Our Calcutta Netgear gateway/firewall/VPN router recently went up in smoke, literally. We couldn't source an effective hardware replacement at a decent cost, so I started looking at alternatives.

We had used Linux-based gateways and firewalls for years, and I had toyed with Linux IPsec about three years ago when we set up our initial VPN. Back then it seemed too cumbersome, and I couldn't find a tool to create the VPN easily and quickly, so we bought new hardware in the US and deployed it in India and the US. The FVS318 is a good router: it was easy to set up and hardly ever gave us any trouble until one of them passed on. We used it for everything from SNMP to VoIP. However, there was no monitoring, reporting or any fancy stuff.

This time around I decided to bite the bullet and go pure Linux. IPsec is now built into the kernel and better supported. I referred to the instructions here:

http://www.ipsec-howto.org/x304.html

http://ipsec-tools.sourceforge.net/checklist.html

[Figure: High-level VPN diagram]

At a high level, here is what I did:

  • Turned off the firewall on both gateways and enabled IP forwarding:
    sysctl -w net.ipv4.ip_forward=1
  • Updated the kernels using YaST.
  • Updated the IPsec tools using YaST.
  • Configured the Security Association Database (SAD) and Security Policy Database (SPD) in setkey.conf.
  • Turned on the tunnel using setkey -f.
  • Tested SSH, ping and HTTP between the red and blue zones. Note: the routers themselves are not able to access the opposite network directly.
  • Modified /etc/sysconfig/SuSEfirewall2 and added the following:
    * FW_NOMASQ_NETS="0/0,10.50.0.0/21" on chigateway and similarly on kolgateway.
    * FW_FORWARD="10.50.0.0/21,10.60.8.0/21 10.60.8.0/21,10.50.0.0/24" on both gateways.
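The post does not show the setkey.conf it used, so here is an added example of what the SAD and SPD steps above look like for a manually keyed ESP tunnel. It is not the original author's file. Assumptions: the Chicago side (chigateway) owns 10.60.8.0/21 and the Calcutta side (kolgateway) owns 10.50.0.0/21 (inferred from the FW_NOMASQ_NETS line, which excludes the remote 10.50.0.0/21 from masquerading on chigateway); the public addresses 203.0.113.10 (Chicago) and 198.51.100.20 (Calcutta) are documentation-range placeholders; the hex keys are constructed placeholders of the correct length, not keys to deploy.

```conf
#!/usr/sbin/setkey -f
# /etc/setkey.conf on chigateway (example file, assumptions noted in the text above)

# Start from an empty SAD and SPD so stale entries cannot shadow these.
flush;
spdflush;

# --- Security Association Database (SAD): one SA per direction ---
# Both gateways load the SAME two "add" lines; SAs are directional, so each
# side needs the outbound and the inbound one with identical keys and SPIs.
# aes-cbc key: 16 bytes (32 hex digits); hmac-sha1 key: 20 bytes (40 hex digits).
# Generate real keys with e.g.:
#   dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
# The values below are constructed placeholders.
add 203.0.113.10 198.51.100.20 esp 0x201 -m tunnel
    -E aes-cbc  0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

add 198.51.100.20 203.0.113.10 esp 0x301 -m tunnel
    -E aes-cbc  0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# --- Security Policy Database (SPD): which traffic must use the tunnel ---
# "require" means packets matching the selector are dropped rather than sent
# in the clear if no matching SA exists. On kolgateway these two lines swap
# src/dst and in/out; the "add" lines above stay the same.
spdadd 10.60.8.0/21 10.50.0.0/21 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.20/require;

spdadd 10.50.0.0/21 10.60.8.0/21 any -P in ipsec
    esp/tunnel/198.51.100.20-203.0.113.10/require;
```

Load it with `setkey -f /etc/setkey.conf`, then check what the kernel actually installed with `setkey -D` (SAD) and `setkey -DP` (SPD); a policy whose tunnel endpoints do not match an SA is the usual reason ping between the zones silently fails. Manual keys never rotate, which is the trade-off of this approach; the ipsec-tools package the post links to also ships racoon, which negotiates and rekeys the SAs over IKE instead.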

That's it; it worked like a charm.