Configuring a UWIN Connection: Linux
Getting Started with UWIN
The following instructions are for PCs running Linux. To use UL
Lafayette's wireless network connection, you must first configure a VPN connection.
This connection will be used each time you connect to the wireless Internet connection
at UL Lafayette.
Statement of Support for UWIN
This document provides the steps needed to properly configure your Linux
computer with a wireless card or built-in wireless to access the University's official
wireless network (UWIN). All information needed to obtain a successful
connection to UWIN should be found in this guide, in addition to troubleshooting
techniques. Users with personally owned computers who are having network software
configuration conflicts (i.e. operating system upgrades or virus and spyware infestations)
and/or hardware problems should consult with a commercially available technical
support provider. Computing Support Services can only provide configuration instructions
and advice to users of personally owned computers.
Configuring LINUX for UWIN
Assuming you have configured your Linux system's wireless support
to be able to contact a UWIN access point, the next step will
be to establish an IPSec VPN over the base connection. This
is accomplished in different ways, depending on the Linux
kernel used, and the applications available.
Establishing an IPsec connection under Linux 2.6.x kernels
We believe that the 2.6 kernels have a built-in IPSec
capability, but we have no experience with it at present.
Establishing an IPsec connection under Linux 2.4.x kernels
Making an IPSec connection to the UWIN
system at UL-Lafayette can be accomplished in several ways under
a 2.4 kernel. The most obvious is to integrate either FreeS/WAN
or OpenS/WAN into the kernel, but the method I will describe
is (perhaps) less difficult to install. I assume you can
already connect to a UWIN access point, as shown by iwconfig:
eth0      IEEE 802.11-DS  ESSID:"UWIN"  Nickname:"linooks"
          Mode:Managed  Frequency:2.437GHz  Access Point: 00:0F:B5:00:14:E8
          Bit Rate:11Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
          Retry limit:4   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:17/92  Signal level:-77 dBm  Noise level:-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:1
          Tx excessive retries:11  Invalid misc:0   Missed beacon:0

(Slackware uses /etc/pcmcia/wireless.opts to describe and rank APs.)
- You'll need a kernel which has both the tun (tunnel/tap) and the n_hdlc
  drivers available (the corresponding modules are found in
  /lib/modules/2.4.*/kernel/drivers as net/tun.o and char/n_hdlc.o). If you
  need to edit your kernel configuration to build a suitable kernel, the two
  features are called CONFIG_TUN and CONFIG_N_HDLC.
- You will need the pipsec and rp-l2tp packages. These are available from
  http://www.ucs.louisiana.edu/ipsec/ as source tarballs, and as Slackware
  binary packages (perhaps useful on other Linux distributions).
- You will need the ppp package.
The concept will be to first connect to UWIN via a wireless AP, then
establish a tunnel device, then to have the IPSec daemon use the tunnel
so that it becomes an encrypting tunnel. Then we'll start l2tp, which
will in turn start pppd to authenticate with UWIN. It would be useful to
already be able to dial the campus via a modem, to prove that your pppd
is properly configured, but it is not a requirement. The final step is
to have your default route force the use of the encrypted tunnel rather
than the initial, unencrypted path.
INSTALLATION STEPS (performed as userid=root):
- Load the ppp, rp-l2tp-0.4, and pipsec-19991014 packages (the latter two
  have been slightly modified and are available locally; see step 2, above).
- Insert your CLID into /etc/l2tp/l2tp.conf, as the name value in the
  lac-pppd-opts line:
      lac-pppd-opts "name CLIDhere noipdefault ..."
- Insert your password into the /etc/ppp/pap-secrets file:
      CLID * PASSWORD *
- Arrange to invoke pipsecd. I do it in /etc/rc.d/rc.local, after
  determining that we are connected to a UWIN access point:

      # Start pipsecd only if iwconfig is present and exactly one interface
      # reports the "UWIN" ESSID ...
      if [ -x /usr/sbin/iwconfig -a `iwconfig 2>/dev/null | grep -c '"UWIN"'` -eq 1 ]; then
          # ... and the Access Point line following it is not the all-zero
          # MAC that iwconfig shows while the card is not yet associated.
          [ `iwconfig 2>/dev/null | grep -A 1 '"UWIN"' | grep -c "00:00:00:00:00:00"` -eq 0 ] && \
              which pipsecd > /dev/null 2>&1 && pipsecd &
      fi
- That's it! pipsecd will run /etc/ipsec/startup, which does the rest of
  the setup.
- The first time you connect to UWIN, you will need to
start a browser and connect to http://netreg.ucs.louisiana.edu
and register your system. After this is successfully done,
you should wait a minute or so, browse to 1.1.1.1 and select
logout, and finally, reboot your system. Your next IPSec
connection will be given an IP address in a different range,
that will allow access to hosts both inside and outside
UL-Lafayette.
- Your session with the UWIN system is maintained for 20
minutes after a loss of signal, so you could travel to
a new UWIN Access Point and resume an interrupted session. To
indicate you are finished with a session, browse to 1.1.1.1
and click on 'logout'. This is done for you after
9 hours of connection time.
- If you have any improvements to this document, or have
comments please contact jpd@louisiana.edu.
- Example ifconfig report on a working IPSec tunnel:

eth0      Link encap:Ethernet  HWaddr 00:02:2D:3F:24:C2
          inet addr:42.92.195.62  Bcast:42.92.195.63  Mask:255.255.255.252
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:12 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4464 (4.3 Kb)  TX bytes:6234 (6.0 Kb)
          Interrupt:11 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:130.70.12.255  P-t-P:130.70.8.65  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:56 (56.0 b)  TX bytes:60 (60.0 b)

tun0      Link encap:Point-to-Point Protocol
          inet addr:172.24.0.1  P-t-P:172.24.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
- Example netstat -rn report on a working IPSec tunnel:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
42.0.0.1        42.92.195.61    255.255.255.255 UGH      40 0          0 eth0
130.70.8.65     0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
42.92.195.60    0.0.0.0         255.255.255.252 U        40 0          0 eth0
172.24.0.0      0.0.0.0         255.255.255.0   U        40 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         130.70.8.65     0.0.0.0         UG       40 0          0 ppp0
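The checks a practitioner would want before running the installation steps above and after the tunnel comes up, written as an added example; this is not code from the UL Lafayette guide or from the pipsec and rp-l2tp packages it distributes. It assumes the guide's file locations (/etc/l2tp/l2tp.conf, /etc/ppp/pap-secrets, the 2.4.x module paths) and the iwconfig and netstat -rn output formats shown on this page; the function names are mine and the sample outputs are constructed, using the guide's own example MAC and addresses.

```shell
#!/bin/sh
# Added example, not part of the UL Lafayette guide: pre-flight and
# post-connect checks for the UWIN IPSec/L2TP setup. Each check is a
# function returning 0 (ok) or 1 (problem). iwconfig/netstat text is read
# from stdin so the same function works on live output and on captured
# samples; file locations default to the paths the guide uses.

# 1. Kernel prerequisites: the tun and n_hdlc modules the guide names
#    (2.4.x .o objects). The directory argument is optional so the check
#    can be pointed at a test tree.
drivers_present() {
    dir=${1:-/lib/modules/$(uname -r)/kernel/drivers}
    [ -f "$dir/net/tun.o" ] && [ -f "$dir/char/n_hdlc.o" ]
}

# 2. l2tp.conf: the "name" value on the lac-pppd-opts line must be a real
#    CLID, i.e. the CLIDhere placeholder from the guide has been replaced.
l2tp_clid_set() {
    f=${1:-/etc/l2tp/l2tp.conf}
    grep -q 'lac-pppd-opts.*name ' "$f" && ! grep -q 'CLIDhere' "$f"
}

# 3. pap-secrets holds the password in clear text; pppd warns when the file
#    is group- or world-readable, so require mode 0600. ls is used instead of
#    stat because its -c/-f flags differ between Linux and BSD userlands.
secrets_mode_ok() {
    f=${1:-/etc/ppp/pap-secrets}
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ]
}

# 4. Association check, mirroring the guide's rc.local test: an interface
#    whose ESSID is "UWIN" and whose following Access Point field is neither
#    the all-zero MAC nor "Not-Associated" (both mean "not associated").
uwin_ap_ok() {
    awk '
        /ESSID:"UWIN"/ { uwin = 1 }
        uwin && /Access Point:/ {
            if ($0 !~ /00:00:00:00:00:00/ && $0 !~ /Not-Associated/) ok = 1
            uwin = 0
        }
        END { exit ok ? 0 : 1 }
    '
}

# 5. Post-connect check: print the interface carrying the default route in
#    "netstat -rn" output. The guide's final step is that this must be ppp0
#    (inside the encrypted tunnel), not the unencrypted eth0 path.
default_route_iface() {
    awk '$1 == "0.0.0.0" { print $NF; exit }'
}

default_via_tunnel() {
    [ "$(default_route_iface)" = "ppp0" ]
}

# Constructed sample output, abbreviated from the formats shown in the guide.
SAMPLE_IWCONFIG_OK='eth0      IEEE 802.11-DS  ESSID:"UWIN"  Nickname:"linooks"
          Mode:Managed  Frequency:2.437GHz  Access Point: 00:0F:B5:00:14:E8'
SAMPLE_IWCONFIG_SCANNING='eth0      IEEE 802.11-DS  ESSID:"UWIN"  Nickname:"linooks"
          Mode:Managed  Frequency:2.437GHz  Access Point: 00:00:00:00:00:00'
SAMPLE_NETSTAT_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
42.0.0.1        42.92.195.61    255.255.255.255 UGH      40 0          0 eth0
0.0.0.0         130.70.8.65     0.0.0.0         UG       40 0          0 ppp0'
SAMPLE_NETSTAT_LEAK='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         42.92.195.61    0.0.0.0         UG       40 0          0 eth0'

# Exercise the stdin-based checks against the samples; returns the number
# of checks that gave the wrong verdict (0 when all behave as intended).
demo() {
    fails=0
    printf '%s\n' "$SAMPLE_IWCONFIG_OK"       | uwin_ap_ok         || fails=$((fails + 1))
    printf '%s\n' "$SAMPLE_IWCONFIG_SCANNING" | uwin_ap_ok         && fails=$((fails + 1))
    printf '%s\n' "$SAMPLE_NETSTAT_OK"        | default_via_tunnel || fails=$((fails + 1))
    printf '%s\n' "$SAMPLE_NETSTAT_LEAK"      | default_via_tunnel && fails=$((fails + 1))
    echo "sample checks with wrong verdict: $fails"
    return "$fails"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh uwin-check.sh --demo` to see the checks against the embedded samples, or source it (`. ./uwin-check.sh`) and pipe live output, for example `iwconfig 2>/dev/null | uwin_ap_ok` before starting pipsecd and `netstat -rn | default_via_tunnel` afterwards; if the latter fails, traffic is still leaving over the unencrypted eth0 path. The drivers_present check follows the 2.4.x .o naming given in the guide and would need the .ko names on a 2.6 kernel.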
- Useful info to know if you are developing your own IPSec solution:

    42.0.0.1        far endpoint of VPN tunnel.
    ulragincajuns   shared secret for IPSec VPN.
    note            both esp and ah encryption are needed; 3des and md5 will
                    work. Pad keys with NULs to achieve requisite lengths.
    PAP             use PAP, not CHAP or MS-CHAP, so that the actual password
                    is provided by the pppd; recall the channel is encrypted
                    so it is not readily visible!