My Sme7 howto's-

SME server resources

This is really just a post to a contribs forum, but it roughtly lines out how you can install and use ipsec on your sme7 server. You will still have to adjust your iptables and so on. Although this is just enough to get you started, it is better than nothing.
If you are looking to conncts to sites with a vpn tunnel you can better have a look at the howto for openvpn.

Use ipsec to secure wifi between windows and sme7beta4.

My scenario secures an internal wifi network with ipsec. That way you can use wifi without wep or wpa (since this is often a problem to get working between all kinds of wifi-equipment).

All traffic between sme-server and wifi hosts must use ipsec and thus cannot be sniffed. Secondly you can keep strangers from using your network by using authentication.

Pre-shared keys.
The setup uses pre-shared keys for authentication. This avoids the hassle of using certificates. This has a drawback: you must use fixed ip addresses. If you do not wnat that you must use certificates.
This is because you can only assign one pre-shared key to an identifier in the *.key file.
In ipsec main mode (windows can only do phase 1 main mode and not aggressive mode) you can only use ip-address as identifier. Therefore you can only couple one pre-shared key to one ip-address.

Test setup
My working test-setup uses icmp only with one windows host. If you change icmp to all protocols you have all traffic secured.

The smeserver (7 beta 4, kernel 2.6 is needed) in the test has ip wifi-host has and is windows 2000 prof. The wifi host uses the sme as gateway to the internet via the wifi accesspoint. Tunnel endpoints are on the sme and the windows host.

Sme setup.
On the sme server you need to add ipsec-tools with yum. This adds racoon and setkey. See man racoon.conf and man setkey.

Thus install ipsec-tools with yum.

You need to change /etc/modprobe.conf:
#alias block-major-3 off
#alias net-pf-4 off
#alias net-pf-10 off
#alias net-pf-15 ipsec
#alias net-pf-47 ip_gre
#alias net-pf-50 ipsec
#alias net-pf-24 pppoe

After you changed this please reboot. (perhaps some of these are not neccesary?).

Make a directory for ipsec.
mkdir /root/ipsec
cd /root/ipsec

Make three files (psk.key; racoon.conf, setkeyfile):

1. psk.key
touch psk.key
chmod 400 psk.key

file psk.key content (see man racoon.conf): twiljetochmeti1234567890

2. setkeyconfig
#ipsec from to anywhere. Tunnel from to (and back)
#flush sad and spd entries in the kernell
#only icmp by ipsec
##add spd (policy) entries here
spdadd icmp -P in ipsec esp/tunnel/;
spdadd icmp -P out ipsec esp/tunnel/;
#sad will be handled by racoon isa-kmp

3. racoon.conf

path pre_shared_key "/root/ipsec/psk.key" ;

#remote anonymous #you can do this too since psk.key authenticates
exchange_mode main ;
#my_identifier address ;
#peers_identifier address ;
#verify_identifier on ;
lifetime time 24 hours ;
#proposal_check obey ;

#phase 1 proposal
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2; #modp 1024

#phase 2 proposal
#sainfo address icmp address icmp # you can use this but then you need another for traffic back

sainfo anonymous #this would allow all ip-addresses
pfs_group 2; #in fase 2 also diffy hellman: pfs
lifetime time 1 hour;
encryption_algorithm 3des,rijndael;
authentication_algorithm hmac_sha1,non_auth ; #no AH.
compression_algorithm deflate; #often much faster

When windows configuration is also finished, apply this by doing:
cd /root/ipsec
setkey -f setkeyfile #this loads spd into kernel (ipsec policy)
racoon -v -f racoon.conf -F # -F -v only for testing: foreground

Windows setup.

Read here how to make this:

Read here how to make this: section setting up the the windows machine

make this in windows:

There is only one ipsec tunnel policy.

ip policy wifitunnel
...inbound wifi tunnel (rule1)
....filter list inbound ipsec {from any ip to myip not-mirrored}{authentication:preshared} {tunnelendpoint "myip"} {connection type NOT-remote} {filter action wifiinbound}
....filteraction wifiinbound {3DES SHA1 0/86400} {spf yes} {dont allow unsecure communication}

...outboundwifi tunnel (rule2)
....filter list inbound ipsec {from myip to any ip not-mirrored}{authentication:preshared} {tunnelendpoint} {connection type NOT-remote} {filter action wifoutbound}
....filteraction wifoutbound {3DES SHA1 0/86400} {spf yes} {dont allow unsecure communication}

When all is finisched "apply" this policy (right click policy and apply).

Create a Oakley Log for IPSec Troubleshooting

Test it

Ping (ping -t) from wifi host to anything on internet. A tcpdump should show:

- firstly ine phase 1 traffic
- secondly ike phase 2 traffic
- thirdly esp traffic (ipsec)

Have fun!