FreeS/WAN WAVEsec Clients

Client requirements

WAVEsec is a way to authenticate and encrypt wavelan traffic using IPsec. This is substantially more secure than WEP. Unlike SSH or PGP, it covers any type of IP traffic.

To set yourself up as a WAVEsec client, you need:

  • to be running Linux. Some instructions for other operating systems are given under "Client Types" on the left.
  • to install a hacked dhclient, and configure it for WAVEsec
  • to install and configure Linux FreeS/WAN (we recommend version 1.99)

Installing the software

Our downloads

We supply these WAVEsec downloads:

dhclient

Your DHCP client must be able to insert additional options into the DHCP requests that it sends. ISC DHCP 3.0.1rc9 can do it, but in order to fit the large options which we need to pass the public key, our patch to the source is required.

Quick download of patched dhclient source.

To build and install dhclient:

    tar -xzf dhcp-3.0.1rc9.freeswan.tar.gz
    cd dhcp-3.0.1rc9
    ./configure
    make
    # beware: will also install dhcpd etc.
    su -c "make install"

Linux FreeS/WAN

Your IPsec implementation must be able to do RSA signature mode for ISAKMP/IKE. You must also have a way to extract the raw RSA key in DNS KEY format (base64 format). Linux FreeS/WAN meets both requirements.

The instructions that follow are for version 1.99 on a kernel supplied by Red Hat. Other Linuxes also support FreeS/WAN; to install on these see our Install Guide.

Download FreeS/WAN 1.99 RPMs for Red Hat only. Install two RPMs, one for userland tools and one for modules. These are highly sensitive to kernel modifications, and so will work only on plain Red Hat kernels.

Start FreeS/WAN:

   ipsec setup start

Confirm that FreeS/WAN is running, with:

   ipsec verify

Here's more on ipsec verify.

Client Configurations

dhclient

RSA public key in dhclient.conf

By default the /etc/dhclient.conf configuration file is empty. Create this file and place your RSA public key in it:

    ipsec showhostkey --dhclient > /etc/dhclient.conf

The resulting file will look something like this:

    # this is a comment
    option oe-key     code 159 = string;
    option oe-gateway code 160 = ip-address;

    send oe-key = "0x4200 4 1 AQOGxn6v9uF2Y26Ddir...AaRvf1AEW+KoIfKi9";

If you have an existing file or an older FreeS/WAN, you may have to hand edit the file.

(Re)start dhclient

Once the key is in the file, dhclient must be (re)started.

First, kill any existing DHCP client. For dhcpcd, the client that comes with a default Red Hat install, use:

    killall dhcpcd

Bring dhclient up with:

    dhclient eth0

or:

    dhclient wlan0

To make dhclient your active DHCP client for subsequent network initializations, you may need to modify /sbin/ifup. If you're on Red Hat 7.3, this patch will do the trick. Apply it to /sbin/ifup with:

    patch < sbin-ifup.dhclient.rhl7.3.patch

Test

Test that the key has been uploaded by querying the reverse map for your newly acquired IP. If the WAVEsec base station is 1.2.3.254, and your new IP is 1.2.3.209, this query is:

    dig @1.2.3.254 209.3.2.1.in-addr.arpa. KEY

The answer section should look something like:

    ;; ANSWER SECTION:
    209.3.2.1.in-addr.arpa. 1200  IN      KEY     0x4200 4 1 AQOGxn6v9uF2Y26Ddir...AaRvf1AEW+KoIfKi9

Linux FreeS/WAN

Copy this connection to the end of /etc/ipsec.conf:

    conn wavesec
          left=%defaultroute
          right=1.2.3.254          # Substitute your WAVEsec gateway here
          rightsubnet=0.0.0.0/0
          leftrsasigkey=%dnsondemand    # new in 1.98
          rightrsasigkey=%dnsondemand   # makes WAVEsec easier
          auto=add

Since there is a known issue using WAVEsec with opportunistic encryption, turn off any opportunistic connections you've created.

So that your new connection is recognized, do an:

    ipsec setup restart

Bring up the connection with:

    ipsec auto --up wavesec

Note that after every reboot, you need to bring the connection up with that line.

Check your work

Try pinging someplace nearby:

    ping 1.2.5.200

To check that your traffic is encrypted, do a

    tcpdump -n -i eth0

or:

    tcpdump -n -i wlan0

and look for ESP encrypted packets, like this:

    17:02:46.360528 1.2.3.209 > 1.2.3.254: ESP(spi=0x77adbe72,seq=0xe55)
    17:02:46.378446 1.2.3.254 > 1.2.3.209: ESP(spi=0x656128b8,seq=0x1622)

Contrast these with the unencrypted packets below:

    21:04:11.110810 1.2.3.209.32866 > 198.31.100.82.http: . ack 18155 win 49232 <nop,nop,timestamp 3417168 451149487> (DF)
    21:04:11.131068 198.31.100.82.http > 1.2.3.209.32866: . 18155:19546(1391) ack 449 win 24616 <nop,nop,timestamp 451149487 3417147> (DF)

The encrypted packets show up as "ESP" along with an SPI number.

Now what?

Automating WAVEsec start

On further restarts you may wish to have WAVEsec come up automatically. In this case, change the auto= line in your connection description to read:

    auto=start

Leaving the WAVEsec zone

When you take your laptop elsewhere, you will still be set up for WAVEsec. You have two choices:

  1. Roll back some of your changes:
    • Remove the auto= line from conn wavesec so that the connection does not start on boot.
    • Configure dhclient to work with your regular network settings.
  2. Or, set up WAVEsec in your home or office, using our server instructions.

FAQ

Before install

I can't configure my wireless card (without WAVEsec).

Use these settings:

  • mode should be "managed" or "infrastructural", not "ad hoc".
  • ssid should be blank or "any". It will pick the id up on its own.
  • WEP is off.

Change your mode with:

    wvconfig wvlan0 mode="Managed"

To make the change active on next boot, open /etc/sysconfig/network-scripts/ifup-wireless and set:

    MODE="Managed"

The wvconfig method won't work for some people; they lose access to the base station. Instead edit /etc/pcmcia/wireless.opts with:

    MODE="Managed"
    ESSID="any"
    RATE="auto"
    #KEY="s:secu1" # no WEP 

Then reinsert your wireless card.

What does WAVEsec secure, anyway?

It secures all IP traffic headed for the wild internet (excluding DNS and IKE, which are used to set up the connection), on its vulnerable hop between your laptop and the wavelan base station.

After install

"I'm pinging the gateway (1.2.3.254), but my traffic is not encrypted!"

WAVEsec protects only traffic destined for the world beyond the gateway. Pinging the gateway is therefore not a suitable test for WAVEsec. Instead, ping an IP that's not on your local net.

Re-connecting

I've rebooted my laptop, and now traffic is encrypted one way!

Have you started your connection with ipsec auto --up wavesec? This needs to be done each time you reboot.
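The tcpdump check under "Check your work" and this one-way symptom can both be tested mechanically. The Python example below is added here and is not from the original page or from FreeS/WAN: it classifies tcpdump lines in the format shown above and reports ESP in each direction plus any cleartext that should have been inside the tunnel. The captures are constructed samples, and the client address, gateway address and local net are passed in as assumptions.

```python
import ipaddress
import re

# tcpdump lines in the format the page shows: 'time src > dst: ESP(spi=...,seq=...)'
ESP_RE = re.compile(r"^\S+\s+(\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")
PLAIN_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\S+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\S+))?:")
# cleartext the tunnel legitimately excludes: DNS and IKE set the connection up
SETUP_PORTS = {"domain", "53", "isakmp", "500"}

# Constructed captures (not real traffic): client 1.2.3.209, base station 1.2.3.254
CAPTURE_OK = """\
17:02:46.360528 1.2.3.209 > 1.2.3.254: ESP(spi=0x77adbe72,seq=0xe55)
17:02:46.378446 1.2.3.254 > 1.2.3.209: ESP(spi=0x656128b8,seq=0x1622)
17:02:46.390000 1.2.3.209 > 1.2.3.254: icmp: echo request
17:02:46.400000 1.2.3.209.32867 > 1.2.3.254.domain: 4+ A? www.example.org. (33)
"""
CAPTURE_ONE_WAY = """\
17:05:01.000001 1.2.3.209 > 1.2.3.254: ESP(spi=0x77adbe72,seq=0xe56)
17:05:01.020000 198.31.100.82.http > 1.2.3.209.32866: . ack 449 win 24616 (DF)
"""

def assess_capture(capture, client, gateway, local_net):
    """Which directions carry ESP between client and gateway, and which
    cleartext packets should have been inside the tunnel."""
    net = ipaddress.ip_network(local_net)
    esp_out = esp_in = False
    leaks = []
    for line in capture.splitlines():
        e, p = ESP_RE.match(line), PLAIN_RE.match(line)
        if e:
            esp_out |= e.groups() == (client, gateway)
            esp_in |= e.groups() == (gateway, client)
        elif p and client in (p.group(1), p.group(3)):
            src, sport, dst, dport = p.groups()
            remote, rport = (dst, dport) if src == client else (src, sport)
            # the gateway itself, the local net, DNS and IKE are legitimately clear
            if remote != gateway and ipaddress.ip_address(remote) not in net \
                    and rport not in SETUP_PORTS:
                leaks.append(line)
    return {"esp_out": esp_out, "esp_in": esp_in, "cleartext": leaks}

def verdict(report):
    # map the report onto the page's troubleshooting cases
    if report["esp_out"] and report["esp_in"] and not report["cleartext"]:
        return "encrypted both ways"
    if report["esp_out"] != report["esp_in"]:
        return "encrypted one way only"
    return "cleartext outside the tunnel" if report["cleartext"] else "no ESP seen"
```

Pipe the output of the tcpdump command from "Check your work" into assess_capture with your own addresses; "encrypted one way only" is exactly the reboot symptom described in this FAQ item.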