niels / Blog / #email,#gnupg

GnuPG key

I recently created a new Public GnuPG key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenKeyServer v1.2
Comment: Extracted from http://www.keyserver.net

mQGiBD2/K9ERBADj/QIuSod0L0jEbyzYitC56Sx5zb4Z5/nTRmyhz3gWm4xfiVFz
3Yi9swBOcR3EAL8vNU/CD2DwuNt+rF66CYOBQ3Pt/yCEo4RnResMngzQ2HvZGZty
lXD4+v8q37Zb+bUG8/njQXS9jYhMSYMOdeQU0Q71ByD6YVywWCtO3lARtwCgxYim
O2Mdq2D8FYVOlkegaWQgbmMD+wa6Yydqpj2mR1bFa20qqMjP1B4VKnH95lCqEv9X
dv/AtryO/oRbL3JTpDwQHHbnFUN70g50xOE9FJQAg7TZduqIrS5Qf3z3CEgHWSXs
l+BLC7AFA6ORF+0pZVKPkhcKoo9NDUpgP+3uizJ/oLI8AzYzKaLBgc4/piBnAc0v
pjxcBACLI8o8K3jx4Rzj1DZwHo/N7FWeyGm/55C77mZzNZndaoGaqrNzmkpOXKS5
E34ZUwAAJKlNHybNGGv9G7cSxUE9gSlQ4wKg+1EpeVxr7u+FNg+lQsLas7BN2KWx
ieiDDAJLGW+uCkAE+nH0DZx79m17PhFy/+AXYu79kloq9rcEx7QbTmllbHMgUGVl
biA8bmllbHNAcGVlbi5uZXQ+iF8EExECAB8FAj2/K9IFCQHhM4AECwcDAgMVAgMD
FgIBAh4BAheAAAoJEA63+QrUmG/Vk08An0HAeRdrNw6yTCjcGYymMpT2UmNNAJ9S
BHqP7Zco9akEtLaPP53V/B9/7ohMBBMRAgAMBQI96x8XBYMBtUA6AAoJECYELLsT
O2Jk+Z8An12GqVlo3EGIVKLOMFb4AZ/ioSsAAJwIE6BRc0afXBLdRljFktBDPkxM
8bkCDQQ9vyviEAgAswlqUtT03H5q29F/vusDPJ6YvrlDlcSCBAxoP9iup9tz3ZNr
Dhspr3fDtbxsV4RVC+xhNPBvMWgNkvuRxz8VZ24hqJ0EncCVXEEuONI2GMu2V8/i
9LrMBMdOmZrt5rXpLiky57tQv3PPH3GlX8h6+OBBzZwXwH7mgeKklMtxNPm+LtOY
L9au8SsbUmF4swrg6KRZd2TBckSICBe4rxZlTsQRycVQwx6Keu40NB2FR1zcVyLL
CH0ZkOQXLKVopPJ3xAci35IcZA0bsD+ivfb8ecNY25SuzNh9zlz8XP7HNv7Cj1lb
Zt6MocDNQQU0h1a94SzqUdjyTkxwKbcbgWgZmwADBQf+OjXLT0kpVNvZ8fLXAI1z
Jzmqfmp4hxMaLNd9m+Cdoj83TvFE1xnSLdfDSz/J3pZNujWCol2+wadgrXC22Q0E
Cq1VyeiwsucdlxOePO/rGDYLrQBJ+kD/sQljiObnwi7dbfOaIRkKahriSurG2KtD
/bO/zo0Xpd9Q4bBTP0et+blDuVw9+IvyuoVs+kc0Qwuh5OK3eFrDyejLbN0JsGqM
9kEd5YKo1E4OZ3W7EObrZKRwZJ7i3jFzTSlyVwWpvElykseonALoWkODbISEloaY
WadvMH9BJlYP+4eETb36ONbiSQqiV/Wx4+LHmAOdfP7ZE6u0RvyQh4dBpRBbRrEG
iohMBBgRAgAMBQI9vyviBQkB4TOAAAoJEA63+QrUmG/VEAYAmgNeS6Z22cXSJmNL
nGBskSkBvZIXAKCJGSpQrEF+J0YovrrLuWQ8Wkenvw==
=X3HU
-----END PGP PUBLIC KEY BLOCK-----
niels / Hardware / #router,#vpn

Draytek Vigor2200 <-> FreeS/WAN HOWTO

  • v1.00 2002/01/24 – first
  • v1.01 2002/03/06 – latest firmware supports PFS and fixes accidental
  • v1.02 2002/08/16 – make sure to use the scheduler in lan-lan profile
    pass-through of IKE packets when DMZ is used

##Situation

  • We have a large network 10.2.0.0/16 with a FreeS/WAN Linux box on internal
    IP 10.2.0.1 and external (public internet) IP 123.123.123.123
  • We also have a small network 192.168.1.0/24 with a Vigor2200 on internal IP
    192.168.1.1 and external (public internet) IP 222.222.222.222
  • Our setup will automatically create a link between the two networks as
    soon as any machine on the smaller (connected to the vigor) network tries to
    access the larger (connected to the linux box) network.

Assumptions

  • You have succesfully installed FreeS/WAN (For installing FreeS/WAN see
    http://www.freeswan.org/)
  • Your Vigor2200 is up and running
  • vm will be the IPSec box
  • vigor will be the Vigor2200

Instructions

First, create a PSK (pre-shared key) using the ipsec ranbits command:

vm:~# ipsec ranbits --continuous 128 
0x6672dd8b3f15227556b606f9f624c3da
vm:~#

Access the Vigor2200 through it’s web interface. Go through the screens mentioned below and configure accordingly. You must of course replace the secret key with your own one created above.

This screen is pretty straight forward. We configure the pre-shared key and tell the Vigor to both authenticate and encrypt using 3DES.

Vigor IKE/IPSec Setup

Dial-in Set up
IKE Authentication method
Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
IPSec Security Method
Select High(ESP) and 3DES

Dial-out
IKE Authentication method
Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da

This is a screen has a lot of things, but most things on the right (except for dial direction and idle-timeout) can be ignored because they apply only to ISDN usage.

LAN-to-LAN Dialer Profile Setup

Common Setup
Profile Name: ipsecvm
Select Enable this profile
Call Direction: select Both
Idle Timeout: 900

Dial-Out Settings
Username: leave empty, or leave ???
Password: leave empty
Server IP: 123.123.123.123
Type of Server I am Calling: select IPSec Tunnel
Select High(ESP) and 3DES with Authentication

Scheduler(1-15): 1 (or whatever number you give your schedule
profile)

Dial-In Settings
Username: leave empty, or leave ???
Password: leave empty
Select Enable CLID
Peer VPN Server IP: 123.123.123.123
Allowed Dial-In Type: Select IPSec Tunnel

TCP/IP Network Settings
My WAN IP: 0.0.0.0
Remote Gateway: 123.123.123.123
Remote Network: 10.2.0.0
Remote Netmask: 255.255.0.0

For NAT operation, treat remote sub-net as: Private IP

This screen enables the auto-dial function. It’s not necessary (you can start the connection on either side manually), but it is very convenient 😉

Call Schedule Setup

Select Enable Schedule Setup
Start Date: 2000-1-1
Start Time: 0:0
Duration: 23:59
Action: select enable dial-on-demand
Idle Timeout: 0
How Often: select weekdays and sun, mon, etc

FreeS/WAN

Now we go setup the FreeS/WAN config files.

leftnexthop is usually the default gateway on the linux box. rightnexthop is usually the default gateway for the vigor.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
 
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes
 
conn %default
        keyingtries=3
        keylife=3600s
        ikelifetime=480m
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes
 
conn peen
        esp=3des-md5-96
        left=123.123.123.123
        leftsubnet=10.2.0.0/16
        leftnexthop=123.123.123.1
        right=222.222.222.222
        rightsubnet=192.168.1.0/24
        rightnexthop=222.222.222.1
        auto=add

Below of course again replace the secret key with the one you generated earlier.

# /etc/ipsec.secrets

123.123.123.123 222.222.222.222 : PSK "0x6672dd8b3f15227556b606f9f624c3da"

Some additional hints:

  • The Vigor2200 supports IPSec only if the firmware is 2.00 of later.
  • The keylife and ikelifetime above match those of the Vigor. If you use different values, results are unpredictable.