I've been playing around with FreeS/WAN on a few of the Linux boxes I
own or admin.  I was amazed when I actually got a connection or two to
work.  I'm still having some problems, though, and I figured someone
else has attacked the problem before.

First off is the big problem of NAT boxes.  We have a wireless network,
and a box firewalling it.  Does anyone have a good idea of what has to
be done to get IPsec going through it (from a NATed client to a host
elsewhere with a real IP)?  Is it just a few iptables rules, or more
complicated than that?

Working along a different tack, I just installed FreeS/WAN on the
firewall itself.  It has a signed certificate from Thawte for the web
sign-on page it uses, and I was wondering if it's possible to use that
same cert for IPsec.  If it's possible, do I have to extract information
from the certificate somehow, or can I just point to it in a
configuration file somewhere?

Lastly, I thought I'd give a quick micro-howto on getting FreeS/WAN
installed (though not configured) on Debian.  Here are the basic steps
I've used:

# Install these packages with apt-get
freeswan
kernel-package
kernel-image-2.4.18-686  # use whatever version and arch you need
kernel-source-2.4.18
kernel-patch-freeswan    # supplies the KLIPS patch that make-kpkg applies below

cd /usr/src
tar jxvf kernel-source-2.4.18.tar.bz2
cd kernel-source-2.4.18
# start from the installed image's config; the file name carries the
# flavour suffix of the kernel-image package (here -686)
cp /boot/config-2.4.18-686 .config
# tell make-kpkg to apply the patches under /usr/src/kernel-patches first
export PATCH_THE_KERNEL=YES
# in menuconfig, turn on the FreeS/WAN IPsec option the patch adds
# under Networking options, or you get an unpatched kernel with a new name
make-kpkg --append-to-version '-fs1' --config=menuconfig \
  --revision 20020620 --initrd binary-arch modules_image
cd ..   # make-kpkg leaves the .deb one level up, in /usr/src
dpkg -i kernel-image-2.4.18-fs1_20020620_i386.deb

Make sure that LILO (or whatever bootloader you use) is happy, and
reboot.

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   If it walks out of your
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   refrigerator, LET IT GO!!
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
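The micro-howto above, wrapped in a script with the checks I would want before trusting the result. This is an added example, my code rather than anything from the original post or the FreeS/WAN project. It assumes the same package names and make-kpkg conventions as the post (image package named kernel-image-VERSIONAPPEND_REVISION_ARCH.deb, patches under /usr/src/kernel-patches), that the KLIPS patch shows up in a 2.4-era .config as CONFIG_IPSEC, and the VERSION/FLAVOUR/APPEND/REVISION/ARCH defaults are placeholders to change for your box. The build only runs when you pass "build"; "check FILE" just tests a .config, so the helpers can be exercised without touching /usr/src.

```shell
#!/bin/sh
# Added example (not from the original post): the Debian + FreeS/WAN kernel
# build as a script that refuses to install a kernel without KLIPS.
set -eu

VERSION=${VERSION:-2.4.18}        # kernel-source-<VERSION>, assumed default
FLAVOUR=${FLAVOUR:-686}           # kernel-image-<VERSION>-<FLAVOUR>, assumed default
APPEND=${APPEND:--fs1}            # --append-to-version, assumed default
REVISION=${REVISION:-$(date +%Y%m%d)}
ARCH=${ARCH:-i386}

# Name make-kpkg gives the image package:
#   kernel-image-<version><append>_<revision>_<arch>.deb
kernel_deb_name() {
    printf 'kernel-image-%s%s_%s_%s.deb\n' "$1" "$2" "$3" "$4"
}

# True when a .config has KLIPS enabled (CONFIG_IPSEC=y or =m).  A stock
# Debian config has no CONFIG_IPSEC line at all, so this is how you notice
# that the patch was not applied or the option was never selected.
config_has_klips() {
    grep -Eq '^CONFIG_IPSEC=(y|m)$' "$1"
}

die() { echo "$*" >&2; exit 1; }

build_freeswan_kernel() {
    src="/usr/src/kernel-source-$VERSION"
    cd /usr/src
    [ -f "kernel-source-$VERSION.tar.bz2" ] || die "kernel-source-$VERSION not installed"
    # assumption: kernel-patch-freeswan installs under /usr/src/kernel-patches
    [ -d /usr/src/kernel-patches ] || die "no /usr/src/kernel-patches; install kernel-patch-freeswan"
    [ -d "$src" ] || tar jxf "kernel-source-$VERSION.tar.bz2"
    cd "$src"
    cp "/boot/config-$VERSION-$FLAVOUR" .config
    export PATCH_THE_KERNEL=YES
    make-kpkg --append-to-version "$APPEND" --config=menuconfig \
        --revision "$REVISION" --initrd binary-arch modules_image
    # verify the option actually made it into the build before installing
    config_has_klips .config || die "CONFIG_IPSEC not set in .config; KLIPS missing, not installing"
    deb="/usr/src/$(kernel_deb_name "$VERSION" "$APPEND" "$REVISION" "$ARCH")"
    [ -f "$deb" ] || die "expected $deb, not found"
    dpkg -i "$deb"
    echo "installed $deb; check LILO (or your bootloader), then reboot"
}

case "${1:-}" in
    build) build_freeswan_kernel ;;
    check)
        if config_has_klips "$2"; then echo "$2: KLIPS enabled"
        else echo "$2: no CONFIG_IPSEC, patch not applied or not selected"; fi ;;
    *) echo "usage: $0 build | check /path/to/.config" ;;
esac
```

Run `sh buildfs.sh check /boot/config-2.4.18-686` against the stock config first: it reports no CONFIG_IPSEC, which is the state the build must move you out of. The same test runs after make-kpkg, so a menuconfig session where the FreeS/WAN option was missed stops before dpkg rather than after a reboot.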