How to make a VPN with FreeS/WAN using only dynamic IPs
(for example, the addresses a Call-by-Call ISP assigns)

Jens Zerbst (raffnix@gmx.at)

=============
introduction:
=============

The aim of this HOWTO is to describe how to connect x networks by a VPN
using only dynamic IPs (for example, the ones a Call-by-Call provider
assigns; the advantage is obvious). The number of connected networks is
limited only by FreeS/WAN. In this HOWTO I only discuss the crucial
problems that dynamic IPs cause for a VPN, not the FreeS/WAN configuration
itself (this can be found at www.freeswan.org). The stability/availability
of the VPN depends only on the ISP. I reached a very satisfying
'stability/availability' as the number of VPNs increased.

============
requirement:
============

- a running FreeS/WAN 1.x system (see www.freeswan.org)
- a dynamic DNS service provider (for example: www.dyndns.org), or a shell
  account with a static IP (not discussed in this HOWTO)

===============
sample network:
===============

---------------------------
10.100.x.x network - router1(ipsec) -------inet------- router2(ipsec) - 10.110.x.x network
                     dynamic IP address:                dynamic IP address:
                     dynip1.xxx.org                     dynip2.xxx.org
                     LAN address: 10.100.0.1            LAN address: 10.110.0.1

                                    -------inet------- router3(ipsec) - 10.120.x.x network
                                                       dynamic IP address:
                                                       dynip3.xxx.org
                                                       LAN address: 10.120.0.1

                                    -------inet------- road warrior (PGPnet, ...)
---------------------------

==============
configuration:
==============

1. Configuration of the automatic IP address assignment to 'dynipx.xxx.org'

You can handle this with a daemon that checks the IP address with the
dynamic DNS service provider and updates the assignment if necessary. To
find such tools, look for example at
http://support.dyndns.org/dyndns/clients/unix.shtml

An example configuration:

--- any script which runs at bootup ------------
/sbin/ez-xxupdate -c /etc/dynamischendnsname.conf -d -P 200
---------------------------------------------------

2. ipsec.conf

The special feature of this ipsec.conf is the entry rightnexthop or
leftnexthop (the ipsec.conf below contains only made-up numbers; you must
change them). You only have to set the 'nexthop' on 'your side'. There are
two possibilities:

1. Your ISP always gives you the same p-t-p partner (that is naturally the
   simpler version). You simply insert the p-t-p partner as 'nexthop' here
   (shell: run ifconfig and read the P-t-P entry).

2. Your ISP gives you different p-t-p partners. In this case you have to
   change the 'dialup script to the ISP': grep the p-t-p partner out of the
   ifconfig output and write it into ipsec.conf (the technique is described
   in most UNIX handbooks).

You have to change ipsec.conf for the respective 'ipsec-router'. This is
the ipsec.conf for the 'ipsec-router dynip1'.

--- /etc/ipsec.conf ---
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1
        spi=0x200
        esp=3des-md5-96
        espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
        espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf

conn dynip1-dynip2
        left=dynip1.xxx.org
        leftsubnet=10.100.0.0/16
        # in the next line you have to write the IP address of your p-t-p partner
        leftnexthop=77.77.77.77
        right=dynip2.xxx.org
        rightsubnet=10.110.0.0/16
        rightnexthop=
        auto=add

conn dynip1-dynip3
        left=dynip1.xxx.org
        leftsubnet=10.100.0.0/16
        # in the next line you have to write the IP address of your p-t-p partner
        leftnexthop=77.77.77.77
        right=dynip3.xxx.org
        rightsubnet=10.120.0.0/16
        rightnexthop=
        auto=add

conn dynip1-road
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=dynip1.xxx.org
        rightsubnet=10.100.0.0/16
        # in the next line you have to write the IP address of your p-t-p partner
        rightnexthop=77.77.77.77
        authby=secret
        auto=add
--------------------------

3. ipsec.secrets

--- /etc/ipsec.secrets ---
dynip1.xxx.org dynip2.xxx.org: PSK "my secret"
dynip1.xxx.org dynip3.xxx.org: PSK "my second secret"
--------------------------

nothing more to say ...

4.
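One way to do the "grep the p-t-p partner and write it into ipsec.conf" step of possibility 2, as an added example that is not part of the original HOWTO: a small POSIX shell script to be called from the ISP dialup script once the link is up. It assumes classic net-tools ifconfig output (the 'P-t-P:' field), that the nexthop lines on your own side already hold an address while the remote side's are left empty as in the sample ipsec.conf, and that the annotations in ipsec.conf are '#' comments; the function and file names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Called from the ISP dialup
# script after the link is up: read the p-t-p partner of the dialup
# interface and write it into our own nexthop= lines in ipsec.conf.

# Print the P-t-P partner found in net-tools ifconfig output read from stdin.
# Fails (exit 1) when no "P-t-P:" field is present, e.g. interface not up.
ptp_from_ifconfig() {
    sed -n 's/.*P-t-P:\([0-9][0-9.]*\).*/\1/p' | head -n 1 | grep .
}

# Replace the address in every leftnexthop=/rightnexthop= line of $1 that
# already carries an address with $2. Lines with an empty value belong to
# the other side of the tunnel (see the sample ipsec.conf) and are left
# untouched. The file is rewritten via a temp file so ipsec.conf is never
# left half-written if the dialup script is interrupted.
rewrite_nexthops() {
    conf=$1; addr=$2; tmp="$conf.tmp.$$"
    sed -e "s/^\([[:space:]]*leftnexthop=\)[0-9][0-9.]*/\1$addr/" \
        -e "s/^\([[:space:]]*rightnexthop=\)[0-9][0-9.]*/\1$addr/" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# $1 = ipsec.conf to update, $2 = file holding the ifconfig output of the
# dialup interface. Prints the address that was written, exit 1 on failure.
update_nexthop() {
    ptp=$(ptp_from_ifconfig < "$2") || { echo "no P-t-P partner in $2" >&2; return 1; }
    rewrite_nexthops "$1" "$ptp" && echo "$ptp"
}

# Demo on constructed input (no real interface or /etc/ipsec.conf is touched).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'conn dynip1-dynip2' '        leftnexthop=77.77.77.77' \
        '        rightnexthop=' 'conn dynip1-road' '        leftnexthop=' \
        '        rightnexthop=77.77.77.77' > "$d/ipsec.conf"
    printf '%s\n' 'ppp0  Link encap:Point-to-Point Protocol' \
        '      inet addr:62.0.0.5  P-t-P:88.88.88.88  Mask:255.255.255.255' > "$d/ifc"
    update_nexthop "$d/ipsec.conf" "$d/ifc" && cat "$d/ipsec.conf"
    rm -rf "$d"
}

# Run the demo with: sh thisscript.sh demo
case "${1:-}" in demo) demo ;; esac
```

In the real dialup script you would run something like `ifconfig ppp0 > /var/run/ppp0.ifc && update_nexthop /etc/ipsec.conf /var/run/ppp0.ifc` and then `ipsec auto --replace <conn>` for each conn, because pluto only reads ipsec.conf when a conn is (re)loaded.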
cron scripts

The cron script is necessary to react to an ISP disconnect (flat rates
disconnect sometimes), a reset of the router, etc.

ISP test:

--- /usr/sbin/inettest ---
#!/bin/sh
# 77.77.77.77: an IP address which is always online
ping -i 10 -c 5 -n 77.77.77.77
if test $? -ne 0; then
        # instead of rebooting you can call a relogin script for your ISP here
        /sbin/reboot
fi
exit 0
--------------------------

dynip2 test:

--- /usr/sbin/dynip2test ---
#!/bin/sh
# dynip1 pings from its device with IP 10.100.0.1 to the device with
# IP 10.110.0.1 at dynip2, i.e. through the tunnel
ping -i 5 -c 5 -n -I 10.100.0.1 10.110.0.1
if test $? -ne 0; then
        # reload the conn from ipsec.conf and bring the tunnel up again
        /usr/sbin/ipsec auto --replace dynip1-dynip2
        /usr/sbin/ipsec auto --add dynip1-dynip2
        /usr/sbin/ipsec auto --up dynip1-dynip2
fi
exit 0
--------------------------

This script is written for dynip1. For dynipx you have to change:
- the IP addresses in the ping line (own device IP, other side's device IP)
- the name of the conn from ipsec.conf

Afterwards you can integrate the scripts in cron.

--- cron ---
* * * * * /usr/sbin/inettest
* * * * * /usr/sbin/dynip2test
------------

You can also start the cron script as a daemon.

===================
control assistance:
===================

- does the login to the ISP work? Is the 'default route' set?
- does the assignment of the dynamic IP to dynipx.xxx.org work
  (ping dynipx.xxx.org)?
- does ipsec connect correctly? If you have problems, you can use your IP
  addresses (instead of dynipx.xxx.org) first (write your present IP
  addresses into ipsec.conf; you get the present IP addresses using
  ifconfig). If there are still problems, look at the manuals on
  www.freeswan.org
- the change of dynipx.xxx.org needs some time; you often see the error
  'could NOT orient connection'. This should adjust fast.
- is the 'nexthop entry' correct? (compare it with the P-t-P entry from
  ifconfig)

===========
last words:
===========

With these steps you should be able to configure a working VPN with dynamic
IPs. I tested it on some VPNs successfully.
(To increase the availability you can work with 'failover systems' which
can 'take over' a tunnel immediately.)

This is the first version of the HOWTO and it certainly contains errors.
Please send me the problems, errors, etc. you notice, so that I can improve
the HOWTO if necessary. My English isn't very good, sorry. If you have some
corrections, please mail me, too. Thank you for your help. (raffnix@gmx.at)

=========
Thanx to:
=========

the team of FreeS/WAN
the team of www.dyndns.org
the team of ez-update
for their great work

FreeS/WAN derives its name from S/WAN, which is a trademark in the USA of
RSA Data Security, Inc.