa.bbb.203/32
keyexchange=ike
keylife=8h
keyingtries=0
In the TimeStep permit/gate Secure Map
begin static-map
target "209.yyy.xxx.128/255.255.255.128"
mode "ISAKMP-Shared"
tunnel "209.yyy.xxx.6"
end
In the TimeStep Security Descriptor file
begin security-descriptor
Name "High"
IPSec "ESP 3DES MINUTES 300 or ESP 3DES HMAC MD5 MINUTES 300"
ISAKMP "IDENTITY PFS 3DES MD5 MINUTES 1440
or DES MD5 MINUTES 1440"
end
The timestep has a shared secret for 24.aaa.bbb.203/255.255.255.255
set in the Shared Secret Authentication tab of Permit/Config.
A web page with Shiva compatibility information.
Subject: Re: FreeS/WAN and Solaris Date: Tue, 11 Jan 2000 From: Peter Onion <Peter.Onion@btinternet.com> Slowaris 8 has a native (in kernel) IPSEC implementation. I've not done much interop testing yet, but I seem to rememeber we got a manual keyed connection between it and FreeSwan a few months ago.
Subject: Re: FreeS/WAN and SonicWall
Date: Mon, 5 Feb 2001
From: "Dilan Arumainathan" <dilan_a@impark.com>
***************************************************
I know I HAVE TO write the mini-howto - but here is the beginning
***************************************************
Here is my Sonicwall configuration for my working connection:
conn testauto
left=x.x.x.x
leftnexthop=x.x.x.x
right=y.y.y.y
rightnexthop=y.y.y.y
rightsubnet=10.1.20.0/24
#You need to set the Unique Firewall Identifier to the parameter that you
#use as the rightid.
It certainly has been possible to interop between Radguard VPN gateways and past Linux FreeS/WAN versions, as is evidenced by http://www.opus1.com/vpn/atl99display.html, as well as my own interop results from San Diego this year. There have been no major changes since SD that I would foresee affecting this. The Radguard team said that their VPN gateway will not respond to a peer request with PFS (Perfect Forward Secrecy) on, but it *will* successfully establish such a connection with Linux FreeS/WAN when Radguard is the initiator. Since PFS is a desirable feature in terms of cryptographic security, this asymmetry may frustrate efforts to provide a connection that is both as reliable as secure as possible. While it's not clear that rekeying will present a problem, I suspect that some fine tuning of the key life parameters may be needed. Unfortunately I was unable to do additional tests on this topic. Due to the PFS issue, when trying to maintain a connection with PFS, you may need to set the rekeying times shorter on the radguard side, in order to ensure that it is always the initiator.
Quite a number of client programs for IPSEC on Windows are available. Many of them are listed in this piece of list mail:
Subject: Re: Searching Windows95/98 and NT4.0 Clients for FreeS/WAN
From: Claudia Schmeing <claudia@coldstream.ca>
Date: Wed, 12 Jul 2000
F-Secure VPN+
-------------
for Win 95, 98 and NT 4.0
http://www.datafellows.com/products/vpnplus
Checkpoint SecureRemote VPN-1 4.1
---------------------------------
for Win 95, 98 and NT
http://www.checkpoint.com/techsupport/freedownloads.html
Raptor Firewall, Raptor MobileNT 5.0
-------------------------------------
Mobile NT is a "Client"* for Win 95, 98 (except SE), First Edition Windows NT
up to Service Pack 4. It ships with DES; triple DES may be available as an
add-on depending on your location.
Firewall is for Win NT 4.0 or Win 2000.
http://www.axent.com
IRE SafeNet SoftPK
------------------
a "Client" for Win 95, 98 and NT 4.0 *
http://www.ire.com
Xedia's AccessPoint QVPN "Client" or "Builder"
----------------------------------------------
"Builder" is for NT
"Client" is for Win 98 *
http://www.xedia.com
* "Client" in this context indicates software that does not support a subnet
behind its end of the connection.
That mail omits the PGPnet client because the user asking the question already knew of it. The SSH Sentinel client, released since the above message, is another possibility. Both of those have members of the vendor's staff active on our mailing list, an excellent sign for both interoperability and support.
We also know of some Windows IPSEC clients not mentioned above:
No doubt there are others we don't know of.
Robert Cotran asked:
> I have a VPN setup between two subnets (192.168.1.x and 192.168.2.x). I > would like to be able to join the NT domain on 192.168.1.x from the > 192.168.2.x subnet. Is this possible? Do I have to forward specific ports > to do this? I've already set up WINS entries for all the machines, so > accessing computers by their NetBIOS names works perfectly. Please let me > know about this domain thing. Thanks!Dilan Arumainathan answered:
All you need to do is to:
1. Enable NetBIOS over TCP.
2. Create a "lmhosts" file and enter the address of a BDC or a PDC like
192.168.1.[x] [Your PDC/BDC servername] #PRE #DOM:[Your Domain Name]
eg. 192.168.1.1 MYOWNPDC #PRE #DOM:DENSI-NT
3. Reboot if necessary.
and Sebastien Pfieffer provided a slightly different answer:
For a trust relationship to work between NT domains in different (sub)nets all domain controllers of the 1st domain have to know about all controllers of the other domain. Either you use the described LMHOSTS entry for every domain controller of both domains or consider setting up WINS service(s).We suspect that in some cases it may be more complex than that. See the discussion of Linux services and Windows 2000 below and the Interop HowTo documents listed above.
Windows 2000 ships with an IPSEC implementation built in. There may be restrictions. We have had mailing list reports that only the server version will act as a gateway, working with a subnet behind it, and other versions offer only "client" functionality, with no subnet. We are unclear on details.
Some versions of Windows 2000 ship with only weak encryption. You need to upgrade them with the strong encryption pack, available either via the Windows 2000 update service or from Microsoft's web site.
Windows 2000 IPSEC sometimes exhibits remarkably odd behaviour. It will allow you to configure it for 3DES only, then ignore your settings and fall back to single DES in some circumstances. Microsoft have said they will fix this. See this Wired article.
Windows 2000 also uses a number of other security mechanisms which have Linux equivalents. To integrate well with Windows 2000, you may need to look at several open source projects other than FreeS/WAN:
The Windows 2000 Kerberos implementation includes proprietary modifications. This is a security worry since it is by no means clear that the modified version remains secure. It also creates interoperation problems. Microsoft have released documentation on their modifications, but only under a license that hampers attempts either to audit their code for security flaws or to build other implementations that interoperate with it.
You write, > I want some information about IPsec with L2TP. > I'm going to build the IPsec tunnel on the L2TP tunnel. > Is it strange? > Is there any case like this already implemented? It's used, but rarely. In many cases, IPSec alone is sufficient. In this thread, Timo Teras reports that he configured the L2TP/IPSec hybrid with Win2k. He gives some pointers. http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00545.html See also John P. Eisenmenger's report on his own experiences at: http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00195.html
As for IPSEC interoperation between Windows 2000 and FreeS/WAN, there are several web sites listed under Interop HowTo documents above.
Here is a discussion from the mailing list:
From: "Jean-Francois Nadeau" <jna@microflex.ca>
Subject: Win2000 IPsec interop. in tunnel mode
Date: Tue, 29 Feb 2000
This was a pain.... but it worked. ;)
Win2000 Server against Freeswan 1.1 in tunnel mode is a success.
My Setup
Freeswan :
Kernel 2.2.12 running Freeswan 1.1
Using 3DES-MD5 and PreShared Keys.
Win2000
M$ Win2000 Advanced server patched for 3DES
Here's the setup for the Win2000 Server.
Open an MMC with the IPsec Security policy editor snap-in.
Create a new IP Security Policy.
Create 2 IP SECURITY RULES. One for inbound traffic and one for outbound trafic (see below)
Create 2 IP FILTERS. One for inbound traffic and one for outbound trafic (see below)
Assign the inbound IP SECURITY RULE to the inbound IP FILTERS, same for outbound.
Select both IP SECURITY RULES.
Select your IP Security Policy, right click and ASSIGN.
We need an example to clarify that !@#! logic :
In freeswan :
Conn Interop_Testing
Left=1.2.3.4
Leftsubnet=10.0.0.0/8
Right=9.8.7.6
Rightsubnet=192.168.0.0/24
In Win2000
IP Security Policy : Interop_Testing
**********
1st IP Security rule : Left_to_Right
IP Filter List : Left_to_Right
Source Address = 1.2.3.4
Destination Address = A specific Subnet = 192.168.0.0 255.255.255.0
Filter Action : Request Security
Connections type : All connections
Tunnel Settings : Endpoint = 9.8.7.6
Authentication Method = PreSharedKey=yourkey
***********
**********
2nd IP Security rule : Right_to_Left
IP Filter List : Right_to_Left
Source Address = 9.8.7.6
Destination Address = A specific Subnet = 10.0.0.0 255.0.0.0
Filter Action : Request Security
Connections type : All connections
Tunnel Settings : Endpoint = 1.2.3.4
Authentication Method = PreSharedKey=yourkey
***********
HINTS :
Do not use mirroring in your IP filters.
Move your main proposal to the top (in my case 3DES-MD5)
Enable PFS.
It worked... but a RoadWarrior configuration doesnt seems to be
possible here (must specify both Endpoints and 0.0.0.0 is not acceptable).
Jean-Francois Nadeau
Microlfex.
The RoadWarrior problem has since been solved. RSA authentication has been added to FreeS/WAN since the above message was posted.
Cryptography has a long and interesting history, and has been the subject of considerable political controversy.
The classic book on the history of cryptography is David Kahn's The Codebreakers. It traces codes and codebreaking from ancient Egypt to the 20th century.
Diffie and Landau Privacy on the Line: The Politics of Wiretapping and Encryption covers the history from the First World War to the 1990s, with an emphasis on the US.
There are many books on this period. See our bibliography for a few, or try a (web or library) search on "Ultra" and "Enigma". Two books I particularly like are:
Bletchley Park, where much of the Ultra work was done, now has a museum and a web site.
The Ultra work introduced three major innovations.
So by the end of the war, Allied code-breakers were expert at large-scale mechanised code-breaking. The payoffs were enormous.
America's NSA, for example, is said to be both the world's largest employer of mathematicians and the world's largest purchaser of computer equipment. Such claims may be somewhat exaggerated, but beyond doubt the NSA -- and similar agencies in other countries -- have some excellent mathematicians, lots of powerful computers, sophisticated software, and the organisation and funding to apply them on a large scale. Details of the NSA budget are secret, but there are some published estimates.
Changes in the world's communications systems since WW II have provided these agencies with new targets. Cracking the codes used on an enemy's military or diplomatic communications has been common practice for centuries. Extensive use of radio in war made large-scale attacks such as Ultra possible. Modern communications make it possible to go far beyond that. Consider listening in on cell phones, or intercepting electronic mail, or tapping into the huge volumes of data on new media such as fiber optics or satellite links. None of these targets existed in 1950. All of them can be attacked today, and almost certainly are being attacked.
The Ultra story was not made public until the 1970s. Much of the recent history of codes and code-breaking has not been made public, and some of it may never be. Two important books are:
Note that these books cover only part of what is actually going on, and then only the activities of nations open and democratic enough that (some of) what they are doing can be discovered. A full picture, including:
might be really frightening.
In recent years, that has changed a great deal. With computers and networking becoming ubiquitous, cryptography is now important to almost everyone. Among the developments since the 1970s:
This has led to a complex ongoing battle between various mainly government groups wanting to control the spread of crypto and various others, notably the computer industry and the "cypherpunk" crypto advocates, wanting to encourage widespread use.
Steven Levy has written a fine history of much of this, called Crypto: How the Code rebels Beat the Government -- Saving Privacy in the Digital Age.
The FreeS/WAN project is to a large extent an outgrowth of cypherpunk ideas. Our reasons for doing the project can be seen in these quotes from the Cypherpunk Manifesto:
Privacy is necessary for an open society in the electronic age. ...To quote project leader John Gilmore:We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. ...
We must defend our own privacy if we expect to have any. ...
Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.
Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. ...
For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. ...
We are literally in a race between our ability to build and deploy technology, and their ability to build and deploy laws and treaties. Neither side is likely to back down or wise up until it has definitively lost the race.
If FreeS/WAN reaches its goal of making opportunistic encryption widespread so that secure communication can become the default for a large part of the net, we will have struck a major blow.
Things various governments have tried or are trying include:
The government believes not only the governments associated with Echelon are able to intercept communication systems, but that it is an activity of the investigative authorities and intelligence services of many countries with governments of different political signature.Even if they have nothing on the scale of Echelon, most intelligence agencies and police forces certainly have some interception capability.
Of course governments are by no means the only threat to privacy and security on the net. Other threats include:
One study enumerates threats and possible responses for small and medium businesses. VPNs are a key part of the suggested strategy.
We consider privacy a human right. Our objective is to help make privacy possible on the Internet using cryptography strong enough not even those well-funded government agencies are likely to break it. If we can do that, the chances of anyone else breaking it are negliible.
For more on these issues see:
See also the bibliography and our list of web references on cryptography law and policy.
The remainder of this section includes two pieces of writing by our project leader
and discussions of:
and a section on press coverage of FreeS/WAN.
FreeS/WAN project founder John Gilmore wrote a web page about why we are doing this. The version below is slightly edited, to fit this format and to update some links. For a version without these edits, see his home page.
My project for 1996 was to secure 5% of the Internet traffic against passive wiretapping. It didn't happen in 1996, so I'm still working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we can secure 20% the next year, against both active and passive attacks; and 80% the following year. Soon the whole Internet will be private and secure. The project is called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free software, we call it FreeSwan to distinguish it from various commercial implementations. RSA came up with the term "S/WAN". Our main web site is at http://www.freeswan.org/. Want to help?
The idea is to deploy PC-based boxes that will sit between your local area network and the Internet (near your firewall or router) which opportunistically encrypt your Internet packets. Whenever you talk to a machine (like a Web site) that doesn't support encryption, your traffic goes out "in the clear" as usual. Whenever you connect to a machine that does support this kind of encryption, this box automatically encrypts all your packets, and decrypts the ones that come in. In effect, each packet gets put into an "envelope" on one side of the net, and removed from the envelope when it reaches its destination. This works for all kinds of Internet traffic, including Web access, Telnet, FTP, email, IRC, Usenet, etc.
The encryption boxes are standard PC's that use freely available Linux software that you can download over the Internet or install from a cheap CDROM.
This wasn't just my idea; lots of people have been working on it for years. The encryption protocols for these boxes are called IPSEC (IP Security). They have been developed by the IP Security Working Group of the Internet Engineering Task Force, and will be a standard part of the next major version of the Internet protocols ( IPv6). For today's (IP version 4) Internet, they are an option.
The Internet Architecture Board and Internet Engineering Steering Group have taken a strong stand that the Internet should use powerful encryption to provide security and privacy. I think these protocols are the best chance to do that, because they can be deployed very easily, without changing your hardware or software or retraining your users. They offer the best security we know how to build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.
This "opportunistic encryption box" offers the "fax effect". As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet.
The US government would like to control the deployment of IP Security with its crypto export laws. This isn't a problem for my effort, because the cryptographic work is happening outside the United States. A foreign philanthropist, and others, have donated the resources required to add these protocols to the Linux operating system. Linux is a complete, freely available operating system for IBM PC's and several kinds of workstation, which is compatible with Unix. It was written by Linus Torvalds, and is still maintained by a talented team of expert programmers working all over the world and coordinating over the Internet. Linux is distributed under the GNU Public License, which gives everyone the right to copy it, improve it, give it to their friends, sell it commercially, or do just about anything else with it, without paying anyone for the privilege.
Organizations that want to secure their network will be able to put two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by downloading it over the net, and plug it in between their Ethernet and their Internet link or firewall. That's all they'll have to do to encrypt their Internet traffic everywhere outside their own local area network.
Travelers will be able to run Linux on their laptops, to secure their connection back to their home network (and to everywhere else that they connect to, such as customer sites). Anyone who runs Linux on a standalone PC will also be able to secure their network connections, without changing their application software or how they operate their computer from day to day.
There will also be numerous commercially available firewalls that use this technology. RSA Data Security is coordinating the S/Wan (Secure Wide Area Network) project among more than a dozen vendors who use these protocols. There's a compatability chart that shows which vendors have tested their boxes against which other vendors to guarantee interoperatility.
Eventually it will also move into the operating systems and networking protocol stacks of major vendors. This will probably take longer, because those vendors will have to figure out what they want to do about the export controls.
My initial goal of securing 5% of the net by Christmas '96 was not met. It was an ambitious goal, and inspired me and others to work hard, but was ultimately too ambitious. The protocols were in an early stage of development, and needed a lot more protocol design before they could be implemented. As of April 1999, we have released version 1.0 of the software ( freeswan-1.0.tar.gz), which is suitable for setting up Virtual Private Networks using shared secrets for authentication. It does not yet do opportunistic encryption, or use DNSSEC for authentication; those features are coming in a future release.
The first prototype implementation of Domain Name System Security was funded by DARPA as part of their Information Survivability program. Trusted Information Systems wrote a modified version of BIND, the widely-used Berkeley implementation of the Domain Name System.
TIS, ISC, and I merged the prototype into the standard version of BIND. The first production version that supports KEY and SIG records is bind-4.9.5. This or any later version of BIND will do for publishing keys. It is available from the Internet Software Consortium. This version of BIND is not export-controlled since it does not contain any cryptography. Later releases starting with BIND 8.2 include cryptography for authenticating DNS records, which is also exportable. Better documentation is needed.
Because I can. I have made enough money from several successful startup companies, that for a while I don't have to work to support myself. I spend my energies and money creating the kind of world that I'd like to live in and that I'd like my (future) kids to live in. Keeping and improving on the civil rights we have in the United States, as we move more of our lives into cyberspace, is a particular goal of mine.
Would you like to help? I can use people who are willing to write documentation, install early releases for testing, write cryptographic code outside the United States, sell pre-packaged software or systems including this technology, and teach classes for network administrators who want to install this technology. To offer to help, send me email at gnu@toad.com. Tell me what country you live in and what your citizenship is (it matters due to the export control laws; personally I don't care). Include a copy of your resume and the URL of your home page. Describe what you'd like to do for the project, and what you're uniquely qualified for. Mention what other volunteer projects you've been involved in (and how they worked out). Helping out will require that you be able to commit to doing particular things, meet your commitments, and be responsive by email. Volunteer projects just don't work without those things.
From a message project leader John Gilmore posted to the mailing list:
John Denker wrote: > Indeed there are several ways in which the documentation overstates the > scope of what this project does -- starting with the name > FreeS/WAN. There's a big difference between having an encrypted IP tunnel > versus having a Secure Wide-Area Network. This software does a fine job of > the former, which is necessary but not sufficient for the latter. The goal of the project is to make it very hard to tap your wide area communications. The current system provides very good protection against passive attacks (wiretapping and those big antenna farms). Active attacks, which involve the intruder sending packets to your system (like packets that break into sendmail and give them a root shell :-) are much harder to guard against. Active attacks that involve sending people (breaking into your house and replacing parts of your computer with ones that transmit what you're doing) are also much harder to guard against. Though we are putting effort into protecting against active attacks, it's a much bigger job than merely providing strong encryption. It involves general computer security, and general physical security, which are two very expensive problems for even a site to solve, let alone to build into a whole society. The societal benefit of building an infrastructure that protects well against passive attacks is that it makes it much harder to do undetected bulk monitoring of the population. It's a defense against police-states, not against policemen. Policemen can put in the effort required to actively attack sites that they have strong suspicions about. But police states won't be able to build systems that automatically monitor everyone's communications. Either they will be able to monitor only a small subset of the populace (by targeting those who screwed up their passive security), or their monitoring activities will be detectable by those monitored (active attacks leave packet traces or footprints), which can then be addressed through the press and through political means if they become too widespread. FreeS/WAN does not protect very well against traffic analysis, which is a kind of widespread police-state style monitoring that still reveals significant information (who's talking to who) without revealing the contents of what was said. Defenses against traffic analysis are an open research problem. Zero Knowledge Systems is actively deploying a system designed to thwart it, designed by Ian Goldberg. The jury is out on whether it actually works; a lot more experience with it will be needed.
Notes on things mentioned in that message:
Various groups, especially governments and especially the US government, have a long history of advocating various forms of bogus security.
We regard bogus security as extremely dangerous. If users are deceived into relying on bogus security, then they may be exposed to large risks. They would be better off having no security and knowing it. At least then they would be careful about what they said.
Avoiding bogus security is a key design criterion for everything we do in FreeS/WAN. The most conspicuous example is our refusal to support single DES. Other IPSEC "features" which we do not implement are discussed in our compatibility document.
Various governments have made persistent attempts to encourage or mandate "escrowed encrytion", also called "key recovery", or GAK for "government access to keys". The idea is that cryptographic keys be held by some third party and turned over to law enforcement or security agencies under some conditions.
Mary had cryptography Her keys were in escrow And everything that Mary said The feds were sure to know(If anyone knows the origin of that ditty, let let me know so I can credit the author.)
There is an excellent paper available on Risks of Escrowed Encryption, from a group of cryptographic luminaries which included our project leader.
Like any unnecessary complication, GAK tends to weaken security of any design it infects. For example:
FreeS/WAN does not support escrowed encryption, and never will.
Various governments, and some vendors, have also made persistent attempts to convince people that:
Weak systems touted include:
The notion that choice of ciphers or keysize should be determined by a trade-off between security requirements and overheads is pure bafflegab.
For example, suppose public key operations use use 1% of the time in a hybrid system and you triple the cost of public key operations. The cost of symmetric cipher operations is unchanged at 99% of the original total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 = 102, a 2% rise in system cost.
In short, there has never been any technical reason to use inadequate ciphers. The only reason there has ever been for anyone to use such ciphers is that government agencies want weak ciphers used so that they can crack them. The alleged savings are simply propaganda.
Of course, making systems secure does involve costs, and trade-offs can be made between cost and security. There can be substantial hardware and software costs. There are almost always substantial staff or contracting costs:
For a fairly awful example, see this report. In that case over a million credit card numbers were taken from e-commerce sites, using security flaws in Windows NT servers. Microsoft had long since released patches for most or all of the flaws, but the site administrators had not applied them.
Compared to those costs, cipher overheads are an insignificant factor in the cost of security. Note, however, that choosing an insecure cipher can cause all your other investment to be wasted.
Our policy in FreeS/WAN is to use only cryptographic components with adequate keylength and no known weaknesses.
These decisions imply that we cannot fully conform to the IPSEC RFCs, since those have DES as the only required cipher and Group 1 as the only required DH group. (In our view, the standards were subverted into offerring bogus security.) Fortunately, we can still interoperate with most other IPSEC implementations since nearly all implementers provide at least 3DES and Group 2 as well.
We hope that eventually the RFCs will catch up with our (and others') current practice and reject dubious components. Some of our team and a number of others are working on this in IETF working groups.
Many nations restrict the export of cryptography and some restrict its use by their citizens or others within their borders.
US laws, as currently interpreted by the US government, forbid export of most cryptographic software from the US in machine-readable form without government permission. In general, the restrictions apply even if the software is widely-disseminated or public-domain and even if it came from outside the US originally. Cryptography is legally a munition and export is tightly controlled under the EAR Export Administration Regulations.
If you are a US citizen, your brain is considered US territory no matter where it is physically located at the moment. The US believes that its laws apply to its citizens everywhere, not just within the US. Providing technical assistance or advice to foreign "munitions" projects is illegal. The US government has very little sense of humor about this issue and does not consider good intentions to be sufficient excuse. Beware.
The official website for these regulations is run by the Commerce Department's Bureau of Export Administration (BXA). Information on various challenges to them is indexed in the Cryptography Export Control Archives.
The Bernstein case challenges the export restrictions on Constitutional grounds. Code is speech so restrictions on export of code violate the First Amendment's free speech provisions. This argument has succeeded in two levels of court so far. It is quite likely to go on to the Supreme Court.
The regulations were changed substantially in January 2000, apparently as a government attempt to get off the hook in the Bernstein case. It is now legal to export public domain source code for encryption, provided you notify the BXA.
There are, however, still restrictions in force. See this article. Moreover, the regulations can still be changed again whenever the government chooses to do so. Short of a Supreme Court ruling (in the Berstein case or another) that overturns the regulations completely, the problem of export regulation is not likely to go away in the forseeable future.
The FreeS/WAN project cannot accept software contributions, not even small bug fixes, from US citizens or residents. We want it to be absolutely clear that our distribution is not subject to US export law. Any contribution from an American might open that question to a debate we'd prefer to avoid. It might also put the contributor at serious legal risk.
Of course Americans can still make valuable contributions (many already have) by reporting bugs, or otherwise contributing to discussions, on the project mailing list. Since the list is public, this is clearly constitutionally protected free speech.
Note, however, that the export laws restrict Americans from providing technical assistance to foreign "munitions" projects. The government might claim that private discussions or correspondence with FreeS/WAN developers were covered by this. It is not clear what the courts would do with such a claim, so we strongly encourage Americans to use the list rather than risk the complications.
Some quotes from prominent cryptography experts:
The real aim of current policy is to ensure the continued effectiveness of US information warfare assets against individuals, businesses and governments in Europe and elsewhere.
Ross Anderson, Cambridge University
If the government were honest about its motives, then the debate about crypto export policy would have ended years ago.
Bruce Schneier, Counterpane Systems
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state.
Jeff Schiller of MIT, in a discussion of FBI demands for wiretap capability on the net, as quoted by Wired.
The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG) made a strong statement in favour of worldwide access to strong cryptography. Essentially the same statement is in the appropriately numbered RFC 1984. Two critical paragraphs are:
We believe that such policies are against the interests of consumers and the business community, are largely irrelevant to issues of military security, and provide only a marginal or illusory benefit to law enforcement agencies, as discussed below.The IAB and IESG would like to encourage policies that allow ready access to uniform strong cryptographic technology for all Internet users in all countries.
Our goal in the FreeS/WAN project is to build just such "strong cryptographic technology" and to distribute it "for all Internet users in all countries".
More recently, the same two bodies (IESG and IAB) have issued RFC 2804 on why the IETF should not build wiretapping capabilities into protocols for the convenience of security or law enforcement agenicies.
Our goal is to go beyond that and prevent Internet wiretapping entirely.
Restrictions on the export of cryptography are not just US policy, though some consider the US at least partly to blame for the policies of other nations in this area.
A number of countries:
Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States
have signed the Wassenaar Arrangement which restricts export of munitions and other tools of war. Cryptographic sofware is covered there.
Wassenaar details are available from the Wassenaar Secretariat, and elsewhere in a more readable HTML version.
For a critique see the GILC site:
The Global Internet Liberty Campaign (GILC) has begun a campaign calling for the removal of cryptography controls from the Wassenaar Arrangement.The aim of the Wassenaar Arrangement is to prevent the build up of military capabilities that threaten regional and international security and stability . . .
There is no sound basis within the Wassenaar Arrangement for the continuation of any export controls on cryptographic products.
We agree entirely.
An interesting analysis of Wassenaar can be found on the cyber-rights.org site.
We believe our software is entirely exempt from these controls since the Wassenaar General Software Note says:
The Lists do not control "software" which is either:
- Generally available to the public by . . . retail . . . or
- "In the public domain".
There is a note restricting some of this, but it is a sub-heading under point 1, so it appears not to apply to public domain software.
Their glossary defines "In the public domain" as:
. . . "technology" or "software" which has been made available without restrictions upon its further dissemination.N.B. Copyright restrictions do not remove "technology" or "software" from being "in the public domain".
We therefore believe that software freely distributed under the GNU Public License, such as Linux FreeS/WAN, is exempt from Wassenaar restrictions.
Most of the development work is being done in Canada. Our understanding is that the Canadian government accepts this interpretation.
Recent copies of the freely modifiable and distributable source code exist in many countries. Citizens all over the world participate in its use and evolution, and guard its ongoing distribution. Even if Canadian policy were to change, the software would continue to evolve in countries which do not restrict exports, and would continue to be imported from there into unfree countries. "The Net culture treats censorship as damage, and routes around it."
You can help. If you don't know of a Linux FreeS/WAN archive in your own country, please download it now to your personal machine, and consider making it publicly accessible if that doesn't violate your own laws. If you have the resources, consider going one step further and setting up a mirror site for the whole munitions Linux crypto software archive.
If you make Linux CD-ROMs, please consider including this code, in a way that violates no laws (in a free country, or in a domestic-only CD product).
Please send a note about any new archive mirror sites or CD distributions to linux-ipsec@clinet.fi so we can update the documentation.
Lists of current mirror sites and of distributions which include FreeS/WAN are in our introduction section.
DES, the Data Encryption S tandard, can no longer be considered secure. While no major flaws in its innards are known, it is fundamentally inadequate because its 56-bit key is too short. It is vulnerable to brute-force search of the whole key space, either by large collections of general-purpose machines or even more quickly by specialized hardware. Of course this also applies to any other cipher with only a 56-bit key. The only reason anyone could have for using a 56 or 64-bit key is to comply with various export laws intended to ensure the use of breakable ciphers.
Non-government cryptologists have been saying DES's 56-bit key was too short for some time -- some of them were saying it in the 70's when DES became a standard -- but the US government has consistently ridiculed such suggestions.
A group of well-known cryptographers looked at key lengths in a 1996 paper. They suggested a minimum of 75 bits to consider an existing cipher secure and a minimum of 90 bits for new ciphers. More recent papers, covering both symmetric and public key systems are at cryptosavvy.com and rsa.com. For all algorithms, the minimum keylengths recommended in such papers are significantly longer than the maximums allowed by various export laws.
In a 1998 ruling, a German court described DES as "out-of-date and not safe enough" and held a bank liable for using it.
The question of DES security has now been settled once and for all. In early 1998, the Electronic Frontier Foundation built a DES-cracking machine. It can find a DES key in an average of a few days' search. The details of all this, including complete code listings and complete plans for the machine, have been published in Cracking DES, by the Electronic Frontier Foundation.
That machine cost just over $200,000 to design and build. "Moore's Law" is that machines get faster (or cheaper, for the same speed) by roughly a factor of two every 18 months. At that rate, their $200,000 in 1998 becomes $50,000 in 2001.
However, Moore's Law is not exact and the $50,000 estimate does not allow for the fact that a copy based on the published EFF design would of course cost far less than the original. We cannot say exactly what such a cracker would cost today, but it would likely be somewhere between $10,000 and $100,000.
A large corporation could build one of these out of petty cash. The cost is low enough for a senior manager to hide it in a departmental budget and avoid having to announce or justify the project. Any government agency, from a major municipal police force up, could afford one. Or any other group with a respectable budget -- criminal organisations, political groups, labour unions, religious groups, ... Or any millionaire with an obsession or a grudge, or just strange taste in toys.
One might wonder if a private security or detective agency would have one for rent. They wouldn't need many clients to pay off that investment.
As for the security and intelligence agencies of various nations, some of them may have had DES crackers for years. Possibly very fast ones! Cipher-cracking is one of the few known applications which is easy to speed up by just adding more processors and memory. Within very broad limits, you can make it as fast as you like if you have the budget. The EFF's $200,000 machine breaks DES in a few days. An aviation website gives the cost of a B1 bomber as $200,000,000. Spending that much, an intelligence agency could expect to break DES in an average time of six and a half minutes.
That estimate assumes they use the EFF's 1998 technology and just spend more money. They may have an attack that is superior to brute force, they quite likely have better chip technology (Moore's law, a bigger budget, and whatever secret advances they may have made) and of course they may have spent the price of an aircraft carrier, not just one aircraft.
In short, we have no idea how quickly these organisations can break DES. Unless they're grossly incompetent, they can certainly do it more quickly than the users of the cipher would like, but beyond that we can't say. Pick any time unit between days and milliseconds. None of these is entirely unbelievable. More to the point, none of them is of any comfort if you don't want such organisations reading your communications.
Note that this may be a concern even if nothing you do is a threat to anyone's national security. An intelligence agency might well consider it to be in their national interest for certain companies to do well. If you're competing against such companies in a world market and that agency can read your secrets, you have a serious problem. For example, see this NBC story or this analysis. The US are the villains in those pieces, but there is no reason to imagine they are the only threat.
One might wonder about technology the former Soviet Union and its allies developed for cracking DES during the Cold War. They must have tried; the cipher was an American standard and widely used. How well did they succeed? Is their technology now for sale or rent?
Before the definitive EFF effort, DES had been cracked several times by people using many machines. See this press release for example.
A major corporation, university, or government department could break DES by using spare cycles on their existing collection of computers, by dedicating a group of otherwise surplus machines to the problem, or by combining the two approaches. It might take them weeks or months, rather than the days required for the EFF machine, but they could do it.
What about someone working alone, without the resources of a large organisation? For them, cracking DES will not be easy, but it may be possible. A few thousand dollars buys a lot of surplus workstations. A pile of such machines will certainly heat your garage nicely and might break DES in a few months or years. Or enroll at a university and use their machines. Or use an employer's machines. Or crack security somewhere and steal the resources to crack a DES key. Or write a virus that steals small amounts of resources on many machines. Or . . .
None of these approaches are easy or break DES really quickly, but an attacker only needs to find one that is feasible and breaks DES quickly enough to be dangerous. How much would you care to bet that this will be impossible if the attacker is clever and determined? How valuable is your data? Are you authorised to risk it on a dubious bet?
In short, it is now absolutely clear that DES is not secure against
That is why Linux FreeS/WAN disables all transforms which use plain DES for encryption.
DES is in the source code, because we need DES to implement our default encryption transform, Triple DES. We urge you not to use single DES. We do not provide any easy way to enable it in FreeS/WAN, and our policy is to provide no assistance to anyone wanting to do so.
The same is true, in spades, of ciphers -- DES or others -- crippled by 40-bit keys, as many ciphers were required to be until recently under various export laws. A brute force search of such a cipher's keyspace is 216 times faster than a similar search against DES. The EFF's machine can do a brute-force search of a 40-bit key space in seconds. One contest to crack a 40-bit cipher was won by a student using a few hundred idle machines at his university. It took only three and half hours.
We do not, and will not, implement any 40-bit cipher.
Triple DES, usually abbreviated 3DES, applies DES three times, with three different keys. DES seems to be basically an excellent cipher design; it has withstood several decades of intensive analysis without any disastrous flaws being found. It's only major flaw is that the small keyspace allows brute force attacks to succeeed. Triple DES enlarges the key space to 168 bits, making brute-force search a ridiculous impossibility.
3DES is currently the only block cipher implemented in FreeS/WAN. 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at quite respectable speeds. Some speed measurements for our code are available.
The AES project has recently chosen a replacement for DES, a new standard cipher for use in non-classified US government work and in regulated industries such as banking. This cipher will almost certainly become widely used for many applications, including IPSEC, but perhaps not quickly.
The winner, announced in October 2000 after several years of analysis and discussion, was the Rijndael cipher from two Belgian designers.
It is likely that many IPSEC implementations will add Rijndael support over the next few months or years. FreeS/WAN will almost certainly do so, but it is not high on the priority list. This might be an excellent project for a volunteer.
Strong Internet Privacy Software Free for Linux Users Worldwide
Toronto, ON, April 14, 1999 -
The Linux FreeS/WAN project today released free software to protect
the privacy of Internet communications using strong encryption codes.
FreeS/WAN automatically encrypts data as it crosses the Internet, to
prevent unauthorized people from receiving or modifying it. One
ordinary PC per site runs this free software under Linux to become a
secure gateway in a Virtual Private Network, without having to modify
users' operating systems or application software. The project built
and released the software outside the United States, avoiding US
government regulations which prohibit good privacy protection.
FreeS/WAN version 1.0 is available immediately for downloading at
http://www.xs4all.nl/~freeswan/.
"Today's FreeS/WAN release allows network administrators to build
excellent secure gateways out of old PCs at no cost, or using a cheap
new PC," said John Gilmore, the entrepreneur who instigated the
project in 1996. "They can build operational experience with strong
network encryption and protect their users' most important
communications worldwide."
"The software was written outside the United States, and we do not
accept contributions from US citizens or residents, so that it can be
freely published for use in every country," said Henry Spencer, who
built the release in Toronto, Canada. "Similar products based in the
US require hard-to-get government export licenses before they can be
provided to non-US users, and can never be simply published on a Web
site. Our product is freely available worldwide for immediate
downloading, at no cost."
FreeS/WAN provides privacy against both quiet eavesdropping (such as
"packet sniffing") and active attempts to compromise communications
(such as impersonating participating computers). Secure "tunnels" carry
information safely across the Internet between locations such as a
company's main office, distant sales offices, and roaming laptops. This
protects the privacy and integrity of all information sent among those
locations, including sensitive intra-company email, financial transactions
such as mergers and acquisitions, business negotiations, personal medical
records, privileged correspondence with lawyers, and information about
crimes or civil rights violations. The software will be particularly
useful to frequent wiretapping targets such as private companies competing
with government-owned companies, civil rights groups and lawyers,
opposition political parties, and dissidents.
FreeS/WAN provides privacy for Internet packets using the proposed
standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
$500 PC can set up a tunnel in less than a second, and can encrypt
6 megabits of packets per second, easily handling the whole available
bandwidth at the vast majority of Internet sites. In preliminary testing,
FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
its innards are open to review by outside experts and sophisticated users,
reducing the chance of undetected bugs or hidden security compromises.
The software has been in development for several years. It has been
funded by several philanthropists interested in increased privacy on
the Internet, including John Gilmore, co-founder of the Electronic
Frontier Foundation, a leading online civil rights group.
Press contacts:
Hugh Daniel, +1 408 353 8124, hugh@toad.com
Henry Spencer, +1 416 690 6561, henry@spsystems.net
* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
Security, Inc; used by permission.
This section provides details of the IPSEC protocols which FreeS/WAN implements
The basic idea of IPSEC is to provide security functions, authentication and encryption, at the IP (Internet Protocol) level. This requires a higher-level protocol (IKE) to set things up for the IP-level services (ESP and AH).
Three protocols are used in an IPSEC implementation:
The term "IPSEC" is slightly ambiguous. In some contexts, it includes all three of the above but in other contexts it refers only to AH and ESP.
Authentication and encryption functions for network data can, of course, be provided at other levels. Many security protocols work at levels above IP.
and so on. Other techniques work at levels below IP. For example, data on a communications circuit or an entire network can be encrypted by specialised hardware. This is common practice in high-security applications.
There are, however, advantages to doing it at the IP level instead of, or as well as, at other levels.
IPSEC is the most general way to provide these services for the Internet.
IPSEC, however, can protect any protocol running above IP and any medium which IP runs over. More to the point, it can protect a mixture of application protocols running over a complex combination of media. This is the normal situation for Internet communication; IPSEC is the only general solution.
IPSEC can also provide some security services "in the background", with no visible impact on users. To use PGP encryption and signatures on mail, for example, the user must at least:
These systems can be designed so that the burden on users is not onerous, but any system will place some requirements on users. No such system can hope to be secure if users are sloppy about meeting those requirements. The author has seen username and password stuck on terminals with post-it notes in an allegedly secure environment, for example.
IPSEC is designed to secure IP links between machines. It does that well, but it is important to remember that there are many things it does not do. Some of the important limitations are:
Of course, there is another side to this. IPSEC can be a powerful tool for improving system and network security. For example, requiring packet authentication makes various spoofing attacks harder and IPSEC tunnels can be extremely useful for secure remote administration of various things.
For example, if you need mail encrypted from the sender's desktop to the recipient's desktop and decryptable only by the recipient, use PGP or another such system. IPSEC can encrypt any or all of the links involved -- between the two mail servers, or between either server and its clients. It could even be used to secure a direct IP link from the sender's desktop machine to the recipient's, cutting out any sort of network snoop. What it cannot ensure is end-to-end user-to-user security. If only IPSEC is used to secure mail, then anyone with appropriate privileges on any machine where that mail is stored (at either end or on any store-and-forward servers in the path) can read it.
In another common setup, IPSEC encrypts packets at a security gateway machine as they leave the sender's site and decrypts them on arrival at the gateway to the recipient's site. This does not even come close to providing an end-to-end service. In particular, anyone with appropriate privileges on either site's LAN can intercept the message in unencrypted form.
Note, however, that IPSEC authentication of the underlying communication can make various attacks on higher-level protocols more difficult. In particular, authentication prevents man-in-the-middle attacks.
IPSEC shifts the ground for DoS attacks; the attacks possible against systems using IPSEC are different than those that might be used against other systems. It does not, however, eliminate the possibility of such attacks.
IPSEC is not designed to defend against this. Partial defenses are certainly possible, and some are described below, but it is not clear that any complete defense can be provided.
While IPSEC does not provide all functions of a mail encryption package, it can encrypt your mail. In particular, it can ensure that all mail passing between a pair or a group of sites is encrypted. An attacker looking only at external traffic, without access to anything on or behind the IPSEC gateway, cannot read your mail. He or she is stymied by IPSEC just as he or she would be by PGP.
The advantage is that IPSEC can provide the same protection for anything transmitted over IP. In a corporate network example, PGP lets the branch offices exchange secure mail with head office. SSL and SSH allow them to securely view web pages, connect as terminals to machines, and so on. IPSEC can support all those applications, plus database queries, file sharing (NFS or Windows), other protocols encapsulated in IP (Netware, Appletalk, ...), phone-over-IP, video-over-IP, ... anything-over-IP. The only limitation is that IP Multicast is not yet supported, though there are Internet Draft documents for that.
IPSEC creates secure tunnels through untrusted networks . Sites connected by these tunnels form VPNs, Virtual Private Networks.
IPSEC gateways can be installed wherever they are required.
Which of these, or of the many other possible variants, to use is up to you. IPSEC provides mechanisms; you provide the policy .
No end user action is required for IPSEC security to be used; they don't even have to know about it. The site administrators, of course, do have to know about it and to put some effort into making it work. Poor administration can compromise IPSEC as badly as the post-it notes mentioned above. It seems reasonable, though, for organisations to hope their system administrators are generally both more security-conscious than end users and more able to follow computer security procedures. If not, at least there are fewer of them to educate or replace.
IPSEC can be, and often should be, used with along with security protocols at other levels. If two sites communicate with each other via the Internet, then IPSEC is the obvious way to protect that communication. If two others have a direct link between them, either link encryption or IPSEC would make sense. Choose one or use both. Whatever you use at and below the IP level, use other things as required above that level. Whatever you use above the IP level, consider what can be done with IPSEC to make attacks on the higher levels harder. For example, man-in-the-middle attacks on various protocols become difficult if authentication at packet level is in use on the potential victims' communication channel.
Where appropriate, IPSEC can provide authentication without encryption. One might do this, for example:
Authentication has lower overheads than encryption.
The protocols provide four ways to build such connections, using either an AH-only connection or ESP using null encryption, and in either manually or automatically keyed mode. FreeS/WAN supports only one of these, manually keyed AH-only connections, and we do not recommend using that. Our reasons are discussed under Resisting traffic analysis a few sections further along.
Originally, the IPSEC encryption protocol ESP didn't do integrity checking. It only did encryption. Steve Bellovin found many ways to attack ESP used without authentication. See his paper Problem areas for the IP Security Protocols. To make a secure connection, you had to add an AH Authentication Header as well as ESP. Rather than incur the overhead of several layers (and rather than provide an ESP layer that didn't actually protect the traffic), the IPSEC working group built integrity and replay checking directly into ESP.
Today, typical usage is one of:
Other variants are allowed by the standard, but not much used:
There are fairly frequent suggestions that AH be dropped entirely from the IPSEC specifications since ESP and null encryption can handle that situation. It is not clear whether this will occur. My guess is that it is unlikely.
The above describes combinations possible on a single IPSEC connection. In a complex network you may have several layers of IPSEC in play, with any of the above combinations at each layer.
For example, a connection from a desktop machine to a database server might require AH authentication. Working with other host, network and database security measures, AH might be just the thing for access control. You might decide not to use ESP encryption on such packets, since it uses resources and might complicate network debugging. Within the site where the server is, then, only AH would be used on those packets.
Users at another office, however, might have their whole connection (AH headers and all) passing over an IPSEC tunnel connecting their office to the one with the database server. Such a tunnel should use ESP encryption and authentication. You need authentication in this layer because without authentication the encryption is vulnerable and the gateway cannot verify the AH authentication. The AH is between client and database server; the gateways aren't party to it.
In this situation, some packets would get multiple layers of IPSEC applied to them, AH on an end-to-end client-to-server basis and ESP from one office's security gateway to the other.
Traffic analysis is the attempt to derive useful intelligence from encrypted traffic without breaking the encryption.
Is your CEO exchanging email with a venture capital firm? With bankruptcy trustees? With an executive recruiting agency? With the holder of some important patents? If an eavesdropper learns that, he has interesting intelligence on your company, whether or not he can read the messages themselves.
Except in the simplest cases, traffic analysis is hard to do well. It requires both considerable resources and considerable analytic skill. However, intelligence agencies of various nations have been doing it for centuries and many of them are likely quite good at it by now. Various commercial organisations, especially those working on "targeted marketing" may also be quite good at analysing certain types of traffic.
In general, defending against traffic analysis is also difficult. Inventing a really good defense could get you a PhD and some interesting job offers.
IPSEC is not designed to stop traffic analysis and we know of no plausible method of extending it to do so. That said, there are ways to make traffic analysis harder. This section describes them.
One might choose to use encryption even where it appears unnecessary in order to make analysis more difficult. Consider two offices which pass a small volume of business data between them using IPSEC and also transfer large volumes of Usenet news. At first glance, it would seem silly to encrypt the newsfeed, except possibly for any newsgroups that are internal to the company. Why encrypt data that is all publicly available from many sites?
However, if we encrypt a lot of news and send it down the same connection as our business data, we make traffic analysis much harder. A snoop cannot now make inferences based on patterns in the volume, direction, sizes, sender, destination, or timing of our business messages. Those messages are hidden in a mass of news messages encapsulated in the same way.
If we're going to do this we need to ensure that keys change often enough to remain secure even with high volumes and with the adversary able to get plaintext of much of the data. We also need to look at other attacks this might open up. For example, can the adversary use a chosen plaintext attack, deliberately posting news articles which, when we receive and encrypt them, will help break our encryption? Or can he block our business data transmission by flooding us with silly news articles? Or ...
Also, note that this does not provide complete protection against traffic analysis. A clever adversary might still deduce useful intelligence from statistical analysis (perhaps comparing the input newsfeed to encrypted output, or comparing the streams we send to different branch offices), or by looking for small packets which might indicate establishment of TCP connections, or ...
As a general rule, though, one can improve resistance to traffic analysis by encrypting as much traffic as possible rather than only as much as seems necessary.
This also applies to using multiple layers of encryption. If you have an IPSEC tunnel between two branch offices, it might appear silly to send PGP-encrypted email through that tunnel. However, if you suspect someone is snooping your traffic, then it does make sense:
It may also help to use fewer tunnels. For example, if all you actually need encrypted is connections between:
You might build one tunnel per mail server and one per remote database user, restricting traffic to those applications. This gives the traffic analyst some information, however. He or she can distinguish the tunnels by looking at information in the ESP header and, given that distinction and the patterns of tunnel usage, might be able to figure out something useful. Perhaps not, but why take the risk?
We suggest instead that you build one tunnel per branch office, encrypting everything passing from head office to branches. This has a number of advantages:
Of course you might also want to add additional tunnels. For example, if some of the database data is confidential and should not be exposed even within the company, then you need protection from the user's desktop to the database server. We suggest you do that in whatever way seems appropriate -- IPSEC, SSH or SSL might fit -- but, whatever you choose, pass it between locations via a gateway-to-gateway IPSEC tunnel to provide some resistance to traffic analysis.
IPSEC combines a number of cryptographic techniques, all of them well-known and well-analyzed. The overall design approach was conservative; no new or poorly-understood components were included.
This section gives a brief overview of each technique. It is intended only as an introduction. There is more information, and links to related topics, in our glossary. See also our bibliography and cryptography web links.
The encryption in the ESP encapsulation protocol is done with a block cipher .
We do not implement single DES. It is insecure. Our default, and currently only, block cipher is triple DES.
The Rijndael block cipher has just won the AES competition to choose a relacement for DES. It will almost certainly be added to FreeS/WAN and to other IPSEC implementations.
IPSEC packet authentication is done with the HMAC construct. This is not just a hash of the packet data, but a more complex operation which uses both a hashing algorithm (MD5 or SHA) and a key. It therefore does more than a simple hash would. A simple hash would only tell you that the packet data was not changed in transit, or that whoever changed it also regenerated the hash. An HMAC also tells you that the sender knew the HMAC key.
For IPSEC HMAC, the output of the hash algorithm is truncated to 96 bits. This saves some space in the packets. More important, it prevents an attacker from seeing all the hash output bits and perhaps creating some sort of attack based on that knowledge.
The Diffie-Hellman key agreement protocol allows two parties (A and B or Alice and Bob) to agree on a key in such a way that an eavesdropper who intercepts the entire conversation cannot learn the key.
The protocol is based on the discrete logarithm problem and is therefore thought to be secure. Mathematicians have been working on that problem for years and seem no closer to a solution, though there is no proof that an efficient solution is impossible.
The RSA algorithm (named for its inventors -- Rivest, Shamir and Adleman) is a very widely used public key cryptographic technique. It is used in IPSEC as one method of authenticating gateways for Diffie-Hellman key negotiation.
There are three protocols used in an IPSEC implementation:
The term "IPSEC" is slightly ambiguous. In some contexts, it includes all three of the above but in other contexts it refers only to AH and ESP.
The IKE protocol sets up IPSEC (ESP or AH) connections after negotiating appropriate parameters (algorithms to be used, keys, connection lifetimes) for them. This is done by exchanging packets on UDP port 500 between the two gateways.
IKE (RFC 2409) was the outcome of a long, complex process in which quite a number of protocols were proposed and debated. Oversimplifying mildly, IKE combines:
For all the details, you would need to read the four RFCs just mentioned (over 200 pages) and a number of others. We give a summary below, but it is far from complete.
IKE negotiations have two phases.
After both IKE phases are complete, you have IPSEC SAs to carry your encrypted data. These use the ESP or AH protocols. These protocols do not have ports; ports apply only to UDP or TCP.
The IKE protocol is designed to be extremely flexible. Among the things that can be negotiated (separately for each SA) are:
The protocol also allows implementations to add their own encryption algorithms, authentication algorithms or Diffie-Hellman groups. We do not support any such extensions.
There are a number of complications:
These complications can of course lead to problems, particularly when two different implementations attempt to interoperate. For example, we have seen problems such as:
Despite this, we do interoperate successfully with many implementations, including both Windows 2000 and PGPnet. Details are in our interoperability document.
Here is our Pluto developer explaining some of this on the mailing list:
When one IKE system (for example, Pluto) is negotiating with another
to create an SA, the Initiator proposes a bunch of choices and the
Responder replies with one that it has selected.
The structure of the choices is fairly complicated. An SA payload
contains a list of lists of "Proposals". The outer list is a set of
choices: the selection must be from one element of this list.
Each of these elements is a list of Proposals. A selection must be
made from each of the elements of the inner list. In other words,
*all* of them apply (that is how, for example, both AH and ESP can
apply at once).
Within each of these Proposals is a list of Transforms. For each
Proposal selected, one Transform must be selected (in other words,
each Proposal provides a choice of Transforms).
Each Transform is made up of a list of Attributes describing, well,
attributes. Such as lifetime of the SA. Such as algorithm to be
used. All the Attributes apply to a Transform.
You will have noticed a pattern here: layers alternate between being
disjunctions ("or") and conjunctions ("and").
For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
cut back. There must be exactly one Proposal. So this degenerates to
a list of Transforms, one of which must be chosen.
IPSEC offers two services, authentication and encryption. These can be used separately but are often used together.
Packet authentication can be provided separately using an Authentication Header, described just below, or it can be included as part of the ESP (Encapsulated Security Payload) service, described in the following section. That service offers encryption as well as authentication.
In IPSEC this is done using a block cipher (normally Triple DES for Linux). In the most used setup, keys are automatically negotiated, and periodically re-negotiated, using the IKE (Internet Key Exchange) protocol. In Linux FreeS/WAN this is handled by the Pluto Daemon.
The IPSEC protocol offering encryption is ESP, Encapsulated Security Payload. It can also include a packet authentication service.
Note that encryption should always be used with some packet authentication service. Unauthenticated encryption is vulnerable to man-in-the-middle attacks. Also note that encryption does not necessarily prevent traffic analysis.
Packet authentication can be provided separately from encryption by adding an authentication header (AH) after the IP header but before the other headers on the packet. This is the subject of this section. Details are in RFC 2402.
Each of the several headers on a packet header contains a "next protocol" field telling the system what header to look for next. IP headers generally have either TCP or UDP in this field. When IPSEC authentication is used, the packet IP header has AH in this field, saying that an Authentication Header comes next. The AH header then has the next header type -- usually TCP, UDP or encapsulated IP.
IPSEC packet authentication can be added in transport mode, as a modification of standard IP transport. This is shown in this diagram from the RFC:
BEFORE APPLYING AH
----------------------------
IPv4 |orig IP hdr | | |
|(any options)| TCP | Data |
----------------------------
AFTER APPLYING AH
---------------------------------
IPv4 |orig IP hdr | | | |
|(any options)| AH | TCP | Data |
---------------------------------
||
except for mutable fields
Athentication can also be used in tunnel mode, encapsulating the underlying IP packet beneath AH and an additional IP header.
||
IPv4 | new IP hdr* | | orig IP hdr* | | |
|(any options)| AH | (any options) |TCP | Data |
------------------------------------------------
||
| in the new IP hdr |
This would normally be used in a gateway-to-gateway tunnel. The receiving gateway then strips the outer IP header and the AH header and forwards the inner IP packet.
The mutable fields referred to are things like the time-to-live field in the IP header. These cannot be included in authentication calculations because they change as the packet travels.
The actual authentication data in the header is typically 96 bits and depends both on a secret shared between sender and receiver and on every byte of the data being authenticated.
The algorithms involved are the MD5 Message Digest Algorithm or SHA, the Secure Hash Algorithm. For details on their use in this application, see RFCs 2403 and 2404 respectively.
For descriptions of the algorithms themselves, see RFC 1321 for MD5 and FIPS (Federal Information Processing Standard) number 186 from NIST, the US National Institute of Standards and Technology for SHA. Applied Cryptography covers both in some detail, MD5 starting on page 436 and SHA on 442.
These algorithms are intended to make it nearly impossible for anyone to alter the authenticated data in transit. The sender calculates a digest or hash value from that data and includes the result in the authentication header. The recipient does the same calculation and compares results. For unchanged data, the results will be identical. The hash algorithms are designed to make it extremely difficult to change the data in any way and still get the correct hash.
Since the shared secret key is also used in both calculations, an interceptor cannot simply alter the authenticated data and change the hash value to match. Without the key, he or she (or even the dreaded They) cannot produce a usable hash.
The authentication header includes a sequence number field which the sender is required to increment for each packet. The receiver can ignore it or use it to check that packets are indeed arriving in the expected sequence.
This provides partial protection against replay attacks in which an attacker resends intercepted packets in an effort to confuse or subvert the receiver. Complete protection is not possible since it is necessary to handle legitmate packets which are lost, duplicated, or delivered out of order, but use of sequence numbers makes the attack much more difficult.
The RFCs require that sequence numbers never cycle, that a new key always be negotiated before the sequence number reaches 2^32-1. This protects both against replays attacks using packets from a previous cyclce and against birthday attacks on the the packet authentication algorithm.
In Linux FreeS/WAN, the sequence number is ignored for manually keyed connections and checked for automatically keyed ones. In automatic mode, we do that. In manual mode, there is no way to negotiate a new key, or to recover from a sequence number problem, so we don't use sequence numbers.
The ESP protocol is defined in RFC 2406. It provides one or both of encryption and packet authentication. It may be used with or without AH packet authentication.
Note that some form of packet authentication should always be used whenever data is encrypted. Without authentication, the encryption is vulnerable to active attacks which may allow an enemy to break the encryption. ESP should always either include its own authentication or be used with AH authentication.
The RFCs require support for only two mandatory encryption algorithms -- DES, and null encryption -- and for two authentication methods -- keyed MD5 and keyed SHA. Implementers may choose to support additional algorithms in either category.
The authentication algorithms are the same ones used in the IPSEC authentication header.
We do not implement single DES since DES is insecure. Instead we provide triple DES or 3DES . This is currently the only encryption algorithm supported.
We do not implement null encryption since it is obviously insecure.
IPSEC can connect in two modes. Transport mode is a host-to-host connection involving only two machines. In tunnel mode, the IPSEC machines act as gateways and trafiic for any number of client machines may be carried.
Security gateways are required to support tunnel mode connections. In this mode the gateways provide tunnels for use by client machines behind the gateways. The client machines need not do any IPSEC processing; all they have to do is route things to gateways.
Host machines (as opposed to security gateways) with IPSEC implementations must also support transport mode. In this mode, the host does its own IPSEC processing and routes some packets via IPSEC.
KLIPS is KerneL IP SEC Support, the modifications necessary to support IPSEC within the Linux kernel. KILPS does all the actual IPSEC packet-handling, including
KLIPS also checks all non-IPSEC packets to ensure they are not bypassing IPSEC security policies.
Pluto(8) is a daemon which implements the IKE protocol. It
The ipsec(8) command is a front end that allows control over IPSEC activity.
The configuration file for Linux FreeS/WAN is
/etc/ipsec.conf
For details see the ipsec.conf(5)
manual page and our Configuration section.
There are several ways IPSEC can manage keys. Not all are implemented in Linux FreeS/WAN.
IPSEC allows keys to be manually set. In Linux FreeS/WAN, such keys are stored with the connection definitions in /etc/ipsec.conf.
Manual keying is useful for debugging since it allows you to test the KLIPS kernel IPSEC code without the Pluto daemon doing key negotiation.
In general, however, automatic keying is preferred because it is more secure.
In automatic keying, the Pluto daemon negotiates keys using the IKE Internet Key Exchange protocol. Connections are automatically re-keyed periodically.
This is considerably more secure than manual keying. In either case an attacker who acquires a key can read every message encrypted with that key, but automatic keys can be changed every few hours or even every few minutes without breaking the connection or requiring intervention by the system administrators. Manual keys can only be changed manually; you need to shut down the connection and have the two admins make changes. Moreover, they have to communicate the new keys securely, perhaps with PGP or SSH . This may be possible in some cases, but as a general solution it is expensive, bothersome and unreliable. Far better to let Pluto handle these chores; no doubt the administrators have enough to do.
Also, automatic keying is inherently more secure against an attacker who manages to subvert your gateway system. If manual keying is in use and an adversary acquires root privilege on your gateway, he reads your keys from /etc/ipsec.conf and then reads all messages encrypted with those keys.
If automatic keying is used, an adversary with the same privileges can read /etc/ipsec.secrets, but this does not contain any keys, only the secrets used to authenticate key exchanges. Having an adversary able to authenticate your key exchanges need not worry you overmuch. Just having the secrets does not give him any keys. You are still secure against passive attacks. This property of automatic keying is called perfect forward secrecy, abbreviated PFS.
Unfortunately, having the secrets does allow an active attack, specifically a man-in-the-middle attack. Losing these secrets to an attacker may not be quite as disastrous as losing the actual keys, but it is still a serious security breach. These secrets should be guarded as carefully as keys.
It would be possible to exchange keys without authenticating the players. This would support opportunistic encryption -- allowing any two systems to encrypt their communications without requiring a shared PKI or a previously negotiated secret -- and would be secure against passive attacks. It would, however, be highly vulnerable to active man-in-the-middle attacks. RFC 2408 therefore specifies that all ISAKMP key management interactions must be authenticated.
There is room for debate here. Should we provide immediate security against passive attacks and encourage widespread use of encryption, at the expense of risking the more difficult active attacks? Or should we wait until we can implement a solution that can both be widespread and offer security against active attacks?
So far, we have chosen the second course, complying with the RFCs and waiting for secure DNS (see below) so that we can do opportunistic encryption right.
The IPSEC RFCs allow key exchange based on authentication services provided by Secure DNS. Once Secure DNS service becomes widely available, we expect to make this the primary key management method for Linux FreeS/WAN. It is the best way we know of to support opportunistic encryption, allowing two systems without a common PKI or previous negotiation to secure their communication.
As of FreeS/WAN 1.4, we have experimental code to acquire RSA keys from DNS but do not yet have code to validate Secure DNS signatures.
The IPSEC RFCs allow key exchange based on authentication services provided by a PKI or Public Key Infrastructure. With many vendors selling such products and many large organisations building these infrastructures, this will clearly be an important application of IPSEC and one Linux FreeS/WAN will eventually support.
On the other hand, this is not as high a priority for Linux FreeS/WAN as solutions based on secure DNS. We do not expect any PKI to become as universal as DNS.
Some patches to handle authentication with X.509 certificates, which most PKIs use, are available.
Photuris is another key management protocol, an alternative to IKE and ISAKMP, described in RFCs 2522 and 2523 which are labelled "experimental". Adding Photuris support to Linux FreeS/WAN might be a good project for a volunteer. The likely starting point would be the OpenBSD photurisd code.
SKIP is yet another key management protocol, developed by Sun. At one point it was fairly widely used, but our current impression is that it is moribund, displaced by IKE. Sun now (as of Solaris 8.0) ship an IPSEC implementation using IKE. We have no plans to implement SKIP.
We had a single list on clinet.fi for several years (Thanks, folks!), then one list on freeswan.org, but now we've split into several lists:
Archives of these lists are available via the web interface.
Non-subscribers can post to some of these lists. This is necessary; someone working on a gateway install who encounters a problem may not have access to a subscribed account.
Some spam turns up on these lists from time to time. For discussion of why we do not attempt to filter it, see the FAQ. Please do not clutter the lists with complaints about this.
Searchable archives of the old single list have existed for some time. At time of writing, it is not yet clear how they will change for the new multi-list structure.
Note that these use different search engines. Try both.
Archives of the new lists are available via the web interface.
PAML is the standard reference for Publicly Accessible Mailing Lists. When we last checked, it had over 7500 lists on an amazing variety of topics. It also has FAQ information and a search engine.
There is an index of Linux mailing lists available.
A list of computer security mailing lists, with descriptions.
Most links in this section point to subscription addresses for the various lists. Send the one-line message "subscribe list_name " to subscribe to any of them.
Each IETF working group has an associated mailing list where much of the work takes place.
The main project web site is www.freeswan.org.
Links to other project-related sites are provided in our introduction section.
Some user-contributed patches gave been integrated into the FreeS/WAN distribution. For a variety of reasons, those listed below have not.
Patches believed current at time of writing (March 2001, just before 1.9 release):
Before using these, check the mailing list for news of newer versions and to see whether they have been incorporated into more recent versions of FreeS/WAN.
Note: At one point the way PGP generates RSA keys and the way FreeS/WAN checks them for validity before using them were slightly different, so quite a few PGP-generated keys would be rejected by FreeS/WAN, confusing users no end. This is fixed in 1.9.
A set of PKIX patches were recently announced on the mailing list:
Subject: a different PKIX patch. Date: Mon, 5 Mar 2001 From: Luc Lanthier <firesoul@netwinder.org> I'd like to invite volunteers to use the now-complete PKIX project I've been working on since about August. Because of this, the patch is for FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since I don't use IPV6 nor DNSSec. This is similar, but different than Andreas Steffen's pkix implementation. I've based this work on Neil Dunbar's openssl-pkix patch for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and added support for ID_DER_ASN1_DN ID packet support. It will do LDAP certificate lookups no problem, as well as local flatfile, directory, or DB lookup for testing or speed. IE: It's a full CA-compatible client, capable of looking up, checking the CRL for expiry and such. It will not only do the classic PSK and RSASIG freeswan methods just fine, but also does PKIX's RSASIG, PKE and RPKE. I've spent a lot of time adding RoadWarrior support for these last IKE exchange methods. The patch can be found as: ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch There are also freeswan-1.5 - kernel 2.4 patches for those who need them. Let me know. Feedback is appreciated.
Older patches:
These patches are for older versions of FreeS/WAN and will likely not work with the current version. Older versions of FreeS/WAN may be available on some of the distribution sites , but we recommend using the current release.
At last report, this patch could not co-exist with FreeS/WAN on the same machine.
The introductory section of our document set lists several Linux distributions which include FreeS/WAN.
There is a list of Linux VPN software in the Linux Security Knowledge Base.
Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in our introduction.
Other vendors have Linux IPSEC products which, as far as we know, do not use FreeS/WAN
All the major router vendors support IPSEC, at least in some models.
Vendors using FreeS/WAN in turnkey firewall products are listed in our introduction.
All the major open source operating systems support IPSEC. See below for details on BSD-derived Unix variants.
Among commercial OS vendors, IPSEC players include:
We like to think of FreeS/WAN as the Linux IPSEC implementation, but it is not the only one. Others we know of are:
The IPSEC protocols are designed so that different implementations should be able to work together. As they say "the devil is in the details". IPSEC has a lot of details, but considerable success has been achieved.
Linux FreeS/WAN has been tested for interoperability with many other IPSEC implementations. Results to date are in our interoperability section.
Various other sites have information on interoperability between various IPSEC implementations:
The Linux IP stack is getting some new features in 2.4 kernels. Most are already available as experimental code in 2.3 kernels. Some HowTos have been written: