Flying Racoons: Networks that Work 
6 January 2003
Part Four: One network to another
As you may have noticed we’re pretty interested in IPSec around here. One of the things that really gets us tingly with IPSec is securing remote networks. For instance: you have an office in Washington, DC and an office on St. John in the U. S. Virgin Islands—lucky you! You’d like both networks to be able to see each other and better yet you’d like them to be completely secure. All this and you don’t want to have to pay any more money for networking hardware. Fair enough, you can do this.
While this article will cover a Mac OS X gateway to another Mac OS X gateway setup, the same methodology applies to non-homogeneous connections, and in some cases even when it isn’t network to network. For example, the IPSec stack on the Draytek routers requires an internal network on the client side, whether it is just one IP address or a whole network.
First off let’s do a quick inventory of your equipment and configuration.
In Washington you have a couple of machines. One runs Mac OS X 10.2. You have a DSL line with one public IP address, A.A.A.A. (Your actual IP address would be numeric, but this will make the examples a little easier to follow.) On that Mac OS X 10.2 machine, called Hectic, you have set up an internal NAT network of 10.0.145.1/24 (only after reading our article on how to do that, of course).
In St. John, you have a number of beach chairs, a hand-cranked blender, and a few computers that hardly get used. You have a similar network setup to Washington in that you have a Mac OS X 10.2 machine, called Easy, running NAT with an internal network of 192.168.38.1/24 and a satellite connection to the internet with one public IP address, B.B.B.B.
You have everything that you need to get this up and running. We’re going to take the two machines running NAT and turn them into IPSec gateway machines, too. They will route traffic from each of the NAT networks to the other through an encrypted IPSec tunnel. With the gateways doing the heavy lifting you can securely communicate between the networks with any device that understands IP, regardless of whether it knows anything about IPSec. For instance: you can use your old Mac SE in Washington to connect to your Newton 2000 running a Web server in St. John without hesitation.
Now for putting all of this together: be careful when doing this the first time out, since when you engage racoon in step 4 you’ll be forcing all traffic between your two gateway machines to use IPSec. If you’ve messed something up, you won’t be able to get to the other machine from the first to change it. Having a third machine that you can ssh to, and then ssh from there to the problem machine, can truly be a lifesaver in this situation.
We will need to add a shared secret to each of the machines. See part 3 of this series for more information on this.
Next, you’ll need to set up the security policies. Again, see part 3 for more info about how to use setkey to do this.
On Hectic this would be:
flush;
spdflush;
spdadd 192.168.38.1/24 10.0.145.1/24 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd 10.0.145.1/24 192.168.38.1/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
On Easy it would be:
flush;
spdflush;
spdadd 10.0.145.1/24 192.168.38.1/24 any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 192.168.38.1/24 10.0.145.1/24 any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
Now you can add the GIF tunnels. This has nothing to do with the image format—GIF stands for generic interface tunnel. These will route the packets from your network to the other over the IPSec pipe that we just created.
On Hectic you’ll need to do this:
sudo ifconfig gif0 tunnel A.A.A.A B.B.B.B
sudo ifconfig gif0 inet 10.0.145.1 192.168.38.1 netmask 255.255.255.0
Then on Easy:
sudo ifconfig gif0 tunnel B.B.B.B A.A.A.A
sudo ifconfig gif0 inet 192.168.38.1 10.0.145.1 netmask 255.255.255.0
Now that the tunnels are up you need to put in a route statement to let your machine know who’s on the other end of the tunnel.
On Hectic:
sudo route add -net 10.0.145.1/24 10.0.145.1
And on Easy:
sudo route add -net 192.168.38.1/24 192.168.38.1
Finally, you can start up racoon by doing this on both machines:
sudo racoon -f /etc/racoon/racoon.conf
With a little faith in the powers that be you should be alright. Now all machines on either internal network can just use the other set of internal IP addresses. For instance from my wireless TiBook in St. John I can just type 10.0.145.13 into a Web browser and view my Webcam of everyone working hard in the office back on the mainland.
Once you have established that this works you can write a startup script to do all of this when each of the gateway machines boots. That way your network should be quite robust and require a minimum of effort to set up. Also when you expand into new locations you can have multiple tunnels like this working at the same time connecting a number of different IPSec gateways. Check out our article on startup items for more info on this.
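The policy, tunnel, route and racoon steps above, assembled into one script that builds both gateways’ configuration from a single set of parameters, so Hectic and Easy cannot drift out of step with each other. This is an added example of mine, not the article’s own commands or Kai Cherry’s scripts, and it doubles as the startup script just suggested. It uses the article’s placeholder names and addresses (A.A.A.A, B.B.B.B, Hectic, Easy), assumes the shared secret and /etc/racoon/racoon.conf are already in place per Part 3, and, for the route step, follows the prose (“who’s on the other end of the tunnel”) by routing the remote internal network via the far tunnel address; that reading is my assumption. Run with no argument to print both sides for review, or with `hectic` or `easy` to print one side’s commands for piping to a root shell. The policies_mirror check is the part worth running before you load anything: a mismatch there is exactly the lockout the article warns about.

```shell
#!/bin/sh
# Added example, not from the original article: generate both gateways' IPsec
# policy and tunnel commands from ONE parameter set. Addresses are the
# article's placeholders (A.A.A.A, B.B.B.B); nothing here is a real host.

# One spec per gateway: name, public IP, internal network, internal gateway IP.
HECTIC="Hectic A.A.A.A 10.0.145.1/24 10.0.145.1"
EASY="Easy   B.B.B.B 192.168.38.1/24 192.168.38.1"

# spd_policy LOCAL_PUB LOCAL_NET REMOTE_PUB REMOTE_NET
# Emit the setkey SPD for one side in the article's form: inbound from the
# remote network tunnelled remote-public -> local-public, outbound the reverse.
spd_policy() {
  printf 'flush;\nspdflush;\n'
  printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$2" "$3" "$1"
  printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$2" "$4" "$1" "$3"
}

# tunnel_commands LOCAL_PUB LOCAL_GW REMOTE_PUB REMOTE_NET REMOTE_GW
# Emit the gif, route and racoon commands for one side, one per line.
tunnel_commands() {
  printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$3"
  printf 'ifconfig gif0 inet %s %s netmask 255.255.255.0\n' "$2" "$5"
  # Assumption (my reading of the article's prose): the remote internal
  # network is reached through the far end of the gif tunnel.
  printf 'route add -net %s %s\n' "$4" "$5"
  printf 'racoon -f /etc/racoon/racoon.conf\n'
}

# policies_mirror "SPD text of side A" "SPD text of side B"
# Succeed only if every line of A reappears on B with -P in / -P out swapped,
# i.e. the two sides describe the same tunnel from opposite ends.
policies_mirror() {
  flipped=$(printf '%s\n' "$1" \
    | sed -e 's/-P in /-P IN /' -e 's/-P out /-P in /' -e 's/-P IN /-P out /' \
    | sort)
  [ "$flipped" = "$(printf '%s\n' "$2" | sort)" ]
}

# gateway_config "LOCAL spec" "REMOTE spec": the complete command text for one
# gateway, as a here-document for setkey -c followed by the tunnel commands.
gateway_config() {
  set -- $1 $2   # split both specs: $1..$4 local, $5..$8 remote
  printf '# --- %s ---\nsetkey -c <<EOF\n' "$1"
  spd_policy "$2" "$3" "$6" "$7"
  printf 'EOF\n'
  tunnel_commands "$2" "$4" "$6" "$7" "$8"
}

# Refuse to emit anything if the two sides would not agree with each other.
hectic_spd=$(spd_policy A.A.A.A 10.0.145.1/24 B.B.B.B 192.168.38.1/24)
easy_spd=$(spd_policy B.B.B.B 192.168.38.1/24 A.A.A.A 10.0.145.1/24)
policies_mirror "$hectic_spd" "$easy_spd" || { echo "policies do not mirror" >&2; exit 1; }

case "${1:-}" in
  hectic) gateway_config "$HECTIC" "$EASY" ;;
  easy)   gateway_config "$EASY" "$HECTIC" ;;
  "")     gateway_config "$HECTIC" "$EASY"; echo; gateway_config "$EASY" "$HECTIC" ;;
esac
```

The point of generating both sides from one place is that the setkey policies are the article's in/out pairs with the tunnel endpoints reversed, which is easy to mistype by hand on two machines; the mirror check catches a transposed address before the policy is loaded and the far side becomes unreachable.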
Shortly we will have an updated version of VaporSec that will allow you to do this without getting your hands wet on the command line; more on this later.
For extra geek points you could actually set up an internal DNS server that hands out internal IP addresses so that slackers.joel.com would get me the webcam.
Please note that I do not have an office on St. John and that (if my memory serves) most, if not all, satellite systems do not support IPSec connections. Please check into this before moving to a more pleasant place to telecommute.
Also many thanks to Kai Cherry for some example scripts of a working installation of this.