
5. The End

In this chapter I will discuss some problems you may encounter when using this HOWTO, along with some solutions. Because there are many points at which the tunnel can go wrong, I will only give you some links to which you can go with your particular question.

5.1 Testing

To test whether you can get through the gateway, try to ping a machine on the subnet behind the security gateway. Make sure the VPN is up. A problem I encountered in this test is that the VPN will not come up automatically, even though this is set in PGPNet. This is a pure PGPNet problem, and perhaps it is caused by our use of an evaluation version of PGPNet. If you know the solution to this, please e-mail me. :-)

5.2 Problems

If the connection has not come up, check the PGPNet log or the pluto error messages on the gateway. You might want to set plutodebug=all in the configuration file. Depending on the error, refer to the FreeSWAN mailing list archives; the different mailing lists can be found here. As I've already said, I could not get PGPNet to establish the tunnel automatically when a request to the subnet is made. To solve this problem I established the connection manually.

If the tunnel is established and you cannot ping the subnet, check whether the routes on the gateway are correct. The routes can be shown using:

ipsec eroute

Sometimes a tcpdump on the ipsec0 interface can also help you find the problem.

In this HOWTO I did not cover the subject of firewalls. I assume you know how your firewall is implemented in your network and where to make the necessary changes.
When you startup freeswan and you get the following message:

ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Starting FreeS/WAN IPsec 1.96...
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)

To get rid of this message you can add the following line to your firewall configuration script:

for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "0" > ${interface}; done
rp_filter is used to prevent IP spoofing: it makes sure packets use legitimate source addresses by automatically rejecting incoming packets whose source address, according to the routing table, does not belong on the interface they arrive on.
If you cannot ping your internal network, it can be an rp_filter problem or a routing problem.
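The loop above switches rp_filter off on every interface, which also removes the anti-spoofing check from interfaces that carry no IPsec traffic at all. The following script is an added example (not from the HOWTO) that first reports which interfaces have rp_filter on and then clears only the ones you name. It reads the same /proc/sys/net/ipv4/conf layout the loop uses; the demo at the bottom builds a constructed copy of that tree in a temporary directory so it runs without root and without touching the live kernel.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit rp_filter per interface and clear
# it selectively. The tree layout mirrors /proc/sys/net/ipv4; the demo below
# uses a constructed copy under a temporary directory.

# Print the interfaces under $1/conf whose rp_filter is not 0, one per line.
# Returns 0 when every interface is already 0, 1 otherwise.
rp_filter_offenders() {
    root=${1:-/proc/sys/net/ipv4}
    rc=0
    for f in "$root"/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        if [ "$(cat "$f")" != "0" ]; then
            echo "$iface"
            rc=1
        fi
    done
    return $rc
}

# Clear rp_filter on the named interfaces only (tree root in $1, then names).
# The kernel applies the larger of conf/all and conf/<iface>, so "all" has to
# be cleared together with the interface KLIPS attaches to.
rp_filter_clear() {
    root=$1
    shift
    for iface in "$@"; do
        f="$root/conf/$iface/rp_filter"
        if [ ! -f "$f" ]; then
            echo "rp_filter_clear: no entry for $iface" >&2
            return 1
        fi
        echo 0 > "$f"
    done
}

# Constructed stand-in for /proc/sys/net/ipv4 on a gateway: rp_filter is on
# everywhere except ipsec0. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    for iface in all default lo eth0 eth1 ipsec0; do
        mkdir -p "$d/conf/$iface"
        echo 1 > "$d/conf/$iface/rp_filter"
    done
    echo 0 > "$d/conf/ipsec0/rp_filter"
    echo "$d"
}

sample=$(make_sample_tree)
echo "rp_filter is on for:"
rp_filter_offenders "$sample" || true
# On a real gateway the root argument is omitted (defaults to /proc) and this
# has to run as root; here eth0 stands for the interface KLIPS attaches to.
rp_filter_clear "$sample" all eth0
echo "still on after clearing all and eth0:"
rp_filter_offenders "$sample" || true
rm -rf "$sample"
```

Run it once without arguments on the gateway to see the audit; only eth1 and the loopback keep their spoofing check afterwards in the constructed tree, which is the point of clearing per interface rather than with a wildcard.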
Furthermore, it is important to have the following open:
UDP port 500 for IKE negotiations, protocol 50 for ESP (encryption and authentication) and protocol 51 for the Authentication Header.
It is possible to poke holes in the firewall using the leftupdown directive in the ipsec.conf file.
The script it names is executed whenever the state of a connection changes.
If you plan to put in your own rules, do not add them to the standard _updown script provided by freeswan. It is better to copy the contents of the _updown script to another file and add the rules you want in there.
Some scripts for ipchains and iptables are provided in the freeswan tarball.
I have tested the roadwarrior connections using 56k dial-up modems. In practice this is too slow for a roadwarrior to work from a remote connection, because of the overhead that IPsec adds to the IP stack. It would be more workable if roadwarriors had some sort of *DSL connection.
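As an added example of the firewall part you might put into your own copy of _updown (this is not the script shipped with FreeS/WAN), the following opens ESP and AH only for the peer a tunnel is being set up with and closes them again when it goes down. It assumes, as the stock script does, that pluto exports PLUTO_VERB and PLUTO_PEER, and PLUTO_PEER_CLIENT for the *-client verbs; the peer address 192.0.2.10 and subnet 10.0.1.0/24 in the demo are constructed values. Note that IKE on UDP 500 has to be open before any tunnel can come up, so that rule belongs in the static firewall script, not here.

```shell
#!/bin/sh
# Added example; not the _updown script from FreeS/WAN but the firewall rules
# you might add to your own copy of it. Assumes pluto's environment:
# PLUTO_VERB (up-host, down-host, up-client, down-client, plus route/unroute/
# prepare verbs), PLUTO_PEER (peer's public address) and PLUTO_PEER_CLIENT
# (remote subnet for the *-client verbs). With DRY_RUN set the iptables
# commands are printed instead of executed; the demo at the end runs that way.

# Run (or, in a dry run, print) one iptables command.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Per-peer rules: ESP (protocol 50) and AH (protocol 51) to and from the peer.
# $1 is the iptables action (-A to add, -D to delete), $2 the peer address.
peer_rules() {
    action=$1
    peer=$2
    fw "$action" INPUT -s "$peer" -p 50 -j ACCEPT
    fw "$action" OUTPUT -d "$peer" -p 50 -j ACCEPT
    fw "$action" INPUT -s "$peer" -p 51 -j ACCEPT
    fw "$action" OUTPUT -d "$peer" -p 51 -j ACCEPT
}

# Subnet rules: decrypted traffic for the remote subnet passes over ipsec0.
subnet_rules() {
    action=$1
    subnet=$2
    fw "$action" FORWARD -i ipsec0 -s "$subnet" -j ACCEPT
    fw "$action" FORWARD -o ipsec0 -d "$subnet" -j ACCEPT
}

# Dispatch on the verb pluto passes: $1 verb, $2 peer, $3 peer subnet.
# Verbs this part does not care about (route, unroute, prepare) return 0 so
# that the rest of the copied _updown script carries on with them.
updown() {
    verb=$1
    peer=$2
    subnet=$3
    case "$verb" in
        up-host)     peer_rules -A "$peer" ;;
        down-host)   peer_rules -D "$peer" ;;
        up-client)   peer_rules -A "$peer"; subnet_rules -A "$subnet" ;;
        down-client) peer_rules -D "$peer"; subnet_rules -D "$subnet" ;;
        *)           return 0 ;;
    esac
}

# Demo with constructed values; when called by pluto these come from the
# environment and DRY_RUN is left unset so the rules are really applied.
DRY_RUN=1
updown "${PLUTO_VERB:-up-client}" "${PLUTO_PEER:-192.0.2.10}" \
       "${PLUTO_PEER_CLIENT:-10.0.1.0/24}"
```

Because the rules are added with -A and removed with -D using exactly the same arguments, a down-client leaves the firewall as it was before the tunnel, which is what you want from a script that runs on every state change.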

5.3 Certificate Management

Digital Certificates are the electronic counterpart of a passport. A Digital Certificate can be presented electronically to prove your identity. A Digital Certificate basically binds an identity to a pair of electronic keys, which can be used for encrypting and/or signing digital information.

A Digital Certificate contains a number of things: the owner's public key, the owner's name, an expiration date, the name of the Certification Authority that issued it, a serial number and some other information.

Digital Certificates can be used for:

  1. Privacy and confidentiality
  2. Integrity, Authentication and non-repudiation
  3. Access control to control access to facilities, Internet Sites, Intranets and VPN's
  4. Proof of document transmission (time stamping)
  5. Document archive and retrieval
  6. Identification and privileges
  7. etc.

To keep everything up to date you need Certificate Management. It all depends on what the Certificate is used for: the higher the importance, the shorter the validity period of the Certificate should be. When a new certificate is issued, the old one is no longer valid; old certificates are then placed on the Certificate Authority's revocation list.
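To make the life cycle just described concrete, here is an added example (not part of the HOWTO) that uses the openssl command line to build a throw-away CA, issue a short-lived certificate, print the fields listed above (owner, issuer, serial number, expiry), revoke the certificate, publish a revocation list and check that the revoked certificate no longer verifies. The CA name "Demo CA", the host name gateway.example, the temporary directory and the section names in the generated configuration are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: certificate issue, inspection,
# revocation and CRL checking with a throw-away CA made with openssl.
# "Demo CA", gateway.example and the temporary directory are constructed.

# Create a fresh CA in a temporary directory and print the directory path.
ca_setup() {
    ca=$(mktemp -d)
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
x509_extensions = ee_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -config "$ca/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" -subj "/CN=Demo CA" \
        -days 365 >/dev/null 2>&1
    echo "$ca"
}

# Issue a certificate for the name in $2 from the CA in $1, valid for $3 days
# (the more sensitive the use, the shorter this should be).
issue_cert() {
    ca=$1
    cn=$2
    days=${3:-30}
    openssl req -config "$ca/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$ca/$cn.key" -out "$ca/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl ca -batch -config "$ca/ca.cnf" -days "$days" \
        -in "$ca/$cn.csr" -out "$ca/$cn.crt" >/dev/null 2>&1
}

# Print the fields the text lists for the certificate file in $1.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -enddate
}

# Mark $2's certificate revoked in the database of the CA in $1.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
}

# Publish a fresh CRL and verify $2's certificate against the CA certificate
# plus that CRL. Prints "valid", "revoked" or "invalid: <openssl message>".
cert_status() {
    ca=$1
    cn=$2
    openssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/ca.crl" >/dev/null 2>&1
    cat "$ca/ca.crt" "$ca/ca.crl" > "$ca/trust.pem"
    if out=$(openssl verify -crl_check -CAfile "$ca/trust.pem" "$ca/$cn.crt" 2>&1); then
        echo valid
    else
        case "$out" in
            *revoked*) echo revoked ;;
            *) echo "invalid: $out" ;;
        esac
    fi
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(ca_setup)
    issue_cert "$demo" gateway.example 30
    cert_summary "$demo/gateway.example.crt"
    echo "before revocation: $(cert_status "$demo" gateway.example)"
    revoke_cert "$demo" gateway.example
    echo "after revocation:  $(cert_status "$demo" gateway.example)"
    rm -rf "$demo"
else
    echo "openssl not found; demo skipped" >&2
fi
```

The verification step only rejects the revoked certificate because the CRL is handed to the verifier together with the CA certificate; a gateway that trusts the CA but never fetches a fresh CRL will keep accepting a certificate long after it has been placed on the revocation list, which is why the CRL has to be distributed as part of Certificate Management.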

5.4 Where to store your Certificates

The main places to store your Certificates are a hard disk, a token or a protected environment.
One possibility is to store your certificates on a hard disk, often in a special directory or a fixed area of the disk. Protection is then mostly provided by mechanisms of the Operating System. Not very secure!

Another possibility is to store your Certificates on a token. Several tokens are available on the market, for instance serial or bus tokens.

Another good alternative is a SmartCard, which is designed particularly for this purpose. SmartCards are physically secure, can perform cryptographic functions and have an I/O interface.

A secure possibility is to store your certificates in a special crypto module placed in a server. Most available crypto cards have a tamper-resistant part added to the card; the Certificate and keys are stored electronically in this tamper-protected part.

5.5 Encryptors

Encryptor units are in fact built from three items: an interface, a software or hardware encipherment engine and a crypto algorithm.

There are many types of encryptor units on the market. Encryptors can have a variety of different interfaces, like:

  1. Frame-relay
  2. E1
  3. T1
  4. n x 64kb
  5. ISDN-BRI
  6. ISDN-PRI
  7. X.25
  8. ATM 155/622Mb
  9. Ethernet 10/100/1000Mbit LayerIII

The second part of the encryptor unit decides how encipherment is done; this can be software or hardware based. The first group are encryptors that do the encryption in software. This form is easy to upgrade, but enciphering large blocks of data takes a long time to process. The second group is based on hardware: hardware encryptors have specially designed chips that do the encryption. Compared to software-based encryptors, hardware encryptors are a lot faster at processing the data.

The third part is the type of crypto algorithm used. The crypto algorithms that can be placed in the crypto unit are:

  1. DES/3DES
  2. RSA
  3. AES

5.6 Thank you

I would like to thank Klaas Boshoven, my manager. He gave me permission to write this HOWTO and make it public.
I would also like to thank Andreas Steffen, who helped me further when I was faced with little problems.
If you encounter any errors in this document, please e-mail me.
If this helped you set things up successfully or inspired you, I would love to hear it! Drop me an e-mail :-)

5.7 Future plans

I will try to keep this HOWTO as up to date as I can. Perhaps there will be a newer HOWTO available in the coming months covering complete Certificate Management and LDAP issues. Who knows. :-)

Wouter Prins

