New Router (including IPSec configuration)

Last spring I wrote about my IPsec configuration. At that time, I was using a laptop as a router. Since then I've purchased a Soekris Net 4801 as a router. In some ways it is a bit overkill: it has seven ethernet ports. I need two. It was really easy to configure though: I dropped a CF card in my laptop, ran debootstrap, installed some packages and copied over config files. I put the CF card on the board and booted. Of course I had managed to get something wrong (failed to create /dev/console) so I had to repeat once or twice, but that was all because I didn't understand aspects of the etch installer and I was cutting corners. I did run into trouble trying to configure grub to boot off a drive that would end up being the first bios drive but was not the first bios drive on the system where it was installed. One problem: the 2.2-based Openswan (including the one now in sarge) does
not work well. I'm using the openswan 2.3.0-2 previously in unstable and it works well enough.Here are my router configuration files. Let me know if I left anything out that is needed. The ipsec-nat script should be run after IPsec comes up. Most traffic goes through IPsec except for port 80, 443 and 22. There is also support for machines that are always NATed; I use that for Windows machines—particularly Windows machines that may generate a lot of game traffic. There are several improvements I'm considering. I'm considering dedicating an ethernet port to the wireless AP and bridging to that port. The bridge iptables support would allow me to have better control over what can be done on the wireless side. I would like to have better support for mobility of my laptop and maintaining the same address. I'm also considering adding a second tunnel to MIT.




