[conspire] Building a secure inbound gateway

Andy Schwartz andy-news at schegg.org
Sat Aug 16 11:15:50 PDT 2003 

I am setting up a Linux home gateway box -- replacing a Windows system. 
   I was a bit more skilled in the windows enivronment, I could use some 
input for a piece of this Linux migration.

I want to provide secure remote access to my internal LAN.  The remote 
clients will include a windows box at my office.  I thought that IPsec 
using FreeS/WAN might be the most flexible way to do this.

Studying a variety of help/how-to documents, including Nate Carlson's 
frees/wan <-> win2k doc, it appeared that to do this successfully I 
would need the following on the Linux side:

- FreeS/WAN
- The X.509 FreeS/WAN patch

I have (I believe) successfully installed both, including the requisite 
kernel rebuild.  I then started to follow Nate's and FreeS/WAN's and 
X.509 Patch's configuration documents.

I am now in pain.

For starters, when I start FreeS/WAN - using any of the configuration 
scenarios the various authors discuss - FreeS/WAN installs a _2nd_ 
default route into my routetable.  That entry immediately breaks the 
forwarding of packets from my internal home machines out to the Internet.

Routing table before I perform start ipsec:
===========================================

Destination     Gateway         Genmask         Flags Iface
63.197.148.0    0.0.0.0         255.255.255.0   U     eth0
192.168.11.0    0.0.0.0         255.255.255.0   U     wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     lo
0.0.0.0         63.197.148.254  0.0.0.0         UG    eth0


Routing table after I perform start ipsec:
==========================================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
63.197.148.0    0.0.0.0         255.255.255.0   U     eth0
63.197.148.0    0.0.0.0         255.255.255.0   U     ipsec0
192.168.11.0    0.0.0.0         255.255.255.0   U     wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     lo
0.0.0.0         63.197.148.254  128.0.0.0       UG    ipsec0
128.0.0.0       63.197.148.254  128.0.0.0       UG    ipsec0
0.0.0.0         63.197.148.254  0.0.0.0         UG    eth0


As soon as this second 0.0.0.0 routing entry is created, all 
LAN->Internet forwarded packets attempt to go out ipsec0 and are 
immediatley dropped by my IPTables configuration.

There is something fundamental about how FreeS/WAN is supposed to work 
that I don't understand.  I would expect a routing entry, to ipsec0, 
that represents a simulated LAN on the far end of a VPN pipe, but I 
don't expect an entry that routes all traffic to ipsec.  I must be 
missing something fundamental.  (It irks me that the above tutorials say 
little, if anything, about the routing table.)

Any help and advice would be appreciated.  (In case your wondering, the 
freeswan.org list server appears to not be accepting join requests right 
now, which is why I'm looking here first for support.  Plus, there are 
some really experienced folks on this list!)

Thank you.

Andy Schwartz

More information about the conspire mailing list