
Implementing VPNs With Clients You Already Paid For (v0.9b)

Alan Whinery
[email protected]
July 19, 2005

What This Is About

An exercise in making virtual networks available to as many users, with as little cost, as possible.

An exercise in implementing a single service that will work with a viable client for each prominent operating system.

Exploiting pre-deployed resources

Exploiting recent developments in IPSec implementations

Copyright 2005, University Of Hawaii ITS

Why My Customers Are Interested In Virtual Networks

Home/Roadwarrior access to restricted resources
– File shares
– SMTP servers
– Etc.

Side-stepping site network restrictions and tampering (e.g. hotel networks)

Some privacy concerns


What Do We Want?

To appear as if we’re at UH, no matter where we are. (tunneling)

To identify us, as we are distinct from them (authentication)

To acknowledge and grant our individual special privileges (?) (authorization)

Acceptable cost

Most people only want a VN


Why Do We Want It?

Access restricted resources from anywhere
– File servers
– Printers
– Remote Desktops
– Mail servers
– Restricted Web Content, Databases

Conceal data from eavesdroppers

Alternate Internet Access

Exotic Protocols


The Questions

Can a useful, non-proprietary, low-cost VPN service be developed to make use of the clients that are pre-deployed?

Can the procedural aspects of implementation be designed for security and deploy-ability?

Can the user setup be designed such that users can set it up?


Client OS Distribution @hawaii.edu

Unices: 3%
Windows: 85%
MacOS: 12%


Windows OS Client Machines

XP: 63%
NT: 0%
98: 9%
95: 0%
2000: 28%
2003: 0%


Macintosh OS Client Machines

X: 37%
Non-X: 63%


Unix(ish) Client Machines

Solaris: 24%
OSF: 1%
Linux: 73%
IRIX: 1%
FreeBSD: 1%


VPN Implementations ($$$)

Cisco VPN
– Free client
– Proprietary; only works with Cisco solutions
– Expensive, complete solutions
– Not already installed on thousands of computers

Netscreen VPN
– Expensive, complete solutions
– You can apparently use the clients I will describe today, instead of the Netscreen ones.


VPN Implementations ($)

Microsoft-style VPNs
– Included client (already paid for)
  • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
  • Mac OS 10.3+ (IPSec/L2TP, PPTP)
  • Mac OS 10.2 (PPTP)
– Standards-based, works with many things
– Free client
  • Windows 98SE, Windows ME, Windows NT 4.1
    – IPSec/L2TP, PPTP*
– Already installed on thousands of computers
– Capable of good functionality
– Included Server in Windows XP Pro


Wait! They all do PPTP! Hooray! We’re saved!

PPTP is:
– A viable VPN solution
– Developed by Cisco and Microsoft

Cisco doesn’t do it

Microsoft’s implementation is WORTHLESS.
– Using PPTP with Windows clients will expose sensitive information to eavesdroppers.
– After denying that it had problems for years, Microsoft has now designated PPTP as “non-strategic”
– Setting up a PPTP server for Macs would probably result in Windows users connecting to it.


VPN Implementations ($)

Microsoft-style VPNs (PVPN)
– Included client (already paid for)
  • Windows XP, Windows 2000, Windows Mobile 2003 (IPSec/L2TP, PPTP*)
  • Mac OS 10.3+ (IPSec/L2TP, PPTP)
  • Mac OS 10.2 (PPTP)
– Standards-based, works with many things
– Free client
  • Windows 98, Windows NT 4.1
    – IPSec/L2TP, PPTP*
– Already installed on thousands of computers
– Capable of good functionality
– Included Server in Windows XP Pro


Um, OK… Go on…

IPSec
– Standard from the IETF
– A security technology first
– Very flexible
  • Can be used with strong encryption
  • Can be used with strong authentication
– Quirky

Many experts seem to agree that IPSec is the network encryption/authentication technology that has the fewest things wrong with it.


The Set-up

There is a VPN client included in MS Windows XP, 2000, and Mobile 2003

There is a free MS VPN client for Windows 98SE, ME, NT 4.0

There is a VPN Client included in Apple OS X.III and X.IV

There are several free VPN approaches for Unices****


Voice Over IP

Using free packet sniffer Ethereal, someone with access to your VOIP packets can dump the audio to a file and listen to it with Windows Media Player, all within about 60 seconds.

Most VOIP sends key presses “in the clear”

There should not be many places where someone can get access to these packets, but hey: “Should not”…


About Encryption

Key Management is key
– Holy crap, I accidentally created a PKI!

Open standards are stronger than closed ones

Much that is sensitive is already encrypted (SSL,TLS)


Common VPN Protocols

PPTP: Point-to-Point Tunneling Protocol
– Microsoft, Cisco

L2TP: Layer 2 Tunneling Protocol
– RFC 2661

IPSec: IETF “Secure” IP


IPSec In The Real World

The standards are complex. Deciding which bits of the standard are useful is difficult.

From the user POV, who cares, anyway? We want to know what can be done with what’s available.


IPSec In The Real World

Authentication
– Shared secret
– X.509 certificates from local CA


IPSec In The Real World

NAT sensitivity
– IPSec has been redesigned to work with NAT
– NAT is what your Netgear/Linksys/Asante/etc. home gateway does.
– Stands for “Network Address Translation”
– Typically, only one IPSec client can go through a NAT device at a time
– This is appropriate for most home-to-work scenarios
– The addition to IPSec is called “NAT Traversal” or NAT-T


Exploiting The Installed Clients

We have thousands of usable clients installed

What do we need to use them?
– IPSec/L2TP Service
  • Authentication/Key Distribution Strategy
– Configuration
– UH ID/Password Authentication
  • RADIUS, et al.


PVPN Client Capabilities

            Win XP   Win 2000   98/ME/NT   Win Mobile   OS X.III   OS X.IV
PSK         Yes      Yes        Yes        Yes          Yes        Yes
Certs       Yes      Yes        Yes        Yes          Sort Of    Yes
NAT-T       Yes*     Yes        Yes        Yes          Sort Of    Sort Of
L2TP/PPP    Yes      Yes        Yes        Yes          Yes        Yes


Making A Linux VPN Server

Relatively mature implementations exist as kernel patches
– *S/Wan (kernel patches, userland tools)
– Kame (kernel patches, userland tools)

Third-party (3P) kernel patches are not optimal
– Loss of patch development can stall upgrades

Recent kernel 2.6 includes built-in IPSec
– Both *S/wan and Kame tools work with 2.6 kernel IPSec


Choosing Turtle or Swan

I have set up ipsec-tools (Kame)
– Works great with kernel IPSec
– Except NAT-T in transport mode

Openswan 2.3.1dr3/K2.6.11.6
– Does everything I need


L2TPD

L2tpd (l2tpd.sourceforge.net)
– Most common Unix(ish) L2TP package
– Hasn’t been developed for 4 years
– Has some issues with Windows L2TP
– Works as either client or server
– Requires configuration of Linux PPP
– Does not do dynamic address assignment
– Branch project, rp-l2tpd, is also stalled


L2TPNS

l2tpns ( l2tpns.sourceforge.net )
– Acts as server side only
– Handles PPP internally
– Better performance than l2tpd
– Assigns dynamic addresses
– Supports multiple-server clustering
– Speaks BGP
– Active development: Last release: July 2, 2005
– Has CLI interface with “show banana” command

ns = “network server”


Sold!


Server Set-Up

Compile Linux 2.6.xx kernel for IPSec, tap/tun, etc.

OpenSSL is already present in most Linux distributions ( www.OpenSSL.org )

Get Openswan ( www.openswan.org )

Get l2tpns ( l2tpns.sourceforge.net )

Compile and install everything

Set up OpenSSL and mkca on isolated server

Generate server certificate


Server As A Package

Once set up for this purpose, there are minimal differences between installations

Server could be packaged as a live CD distribution with CD/Flash/floppy based site configs

VPN service needs its own box, because you can’t route tunnel endpoints through the tunnel.


X.509 Certificates

Certificates can be individual, revocable

If there is limited, local use, may as well root the CA here at home

PVPNs use the *.p12 cert distribution scheme
– incorporates 3DES encryption and a copy of the CA certificate

CA and certificate creation can be done with:
– OpenSSL ( www.openssl.org )
– mkca ( http://klake.org/~jt/mkca/ )

Revocation list can be distributed to clients via a web server


Certificate Distribution

Currently, requests are submitted via an SSL web page
– User enters encryption password

Personal certificates are ID’ed by <name>@hawaii.edu email address.

Existence and status of email address is checked, cert package is sent back to said address

Currently, there are manual steps

Currently issuing certs valid for one year, renewal strategy involves panicking

PHPki : http://sourceforge.net/projects/phpki/
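The local-CA and *.p12 scheme of the two certificate slides above, as an added shell example that is not from the talk and is neither mkca nor PHPki: it roots a CA locally, issues a per-user cert named by an @hawaii.edu address, packages it as a 3DES-protected .p12 that carries the CA cert, and maintains the CRL a gateway must check. The CA name, file layout and the sample user jdoe@hawaii.edu are this example's own assumptions.

```shell
#!/bin/sh
# Hypothetical local CA for a PVPN service, openssl CLI only: per-user certs named
# by the user's @hawaii.edu address, bundled as a password-protected .p12 that also
# carries the CA cert (3DES-PBE, which the 2005-era importers read), plus a CRL.
set -eu
# make_ca DIR : config, CA key/cert and the bookkeeping files `openssl ca` needs
make_ca() (
  mkdir -p "$1" && cd "$1"
  printf '%s\n' '[req]' 'distinguished_name = req_dn' 'x509_extensions = ca_ext' \
    '[req_dn]' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    '[ca]' 'default_ca = pvpn' '[pvpn]' 'database = index.txt' 'serial = serial' \
    'crlnumber = crlnumber' 'new_certs_dir = .' 'certificate = ca.crt' \
    'private_key = ca.key' 'default_md = sha256' 'default_days = 365' \
    'default_crl_days = 30' 'policy = pvpn_policy' '[pvpn_policy]' \
    'commonName = supplied' > ca.cnf
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=Example PVPN CA" 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # empty CRL
)
# issue_client DIR USER PASSWORD : one-year cert for USER, packaged as USER.p12
issue_client() (
  cd "$1"
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$2.csr" -out "$2.crt" 2>/dev/null
  # -certfile adds the CA cert; the PBE flags pick 3DES over newer OpenSSL's
  # AES/PBKDF2 defaults, which the old Windows/OS X importers cannot read
  openssl pkcs12 -export -in "$2.crt" -inkey "$2.key" -certfile ca.crt \
    -name "$2" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$3" -out "$2.p12"
)
# p12_cert_count DIR USER PASSWORD : certs in the bundle (2 = user cert + CA cert)
p12_cert_count() (
  cd "$1"
  openssl pkcs12 -in "$2.p12" -passin "pass:$3" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
)
# revoke_client DIR USER : mark USER's cert revoked and regenerate crl.pem
revoke_client() (
  cd "$1"
  openssl ca -batch -config ca.cnf -revoke "$2.crt" 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
# verify_client DIR USER : gateway-side check, chains to ca.crt and honours crl.pem
verify_client() (
  cd "$1"
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$2.crt" >/dev/null 2>&1
)
```

Copy crl.pem to the web server the slide mentions; verify_client shows why the gateway must actually fetch it, since without the CRL a revoked user's certificate still chains cleanly to the CA.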


Windows Configuration

Import certificate into proper place with “easy”* 19-step procedure

Configure VPN connection with “easy”* 17-step procedure

For NAT-T:
– Win2000/XP-SP0/XP-SP1 must be patched
– Windows XP SP2 requires altering a registry entry

Double-click connection icon, enter password

You’re connected


Windows Configuration

The cert import procedure can be replaced by a single command, with certimport

The Win XP SP2 registry entry is relatively easy to alter with a script

The connection can be created with a script (or so it seems)

The NSIS installer ( nsis.sourceforge.net ) can automate everything


Macintosh OS X

10.3 Panther does GUI IPSec/L2TP, but not certificates.

10.4 Tiger does GUI IPSec/L2TP, with certificates, but is more finicky about certificates than Windows

NAT-T as implemented in OS X uses the wrong RFC identifier in negotiating NAT-T with the IKE daemon, and will not work unless it’s fixed, or a hack is done in Openswan

PPTP is potentially secure, but if you set it up, how do you prevent Windows users from connecting to it?


Macintosh OS X

The OS X GUI client can probably be made to work

A work-around can be effected by editing the Kame IPSec config files in vi


Win XP Pro Built-In

Included in Windows XP

Accepts 1 connection at a time

Will do PPTP
– MS-PPTP is BAD
– Accepts PPTP connections from Mac OS X

Will do L2TP/IPSec
– Authenticates IPSec with certificates
– Authenticates access with a Windows password
– I have used it with the Windows Mobile 2003 client

With Internet Connection Sharing, will act like a home gateway


Win XP Pro Built-In

All you need is a Windows XP machine which can reach your restricted resource

Will (supposedly) allow you to access LAN resources at the server end.

Will allow you to use Remote Desktop Securely


Acknowledgments

Jacco De Leeuw
– http://www.jacco2.dds.nl/index.html
– Guardian of the PVPN web page

Paul Wouters, Xelerence Corp.
– Patient answerer of the same questions, over and over…
