
1. Introduction

This HOWTO describes step by step how to set up an IPSEC VPN tunnel using FreeSWAN and PGPNet. The certificates will be stored locally on the security gateway. It is intended to help you set up a secure VPN tunnel over the internet. It is assumed that you are familiar with compiling and installing software on your UNIX-like system. You need to have read the FreeSWAN documentation to understand this HOWTO. For links to the HOWTO, see the Where? section.

1.1 What?

This HOWTO explains how to set up FreeSWAN, a Certificate Authority and X.509 certificates, and how to configure PGPNet to connect to FreeSWAN. The X.509 certificates will be stored locally on the VPN gateway machine.
A VPN, or Virtual Private Network, enables two networks to communicate securely when the only connection between them is over a third network which they do not trust.

1.2 Why?

Because we use a public network (the internet), the traffic between the two communicating hosts must be encrypted.
The reasons why this HOWTO was written are described here: http://www.evolvedatacom.nl/research.html

1.3 Where?

The latest version of this HOWTO is available at the Evolve Datacom website: http://www.evolvedatacom.nl/
FreeSWAN is available on the FreeSWAN website: http://www.freeswan.org
The X.509 patch is available from the strongsec website: http://www.strongsec.com/freeswan
OpenSSL is available on the OpenSSL website: http://www.openssl.org
PGPNet is available on the PGPNet website: http://www.pgpi.org/products/pgp/versions/freeware
Please note that the latest evaluation versions of PGPNet do NOT support subnets or certificates!
Also, PGPNet is now known as "McAfee VPN Client".
In the freeware beta version 8 no VPN client support is included.
Several users of the registered version of PGPNet have reported that this HOWTO is still usable.

1.4 How?

The Linux distribution we used is Debian (woody, currently in its test phase): http://www.debian.org
In our test environment we used kernel versions 2.2.x (with 2.2.20 being the latest at the moment).
The FreeSWAN version we used is 1.96.
The PGPNet version is PGP Corporate Desktop 7.1.1 (evaluation version).
The OpenSSL version we used is OpenSSL 0.9.6c.
Please note that this HOWTO is written for these versions. Some things will not work with older versions of the kernel, FreeSWAN or the X.509 patch.


Commands in this HOWTO are in slanted text: I am a command
Directory and filenames in this howto are in bold: /example/filename
Output from a command or configuration options are in bold and slanted:

I am the output on your screen

The passwords we use when making the certificates will be in the following format: <PASSWORD>

1.5 Changes

19 November 2002 - A typo has been corrected and information about PGPNet has been added in the Where? section.

1.6 Disclaimer

These steps worked for me, on our system; your mileage might vary. This is just one way to approach this, there are a lot of other ways to set the same thing up (although the general approach will be the same). It just happens that this was the first way that I tried that worked, so I wrote it down.

1.7 Copyright

(C)opyright 2002 Wouter Prins, Evolve Datacom B.V.
Do not modify without amending copyright, distribute freely but retain copyright message.

