Firewall Wizards mailing list archives

Re: Advice sought: IPSEC 3DES VPN config on Fedora Core 3


From: "Bruce B. Platt" <bruce () ei3 com>
Date: Thu, 21 Apr 2005 10:43:32 -0400

I have had good luck when creating hub and spoke VPNs where I used netfilter rules on the hub to control the traffic from the spokes back to the hub.

For my hub I used Trustix as I find it to be lightweight and stable. I used the 2.4.28-7 kernel. Trustix runs Openswan.

I haven't touched FC3. I did some work with FC1 and 2. There is a lot of user support and an active community, but Fedora sure is a heavyweight for a purpose built box.

I used simple netfilter rules to control traffic from the spokes back to the hub. The spokes were appliances like Netscreens, Pix 501s, etc. Policies to control traffic were implemented there also, but since they were remote, the risk existed of them being compromised. So I had netfilter rules on the Hub.

Excuse me if I go too much into the obvious, but I went crazy finding all the information also. Here is an excerpt from a netfilter FORWARD table which I used in this context. Note that the first two lines serve the identical function, save the second uses the ipsec0 interface as the input interface. $LAN_IFACE is simply the Hub's interface address on 192.168.0.0/24.

$IPTABLES -A FORWARD -p tcp --dport 3001 -s 192.168.2.0/24 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3001 -i ipsec0 -o $LAN_IFACE -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 -j LOG --log-level info --log-prefix "VPN Dropped: "
$IPTABLES -A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 -j DROP



Here is a sample config from /etc/ipsec.conf. It shows some of the useful features, like controlling the lifetime of the phase 1 ISAKMP and phase 2 IPsec phases.

conn site1
        keyingtries=0
        authby=secret
        # Left (local) security gateway, subnet behind it, next hop
        # toward right.
        left=1.2.3.4
        leftnexthop=1.2.3.1     # router
        leftsubnet=192.168.0.0/24
        # Right (remote) security gateway, subnet behind it, next hop
        # toward left.
        right=5.6.7.2
        rightnexthop=5.6.7.1    # router
        rightsubnet=192.168.2.0/24
        keylife=60m             # phase 2 lifetime in minutes
        auto=start              # start when service ipsec starts
        ikelifetime=480m        # phase 1 lifetime in minutes


Here are some links I found with lots of searching which were useful to me in one way or another. Good luck. YMMV. Test a lot.


http://www.novell.com/coolsolutions/appnote/7964.html
http://lists.debian.org/debian-user/2003/05/msg01311.html
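An added example, not part of the original post: a small first-match simulator for the FORWARD excerpt above, so you can check which spoke-to-hub packets the quoted rules actually terminate and which fall through to the chain policy (only tcp from 192.168.2.0/24 is dropped; the second ACCEPT has no -s match). eth0 standing in for $LAN_IFACE and the packet values are assumptions.

```python
import ipaddress
import shlex

# Constructed copy of the FORWARD rules quoted in the post, shell variables
# expanded; eth0 standing in for $LAN_IFACE is an assumption.
RULES = """\
-A FORWARD -p tcp --dport 3001 -s 192.168.2.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -p tcp --dport 3001 -i ipsec0 -o eth0 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 -j LOG --log-level info --log-prefix "VPN Dropped: "
-A FORWARD -p tcp -s 192.168.2.0/24 -d 192.168.0.0/24 -j DROP
""".splitlines()

# iptables option -> (key in the parsed rule, converter for its argument)
OPTS = {"-p": ("proto", str), "--dport": ("dport", int),
        "-s": ("src", ipaddress.ip_network), "-d": ("dst", ipaddress.ip_network),
        "-i": ("in", str), "-o": ("out", str), "-j": ("target", str)}

def parse_rule(line):
    """Parse one iptables rule line into a dict of match criteria."""
    toks = shlex.split(line)  # shlex keeps the quoted log prefix together
    rule = {}
    for i, tok in enumerate(toks):
        if tok in OPTS:
            key, conv = OPTS[tok]
            rule[key] = conv(toks[i + 1])
    return rule  # unknown options such as --log-level are ignored

def matches(rule, pkt):
    """True if every criterion the rule specifies matches the packet."""
    for key in ("proto", "dport", "in", "out"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    return True

def verdict(pkt, rules=RULES, policy="ACCEPT"):
    """First terminating match wins; LOG is non-terminating, so the walk goes on."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt) and rule["target"] != "LOG":
            return rule["target"]
    return policy  # nothing matched: the chain policy decides

def spoke_packet(proto, dport=None, src="192.168.2.10"):
    """Constructed packet from a spoke, arriving over the tunnel for the hub LAN."""
    return {"proto": proto, "dport": dport, "src": src,
            "dst": "192.168.0.5", "in": "ipsec0", "out": "eth0"}
```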