WAVEsec Clients
Client setup

Kernel setup

FreeBSD does not come with IPSEC enabled by default. You need to add

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

to your kernel configuration, then rebuild and reinstall the kernel and reboot into it:

cd /usr/src && make KERNCONF=YOUR_KERNEL_CONFIG buildkernel installkernel

Other BSDs seem to come with IPSEC enabled by default. Also note that the FreeBSD port installs the racoon configuration files to /usr/local/etc/racoon, while other BSDs use /usr/pkg/etc/racoon or /etc/racoon; substitute the right directory in the steps below.

Racoon key generation
First, generate a key for racoon if you do not have one already.
Become root, and cd /etc/racoon
Then, do:
openssl genrsa -out racoon.pem 1024
This generates a 1024-bit RSA public/private keypair. (1024 bits was the usual size when these notes were written; it is considered too weak today, so use 2048 bits or more for any new deployment. The rest of the procedure does not depend on the key size.)
Then, you need to turn it into a certificate request:
openssl req -new -key racoon.pem -out racoon.req
You will be asked to fill out the DN. For the purposes of wavesec, the
information is irrelevant, so fill it out as you wish. The resulting
racoon.req file could be provided to, say, VeriSign, to get a digital
ID.
Now, generate the self-signed certificate from this. If you need a racoon.cnf file, then try this one:
openssl x509 -days 365 -signkey racoon.pem -in racoon.req -req -out racoon.crt
You now have a self-signed certificate in racoon.crt.
Racoon key extraction

Now you need to extract the public key that you generated for racoon into a form that you can insert into the dhclient.conf file. Get fswcert-0.6-bsd.tar.gz and compile it. Put it on your path somewhere, or adjust the script below.

echo -n 'send oe-key = "16896 4 1 ' >>mykey.dns
perl -e 'print pack("H*", "'`fswcert --raw --cert racoon.crt`'");' | mmencode | tr -d '\n' >>mykey.dns
echo '";' >>mykey.dns

(You may have to install mmencode from ports/pkgsrc's converters/mmencode.) The pipeline takes the hex dump of the certificate's public key printed by fswcert, turns it into raw bytes with perl and base64-encodes it with mmencode. This produces a file that looks like:

send oe-key = "16896 4 1 AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxUK999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPkfxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR";

I.e. a dhclient.conf statement that includes your key record with your public key in base64 notation. The record has the layout of a DNS KEY record: flags 16896 (0x4200, as used for FreeS/WAN host keys), protocol 4 (IPSEC), algorithm 1 (RSA), followed by the RSA public key (exponent length, exponent, modulus) in base64.

Test with dhclient

This step is the same for KAME as for FreeS/WAN.

Compile our patched dhclient from dhcp-3.0-rc11-wavesec2.tar.gz. This is the rc11 client with a patch to include the "prefer" directive. Insert the following into your /etc/dhclient.conf file:

option oe-key code 159 = string;
option oe-gateway code 160 = ip-address;

# the contents of your mykey.dns
send oe-key = "16896 4 1 AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxUK999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPkfxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR";

# use your hostname here!
send host-name "marajade.dasblinkenled.org.";
# use your hostname here!
send dhcp-client-identifier "marajade";

request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, host-name, oe-gateway;
require subnet-mask, routers, domain-name-servers;
prefer oe-gateway;

This will cause your dhclient to collect DHCP replies, looking for one that has the oe-gateway option, and preferring that one. If it doesn't find such a reply after 30 seconds, it will use whatever is available.

Two caveats. Option codes 159 and 160 were unassigned when this was written but have since been allocated by IANA to other options, so check that nothing else on your network uses them. And DHCP itself is unauthenticated: any host on the link can answer with an oe-gateway option, so the gateway's identity is established only by the IPsec authentication that racoon performs with the certificates set up above, never by the DHCP reply.
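As an added example (not code from the wavesec page or from fswcert), the following Python shows what the oe-key record actually contains: it parses the send oe-key statement above, decodes the base64 into the DNS KEY RSA layout (exponent length, exponent, modulus), re-encodes it the way the fswcert/perl/mmencode pipeline did, and runs the checks a practitioner would want before deploying a key (record fields, sane exponent, modulus size). The sample statement is the one printed on this page; the minimum key size and the check function are this example's own choices.

```python
import base64
import re

# The oe-key statement printed on this page (the page's own 1024-bit sample key).
SAMPLE_OE_KEY = ('send oe-key = "16896 4 1 '
                 'AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxUK999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPkfxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR";')

# send oe-key = "FLAGS PROTO ALG BASE64";
OE_KEY_RE = re.compile(r'send\s+oe-key\s*=\s*"(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z0-9+/=]+)"\s*;')

def decode_rsa_rdata(rdata):
    """DNS KEY RSA public key (RFC 2537): exponent length (one byte, or a zero
    byte followed by a two-byte length), exponent, then modulus. Returns (e, n)."""
    if not rdata:
        raise ValueError("empty key")
    if rdata[0] != 0:
        elen, off = rdata[0], 1
    else:
        if len(rdata) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(rdata[1:3], "big"), 3
    exp = rdata[off:off + elen]
    mod = rdata[off + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated key")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def encode_rsa_rdata(n, e):
    """Inverse of decode_rsa_rdata: the bytes the fswcert/perl/mmencode pipeline base64-encodes."""
    ebytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    prefix = bytes([len(ebytes)]) if len(ebytes) < 256 else b"\x00" + len(ebytes).to_bytes(2, "big")
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return prefix + ebytes + nbytes

def parse_oe_key(statement):
    """Parse a dhclient.conf oe-key statement into its KEY record fields and RSA key."""
    m = OE_KEY_RE.search(statement)
    if not m:
        raise ValueError("not an oe-key statement")
    flags, proto, alg = (int(x) for x in m.group(1, 2, 3))
    e, n = decode_rsa_rdata(base64.b64decode(m.group(4), validate=True))
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "e": e, "n": n, "bits": n.bit_length()}

def oe_key_statement(n, e, flags=16896, proto=4, alg=1):
    """Build the statement for a key, as mykey.dns does (flags 0x4200, IPSEC, RSA)."""
    b64 = base64.b64encode(encode_rsa_rdata(n, e)).decode("ascii")
    return 'send oe-key = "%d %d %d %s";' % (flags, proto, alg, b64)

def check_oe_key(statement, min_bits=2048):
    """Pre-deployment checks (this example's own policy). Returns a list of problems;
    an empty list means the record looks usable."""
    k = parse_oe_key(statement)
    problems = []
    if (k["flags"], k["protocol"], k["algorithm"]) != (16896, 4, 1):
        problems.append("unexpected KEY fields %r" % ((k["flags"], k["protocol"], k["algorithm"]),))
    if k["e"] < 3 or k["e"] % 2 == 0:
        problems.append("bad RSA exponent %d" % k["e"])
    if k["bits"] < min_bits:
        problems.append("RSA modulus is only %d bits" % k["bits"])
    return problems

if __name__ == "__main__":
    key = parse_oe_key(SAMPLE_OE_KEY)
    print("e=%d, modulus %d bits, problems: %r" % (key["e"], key["bits"], check_oe_key(SAMPLE_OE_KEY)))
```

Run against the page's sample, the checker reports only the 1024-bit modulus; the record fields and the exponent (65537) are as expected, and re-encoding the decoded key reproduces the statement byte for byte.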
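The "Test with dhclient" step above relies on two site-specific DHCP options and on the patched client's prefer rule. As an added example (Python, not the patched dhclient's own code), the following parses DHCP option TLVs from two constructed DHCPOFFER option areas, decodes oe-gateway (code 160) as an ip-address, applies the prefer logic with its 30 second fallback, and computes how large the oe-key (code 159) string gets for a given key size. The last point is why the key size matters here: a single DHCP option carries at most 255 bytes, which a 1024-bit key fits but a 2048-bit key does not. The sample addresses and offers are constructed for this example.

```python
import ipaddress

OE_KEY_CODE = 159        # option oe-key code 159 = string;
OE_GATEWAY_CODE = 160    # option oe-gateway code 160 = ip-address;
DHCP_MESSAGE_TYPE = 53
DHCPOFFER = 2

def parse_dhcp_options(blob):
    """Parse the option area of a DHCP message (after the magic cookie) into
    {code: value bytes}. PAD (0) is skipped, END (255) stops the scan."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def encode_dhcp_options(opts):
    """Inverse of parse_dhcp_options; each option value is limited to 255 bytes."""
    out = bytearray()
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError("option %d too long for a single DHCP option" % code)
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)

def oe_gateway(opts):
    """oe-gateway decoded as an ip-address, or None if absent or malformed."""
    v = opts.get(OE_GATEWAY_CODE)
    if v is None or len(v) != 4:
        return None
    return str(ipaddress.IPv4Address(v))

def choose_offer(offers, waited, deadline=30):
    """The 'prefer oe-gateway' rule: take the first reply carrying oe-gateway;
    otherwise keep collecting (None) until deadline seconds have passed, then
    fall back to whatever arrived first."""
    for o in offers:
        if oe_gateway(o) is not None:
            return o
    if offers and waited >= deadline:
        return offers[0]
    return None

def oe_key_option_size(bits, e=65537, prefix="16896 4 1 "):
    """Bytes in the oe-key option value for an RSA key of the given modulus size:
    KEY RDATA (exponent length byte, exponent, modulus), base64, behind the prefix."""
    ebytes = (e.bit_length() + 7) // 8
    rdata = (1 if ebytes < 256 else 3) + ebytes + (bits + 7) // 8
    return len(prefix) + -(-rdata // 3) * 4

# Constructed DHCPOFFER option areas (not captured traffic): both offer a
# 10.0.0.0/24 lease via 10.0.0.1; only the second carries oe-gateway.
_common = {DHCP_MESSAGE_TYPE: bytes([DHCPOFFER]),
           1: ipaddress.IPv4Address("255.255.255.0").packed,
           3: ipaddress.IPv4Address("10.0.0.1").packed}
PLAIN_OFFER = encode_dhcp_options(_common)
WAVESEC_OFFER = encode_dhcp_options({**_common, OE_GATEWAY_CODE: ipaddress.IPv4Address("10.0.0.254").packed})

if __name__ == "__main__":
    offers = [parse_dhcp_options(PLAIN_OFFER), parse_dhcp_options(WAVESEC_OFFER)]
    print("chosen gateway:", oe_gateway(choose_offer(offers, waited=2)))
    print("oe-key option bytes for 1024/2048-bit keys:", oe_key_option_size(1024), oe_key_option_size(2048))
```

The prefer rule trades a delay of up to 30 seconds for a better chance of landing on the wavesec server's lease; since any host can send an offer with option 160, the choice only decides which gateway racoon will try to authenticate, it does not authenticate the gateway.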
You should now stop your dhclient, remove or back up the lease file (/var/state/dhcp/dhclient.leases or /var/lib/dhclient/dhclient.leases), and restart dhclient. It should show you getting an IP address from the wavesec server, rather than renewing the lease that you had before.

Racoon setup

You can now continue your racoon setup. An entry in dhclient-exit-hooks (below) writes the IPsec security policy entries for the new lease.

Files: dhclient-exit-hooks
#!/bin/sh
# dhclient-exit-hooks for wavesec: write the security policy (SPD) entries
# that tunnel all of this host's traffic to the oe-gateway. The output is in
# setkey(8) syntax and is meant to be loaded with "setkey -f".
PATH=/usr/sbin:/sbin:$PATH; export PATH
# does not handle appendix mode yet
myip=$1          # address we were assigned
innergate=$2     # oe-gateway from the DHCP reply
mydefault=$3     # default router (not used yet)
inner=$myip      # inner address: the same as our assigned address
ciphergate=$2    # outer (ESP) peer: the same gateway
mkdir -p /var/run/spd
(
echo "spdadd $inner/32 0.0.0.0/0 any -P out ipsec esp/tunnel/${myip}-${ciphergate}/require;"
echo "spdadd 0.0.0.0/0 $inner/32 any -P in ipsec esp/tunnel/${ciphergate}-${myip}/require;"
) > /var/run/spd/99-wavesec.spd
Original notes on setting up using KAME/BSD