2002/01/16
Yoshimasa Takami
y-takami@r2i.co.jp

IPsec on floppyfw HowTo

There is already a vpnd package (vpnd.bz2) for floppyfw. But if you want
to connect to a VPN box like SonicWall or VPN-1, you have to use IPsec on
floppyfw. This document describes how to use IPsec on floppyfw.

a) environment
^^^^^^^^^^^^^^^

I made the environment with ...

  * floppyfw v1.0.11 (may not depend on the version)
  * Linux kernel v2.2.19
  * FreeS/WAN v1.94
  * SonicWall PRO (Firmware 5.1.1)

b) build kernel with IPsec options
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Get FreeS/WAN from ...

  ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.94.tar.gz

  cd /usr/src
  tar zxvf /tmp/freeswan-1.94.tar.gz
  cd freeswan-1.94
  make menugo

  *) Here you can confirm that the IPsec option is on.

Then copy the new kernel onto the floppy as vmlinuz:

  cp /usr/src/linux/arch/i386/boot/bzImage /mnt/floppy/vmlinuz

  *) Use the above bzImage as vmlinuz.
  *) I send my kernel with this document. The kernel has the SLIP, BRIDGE
     and IPsec options on.

c) make ipsec.bz2
^^^^^^^^^^^^^^^^^^

floppyfw is glibc 2.0.7 based, so I compiled the following on RedHat 5.2.

  cd /usr/src/freeswan-1.94
  make programs
  make install

  # staging tree for the package (mkdir -p creates the parent directories)
  mkdir -p /tmp/ipsec/usr/local/lib
  mkdir -p /tmp/ipsec/bin
  mkdir -p /tmp/ipsec/lib
  mkdir -p /tmp/ipsec/etc/rc.d/init.d

  # FreeS/WAN user-space tools and the scripts they need
  cp /usr/local/lib/* /tmp/ipsec/usr/local/lib
  cp /usr/local/sbin/ipsec /tmp/ipsec/bin/
  # dirname and paste: copy whichever of these paths exists on the build host
  cp /usr/bin/dirname /tmp/ipsec/bin/
  cp /bin/dirname /tmp/ipsec/bin/
  cp /usr/bin/paste /tmp/ipsec/bin/
  cp /bin/paste /tmp/ipsec/bin/
  # the ipsec scripts call awk; ship gawk and point awk at it
  cp /bin/gawk /tmp/ipsec/bin/
  cd /tmp/ipsec/bin/
  ln -s gawk awk

  # shared libraries the tools link against (glibc 2.0.7 and GMP)
  cp /usr/lib/libgmp.so.2.0.2 /tmp/ipsec/lib
  cp /usr/lib/libm-2.0.7.so /tmp/ipsec/lib
  cd /tmp/ipsec/lib
  ln -s libgmp.so.2.0.2 libgmp.so.2
  ln -s libm-2.0.7.so libm.so.6

  cp /etc/rc.d/init.d/ipsec /tmp/ipsec/etc/rc.d/init.d/ipsec

  # tar -I is the bzip2 flag of the GNU tar of that time (-j on newer tar)
  cd /tmp/ipsec
  tar Icvf /tmp/ipsec.bz2 bin etc lib usr

  *) I send ipsec.bz2 with this document.

d) work floppyfw with CD-ROM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ipsec.bz2 is 714KB, so a 1.44MB floppy disk doesn't have enough space.
I put all the *.bz2 files on a CD-ROM as follows.

  *) CD-ROM image

  D:\floppyfw\add.bz2
  D:\packages\dhcpd.bz2
  D:\packages\elvis.bz2
  D:\packages\ipsec.bz2
  D:\packages\loadkeys-qwerty.bz2
  D:\packages\sshd1.bz2

Then change A:\floppyfw\floppyfw.ini so that it unpacks the packages from
the CD-ROM. The insertion point is just above the "Packages" section.

----------------------
#
# unbzip2 Packages from CD-ROM
# by Yoshimasa Takami
#
ln -s /dev/hdc /dev/cdrom
echo "/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0" >> /etc/fstab
mkdir /mnt/cdrom
# mount the CD read-only (mount -o needs an option list; -r is read-only)
mount -r /dev/hdc /mnt/cdrom
echo -n "Looking for extra packages from CD-ROM: "
bzip2 ${BZIP} -d < /mnt/cdrom/floppyfw/add.bz2 | tar -x
for i in /mnt/cdrom/packages/*.bz2; do
    if test -f $i; then
        echo -n "$i "
        bzip2 ${BZIP} -d < $i | tar -x
    fi
done
echo
umount /mnt/cdrom
rm -r /mnt/cdrom

# MAKEDEV
cd /dev
/bin/MAKEDEV -v ptyp
/bin/MAKEDEV -v random
/bin/MAKEDEV -v urandom
cd /

#
# Packages (contributed by: t'Sade)
#
----------------------

e) make 10MB initrd.gz
^^^^^^^^^^^^^^^^^^^^^^^

A:\initrd.gz is the RAM disk image floppyfw runs from, and its size is
about 2MB. After extracting ipsec.bz2 the contents are about 2.8MB, so
the initrd.gz doesn't have enough space. Here is how to make a 10MB
initrd.gz.

  mount -t vfat /dev/fd0 /mnt/floppy
  mkdir /tmp/initrd
  cp /mnt/floppy/initrd.gz /tmp/initrd/initrd-org.gz
  gzip -d /tmp/initrd/initrd-org.gz
  mkdir /mnt/org
  mount -r -o loop /tmp/initrd/initrd-org /mnt/org

  *) copy initrd from FD to HD, mount it as loop device.

  cd /tmp/initrd
  /tmp/makeinitrd.bash

  *) This shell script is at the bottom of this document.

  cp /tmp/initrd/initrd.gz /mnt/floppy

  *) use /tmp/initrd/initrd.gz as the new initrd.
  *) I send initrd.gz with this document.

Change A:\syslinux.cfg to let floppyfw know the RAMDISK size.

-----
append initrd=initrd.gz ramdisk=10000 root=/dev/fd0 ether=0,0,0,eth0 ether=0,0,0,eth1 ether=0,0,0,eth2
                        ^^^^^^^^^^^^^
-----

f) IPsec and SonicWall setting
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Network Figure)

  -------------SGW1_LAN(192.168.*.0)
        |
  [IPsec floppyfw]
        |  SGW1_WAN
    [SGW1_GWY]
        |
     internet
        |
    [SGW2_GWY]
        |
        |  SGW2_WAN (SonicWall WAN IP Address)
  [SonicWall PRO]
        |
  -------------SGW2_LAN(192.168.%.0)

SonicWALL PRO)

  Security Association  : ASSOCIATION
  IPsec Key Mode        : IKE using pre-shared secret
  IPsec Gateway Address : SGW1_GWY
  Encryption Method     : ESP-3DES-HMAC-MD5
  Shared Secret         : himitsu

  *) himitsu means secret in Japanese.

floppyfw)

A:\packages\post-ipsec.ini
----------------------
#!/bin/sh
# post-ipsec.ini
#
# IPsec between SGW and SonicWall
# Created by Yoshimasa Takami
# 2002/01/09
# y-takami@r2i.co.jp

. /etc/config

#
# Build secret file (mode 0600: the PSK must not be readable by others)
#
umask 077
echo "${SGW1_WAN} ${SGW2_WAN} : PSK \"himitsu\"" > /etc/ipsec.secrets

#
# Build config file
#
echo "config setup" > /etc/ipsec.conf
echo "    interfaces=%defaultroute" >> /etc/ipsec.conf
echo "    klipsdebug=none" >> /etc/ipsec.conf
echo "    plutodebug=none" >> /etc/ipsec.conf
echo "    plutoload=%search" >> /etc/ipsec.conf
echo "    plutostart=%search" >> /etc/ipsec.conf
echo "conn ${ASSOCIATION}" >> /etc/ipsec.conf
echo "    keyingtries=0" >> /etc/ipsec.conf
echo "    authby=secret" >> /etc/ipsec.conf
echo "    esp=3des-hmac-md5" >> /etc/ipsec.conf
echo "    left=${SGW1_WAN}" >> /etc/ipsec.conf
echo "    leftsubnet=${SGW1_LAN}/24" >> /etc/ipsec.conf
echo "    leftnexthop=${SGW1_GWY}" >> /etc/ipsec.conf
echo "    right=${SGW2_WAN}" >> /etc/ipsec.conf
echo "    rightsubnet=${SGW2_LAN}/24" >> /etc/ipsec.conf
echo "    rightnexthop=${SGW2_GWY}" >> /etc/ipsec.conf
echo "    pfs=no" >> /etc/ipsec.conf
echo "    auto=start" >> /etc/ipsec.conf

/etc/rc.d/init.d/ipsec start &
----------------------

A:\network.ini
----------------------
# Don't masquerade IPsec traffic.
# This must come before the rule
#   ipchains -A forward -j MASQ -i ${OUTSIDE_DEV} -l
# because ipchains stops at the first matching rule.
ipchains -A forward -j ACCEPT -b -s ${SGW1_LAN}/24 -d ${SGW2_LAN}/24
----------------------

END_OF_DOCUMENT

**) makeinitrd.bash
----
#!/bin/bash
# Build a 10MB ext2 initrd for floppyfw from the original initrd mounted
# on /mnt/org (see section e). Run as root from /tmp/initrd.
export SIZE=10000

# empty image file, attached to a loop device and formatted as ext2
dd if=/dev/zero of=/tmp/initrd/initrd bs=1k count=$SIZE
/sbin/losetup /dev/loop1 /tmp/initrd/initrd
/sbin/mkfs -t ext2 /dev/loop1 $SIZE
mkdir -p /mnt/tmp
mount -o loop /tmp/initrd/initrd /mnt/tmp
cd /mnt/tmp

# copy the boot-time pieces of the original initrd into the new one
cp /mnt/org/hlinks .
cp /mnt/org/linuxrc .
mkdir bin
mkdir dev
mkdir etc
mkdir initrd
mkdir lib
mkdir mnt
mkdir mnt/tmp
mkdir proc
ln -s bin sbin
cp /mnt/org/bin/ash bin
cp /mnt/org/bin/bzip2 bin
cp /mnt/org/bin/ln bin
cd bin
ln -s ash bash
ln -s bzip2 bunzip2
ln -s ln mount
ln -s ash sh
ln -s ln time
cd ..
cp /mnt/org/etc/functions.sh etc
cp /mnt/org/etc/ld.so.cache etc
cd etc
ln -s ../proc/mounts mtab
cd ..
cp /mnt/org/lib/ld-2.0.7.so lib
cp /mnt/org/lib/libc-2.0.7.so lib
cd lib
ln -s ld-2.0.7.so ld-linux.so.2
ln -s libc-2.0.7.so libc.so.6
cd ..

# device nodes needed at boot
cd dev
mknod console c 5 1
mknod fd0 b 2 0
mknod fd0u1040 b 2 84
mknod fd0u1120 b 2 88
mknod fd0u1440 b 2 28
mknod fd0u1600 b 2 124
mknod fd0u1680 b 2 44
mknod fd0u1722 b 2 60
mknod fd0u1743 b 2 76
mknod fd0u1760 b 2 96
mknod fd0u1840 b 2 116
mknod fd0u1920 b 2 100
mknod fd0u360 b 2 12
mknod fd0u720 b 2 16
mknod fd0u800 b 2 120
mknod fd0u820 b 2 52
mknod fd0u830 b 2 68
mknod fd1 b 2 1
mknod fd1u1040 b 2 85
mknod fd1u1120 b 2 89
mknod fd1u1440 b 2 29
mknod fd1u1600 b 2 125
mknod fd1u1680 b 2 45
mknod fd1u1722 b 2 61
mknod fd1u1743 b 2 77
mknod fd1u1760 b 2 97
mknod fd1u1840 b 2 117
mknod fd1u1920 b 2 101
mknod fd1u2880 b 2 33
mknod fd1u3200 b 2 105
mknod fd1u3520 b 2 109
mknod fd1u360 b 2 13
mknod fd1u3840 b 2 113
mknod fd1u720 b 2 17
mknod fd1u800 b 2 121
mknod fd1u820 b 2 53
mknod fd1u830 b 2 69
mknod hdc b 22 0
mknod loop0 b 7 0
mknod loop1 b 7 1
mknod loop2 b 7 2
mknod lp0 c 6 0
mknod lp1 c 6 1
mknod null c 1 3
mknod ram b 1 1
mknod ram0 b 1 0
mknod ram1 b 1 1
mknod ram2 b 1 2
mknod ram3 b 1 3
mknod ram4 b 1 4
mknod systty c 4 0
mknod tty c 5 0
mknod tty0 c 4 0
mknod tty1 c 4 1
mknod tty2 c 4 2
mknod tty3 c 4 3
mknod tty4 c 4 4
mknod tty5 c 4 5
mknod tty6 c 4 6
mknod tty7 c 4 7
mknod tty8 c 4 8
mknod ttyS0 c 4 64
mknod ttyS1 c 4 65
mknod ttyp0 c 3 0
mknod ttyp1 c 3 1
mknod ttyp2 c 3 2
mknod ttyp3 c 3 3
mknod ttyp4 c 3 4
mknod ttyp5 c 3 5
mknod ttyp6 c 3 6
mknod ttyp7 c 3 7
mknod zero c 1 5

# unmount, compress the image and release the loop device
cd /tmp/initrd
umount /mnt/tmp
/bin/rm -f /tmp/initrd/initrd.gz
gzip --best /tmp/initrd/initrd
/sbin/losetup -d /dev/loop1
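As an added example (not part of this HOWTO, floppyfw or FreeS/WAN), here is the same pair of files that post-ipsec.ini writes with echo, generated by a POSIX sh function that checks its inputs before they land unquoted in a config file and creates ipsec.secrets with mode 0600, as ipsec.secrets(5) recommends. It goes beyond the single fixed case in the HOWTO in that any conn name, addresses and secret can be passed in. The variable order follows what post-ipsec.ini reads from /etc/config; the output directory parameter, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions so that it runs as an ordinary user rather than writing to /etc.

```shell
#!/bin/sh
# Added example, not code from the HOWTO or from floppyfw/FreeS/WAN.
# Generates ipsec.secrets and ipsec.conf for FreeS/WAN 1.x from the
# SGW1_*/SGW2_* values post-ipsec.ini uses. OUTDIR is an assumption
# so the script can run unprivileged; on floppyfw it would be /etc.

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0..255.
is_ipv4() {
    # reject anything but digits and dots first, so the unquoted split
    # below can never glob-expand (e.g. the "192.168.*.0" placeholder)
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ipsec_files OUTDIR CONN SGW1_WAN SGW1_LAN SGW1_GWY SGW2_WAN SGW2_LAN SGW2_GWY PSK
build_ipsec_files() {
    outdir=$1 conn=$2 l_wan=$3 l_lan=$4 l_gwy=$5
    r_wan=$6 r_lan=$7 r_gwy=$8 psk=$9

    # every address is written unquoted into ipsec.conf: validate each one
    for addr in "$l_wan" "$l_lan" "$l_gwy" "$r_wan" "$r_lan" "$r_gwy"; do
        is_ipv4 "$addr" || { echo "build_ipsec_files: bad address '$addr'" >&2; return 1; }
    done
    # the conn name becomes a section header: keep it to safe characters
    case $conn in
        ''|*[!A-Za-z0-9_-]*) echo "build_ipsec_files: bad conn name '$conn'" >&2; return 1 ;;
    esac
    # the PSK is written between double quotes, so it may not contain one
    case $psk in
        ''|*\"*) echo "build_ipsec_files: empty or unquotable secret" >&2; return 1 ;;
    esac
    [ ${#psk} -ge 20 ] || echo "build_ipsec_files: warning: secret shorter than 20 characters" >&2

    mkdir -p "$outdir" || return 1

    # ipsec.secrets: remove any old copy (whose mode we do not control) and
    # recreate it under umask 077 so it is 0600 from the first byte written
    rm -f "$outdir/ipsec.secrets"
    (umask 077 && printf '%s %s : PSK "%s"\n' "$l_wan" "$r_wan" "$psk" > "$outdir/ipsec.secrets") || return 1

    # ipsec.conf: the same content post-ipsec.ini produces, in one heredoc
    cat > "$outdir/ipsec.conf" <<EOF
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search

conn $conn
    keyingtries=0
    authby=secret
    esp=3des-hmac-md5
    left=$l_wan
    leftsubnet=$l_lan/24
    leftnexthop=$l_gwy
    right=$r_wan
    rightsubnet=$r_lan/24
    rightnexthop=$r_gwy
    pfs=no
    auto=start
EOF
}

# Demonstration with constructed addresses from the RFC 5737 documentation
# ranges and a placeholder secret; none of these are the author's values.
demo_dir=$(mktemp -d)
build_ipsec_files "$demo_dir" ASSOCIATION \
    198.51.100.10 192.168.1.0 198.51.100.1 \
    203.0.113.20 192.168.2.0 203.0.113.1 \
    'REPLACE-WITH-A-LONG-RANDOM-SECRET'
echo "wrote $demo_dir/ipsec.conf and $demo_dir/ipsec.secrets"
```

The address check matters because these values come from /etc/config at boot and are substituted into a file that pluto parses; the umask and rm -f matter because a world-readable ipsec.secrets hands the PSK to any local process, and simply redirecting into an existing file keeps whatever mode it already had.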