IPsec is a smart way to secure communications. It prevents others from sniffing
your traffic. I like using it for my wireless network.
To be fair, my WLAN consists of one laptop. But that's only so far. More may join later.
I first wrote about Wireless IPsec late last year.
In that article, I describe how to create a gateway for your WLAN and implement IPsec
to secure the communications. Since then, it's been working flawlessly.
However, it's time to move the gateway to a new box. The existing gateway is a
Pentium P150. It's a fine machine. Never had a problem with it! However, I have too
many machines. I recently got my hands on a Dell Optiplex GX-260.
This box will replace two other boxes: the WLAN gateway box and my FreeBSD 5.4 box
that I use to build world for my laptop. It will also be used for a test box for
the Bacula project. I put a SCSI card into it
and plan to attach an external DLT drive.
Functions to be moved
The following services need to be implemented on this box:
For the most part, this will be a copying of files and installing of
ports. No other changes are required.
I will assume you know how to install the ports in question. This article is
more about the problems I encountered when moving the configuration files
over and setting up the services.
Gateway
Not much to do here. Just ensure that /etc/rc.conf
contains gateway_enable="YES". You'll also need support
for ipf in your kernel (I used ipf, you may want to use ipfw or pf):
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default
Since I'm using ipf, I also added ipfilter_enable="YES"
to /etc/rc.conf.
In order to do NAT, I needed /etc/ipnat.rules. I needed to
amend the network interfaces as the new gateway had different names for the NICs.
Remember to add ipnat_enable="YES" to
/etc/rc.conf.
Commenting out that line ensures that named listens on
all available IP addresses. You can restrict it if you need. See the comments in
the configuration file for details.
IPsec
An easy move. I copied /etc/ipsec.conf
to the new system. A chown root:wheel was done.
I also added
ipsec_enable="YES" to /etc/rc.conf.
racoon
A bit trickier. I failed to set the owner right on the files and so racoon
did not start up properly. The files I needed were in
/usr/local/etc/racoon/. I copied over
psk.txt and racoon.conf. You'll also
need racoon_enable="YES".
DHCP Server
No problems here. I copied
/usr/local/etc/dhcpd.conf from one system to the other
and ensured it was chown root:wheel. Remember to add
dhcpd_enable="YES" to /etc/rc.conf.
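As an added pre-flight check (not from the original article), this POSIX sh script verifies the rc.conf knobs listed in the sections above and the root:wheel ownership on the racoon files that tripped up the author; the function names and the extra psk.txt permission check are my own.

```shell
#!/bin/sh
# Added example: checklist for a migrated FreeBSD gateway (not from the
# original article). POSIX sh; ls -ld is parsed because stat(1) flags differ
# between FreeBSD and GNU coreutils, so the check also runs on a staging box.
# rc_knob_enabled KNOB RC_CONF: succeeds if the last uncommented assignment of
# KNOB in RC_CONF is YES (rc.conf is sourced, so the last assignment wins).
rc_knob_enabled() {
    awk -v knob="$1" '
        /^[[:space:]]*#/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (index(line, knob "=") == 1) {
                v = substr(line, length(knob) + 2)
                sub(/[[:space:]]*#.*$/, "", v)      # drop trailing comment
                gsub(/["'\''[:space:]]/, "", v)      # drop quotes and blanks
                last = toupper(v)
            }
        }
        END { exit (last == "YES" ? 0 : 1) }' "$2"
}
# owned_by PATH USER GROUP: succeeds if PATH exists and is owned by USER:GROUP.
owned_by() {
    [ -e "$1" ] || return 1
    og=$(ls -ld "$1" | awk '{ print $3 ":" $4 }')
    [ "$og" = "$2:$3" ]
}
# secret_not_shared PATH: succeeds if group and other have no permission bits,
# i.e. the pre-shared key file is accessible by its owner only.
secret_not_shared() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in ????------) return 0 ;; *) return 1 ;; esac
}
# check_gateway RC_CONF RACOON_DIR: prints one line per finding and returns the
# number of findings (0 means the migration checklist is satisfied).
check_gateway() {
    fails=0
    for knob in gateway_enable ipfilter_enable ipnat_enable ipsec_enable \
                racoon_enable dhcpd_enable; do
        rc_knob_enabled "$knob" "$1" || { echo "MISSING: $knob=\"YES\" in $1"; fails=$((fails + 1)); }
    done
    for f in "$2/racoon.conf" "$2/psk.txt"; do
        owned_by "$f" root wheel || { echo "OWNER: $f is not root:wheel"; fails=$((fails + 1)); }
    done
    secret_not_shared "$2/psk.txt" || { echo "MODE: $2/psk.txt readable by group/other"; fails=$((fails + 1)); }
    return $fails
}
# Run against the live system with: sh check_gateway.sh check
[ "${1-}" = "check" ] && check_gateway "${RC_CONF:-/etc/rc.conf}" "${RACOON_DIR:-/usr/local/etc/racoon}"
```

Set RC_CONF and RACOON_DIR to point the check at copies staged for the new box before you reboot into them.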
Debugging
For debugging purposes, you might want to
review the steps I went through when doing my first
IPsec setup.