Table of Contents

• The IPSEC protocols
• Interoperating with other IPSEC implementations
• Applications of IPSEC
• The need to authenticate gateways
• The FreeS/WAN project
• Project goals
• Information on the web
• Distribution sites
• Archives of the project mailing list
• Products containing FreeS/WAN
• Linux distributions
• Firewall and VPN products
• Documentation
• This HowTo, in multiple formats
• Other documents in the distribution
• User-written HowTo information
• Papers on FreeS/WAN
• Test results
• License and copyright information
• Links to other sections

• Before starting the install
• Choosing a kernel
• Getting kernel source
• Kernel configuration
• Install and test a kernel before adding FreeS/WAN
• Building and installing the software
• Everything but kernel installation
• Installing the new kernel
• Make sure Lilo knows about the new kernel
• Testing to see if install succeeded
• Links to other sections

• Our example networks
• Configuration for a testbed network
• Set up and test networking
• Enabling packet forwarding
• Other software
• RTFM (please Read The Fine Manuals)
• Setting up RSA authentication keys
• Generating an RSA key pair
• Exchanging authentication keys
• Using RSA signatures for authentication
• The configuration file
• The setup section of ipsec.conf(5)
• Connection defaults
• Editing a connection description
• Which is which?
• Example setups
• VPN
• Road Warrior
• Opportunistic encryption
• Simplifying ipsec.conf files
• Is there a firewall in play?
• Testing the installation
• Matching numbers
• Sanity checking
• Starting a connection
• Ping tests
• Testing with tcpdump
• What next?
• Other configuration possibilities
• Choosing connection types
• Using shared secrets in production
• Using manual keying in production
• Setting up connections at boot time
• Multiple tunnels between the same two gateways
• Many tunnels from a single gateway
• Extruded Subnets
• Road Warrior with virtual IP address
• Dynamic Network Interfaces
• Unencrypted tunnels

• Files
• Commands
• Library routines

• IPSEC packets
• ESP and AH do not have ports
• Header layout
• Filtering rules for IPSEC packets
• IPSEC through the gateway
• Filtering packets from unknown gateways
• Other packet filters
• ICMP filtering
• UDP packets for traceroute
• IPSEC and NAT
• Calling firewall scripts, named in ipsec.conf(5)
• DHR on the updown script
• Example updown script for ipchains
• Ipchains firewall configuration at boot

• Problem Reporting
• Logs used
• Testing in stages
• If a manually keyed connection works and auto doesn't
• If manually keyed connections don't work
• If a single manual connection works, but more than one fails
• If IPSEC works but connections using compression fail
• Dropped packets
• The firewall ate my packets!
• Small packets work, but large transfers fail
• Dropped connections
• Interoperability problems
• Systems that want to use DES
• Pluto problem hints
• Pluto error "no acceptable transform" message
• Connection names in Pluto error messages
• ECONNREFUSED error message
• Information available on your system
• man pages provided
• Status information
• ifconfig reports for KLIPS debugging
• Testing between security gateways

• Not everyone needs to worry about kernel configuration
• Assumptions and notation
• Labels used
• Kernel options for FreeS/WAN

• Top directory
• Documentation
• KLIPS: kernel IP security
• Pluto key and connection management daemon
• Utils
• Libraries
• FreeS/WAN Library
• Imported Libraries

• Implemented parts of the IPSEC Specification
• In Linux FreeS/WAN
• Deliberaretly ommitted
• Not (yet) in Linux FreeS/WAN
• Our PF-Key implementation
• PF-Key portability
• Kernels other than 2.0.38 and 2.2.16
• Other 2.0.x Intel Kernels
• 2.2 and 2.3 Kernels
• Intel Linux distributions other than Redhat 5.x and 6.x
• Redhat 7.0
• SuSE Linux
• Slackware
• Debian
• CPUs other than Intel
• Corel Netwinder (StrongARM CPU)
• Yellow Dog Linux on Power PC
• Mklinux
• Alpha 64-bit processors
• Sun SPARC processors
• MIPS processors
• Motorola Coldfire
• Support for crypto hardware
• IP version 6 (IPng)

• Published test results and HowTo documents
• Interoperation with specific products
• OpenBSD
• FreeBSD
• Cisco Routers
• Nortel (Bay Networks) Contivity switch
• Raptor Firewall on Windows NT
• Checkpoint Firewall-1
• F-Secure VPN for Windows
• Xedia Access Point/QVPN
• PGP 6.5 Mac and Windows IPSEC Client, PGPnet
• IRE Safenet/SoftPK
• Borderware
• Freegate
• Timestep
• Shiva/Intel LANrover
• Sun Solaris
• Windows clients
• Windows 2000

• Introduction
• Outline of this section
• Links
• From our project leader
• Swan: Securing the Internet against Wiretapping
• Stopping wholesale monitoring
• Government promotion of weak crypto
• Escrowed encryption
• Limited key lengths
• Cryptography Export Laws
• US Law
• What's wrong with restrictions on cryptography
• The Wassenaar Arrangement
• Export status of Linux FreeS/WAN
• Help spread IPSEC around
• DES is Not Secure
• Dedicated hardware breaks DES in a few days
• Spooks may break DES faster yet
• Networks break DES in a few weeks
• We disable DES
• 40-bits is laughably weak
• Triple DES is almost certainly secure
• AES in IPSEC
• Press coverage of Linux FreeS/WAN:
• FreeS/WAN 1.0 press
• Press release for version 1.0

• Applying IPSEC
• Advantages of IPSEC
• Limitations of IPSEC
• IPSEC is a general mechanism for securing IP
• Using authentication without encryption
• Encryption without authentication is dangerous
• Multiple layers of IPSEC processing are possible
• Using "unnecessary" encryption
• Cryptographic components
• Block ciphers
• Hash functions
• Diffie-Hellman key agreement
• RSA authentication
• Structure of IPSEC
• IKE (Internet Key Exchange)
• IPSEC Services, AH and ESP
• The Authentication Header (AH)
• Encapsulated Security Payload (ESP)
• IPSEC modes
• Tunnel mode
• Transport mode
• FreeS/WAN parts
• KLIPS: Kernel IPSEC Support
• The Pluto daemon
• The ipsec(8) command
• Linux FreeS/WAN configuration file
• Key management
• Currently Implemented Methods
• Methods not yet implemented

• The FreeS/WAN mailing list
• Archives of the project mailing list
• Indexes of mailing lists
• Lists for related software and topics
• Linux mailing lists
• Lists for IETF working groups
• Other mailing lists
• Usenet newsgroups

• The Linux FreeS/WAN Project
• Add-ons and patches for FreeS/WAN
• Distributions including FreeS/WAN
• Things FreeS/WAN uses or could use
• Other approaches to VPNs for Linux
• The IPSEC Protocols
• General IPSEC or VPN information
• IPSEC overview documents or slide sets
• IPSEC information in languages other than English
• RFCs and other reference documents
• Analysis and critiques of IPSEC protocols
• Background information on IP
• IPSEC Implementations
• Linux products
• IPSEC in router products
• Operating systems with IPSEC support
• Open source IPSEC implementations
• Interoperability
• Linux links
• Basic and tutorial Linux information
• General Linux sites
• Documentation
• Advanced routing
• Security for Linux
• Linux firewalls
• Miscellaneous Linux information
• Crypto and security links
• Crypto and security resources
• Cryptography law and policy
• Cryptography technical information
• Computer and network security
• Links to home pages

• Jump to a letter in the glossary
• Other glossaries
• Definitions

• The RFCs.tar.gz Distribution File
• Other sources for RFCs & Internet drafts
• RFCs
• Internet Drafts
• FIPS standards
• Document CDs
• What's in the RFCs.tar.gz bundle?
• Overview RFCs
• Basic protocols
• Key management
• Details of various things used
• Older RFCs which may be referenced
• RFCs for secure DNS service, which IPSEC may use
• RFCs labelled "experimental"
• Related RFCs

• Questions
• How do I report a problem or seek help?
• Setup and testing questions
• I cannot ping ....
• Manual connections work, but automatic keying doesn't
• One manual connection works, but second one fails
• TCPdump on the gateway shows strange things
• Supported features
• Does FreeS/WAN support single DES encryption?
• Does FreeS/WAN support X.509 or other PKI certificates?
• Does FreeS/WAN run on my version of Linux?
• Interpreting error messages
• Pluto: ... no connection is known