FreeS/WAN is an implementation of IPSEC and IKE for Linux. It allows you to build secure tunnels through untrusted networks, where everything passing through the tunnel is encrypted, thus producing a Virtual Private Network, or VPN, a network that is private despite having machines at different locations connected by the insecure Internet.
In a previous job I needed to connect to a work VPN which was configured so that I could only reach it using a shared secret (a pre-shared key). On this page I describe the configuration I used, and also provide a small patch to FreeS/WAN that allows shared secrets to be specified in /etc/ipsec.secrets with %any given as the IP address for either end of the connection.
The contents of this page may be dated. This was a previous job, and I obviously no longer have access to that VPN. I am not currently using a VPN, and so lack the itch to keep this patch up to date. Luckily, it has recently been adopted into Ken Bantoft's Super FreeS/WAN and so stands a chance of remaining current there. Many thanks to Ken for this.
I need a VPN to connect into the internal network at work. That network is numbered in the 10.0.0.0/8 private range; hosts on the internal network are 10.1.x.x. My host needs to appear as a fixed host on that network, 10.3.0.1. However, I do not have a static IP address for my Internet connection.
So, from the FreeS/WAN point of view, I am operating a VPN but I am also a road warrior, because the IP address of my end of the connection changes.
To do this I use a configuration due to Jan Vroonhof. It is a regular configuration with the ipsec0 device at the dynamic address, plus an alias device ipsec0:1 at the fixed network address 10.3.0.1. Here are the relevant pieces of my /etc/ipsec.conf (the value of right=, the work gateway's address, is left out here):
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # should setup turn IP forwarding on after IPSEC is started, and off
        # before it is stopped?
        forwardcontrol=no

conn work
        type=tunnel
        authby=secret
        left=%defaultroute
        leftsubnet=10.3.0.1/32
        leftupdown=/etc/ipsec/work-updown
        right=
        rightsubnet=10.1.0.0/16
        keyexchange=ike
        auth=esp
        pfs=no
        keyingtries=3
        ikelifetime=4h
        keylife=40m
        auto=start
Note that this requires having IP aliasing enabled in your Linux kernel.
My work-updown script is based on the _updown script in FreeS/WAN 1.8 and can be found here. A patch file containing the changes is here.
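As an illustration of the alias trick, here is an added example of a leftupdown= hook; it is my sketch, not the work-updown script linked above (that one is a modified copy of _updown, while this one wraps it). It assumes FreeS/WAN's default install path for the stock script (/usr/local/lib/ipsec/_updown), the PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT_NET, PLUTO_PEER_CLIENT_MASK and PLUTO_NEXT_HOP variables that pluto exports to the hook, and that routing the work network through the labelled alias device makes the kernel prefer 10.3.0.1 as the source address (true of the 2.2/2.4 net-tools setup of the period; with iproute2 you would add the route with an explicit src instead). The command-building function is kept side-effect free so it can be checked without a running tunnel.

```shell
#!/bin/sh
# /etc/ipsec/work-updown: added example, not the author's script.
#
# Pluto runs the leftupdown= hook with the action in $PLUTO_VERB and the
# connection's addresses in other PLUTO_* variables.  This hook takes
# over only the client-route verbs: it puts the fixed inner address on
# an alias of the ipsec interface and routes the work network through
# that alias, so outgoing packets carry 10.3.0.1 as source and fall
# inside leftsubnet=10.3.0.1/32.  Every other verb goes to the stock
# _updown unchanged.

FIXED_ADDR=10.3.0.1                         # leftsubnet in ipsec.conf
STOCK_UPDOWN=/usr/local/lib/ipsec/_updown   # assumed default install path

# updown_cmds VERB IFACE NET MASK GW ADDR
# Prints, one per line, the commands to run for VERB; prints nothing
# for verbs that are left to _updown.  Side-effect free for testing.
updown_cmds() {
    verb=$1 iface=$2 net=$3 mask=$4 gw=$5 addr=$6
    case "$verb" in
    route-client)
        # the alias must exist before the route that refers to it
        echo "ifconfig ${iface}:1 $addr netmask 255.255.255.255 up"
        echo "route add -net $net netmask $mask dev ${iface}:1 gw $gw"
        ;;
    unroute-client)
        echo "route del -net $net netmask $mask dev ${iface}:1"
        echo "ifconfig ${iface}:1 down"
        ;;
    esac
}

if [ -n "$PLUTO_VERB" ]; then               # invoked by pluto
    cmds=$(updown_cmds "$PLUTO_VERB" "$PLUTO_INTERFACE" \
                       "$PLUTO_PEER_CLIENT_NET" "$PLUTO_PEER_CLIENT_MASK" \
                       "$PLUTO_NEXT_HOP" "$FIXED_ADDR")
    [ -n "$cmds" ] || exec "$STOCK_UPDOWN" "$@"
    echo "$cmds" | while read -r cmd; do
        $cmd || exit 1      # word splitting of $cmd is intended here
    done
fi
```

Once installed, `ifconfig ipsec0:1` should show 10.3.0.1 while the connection is routed, and `route -n` should list 10.1.0.0/16 against ipsec0:1; if the source address of tunnelled packets is still the dynamic one, the alias-based source selection is what to look at first.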
There is an additional complication in my case because my old employer used Ravlin IPsec equipment, which FreeS/WAN has some problems interoperating with. The problem (which I am fairly sure lies with the Ravlin, not FreeS/WAN) is described, and a patch to FreeS/WAN provided, on my Ravlin page.
I have another small problem with FreeS/WAN because my connection uses a shared secret. Because I am a Road Warrior, I need to specify the secret as
x.x.x.x %any : PSK "This is our secret"
where x.x.x.x is the IP address of the work gateway. My address changes (no static IP for me, remember) so I need to specify it as %any.
Unfortunately, in current FreeS/WAN %any only matches the other end of the connection, never my own end, so I would have to edit the secret line every time my IP address changed. Not good.
This patch for FreeS/WAN 1.98b redoes the %any handling so that %any can be given for either end or both ends of the connection. If several secrets match, the one that matches with the fewest %anys is always preferred. There is also a patch against Super FreeS/WAN 1.99.8, courtesy of Fredrik Ax, and as noted above the patch has since been incorporated into mainline Super FreeS/WAN.
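To make the selection rule concrete, here is an added example that models the lookup in shell; it is mine, not the patch itself or pluto's code (pluto does this in C and matches on IKE IDs in general, not just addresses, and reads /etc/ipsec.secrets rather than stdin). The secrets lines and all addresses are constructed, using documentation ranges. With PATCHED=0 a %any may stand only for the peer, which is the stock behaviour that fails for a road warrior; with PATCHED=1 it may stand for either end, and among matching lines the one with the fewest %anys wins.

```shell
#!/bin/sh
# Added example: a shell model of the PSK lookup rule, not pluto's code.
#
# Constructed ipsec.secrets-style lines (documentation addresses):
#   192.0.2.1      the work gateway
#   198.51.100.7   a colleague with a static address
SECRETS='192.0.2.1 %any : PSK "roadwarrior"
%any %any : PSK "fallback"
192.0.2.1 198.51.100.7 : PSK "static-peer"'

# sel_matches SELECTOR ADDR ALLOW_ANY
# A selector matches an address if it equals it, or if it is %any and
# ALLOW_ANY is 1.
sel_matches() {
    [ "$1" = "$2" ] || { [ "$1" = "%any" ] && [ "$3" = 1 ]; }
}

# pair_matches S1 S2 ME PEER PATCHED
# The two selectors on a line are an unordered set, so both orderings
# are tried.  Unpatched pluto lets %any stand only for the peer
# (PATCHED=0); with the patch it may stand for either end (PATCHED=1).
pair_matches() {
    { sel_matches "$1" "$3" "$5" && sel_matches "$2" "$4" 1; } ||
    { sel_matches "$2" "$3" "$5" && sel_matches "$1" "$4" 1; }
}

# pick_secret ME PEER PATCHED
# Reads secrets lines on stdin and prints the PSK of the best match: the
# line that matches with the fewest %any selectors.  Returns 1 if none.
pick_secret() {
    me=$1 peer=$2 patched=$3 best=3 bestpsk=
    while read -r s1 s2 colon kind psk; do
        [ "$colon" = ":" ] && [ "$kind" = "PSK" ] || continue
        pair_matches "$s1" "$s2" "$me" "$peer" "$patched" || continue
        w=0
        case "$s1" in %any) w=$((w+1)) ;; esac
        case "$s2" in %any) w=$((w+1)) ;; esac
        if [ "$w" -lt "$best" ]; then
            best=$w bestpsk=$psk
        fi
    done
    [ -n "$bestpsk" ] && echo "$bestpsk"
}

# Road warrior at a dynamic address (10.9.8.7) talking to the gateway:
printf '%s\n' "$SECRETS" | pick_secret 10.9.8.7 192.0.2.1 0 ||
    echo "unpatched: no secret matches, the %any is taken as the peer"
printf '%s\n' "$SECRETS" | pick_secret 10.9.8.7 192.0.2.1 1      # "roadwarrior"
# The colleague with a static address gets the more specific line:
printf '%s\n' "$SECRETS" | pick_secret 198.51.100.7 192.0.2.1 1  # "static-peer"
```

The fewest-%anys rule matters once a secrets file mixes a blanket road-warrior line with per-host lines: without it the blanket line could shadow a peer's own key, so a specific entry always outranks a wildcard one.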
Apply the patch with

patch -p1 < shared.patch

in the top FreeS/WAN source directory, and check that it applied cleanly (patch reports any rejected hunks and leaves them in .rej files). It only affects pluto, so you can just rebuild and reinstall that.