This document describes the setup of an IPsec tunnel between a Linux machine running FreeS/WAN and a Linksys BEFVP41.

12 December 2003

Because I changed jobs, I had to change my setup. My employer now uses a Linksys BEFVP41 as the office gateway. This device supports about 40 IPsec tunnels and seems pretty standard where IPsec is concerned. In this setup I did not test NAT-T, because I don't think the Linksys supports it.

The setup pretty much resembles the ones I described in previous documents. The only difference is that FreeS/WAN has moved up to version 2; more can be read at http://www.freeswan.ca.

When testing two Linksys firewalls, I came to the conclusion that I could only make a tunnel for a directly connected network. At the corporate HQ we have multiple networks, connected by routers and firewalls, but these cannot be reached through the tunnel. If anyone has proven otherwise, please mail me at freeswan at xinit.cx.

I'm using a Linksys BEFVP41 and FreeS/WAN 2.04 on Debian GNU/Linux 3.0, kernel 2.4.23.

This is my setup:

Corporate Network
(192.168.1.0/24)
|
Linksys Firewall
(100.0.0.141)
|
Corporate Router
(100.0.0.129)
|
[INTERNET]
|
ISP Router
(200.0.0.1)
|
Home Linux gateway (FreeS/WAN)
(200.0.0.14 ; 192.168.20.254)
|
My Linux workstation
(192.168.20.66/32)

For security reasons, the public IP addresses shown are not the real ones.

Linksys setup:

    This Tunnel: enable
    Tunnel name: freeswan
    Local Secure Group:
         Subnet: 192.168.1.0
         Mask: 255.255.255.0
    Remote Secure Group:
         Subnet: 192.168.20.0
         Mask: 255.255.255.0
    Remote Security Gateway: 200.0.0.14
    Encryption: 3DES
    Authentication: MD5
    Key management: Auto. (IKE)
    PFS: off
    Pre-shared Key: thisisatest
    Key Lifetime: 3600

    Advanced

    Phase 1:
      Operation mode: Main mode
      Proposal 1:
         Encryption: 3DES
         Authentication: MD5
         Group: 1024-bit
         Key Lifetime: 28800

    Phase 2:
      Proposal:
         Group: 1024-bit
         Key Lifetime: 3600

FreeS/WAN Setup:

    /etc/ipsec.conf:

    version 2
    
    config setup
            klipsdebug=none
            plutodebug=none
    
    conn block
            auto=ignore
    
    conn private
            auto=ignore
    
    conn private-or-clear
            auto=ignore
    
    conn clear-or-private
            auto=ignore
    
    conn clear
            auto=ignore
    
    conn packetdefault
            auto=ignore
    
    # This is a connection for a remote site w/Static IP
    conn wouter
            right=200.0.0.14
            rightsubnet=192.168.20.0/24
            rightnexthop=200.0.0.1
            left=100.0.0.141
            leftsubnet=192.168.1.0/24
            leftnexthop=100.0.0.129
            keyexchange=ike
            ikelifetime=240m
            keylife=60m
            pfs=no
            compress=no
            authby=secret
            auto=route

    /etc/ipsec.secrets:
    100.0.0.141 200.0.0.14 : PSK "thisisatest"
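
To catch the mismatches that most often keep such a tunnel from coming up (secure-group subnets, gateway address, PFS, lifetimes), here is an added Python check, not part of the original setup, that parses the "conn wouter" section above and compares it with the Linksys settings; both are copied into constructed data inside the script so it runs on its own.

```python
import ipaddress

# Constructed copy of the "conn wouter" section from the ipsec.conf above.
IPSEC_CONF = """\
version 2

# This is a connection for a remote site w/Static IP
conn wouter
        right=200.0.0.14
        rightsubnet=192.168.20.0/24
        left=100.0.0.141
        leftsubnet=192.168.1.0/24
        ikelifetime=240m
        keylife=60m
        pfs=no
        authby=secret
"""

# Linksys tunnel settings as listed on the page (constructed dict).
LINKSYS = {"local_subnet": "192.168.1.0", "local_mask": "255.255.255.0",
           "remote_subnet": "192.168.20.0", "remote_mask": "255.255.255.0",
           "remote_gateway": "200.0.0.14", "pfs": "off", "phase2_lifetime": "3600"}

def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}} for each conn section of an ipsec.conf."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():                      # unindented line = section header
            kind, _, name = stripped.partition(" ")
            current = sections.setdefault(f"{kind} {name}", {}) if kind == "conn" else None
        elif current is not None and "=" in stripped:   # indented key=value body line
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    return sections

def to_seconds(value):
    """ipsec.conf lifetimes take s/m/h/d suffixes; the Linksys uses plain seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def check_tunnel(conn, linksys):
    """Compare the FreeS/WAN conn with the Linksys side; return a list of mismatches."""
    problems = []
    # The Linksys is 'left' in this conn, so its local group must equal leftsubnet.
    local = ipaddress.ip_network(f"{linksys['local_subnet']}/{linksys['local_mask']}", strict=False)
    remote = ipaddress.ip_network(f"{linksys['remote_subnet']}/{linksys['remote_mask']}", strict=False)
    if str(local) != conn["leftsubnet"]:
        problems.append(f"leftsubnet {conn['leftsubnet']} != Linksys local group {local}")
    if str(remote) != conn["rightsubnet"]:
        problems.append(f"rightsubnet {conn['rightsubnet']} != Linksys remote group {remote}")
    if linksys["remote_gateway"] != conn["right"]:
        problems.append("Linksys remote security gateway is not the FreeS/WAN 'right' address")
    if (linksys["pfs"] == "on") != (conn.get("pfs", "yes") == "yes"):   # FreeS/WAN defaults to pfs=yes
        problems.append("PFS setting differs between the two sides")
    if to_seconds(conn["keylife"]) != int(linksys["phase2_lifetime"]):
        problems.append("phase 2 key lifetime differs (the shorter side will rekey first)")
    return problems

def tunnel_mismatches():
    return check_tunnel(parse_ipsec_conf(IPSEC_CONF)["conn wouter"], LINKSYS)
```

An empty list from tunnel_mismatches() means the two configurations above agree; any string returned names the parameter to fix first.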

I tested this with our home gateway doing NAT (masquerading) only; no other firewall rules were active. If you run a firewall, make sure that UDP port 500 (IKE) and ESP (IP protocol 50) packets can travel freely.

If you have any questions, mail them to freeswan at xinit.cx