In this chapter I will discuss some problems you may encounter when using this HOWTO, together with some solutions. Because there are a lot of places where the tunnel can go wrong, I will mostly give you links to where you can go with your particular question.
To test whether you can get through the gateway, try to ping a machine on the subnet behind the security gateway. Make sure the VPN is up. A problem I encountered in this test is that the VPN will not come up automatically, even though this is configured in PGPNet. This is a pure PGPNet problem, and perhaps it is caused by the fact that we used an evaluation version of PGPNet. If you know the solution to this, please e-mail me. :-)
If the connection has not come up, you can check the PGPNet log or the pluto error messages on the gateway. You might want to set plutodebug=all in the configuration file. Depending on the error, refer to the FreeS/WAN mailing list archives. The different mailing lists can be found here.
As I've already said, I could not get PGPNet to automatically establish the tunnel when a request to the subnet is made. To work around this problem I established the connection manually.
If the tunnel is established and you still cannot ping the subnet, check whether the routes on the gateway are correct. The routes can be shown using:
ipsec eroute
Sometimes a tcpdump on the ipsec0 interface can also help you find the problem.
In this HOWTO I did not cover the subject of firewalls. I assume you know how the firewall has been implemented in your network and know where to make the necessary changes.
When you start up FreeS/WAN and you get the following message:
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Starting FreeS/WAN IPsec 1.96...
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
To get rid of this warning you can add the following lines to your firewall configuration script (they have to run as root):
# Turn reverse-path filtering off on every interface, as KLIPS requires.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "0" > "${interface}"
done
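The loop above switches rp_filter off on every interface at once. The following added example (not part of the HOWTO) goes a step further: it clears rp_filter only on the interfaces ipsec_setup actually complains about, leaves the anti-spoofing check in place on the others, and verifies the result in the same form as the warning. The first argument is the sysctl root (an assumption so the functions can be exercised against a scratch directory; on a real host pass /proc/sys and run as root).

```shell
#!/bin/sh
# Added example: selective rp_filter handling for a FreeS/WAN (KLIPS) gateway.
# $1 is the sysctl root (/proc/sys on a real host; a scratch directory in tests).

# Print the rp_filter value of one interface, e.g. rp_filter_get /proc/sys eth0
rp_filter_get() {
    cat "$1/net/ipv4/conf/$2/rp_filter"
}

# Set rp_filter to $2 on each interface named in $3.. and leave all others alone.
# Usage: rp_filter_set /proc/sys 0 eth0
rp_filter_set() {
    root="$1"; value="$2"; shift 2
    for iface in "$@"; do
        f="$root/net/ipv4/conf/$iface/rp_filter"
        [ -w "$f" ] || { echo "cannot write $f (not root?)" >&2; return 1; }
        echo "$value" > "$f"
    done
}

# Return 0 when every named interface has rp_filter = 0 (what KLIPS wants),
# 1 otherwise, reporting offenders the way the ipsec_setup warning does.
# Usage: rp_filter_check /proc/sys eth0
rp_filter_check() {
    root="$1"; shift
    rc=0
    for iface in "$@"; do
        v=$(rp_filter_get "$root" "$iface")
        if [ "$v" != "0" ]; then
            echo "$iface: rp_filter = \`$v', should be 0" >&2
            rc=1
        fi
    done
    return $rc
}
```

Keeping rp_filter enabled on the interfaces that do not carry IPsec traffic preserves the source-address sanity check described below for those interfaces.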
rp_filter is used to prevent IP spoofing. It helps make sure that packets carry legitimate source addresses by automatically rejecting incoming packets whose source address, according to the routing table, does not belong on the network interface they arrive on.

Digital Certificates are the electronic counterparts of a passport. A Digital Certificate can be presented electronically to prove your identity. Digital Certificates basically bind an identity to a pair of electronic keys. The electronic keys can be used for encrypting and/or signing digital information.
The information placed in a Digital Certificate contains a number of things. It starts with the owner's public key, then the owner's name, an expiration date, the name of the Certification Authority that issued the Digital Certificate, a serial number and some other information.
Digital Certificates can be used for:
The main places to store your Certificates are a hard disk, a token or a protected environment.
One possibility is to store your certificates on a hard disk, often in a special directory or a fixed area of the disk. Protection is mostly provided by mechanisms of the Operating System. Not very secure!
Another possibility is to store your Certificates on a token. There are several tokens available on the market, for instance a serial or a bus token.
Another good alternative is a SmartCard, which is particularly designed for this purpose. SmartCards are physically secure, can perform cryptographic functions and have an I/O interface.
A secure possibility is to store your certificates in a special crypto module placed in a server. Most available crypto cards have an add-on tamper-resistant part on the card. The Certificate and Keys are electronically stored in this tamper-protected part.
Encryptor units are in fact built on three items: an interface, a software or hardware encipherment engine and a crypto algorithm.
There are many types of encryptor units on the market. Encryptors can have a variety of different interfaces, like:
I would like to thank Klaas Boshoven, my manager. He gave me permission to write this HOWTO and make it public.
I would also like to thank Andreas Steffen, who helped me further when I was faced with little problems.
If you encounter any errors in this document please e-mail me.
If this helped you set things up successfully or inspired you, I would love to hear it! Drop me an e-mail. :-)
I will try to keep this HOWTO up-to-date as much as I can. Perhaps there will be a newer HOWTO available in the coming
months with complete Certificate Management and LDAP issues. Who knows. :-)
Wouter Prins