Results 1 to 4 of 4

Thread: IPSec VPN on 8.04?

  1. #1
    Join Date
    May 2008
    Beans
    154

    Question IPSec VPN on 8.04?

    I'm trying to connect to my corporate intranet from home via VPN.

    The VPN is set up using IPSec with DES/MD5 enc.

    I've looked into VPNC and OpenVNC. Neither of those solutions work - VPNC is specific to Cisco VPN routers and OpenVNC will only connect to OpenVNC servers.

    Can anyone provide me with instructions to get a non-cisco IPSec VPN configured on 8.04?

    Thanks

  2. #2
    Join Date
    May 2008
    Beans
    154

    Re: IPSec VPN on 8.04?

    bump

  3. #3
    Join Date
    May 2008
    Beans
    154

    Re: IPSec VPN on 8.04?

    bump

  4. #4
    Join Date
    Mar 2009
    Beans
    2

    Re: IPSec VPN on 8.04?

    Key search terms: ubuntu intrepid ibex ipsec openswan vpn kvpnc networkmanager huawei e220

    I imagine this applies for most versions of Ubuntu. If not, bite me. I'm running 8.10.

    I installed the kde-vpn-client - http://home.gna.org/kvpnc/ - which simplifies the use of a whole bunch of different tools. This tool works in gnome too.

    Code:
    sudo apt-get install kvpnc
    PPTP connections worked fine, and OpenVPN connections worked fine - these are also easily configurable in NetworkManager->VPN Connections. This tool includes some nice wizards to get you going. But because some options in IPSEC can be a bit tricky, even the latest version of the kvpnc tool (at writing, 0.9.1) couldn't manage properly some openswan options that I needed and I didn't have the time to slice up config options I know that work and punch them into a GUI, I went the manual (but automate-able route).

    I found good info here:
    http://ubuntuforums.org/showthread.php?p=1781442
    http://searchenterpriselinux.techtar...286413,00.html

    I chose the OpenSWAN implementation since this is what my company uses, and we use the relatively more secure X509 certificate authentication and not PSK (pre-shared-key aka passwords). My setup is my laptop, and one of those Huawei E220 modems for mobile broadband so my IP is dynamic at worst. To get that working, I installed the driver download from here:
    https://forge.betavine.net/frs/?grou...&release_id=14 and added my ISP connection under NetworkManager. Got the idea from here:
    http://henrikan.wordpress.com/2008/0...ch-ubuntu-710/

    Pre-requisites: openswan, vpn server X509 public certificate from each server you want to tunnel to, your X509 private/public certificate pair which each vpn server is aware of.

    Code:
    sudo apt-get install openswan
    That done, set up your local connection in
    Code:
    /etc/ipsec.conf
    The options provided below are independent of local IP, route and interface, so should work carte-blanche.

    Code:
    # right: remote
    # left: local
    
    version 2
    config setup
        klipsdebug=none
        plutodebug=none
        plutostderrlog=/var/log/ipsec.log
        nat_traversal=yes
    
    #set some default options that both connections below will use.
    #in this example we will use X509 certificates for authentication.
    conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        leftcert="/etc/ipsec.d/certs/myprivatecert.pem"
        keyingtries=1
        #keylife=1200s
        #ikelifetime=1200s
        #leftcert= this needs to be YOUR PRIVATE X509 certificate that 
             #the vpn servers are aware of
    
    #name the connection...
    conn Stockholm
        auto=start
        left=%defaultroute
        rightcert="/path/to/this/vpn/servers/public/certificate.crt"
        right=1.2.3.4
        rightsubnet=10.48.0.0/16
        #left=%defaultroute. this is auto-determined at connect time. 
        #right=remote=public IP address or host-name of the vpn server with openswan
        #rightsubnet=the subnet of the internal network you want to connect to
    
    #name the connection...
    conn London
        auto=start
        left=%defaultroute
        rightcert="/path/to/this/vpn/servers/public/certificate.crt"
        right=fw-london.somecorp.com
        rightsubnet=193.188.23.0/24
    
    #some other important options to follow...
    
    # disable opportunistic encryption
    conn block
        auto=ignore
    
    conn private
        auto=ignore
    
    conn private-or-clear
        auto=ignore
    
    conn clear-or-private
        auto=ignore
    conn clear
        auto=ignore
    
    conn packetdefault
        auto=ignore
    Feel free to copy and paste the above options and modify to get things working your way. The above options are fairly common, e.g. NAT.

    Finally, to bring the tunnels up, you need to
    Code:
    sudo /etc/init.d/ipsec restart
    This should say something like
    Code:
    ipsec_setup: Stopping Openswan IPsec...
    ipsec_setup: Starting Openswan IPsec 2.4.12...
    The output of
    Code:
    route
    produces the following:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     *               255.255.255.255 UH    0      0        0 ppp0
    193.180.23.0    *               255.255.255.0   U     0      0        0 ppp0
    10.48.0.0       *               255.255.0.0     U     0      0        0 ppp0
    link-local      *               255.255.0.0     U     1000   0        0 ppp0
    default         10.64.64.64     0.0.0.0         UG    0      0        0 ppp0
    From this you can see the two routes from the rightsubnet= options are now set. i.e. the two rows beginning 193.180. and 10.48.

    To close the tunnels you need to:
    Code:
    sudo /etc/init.d/ipsec stop
    If you want to automate the tunnels to go up and down upon connect of various network interfaces, check out this post which should give you a good example to follow. http://ubuntuforums.org/showthread.php?t=430312 Look at the scripts to go in
    Code:
    /etc/network/if-up.d
    and
    Code:
    /etc/network/if-down.d
    and place (links to) scripts here.

    I can't adequately explain half of this stuff, but it works for me. ipsec options will be radically different depending on scenario - your mileage will vary. If it doesn't work for you - you're on your own.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •