Policy Groups are an elegant general mechanism to configure FreeS/WAN IPsec. They are useful for many FreeS/WAN users.
In previous FreeS/WAN versions, to build IPsec connections between pairs of nodes, you needed to configure both ends with a connection for each pair. This could become complex.
By contrast, Policy Groups allow you to set local IPsec policy for lists of remote nodes, simply by mentioning hosts which you wish to have special treatment in one of several Policy Group files. Linux FreeS/WAN then internally creates the connections needed to implement that policy.
In the next section we describe our five Base Policy Groups, which you can use to configure IPsec in many useful ways. Later, we will show you how to create a VPN using one line of configuration on each host.
Linux FreeS/WAN offers these Base Policy Groups:
Notes:
The Base Policy Groups which build IPsec connections rely on Opportunistic Encryption. To use the following examples, you must first become OE-capable, as described here.
Simply place CIDR blocks (names, IPs or IP ranges) in /etc/ipsec.d/policies/[groupname], and reread the policy group files.
For example, the private-or-clear policy tells FreeS/WAN to prefer encrypted communication to the listed CIDR blocks. Failing that, it allows talk in the clear.
FreeS/WAN ships with this policy as a behind-the-scenes default. However, the same purpose may be accomplished by placing fullnet in the private-or-clear policy group file:
cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. .... 0.0.0.0/0
and reloading your policies with
ipsec auto --rereadgroups
Use this test to verify opportunistic connections.
Defining IPsec security policy with Base Policy Groups is like creating a shopping list: just put CIDR blocks in the appropriate group files. For example:
cd /etc/ipsec.d/policies cat private 192.0.2.96/27 # The finance department 192.0.2.192/29 # HR 192.0.2.12 # HR gateway irc.private.example.com # Private IRC server cat private-or-clear 0.0.0.0/0 # My default policy: try to encrypt. cat clear 192.0.2.18/32 # My POP3 server 192.0.2.19/32 # My Web proxy cat block spamsource.example.com
To make these settings take effect, type:
ipsec auto --rereadgroups
Notes:
You can create a VPN between several hosts, with only one line of configuration per host, using the private policy group.
First, use our quickstart guide to set up each participating host with a FreeS/WAN install and OE.
In one host's /etc/ipsec.d/policies/private, list the peers to which you wish to protect traffic. For example:
cd /etc/ipsec.d/policies cat private 192.0.2.9 # several hosts at example.com 192.0.2.11 192.0.2.12 irc.private.example.com
Copy private file to each host. Remove the local host host, and add the initial host.
scp2 /etc/ipsec.d/policies/private root@192.0.2.12:/etc/ipsec.d/policies/private
On each host, reread the policy groups with
ipsec auto --rereadgroups
That's it! You're configured.
Test your VPN by pinging between two hosts. After a second or two, traffic should flow, and
ipsec eroute
should yield something like
192.0.2.11/32 -> 192.0.2.8/32 => tun0x149f@192.0.2.8
where your host IPs are substituted for 192.0.2.11 and 192.0.2.8.
If traffic does not flow, there may be an error in your OE setup. Revisit our quickstart guide.
In Example 5, we'll show you how to add subnets to the VPN.
To protect traffic to a subnet behind your FreeS/WAN gateway, you'll need additional DNS records, and new policy groups. To set up the DNS, see our quickstart guide. To create five new policy groups for your subnet, copy these connections to /etc/ipsec.conf. Substitute your subnet's IPs for 192.0.2.128/29.
conn private-net also=private # inherits other settings from built in connection leftsubnet=192.0.2.128/29 # your subnet's IPs here conn private-or-clear-net also=private-or-clear leftsubnet=192.0.2.128/29 conn clear-or-private-net also=clear-or-private leftsubnet=192.0.2.128/29 conn clear-net also=clear leftsubnet=192.0.2.128/29 conn block-net also=block leftsubnet=192.0.2.128/29
Copy the gateway's files to serve as the initial Policy Group files for the new groups
cp -p /etc/ipsec.d/policies/private /etc/ipsec.d/policies/private-net cp -p /etc/ipsec.d/policies/private-or-clear /etc/ipsec.d/policies/private-or-clear-net cp -p /etc/ipsec.d/policies/clear-or-private /etc/ipsec.d/policies/clear-or-private-net cp -p /etc/ipsec.d/policies/clear /etc/ipsec.d/policies/clear-net cp -p /etc/ipsec.d/policies/block /etc/ipsec.d/policies/block
Tip: A missing policy group file is equivalent to a file with no entries. You therefore need create only the files that you'd like to populate.
To test one of your new groups, place the fullnet 0.0.0.0/0 in private-or-clear-net. From a subnet node, perform the test in our quickstart guide. You should see a connection, and
ipsec eroute
should include an entry which mentions the subnet node's IP and the OE test site IP, like this:
192.0.2.131/32 -> 192.139.46.77/32 => tun0x149f@192.0.2.11
Suppose you wish to secure traffic to subnet 192.0.2.192/29 behind the FreeS/WAN box 192.0.2.12.
First, add DNS entries to configure 192.0.2.12 as an opportunistic gateway for that subnet. Instructions are in our quickstart guide. Next, create a private-net group on 192.0.2.12 as described in Example 4.
On each other host, add the subnet 192.0.2.192/29 to private , yielding for example
cd /etc/ipsec.d/policies cat private 192.0.2.9 # several hosts at example.com 192.0.2.11 192.0.2.12 # HR department gateway 192.0.2.192/29 # HR subnet irc.private.example.com
and reread policy groups with
ipsec auto --rereadgroups
That's all the configuration you need.
Test your VPN by pinging from a machine on 192.0.2.192/29 to any other host:
root@192.0.2.194> ping 192.0.2.11
After a second or two, traffic should flow, and
ipsec eroute
should yield something like
192.0.2.11/32 -> 192.0.2.194/32 => tun0x149f@192.0.2.12
Key:
1. | 192.0.2.11/32 | Local start point of the protected traffic. |
2. | 192.0.2.194/32 | Remote end point of the protected traffic. |
3. | 192.0.2.12 | Remote FreeS/WAN node (gateway or host). May be the same as (2). |
4. | [not shown] | Local FreeS/WAN node (gateway or host), where you've produced the output. May be the same as (1). |
For additional assurance, you can verify with a packet sniffer that the traffic is being encrypted.
Note
Our Base Policy Groups are created using hidden connections. These are spelled out in man ipsec.conf and defined in programs/_confread.
A policy group is built using a special connection description in ipsec.conf, which:
To create a new group:
To disable policy groups, cut and paste the following lines to /etc/ipsec.conf:
conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore
Restart FreeS/WAN
ipsec setup restart