
How to Configure Linux FreeS/WAN with Policy Groups

What are Policy Groups?

Policy Groups are an elegant general mechanism to configure FreeS/WAN IPsec. They are useful for many FreeS/WAN users.

In previous FreeS/WAN versions, to build IPsec connections between pairs of nodes, you needed to configure both ends with a connection for each pair. This could become complex.

By contrast, Policy Groups allow you to set local IPsec policy for lists of remote nodes, simply by mentioning hosts which you wish to have special treatment in one of several Policy Group files. Linux FreeS/WAN then internally creates the connections needed to implement that policy.

In the next section we describe our five Base Policy Groups, which you can use to configure IPsec in many useful ways. Later, we will show you how to create a VPN using one line of configuration on each host.

Built-In Security Options

Linux FreeS/WAN offers these Base Policy Groups:

private (OE-based VPN)
FreeS/WAN communicates only privately with the listed CIDR blocks. If needed, FreeS/WAN attempts to create a connection opportunistically. If this fails, FreeS/WAN blocks traffic. Inbound blocking is assumed to be done by the firewall, for which FreeS/WAN offers no help.
private-or-clear
FreeS/WAN prefers private communication with the listed CIDR blocks. If needed, FreeS/WAN attempts to create a connection opportunistically. If this fails, FreeS/WAN allows traffic in the clear.
clear-or-private (Opportunistic Responder)
FreeS/WAN communicates cleartext with the listed CIDR blocks, but also accepts connection requests from them.
Also known as "Passive OE" (pOE), this is useful on a Web or file server.
clear
FreeS/WAN only communicates cleartext with the listed CIDR blocks.
block
FreeS/WAN blocks traffic between the host and the listed CIDR blocks. Inbound blocking is assumed to be done by the firewall, for which FreeS/WAN offers no help.

Notes:

Using Policy Groups

The Base Policy Groups which build IPsec connections rely on Opportunistic Encryption. To use the following examples, you must first become OE-capable, as described here.

Example 1: Using a Base Policy Group

Simply place CIDR blocks (names, IPs or IP ranges) in /etc/ipsec.d/policies/[groupname], and reread the policy group files.

For example, the private-or-clear policy tells FreeS/WAN to prefer encrypted communication to the listed CIDR blocks. Failing that, it allows talk in the clear.

FreeS/WAN ships with this policy as a behind-the-scenes default. However, the same purpose may be accomplished by placing fullnet in the private-or-clear policy group file:

    cat /etc/ipsec.d/policies/private-or-clear
    # This file defines the set of CIDRs (network/mask-length) to which
    # communication should be private, if possible, but in the clear otherwise.
    ....
    0.0.0.0/0

and reloading your policies with

    ipsec auto --rereadgroups

Use this test to verify opportunistic connections.

Example 2: Defining IPsec Security Policy with Groups

Defining IPsec security policy with Base Policy Groups is like creating a shopping list: just put CIDR blocks in the appropriate group files. For example:

    cd /etc/ipsec.d/policies
    cat private
        192.0.2.96/27              # The finance department
        192.0.2.192/29             # HR
        192.0.2.12                 # HR gateway
        irc.private.example.com    # Private IRC server

    cat private-or-clear
        0.0.0.0/0    # My default policy: try to encrypt.

    cat clear
        192.0.2.18/32   # My POP3 server
        192.0.2.19/32   # My Web proxy

    cat block
        spamsource.example.com

To make these settings take effect, type:

    ipsec auto --rereadgroups

Notes:

Example 3: Creating a Simple VPN with the private Group

You can create a VPN between several hosts, with only one line of configuration per host, using the private policy group.

First, use our quickstart guide to set up each participating host with a FreeS/WAN install and OE.

In one host's /etc/ipsec.d/policies/private, list the peers to which you wish to protect traffic. For example:

    cd /etc/ipsec.d/policies
    cat private
        192.0.2.9              # several hosts at example.com
        192.0.2.11
        192.0.2.12
        irc.private.example.com

Copy the private file to each host. On each copy, remove the entry for that host itself and add the initial host.

    scp2 /etc/ipsec.d/policies/private root@192.0.2.12:/etc/ipsec.d/policies/private

On each host, reread the policy groups with

    ipsec auto --rereadgroups

That's it! You're configured.

Test your VPN by pinging between two hosts. After a second or two, traffic should flow, and

    ipsec eroute

should yield something like

    192.0.2.11/32   -> 192.0.2.8/32  => tun0x149f@192.0.2.8

where your host IPs are substituted for 192.0.2.11 and 192.0.2.8.

If traffic does not flow, there may be an error in your OE setup. Revisit our quickstart guide.

In Example 5, we'll show you how to add subnets to the VPN.

Example 4: New Policy Groups to Protect a Subnet

To protect traffic to a subnet behind your FreeS/WAN gateway, you'll need additional DNS records, and new policy groups. To set up the DNS, see our quickstart guide. To create five new policy groups for your subnet, copy these connections to /etc/ipsec.conf. Substitute your subnet's IPs for 192.0.2.128/29.

    conn private-net
            also=private  # inherits other settings from the built-in connection
            leftsubnet=192.0.2.128/29  # your subnet's IPs here

    conn private-or-clear-net
            also=private-or-clear
            leftsubnet=192.0.2.128/29

    conn clear-or-private-net
            also=clear-or-private
            leftsubnet=192.0.2.128/29

    conn clear-net
            also=clear
            leftsubnet=192.0.2.128/29

    conn block-net
            also=block
            leftsubnet=192.0.2.128/29

Copy the gateway's files to serve as the initial Policy Group files for the new groups:

    cp -p /etc/ipsec.d/policies/private /etc/ipsec.d/policies/private-net
    cp -p /etc/ipsec.d/policies/private-or-clear /etc/ipsec.d/policies/private-or-clear-net
    cp -p /etc/ipsec.d/policies/clear-or-private /etc/ipsec.d/policies/clear-or-private-net
    cp -p /etc/ipsec.d/policies/clear /etc/ipsec.d/policies/clear-net
    cp -p /etc/ipsec.d/policies/block /etc/ipsec.d/policies/block-net

Tip: A missing policy group file is equivalent to a file with no entries. You therefore need to create only the files that you'd like to populate.

To test one of your new groups, place the fullnet 0.0.0.0/0 in private-or-clear-net. From a subnet node, perform the test in our quickstart guide. You should see a connection, and

    ipsec eroute

should include an entry which mentions the subnet node's IP and the OE test site IP, like this:

    192.0.2.131/32   -> 192.139.46.77/32  => tun0x149f@192.0.2.11

Example 5: Adding a Subnet to the VPN

Suppose you wish to secure traffic to subnet 192.0.2.192/29 behind the FreeS/WAN box 192.0.2.12.

First, add DNS entries to configure 192.0.2.12 as an opportunistic gateway for that subnet. Instructions are in our quickstart guide. Next, create a private-net group on 192.0.2.12 as described in Example 4.

On each other host, add the subnet 192.0.2.192/29 to private, yielding for example

    cd /etc/ipsec.d/policies
    cat private
        192.0.2.9              # several hosts at example.com
        192.0.2.11
        192.0.2.12             # HR department gateway
        192.0.2.192/29         # HR subnet
        irc.private.example.com

and reread policy groups with

    ipsec auto --rereadgroups

That's all the configuration you need.

Test your VPN by pinging from a machine on 192.0.2.192/29 to any other host:

    root@192.0.2.194> ping 192.0.2.11

After a second or two, traffic should flow, and

    ipsec eroute

should yield something like

    192.0.2.11/32   -> 192.0.2.194/32  => tun0x149f@192.0.2.12

Key:

  1. 192.0.2.11/32   Local start point of the protected traffic.
  2. 192.0.2.194/32  Remote end point of the protected traffic.
  3. 192.0.2.12      Remote FreeS/WAN node (gateway or host). May be the same as (2).
  4. [not shown]     Local FreeS/WAN node (gateway or host), where you've produced the output. May be the same as (1).

For additional assurance, you can verify with a packet sniffer that the traffic is being encrypted.
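To check a whole private list at once rather than one ping at a time, the following script (an added example, not part of FreeS/WAN) compares the entries of a private Policy Group file with captured ipsec eroute output, reading the eroute fields as the Key above defines them. It also covers Example 3's verification step. The sample files it writes are constructed, including the tunnel names and the view from host 192.0.2.9; note that an eroute to a machine on the HR subnet does not cover the gateway's own address, which shows as DOWN until traffic to it has triggered its own connection.

```shell
#!/bin/sh
# Constructed example (not FreeS/WAN code): compare a "private" Policy Group
# file with captured "ipsec eroute" output and report, per entry, whether an
# eroute currently covers it.  Hostname entries need DNS, so they are
# reported as "unchecked" rather than resolved here.

# $1 = policy group file, $2 = file holding the output of "ipsec eroute".
# An eroute line reads "src/len -> dst/len => tunNNNN@gateway"; per the Key
# in Example 5, dst is the remote end point of the protected traffic.
eroute_status() {
    awk '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function csize(c,  p) { split(c, p, "/"); return 2 ^ (32 - (p[2] == "" ? 32 : p[2])) }
    function cbase(c,  p, s) { split(c, p, "/"); s = csize(c); return int(ip2n(p[1]) / s) * s }
    # True when the two CIDR blocks (a bare IP counts as /32) share any address
    function overlap(c1, c2) {
        return cbase(c1) < cbase(c2) + csize(c2) && cbase(c2) < cbase(c1) + csize(c1)
    }
    FILENAME == ARGV[1] {              # policy file: keep entries, drop comments
        sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 != "") entry[++n] = $0
        next
    }
    $2 == "->" && $4 == "=>" { dst[++m] = $3 }   # eroute file: remember dst
    END {
        for (i = 1; i <= n; i++) {
            e = entry[i]; state = "DOWN"
            if (e !~ "^[0-9.]+(/[0-9]+)?$") state = "unchecked"
            else for (j = 1; j <= m; j++) if (overlap(e, dst[j])) { state = "up"; break }
            print e, state
        }
    }' "$1" "$2"
}

# Constructed sample as seen from host 192.0.2.9 after pinging 192.0.2.11 and a
# machine on the HR subnet; tunnel names and the file contents are made up.
sample_eroute_check() {
    d=$(mktemp -d)
    printf '%s\n' '192.0.2.11' '192.0.2.12       # HR gateway' \
                  '192.0.2.192/29   # HR subnet' 'irc.private.example.com' >"$d/private"
    printf '%s\n' '192.0.2.9/32    -> 192.0.2.11/32   => tun0x149f@192.0.2.11' \
                  '192.0.2.9/32    -> 192.0.2.194/32  => tun0x14a0@192.0.2.12' >"$d/eroute.txt"
    eroute_status "$d/private" "$d/eroute.txt"
    rm -rf "$d"
}

sample_eroute_check
```

On a live host, capture the real table with `ipsec eroute > /tmp/eroute.txt` and run `eroute_status /etc/ipsec.d/policies/private /tmp/eroute.txt`.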

Note

Appendix

Our Hidden Connections

Our Base Policy Groups are created using hidden connections. These are spelled out in man ipsec.conf and defined in programs/_confread.

Custom Policy Groups

A policy group is built using a special connection description in ipsec.conf, which:

To create a new group:

  1. Create its connection definition in ipsec.conf.
  2. Create a Policy Group file in /etc/ipsec.d/policies with the same name as your connection.
  3. Put a CIDR block in that file.
  4. Reread groups with ipsec auto --rereadgroups.
  5. Test: ping to activate any OE connection, and view results with ipsec eroute.

Disabling Policy Groups

To disable policy groups, cut and paste the following lines to /etc/ipsec.conf:

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear-or-private
        auto=ignore

    conn clear
        auto=ignore

Then restart FreeS/WAN:

    ipsec setup restart
