WAVElan server setup using IPsec

The base station must be set up by the conference organizers. Notebook users need not concern themselves with these details.

IPsec server requirements

Your IPsec server

  • must be able to do RSA signature mode for ISAKMP/IKE,
  • must further be able to extract keys for phase 1 (ISAKMP) IPv4 IDs from KEY records in the reverse (in-addr.arpa) zone,
  • and (for appendix mode or if your address space is extruded) must be capable of building extruded networks.

FreeSWAN 1.99 can do all of these things. We have RPMs for RedHat 7 and 8 here.

Server setup

Install FreeS/WAN

Install FreeSWAN on your server, as described here.

Keys in DNS

For each of the server's IP addresses, insert KEY and TXT records into the reverse map, as described here.

Test

You can test that you've correctly published your DNS records by creating an opportunistic connection.

First, temporarily enable the Opportunistic Encryption ("me-to-anyone") conn which comes in /etc/ipsec.conf, by making sure this line is present in the connection:

    auto=add

Restart FreeS/WAN so that this will take effect:

    ipsec setup restart

Then, from your IPSec server:

    links oetest.freeswan.org

If the site says you have a secure connection, your DNS records have been published properly. If not, take another look at your reverse map and troubleshoot using dig.

A note to the paranoid: the feds are probably watching oetest.freeswan.org.

Disable the OE connection when done by commenting out the line:

    #auto=add

Configure FreeS/WAN

You will need to configure FreeS/WAN by modifying the /etc/ipsec.conf configuration file, as described in the following sections.

List protected interfaces

In config setup, list each interface you want to protect with IPsec. This will be at least the interface which faces your WAVEsec clients, i.e. wlan0. If you are in inline mode and want to protect outgoing connections with IPsec, mention the public interface too. For example:

config setup
        interfaces="ipsec0=eth0 ipsec1=wlan0"

Many connection descriptions

To enable your WAVEsec clients to connect, create a connection description for each IP address that will be served. A future version of FreeS/WAN may reduce this to a single definition, but this is not yet implemented.

For each, you will need a conn like:

conn host66-to-world
        left=192.139.46.254   # IP of WAVEsec gateway
        leftsubnet=0.0.0.0/0
        right=192.139.46.66   # IP of potential client.
        keylife=1h            # IP may be reused after 1 hour idle
        rekey=no
        auto=add

Generate all the descriptions you need and put them in:

    /etc/wavesec.conns

Place this line at the end of ipsec.conf:

    include wavesec.conns

Be sure that FreeS/WAN loads these connections with:

    ipsec setup restart
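
The per-address conn descriptions above are tedious to write by hand for a whole client pool, so here is an added example (not part of the WAVEsec distribution) of a POSIX shell function that emits one conn block per client address in a range, ready to be redirected into /etc/wavesec.conns; the gateway address, network prefix and host range are parameters you supply.

```shell
#!/bin/sh
# Generate one FreeS/WAN conn block per potential WAVEsec client address.
# Usage: gen_wavesec_conns GATEWAY_IP NET_PREFIX FIRST_HOST LAST_HOST
#   e.g. gen_wavesec_conns 192.139.46.254 192.139.46 66 90 > /etc/wavesec.conns
# Each block mirrors the hostNN-to-world template: the gateway is "left",
# the whole Internet is its subnet, and the candidate client is "right".
gen_wavesec_conns() {
    gw=$1; prefix=$2; first=$3; last=$4
    host=$first
    while [ "$host" -le "$last" ]; do
        # Skip the gateway's own address if the range happens to include it:
        # a conn with left == right is meaningless and would only confuse pluto.
        if [ "$prefix.$host" != "$gw" ]; then
            cat <<EOF
conn host$host-to-world
        left=$gw              # IP of WAVEsec gateway
        leftsubnet=0.0.0.0/0
        right=$prefix.$host   # IP of potential client
        keylife=1h            # IP may be reused after 1 hour idle
        rekey=no
        auto=add

EOF
        fi
        host=$((host + 1))
    done
}

# Count the conn blocks in a generated file, to sanity-check the output
# against the size of the DHCP pool before restarting FreeS/WAN.
count_wavesec_conns() {
    grep -c '^conn ' "$1"
}
```

After generating the file, confirm that the count matches the number of addresses your DHCP pool hands out, then load it with `ipsec setup restart` as described above.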

Exempt DHCP and DNS packets from IPSec

To allow clients to renegotiate a connection on reboot, exempt DHCP and DNS packets from IPsec on the server side. For example, see this script.

Working with non-FreeSWAN clients

If your users have IPsec clients which cannot deal with raw RSA keys extracted from DNS, then you'll need to package the server key differently. In most cases, this means an X.509 certificate. The OpenSSL software will be necessary. There are two methods:

  • generate an X.509 key using OpenSSL and extract the public and private portions for use by FreeSWAN. Details available with the X.509 documentation for FreeSWAN.
  • incorporate the FreeS/WAN key into an X.509 CA using a custom patch to OpenSSL.

Distribute the resulting X.509 certificate to the clients by ftp, HTTP download, or finger.