The Windows 2000 Clients:
(The first one is called "jukebox01")
The basic TCP/IP settings for this one are:
ip-address: 192.168.1.76
Default gateway: 192.168.0.253 (The green interface on the IPCop box).
The Win2k box needs at least SP2, or better SP3, installed (or at least the High Encryption Pack, but why not install the SPs? :) to get the 3DES required by IPCop.
Then download the Win2k ipsec policy editor from here, here or this local copy.
Then download a small ipsec utility from here, or this local copy.
Extract this utility into the MS IPSec utility directory (typically c:\Program Files\Resource Kit\).
Now edit the ipsec.conf in the same directory as the tools above. Mine looks like this:
conn WLAN
    right=192.168.1.254
    rightsubnet=*
    left=%any
    presharedkey=ThisIsMyVerySecretPassword
    network=auto
    auto=start
    pfs=yes
Open a dos-box, enter the above mentioned directory, and type "ipsec". This loads the ipsec policy onto the machine, and enables it.
All this can also be done with the wizards; if you are a wizard guy, read here (I don't bother to explain).
Go to "Start" - "Run" and type "ipsecmon" to load the monitoring tool. In a dos-box, "ping" a resource on the green network. After 7-8 tries the tunnel should be up, and stuff should happen. :)
On the IPCop box, run a "tail -f /var/log/secure" to see what's going on.
Logging on to a Windows 2000 domain controller over the IPsec tunnel:
In short, Windows 2000 uses Kerberos (TCP/UDP traffic on port 88) to authenticate a Windows 2000 Professional against a Windows 2000 server running as domain controller.
Some smart guy at MS has decided that Kerberos traffic should not run inside the encrypted VPN tunnel created with IPsec (it is exempted from the policy by default). But there is a workaround. Create this value in the registry as a DWORD:
HKLM\SYSTEM\CurrentControlSet\Services\IPSec\NoDefaultExempt
It can be set to 0 or 1 in Windows 2000, and 0, 1 or 2 in Windows XP:
0 = default exemptions are still active
1 = disable the exemption for RSVP and Kerberos
2 = disable the exemption for broadcast and multicast (Windows XP only!)
For reference, see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q254949
(http://lists.freeswan.org/pipermail/users/2002-September/014656.html)
Windows XP comment:
For Windows XP you will need the Ipseccmd program: you have to install the Win XP Support Tools. They reside on your Win XP CD in the directory \SUPPORT\TOOLS. Just start setup.exe in this directory. You have to select a Complete installation to get ipseccmd. This is not tested by me.
When I installed on Windows XP I did it like the Windows 2000 installation described above. But two registry values are necessary to get things rollin':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
Value Name: NoDefaultExempt
Data Type: REG_DWORD
Data Value: 1
After you configure this IPSec policy, you may notice that when the computers are started, several packets may be sent over the network unencrypted. This issue occurs because some packets might be sent over the network before the IPSec driver has been initialized and before the IPSec policy has been processed. To resolve this issue, put the IPSec driver IPSec.sys into Block Mode during the computer startup process. When you do this, IPSec blocks outgoing network traffic from the computer until the PolicyAgent component starts and until the PolicyAgent component loads the IPSec policies. After the IPSec PolicyAgent component has started, and after the IPSec policies are loaded, the PolicyAgent changes the IPSec driver's operation mode to permit the passage of IPSec traffic. To put the IPSec driver into Block Mode, set the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
Value name: OperationMode
Value type: REG_DWORD
Value data: 1
A value of 1 puts the IPSec driver into Block Mode. A value of 0 (zero) bypasses the IPSec driver's block mode.
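To check those two settings on a client without clicking through regedit, here is an added Python example (not code from this page or from Microsoft) that parses a .reg export of the IPSec service key, as produced by "regedit /e", and reports what the values mean according to the table above. The two export samples are constructed; a value that is absent from the export is treated like 0, since that is the default, and 2 is only accepted as valid when windows_xp=True. Whether 2 also removes the Kerberos exemption is read straight from the table above, which lists 1 as the value that does that.

```python
import re

# Constructed sample: what "regedit /e" exports for the IPSec service key on a
# client where NoDefaultExempt has been set but OperationMode has not.
PARTIAL_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"NoDefaultExempt"=dword:00000001
"""

# Constructed sample with both values from the text set.
HARDENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"NoDefaultExempt"=dword:00000001
"OperationMode"=dword:00000001
"""

IPSEC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec"
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg
    export (REGEDIT4 or 'Version 5.00' header). Other value types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = int(m.group("hex"), 16)
    return keys


def ipsec_values(keys):
    """The IPSec key's values with case-folded names (registry key and value
    names are case-insensitive), or {} when the key is not in the export."""
    for path, values in keys.items():
        if path.lower() == IPSEC_KEY.lower():
            return {name.lower(): v for name, v in values.items()}
    return {}


def audit_ipsec_values(keys, windows_xp=False):
    """Findings per the table in the text. An absent value acts like 0 (default)."""
    values = ipsec_values(keys)
    nde = values.get("nodefaultexempt", 0)
    mode = values.get("operationmode", 0)
    findings = []
    if nde not in ((0, 1, 2) if windows_xp else (0, 1)):
        findings.append("NoDefaultExempt=%d is not a valid value on this Windows version" % nde)
    elif nde != 1:  # 0 keeps every exemption; 2 only removes broadcast/multicast
        findings.append("NoDefaultExempt=%d: Kerberos (port 88) and RSVP traffic "
                        "bypasses the IPsec policy and crosses the WLAN unencrypted" % nde)
    if mode != 1:
        findings.append("OperationMode=%d: packets sent before PolicyAgent loads "
                        "the policy at boot leave the box unencrypted (block mode off)" % mode)
    return findings


if __name__ == "__main__":
    for name, export in (("partial", PARTIAL_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_ipsec_values(parse_reg_dwords(export)) or ["ok"])
```

Run against an export of the real key, the partial sample yields one finding (block mode off) and the hardened sample none; an export that does not contain the key at all yields both findings, because the driver then runs with the defaults.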
The Linux Clients:
Because I'm using RedHat Linux on the clients I chose to install FreeS/WAN (http://www.freeswan.org) using the rpm packages.
I use the 2.4.9-34 kernel, so I download the correct kernel module:
freeswan-module-1.99_2.4.9_34-0.i386.rpm
and the FreeS/WAN utilities:
freeswan-1.99_2.4.9_34-0.i386.rpm
If you are using another kernel, or another RedHat distro (e.g. RH9 or maybe Fedora Core 1), type on one line:
ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*
I pretty much follow the manual on: http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/install.html
First install the rpm's as root:
rpm -ivh freeswan*
Then type "service ipsec start"; the first time it runs you get some information from its pre-installation checks, among them a warning about rp_filter being on for eth0.
So I type the following to disable rp_filter on eth0:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
(To be sure, I added this line at the top of "/etc/rc.d/init.d/ipsec"; this is not necessary in later versions of FreeS/WAN.)
Now it's time to edit the file "/etc/ipsec.conf". Mine looks like this (with comments):
# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
conn WLAN
    left=192.168.1.75
    right=192.168.1.254
    rightsubnet=0.0.0.0/0
    rightnexthop=
    # auto=auto
    auto=start
    authby=secret
And the file "/etc/ipsec.secrets". Mine looks like this:
# myIP IPCop-ip : PSK "MySHaredSecret":
192.168.1.75 192.168.1.254 : PSK "ThisIsMyVerySecretPassword"
Note: On my ipsec client I did not set any default gateway in the network setup. IPsec will see to it that everything is routed to the IPCop box through the VPN tunnel.
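As an added example that is not part of this page or of FreeS/WAN, the following Python reads the three files shown above (the ipsec.exe ipsec.conf from the Windows section, and the FreeS/WAN ipsec.conf and ipsec.secrets from this section; the embedded copies are constructed from them and abridged) and checks each client against what this setup intends: PSK authentication with a secret that actually matches the conn's left/right pair, auto=start, and everything routed through the tunnel. It assumes that parameter lines are indented under their section header, which is what FreeS/WAN requires, and that the FreeS/WAN defaults of authby=rsasig apply when that parameter is missing.

```python
import re

# Constructed samples (the tutorial's files, abridged); not real secrets.
WIN_IPSEC_CONF = """
conn WLAN
    right=192.168.1.254
    rightsubnet=*
    left=%any
    presharedkey=ThisIsMyVerySecretPassword
    auto=start
    pfs=yes
"""
LINUX_IPSEC_CONF = """
config setup
    interfaces="ipsec0=eth0"
conn %default
    keyingtries=0
conn WLAN
    left=192.168.1.75
    right=192.168.1.254
    rightsubnet=0.0.0.0/0
    rightnexthop=
    # auto=auto
    auto=start
    authby=secret
"""
LINUX_IPSEC_SECRETS = """
# myIP IPCop-ip : PSK "secret"
192.168.1.75 192.168.1.254 : PSK "ThisIsMyVerySecretPassword"
"""


def parse_ipsec_conf(text):
    """FreeS/WAN ipsec.conf (the syntax ipsec.exe also reads): headers at column 0
    ('config setup', 'conn NAME'), indented key=value lines below. 'conn %default'
    values are inherited by every conn defined after it. Setup lands under 'setup'."""
    sections, defaults, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # a section header
            kind, _, name = line.strip().partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                current = sections.setdefault("setup", {})
            elif kind == "conn" and name == "%default":
                current = defaults
            elif kind == "conn" and name:
                current = sections.setdefault(name, dict(defaults))
            else:
                raise ValueError("bad section header: %r" % raw)
            continue
        if current is None:
            raise ValueError("parameter before any section: %r" % raw)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("expected key=value: %r" % raw)
        current[key.strip()] = value.strip().strip('"')  # empty value allowed
    return sections


SECRET_RE = re.compile(r'^(?P<ids>[^:]+):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_ipsec_secrets(text):
    """'ID ID ... : PSK "secret"' lines -> [(frozenset(IDs), secret)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError("unsupported secrets line: %r" % raw)
        entries.append((frozenset(m.group("ids").split()), m.group("psk")))
    return entries


def find_psk(entries, *ids):
    for id_set, psk in entries:          # first secret whose ID list covers all IDs
        if all(i in id_set for i in ids):
            return psk
    return None


def check_client(conf_text, conn="WLAN", secrets_text=None):
    """Findings against this setup's intent: PSK auth, auto=start, everything
    tunnelled. ipsec.exe keeps the PSK inline (presharedkey); FreeS/WAN takes it
    from ipsec.secrets when authby=secret. Empty list means the client is coherent."""
    c = parse_ipsec_conf(conf_text)[conn]
    findings = []
    if not c.get("right"):
        findings.append("right (the IPCop address) is not set")
    if secrets_text is None:
        if not c.get("presharedkey"):
            findings.append("presharedkey is empty")
    elif c.get("authby", "rsasig") != "secret":       # FreeS/WAN default is rsasig
        findings.append("authby=%s: ipsec.secrets is not used" % c.get("authby", "rsasig"))
    elif find_psk(parse_ipsec_secrets(secrets_text), c.get("left"), c.get("right")) is None:
        findings.append("no PSK in ipsec.secrets for %s <-> %s" % (c.get("left"), c.get("right")))
    if c.get("auto") != "start":
        findings.append("auto=%s: tunnel is not brought up at start" % c.get("auto", "<unset>"))
    if c.get("rightsubnet") not in ("*", "0.0.0.0/0"):  # '*' is ipsec.exe's 'everything'
        findings.append("rightsubnet=%s: not all traffic is tunnelled" % c.get("rightsubnet"))
    return findings
```

Call check_client(WIN_IPSEC_CONF) for the Windows file and check_client(LINUX_IPSEC_CONF, secrets_text=LINUX_IPSEC_SECRETS) for the Linux pair; both return an empty list for the files above, and a secrets line written for the wrong client address (192.168.1.76 instead of 192.168.1.75) is reported as a missing PSK, which is the mistake that otherwise only shows up as a failed Phase 1 in /var/log/secure.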