Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Encrypting the Local Network

Openswan Server Setup

We need to set up the WaveSEC conn on the server end. Unfortunately, we cannot bundle all the connections into one definition. We will need a separate conn for each local IP address that we wish to support WaveSEC on. An option for Openswan to allow a specification in one conn is planned, but has not yet been implemented. For each IP address you want to support, you will need a conn like this:

conn host51-to-world
    left=192.168.1.1                # IP of WaveSEC gateway
    leftsubnet=0.0.0.0/0            # all traffic
    right=192.168.1.51              # IP of potential client
    keylife=1h                      # IP may be reused after 1 hour idle
    rekey=no                        # Let the client rekey
    auto=add

You can download a script from the WaveSEC website called gen-ipsec-conf.sh to generate these connections. The syntax of the script is:

./gen-ipsec-conf.sh baseIP low-IP high-IP wavesec-IP nexthop-IP
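As an added example (my own shell reimplementation, not the WaveSEC project's gen-ipsec-conf.sh), here is a function that takes the same five arguments and prints one conn per client address in the range, in the shape of the host51-to-world conn above; the nexthop-IP argument is emitted as leftnexthop=, a standard Openswan keyword that the conn above does not show.

```shell
#!/bin/sh
# Added example, not the WaveSEC project's script: emit one Openswan conn
# per client address, one block per IP as WaveSEC on the server requires.
# Usage: gen_wavesec_conns BASE LOW HIGH WAVESEC_IP NEXTHOP_IP
#   BASE        first three octets of the client subnet, e.g. 192.168.1
#   LOW/HIGH    inclusive range of the last octet to generate conns for
#   WAVESEC_IP  address of the WaveSEC gateway (left=)
#   NEXTHOP_IP  the gateway's next hop (leftnexthop=, Openswan keyword)
gen_wavesec_conns() {
    base=$1 low=$2 high=$3 gw=$4 nexthop=$5
    # refuse a nonsense range instead of writing a broken ipsec.conf
    [ "$low" -ge 1 ] && [ "$high" -le 254 ] && [ "$low" -le "$high" ] || return 1
    i=$low
    while [ "$i" -le "$high" ]; do
        cat <<EOF
conn host${i}-to-world
    left=${gw}                      # IP of WaveSEC gateway
    leftnexthop=${nexthop}
    leftsubnet=0.0.0.0/0            # all traffic
    right=${base}.${i}              # IP of potential client
    keylife=1h                      # IP may be reused after 1 hour idle
    rekey=no                        # let the client rekey
    auto=add

EOF
        i=$((i + 1))
    done
}

# Sanity check helper: how many conn blocks a given range produces.
count_conns() {
    gen_wavesec_conns "$@" | grep -c '^conn '
}
```

Redirect the output into a file included from /etc/ipsec.conf, e.g. `gen_wavesec_conns 192.168.1 51 100 192.168.1.1 192.168.1.254 > /etc/ipsec.d/wavesec.conf`.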

Catch 22 Traffic Setup

We need to run a script, for example through rc.local, that will create the necessary holes for DHCP, DNS, and ICMP echo traffic. We can use the following wavesec_hole.sh script:

#!/bin/sh
# wavesec_hole.sh: mark DNS, DHCP and ICMP echo traffic so it bypasses IPsec
# (the client cannot fetch a key from DNS or a lease from DHCP over a tunnel
# that does not exist yet). Marked packets are routed via the dhcpd table.
iptables -A PREROUTING -t mangle -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 --sport 53 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 --sport 67:68 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p icmp -s 0.0.0.0/0 -d 192.168.1.0/24 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 --sport 67:68 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 --sport 53 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p icmp -s 0.0.0.0/0 -d 192.168.1.0/24 -j MARK --set-mark 1
# The named table "dhcpd" must be listed in /etc/iproute2/rt_tables first.
ip rule add fwmark 1 table dhcpd
ip route add 192.168.1.0/24 dev wlan0 table dhcpd

In this example, the WaveSEC server uses eth0 for its uplink and wlan0 is its wireless device. Of course the wireless could also be a second Ethernet card connected to a wireless Access Point in bridging mode.

Building a WaveSEC Client

Setting up the client is relatively easy. However, you will need to install a patched version of dhclient, and properly configure Openswan for WaveSEC.

DH Client Setup

First, we need to put the Openswan public key in /etc/dhclient.conf. Some distributions already ship a dhclient.conf file, or use separate dhclient.conf files based on the interface name, such as dhclient-eth0.conf. Add the output of the following command to the appropriate dhclient.conf file:

Chapter 10

ipsec showhostkey --dhclient

The resultant file will look something like this:

# this is a comment
option oe-key code 159 = string;
option oe-gateway code 160 = ip-address;
send oe-key = "0x4200 4 1 AQOGxn6v9uF2Y26Ddir...AaRvf1AEW+KoIfKi9";

The dhclient program needs to be restarted before it will read the changed configuration file. You can use your Linux distribution's method of restarting the network subsystem, or you can just restart dhclient manually. Assuming your wireless interface is eth0, run the following:

killall dhclient
dhclient eth0

If everything worked correctly, your public key should now appear in the reverse DNS zone that belongs to your IP address. For instance, if the DNS server is 192.168.1.1 and your IP address obtained from DHCP is 192.168.1.51, then try this command:

dig @192.168.1.1 51.1.168.192.in-addr.arpa. ANY

The answer section should look something like:

;; ANSWER SECTION:
51.1.168.192.in-addr.arpa. 1200 IN PTR paul.wavesec.openswan.org.
51.1.168.192.in-addr.arpa. 1200 IN KEY 0x4200 4 1 AQOGxn6v9uF2Y26Ddir...AaRvf1AEW+KoI

Openswan Setup

Because NETKEY does not yet support proper packet caching for dynamic IPsec tunnels, as required by OE (and thus WaveSEC), you must use KLIPS on the client. Add the following conn to /etc/ipsec.conf:

conn wavesec
    left=%defaultroute
    right=192.168.1.1               # Substitute your WaveSEC gateway here
    rightsubnet=0.0.0.0/0
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
    auto=add

Disable OE by including /etc/ipsec.d/examples/no_oe.conf in /etc/ipsec.conf.

Either restart Openswan or manually add the connection with the following command:

ipsec auto --add wavesec

Testing the WaveSEC

If your key has been successfully added to the DNS, you can now try and bring the WaveSEC connection up:

ipsec auto --up wavesec
