OpenSWAN
=========
To drive the CESA hardware crypto engine from OpenSWAN, one patch must be applied to the OpenSWAN sources.
Download openswan-2.6.29 (http://www.openswan.org/) and extract the tarball.
Apply the patch:
- mv_openswan_2_6_29.patch -
The patch changes the default configuration to drop DEBUG and to enable OCF, the in-kernel crypto framework
through which the IPsec stack reaches the CESA.
Fixes carried by the patch:
- fix an icmp_send failure caused by the IFF_XMIT_DST_RELEASE flag being set on the net device.
- fix a BUG on rmmod by removing a duplicated free_netdev call.
- include the patch from openswan git that makes sure skb->dst is in place before ip_select_ident is called;
  without it the kernel warns: "rt_bind_peer(0) .. "
Then compile:
+ ipsec kernel module (cross compilation):
'make KERNELSRC=<path to this release, after config> module ARCH=arm CC=<path_to_cross_compile> LD=<path_to_cross_loader>'
Copy the resulting module to the target root filesystem under /lib/modules/<kernel_name>/kernel/net/ipsec/
+ ipsec user-space programs (native build on the target):
Make sure the kernel source is present on the target filesystem, then:
'make KERNELSRC=<path to this release, after config> programs'
'make install'
Note: before the tunnel is enabled on the target, reverse path filtering (rp_filter) must be disabled through
sysctl (/proc/sys, not sysfs) with the following commands, for the physical interface and for "all":
- echo 0 > /proc/sys/net/ipv4/conf/eth<x>/rp_filter
- echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Both are needed because the kernel applies the stricter of the "all" value and the per-interface value.
Reverse Path Filtering (rp_filter) is an anti-spoofing check used on IP routers: the source address of each packet
received on an interface is looked up in the routing table, and if the best route back to that source does not
leave through the interface the packet arrived on, the packet is dropped. This defeats much of the source address
spoofing used in denial-of-service attacks. KLIPS needs it off on the interface that carries the tunnel, so
disabling it removes an anti-spoofing defence from that interface; turn it off only there and compensate with
explicit firewall rules if the interface is reachable from untrusted networks.
IPsec routing using encryption/authentication only
basic vpn connection:
+++++++++++++++++++++
- platform: connected through egiga (the GbE interface, eth0 below).
- make sure 'ip' (part of the iproute package) is installed.
- edit /etc/ipsec.conf on both sides (see "man ipsec.conf"):
config setup
    interfaces="ipsec0=eth0"   # bind the virtual ipsec0 device to the physical eth0
    klipsdebug="none"          # KLIPS debug output off
    plutodebug="none"          # Pluto (IKE daemon) debug output off

conn dove_psk_vpn
    type=tunnel                # tunnel (default), passthrough, transport, reject or drop
    authby=secret              # pre-shared key, taken from /etc/ipsec.secrets
    left=192.168.1.1
    leftsubnet=192.168.1.0/16
    right=192.168.0.1          # remote side
    rightsubnet=192.168.0.0/16
    auto=start                 # bring the connection up when ipsec starts
Note: with a /16 prefix both subnet lines denote 192.168.0.0/16, the same network the two endpoints themselves
sit in (see the ifconfig netmasks below), so traffic between the peers' own addresses is carried by the tunnel;
that is what the ping checks below rely on.
- edit /etc/ipsec.secrets on both sides so that they hold the same shared secret:
192.168.1.1 192.168.0.1 : PSK "123456"
  (the value above is only a placeholder; use a long random string for any real deployment, and keep the file
  readable by root only)
- side1: 'ifconfig eth0 192.168.0.1 netmask 255.255.0.0'
- side2: 'ifconfig eth0 192.168.1.1 netmask 255.255.0.0'
- check plain connectivity: ping 192.168.1.1 from side1 (this traffic is still in the clear).
- '/etc/init.d/ipsec start' on both sides; this creates the new interface ipsec0.
- check connectivity again: ping 192.168.1.1 from side1 --> the VPN is working. Confirm it with a sniffer on eth0:
  the packets must appear as ESP, not as ICMP echo.
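The rp_filter requirement and the final "make sure by sniffing" step above, as an added example script that is not part of the Marvell release notes or of OpenSWAN: it computes the effective rp_filter value the kernel applies (the larger of the "all" and per-interface settings), can zero both as the notes require, and decides from tcpdump output whether the pings to the peer left the physical interface as ESP or as clear ICMP. The interface name eth0, the peer address 192.168.1.1, the assumption that tcpdump -nn prints ESP lines as "ESP(spi=...,seq=...)" and echo packets as "ICMP echo request/reply", and the two capture samples embedded at the bottom are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Marvell release notes or OpenSWAN): check the
# rp_filter state required by KLIPS and verify from a sniffer trace that
# traffic to the peer leaves the physical interface as ESP.

# The kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter
# (0 = off, 1 = strict, 2 = loose), which is why the notes zero both.
rp_filter_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Report the three values for one interface; succeed only if filtering is off.
check_rp_filter() {
    iface=$1
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    per=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    eff=$(rp_filter_effective "$all" "$per")
    echo "rp_filter: all=$all $iface=$per effective=$eff"
    [ "$eff" -eq 0 ]
}

# The two commands from the notes, for the given interface (needs root).
disable_rp_filter() {
    echo 0 > "/proc/sys/net/ipv4/conf/$1/rp_filter"
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
}

# Classify 'tcpdump -nn' lines read from stdin: count ESP datagrams and clear
# ICMP echo packets, printing "esp=<n> icmp=<n>".
classify_capture() {
    awk '/ ESP\(/ { esp++ } / ICMP echo/ { icmp++ }
         END { printf "esp=%d icmp=%d\n", esp + 0, icmp + 0 }'
}

# The tunnel only counts as working if ESP was seen and no clear echo leaked.
tunnel_ok() {
    result=$(classify_capture)
    esp=${result#esp=}; esp=${esp%% *}
    icmp=${result##*icmp=}
    [ "$esp" -gt 0 ] && [ "$icmp" -eq 0 ]
}

# Live check: capture on the physical interface while pinging the peer.
verify_tunnel() {
    iface=$1; peer=$2; cap=$(mktemp)
    tcpdump -nn -l -i "$iface" host "$peer" > "$cap" 2>/dev/null &
    tpid=$!
    sleep 1
    ping -c 3 "$peer" > /dev/null 2>&1 || true
    sleep 1
    kill "$tpid" 2>/dev/null; wait "$tpid" 2>/dev/null || true
    if tunnel_ok < "$cap"; then rc=0; else rc=1; fi
    rm -f "$cap"
    return $rc
}

# Constructed sample trace (not a real capture): what eth0 should show once the
# tunnel is up, i.e. ESP in both directions and no ICMP echo.
SAMPLE_ESP_CAPTURE='12:00:01.000001 IP 192.168.0.1 > 192.168.1.1: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
12:00:01.000002 IP 192.168.1.1 > 192.168.0.1: ESP(spi=0x4d3c2b1a,seq=0x1), length 116'

# Constructed sample trace of the pre-ipsec state: the echo goes out in clear.
SAMPLE_CLEAR_CAPTURE='12:00:00.000001 IP 192.168.0.1 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 IP 192.168.1.1 > 192.168.0.1: ICMP echo reply, id 1, seq 1, length 64'

# Offline demo on the constructed samples; "--live eth0 192.168.1.1" runs the
# real checks on a target (as root, with tcpdump installed).
if [ "$1" = "--live" ]; then
    check_rp_filter "$2" || disable_rp_filter "$2"
    check_rp_filter "$2" && verify_tunnel "$2" "$3" && echo "tunnel OK"
else
    printf '%s\n' "$SAMPLE_ESP_CAPTURE" | tunnel_ok && echo "esp sample: tunnel OK"
    printf '%s\n' "$SAMPLE_CLEAR_CAPTURE" | tunnel_ok || echo "clear sample: traffic NOT protected"
fi
```

Run it without arguments to see the classification on the two constructed samples; on the board run it as root with "--live eth0 192.168.1.1" from side1 after '/etc/init.d/ipsec start'. A capture that mixes ESP with clear echo is reported as not protected, which is the case to look for when only one direction of the tunnel came up.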