
IBM Corporation 2001 pSeries Technical Conference

L19

Brian Dolan-Goecke

Atlanta, Georgia October 8-12, 2001

Linux VPN


Brian Dolan-Goecke


Contact

Email: [email protected]

WebSite: www.Goecke-Dolan.com/Brian

Phone: (612) 759-0967


Linux VPN

We will explain and build a basic Virtual Private Network (VPN) on Linux.

We will begin this session by looking at VPNs and how they work. Then we will investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.


Session Objectives

Issues to consider when building a VPN

- How it works

- What is needed

- What technology to use

Some Linux VPN options

Build a basic VPN


VPN Definition

Virtual Private Network

A secure network connection across an insecure network.

VPN Definition

Virtual Private Network

(VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.

Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.

Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.

Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.

Cisco. (1999-11-15)


VPN Explanation


Connection Type

Typical Internet Connection

Traditional Remote Corporate Connection

VPN Remote Corporate Connection

Detailed VPN Connection

Internet Connection

(Diagram: Remote Host <-> Internet <-> Corp Host)

Traditional Connection

(Diagram labels: Remote Host, Internet, Firewall, DMZ, Corp Network, Corporate Resources)

VPN Connection

(Diagram labels: Remote Host, Internet, Firewall, DMZ, Corp Network, Corporate Resources)

VPN Connection Detail

(Diagram labels: Remote Host, ISP, Internet, ISP, Firewall, DMZ, Corp Network, Corporate Resources)

How Does It Work?

1) A host encrypts and encapsulates network packets in network packets.

2) Packets are transmitted to a remote host, via an insecure network.

3) The remote host will de-encapsulate and decrypt the network packets.

4) The original network packets are then forwarded to the local network.

How VPN Works

(Diagram: a data packet addressed from 10.1.1.12 to 10.2.1.22 is encrypted and carried inside an outer packet addressed from 206.8.134.2 to 36.12.11.222, which goes out across the Internet)


Why Have a VPN

Secure access to corporate resources

Fast access

Less expensive infrastructure

Easier access to corporate resources

One connection for Internet and corporate


Why Not to have a VPN

Higher cost of administration

Can make your site more visible

Need to be more security proactive

Large possible security risk

Requires more powerful systems

What is Needed?

Host Computers

Network Connections

VPN Software


Linux VPN Options


Available Linux VPNs

Low Cost (Free) Solutions

GRE

CIPE

IPIP

PPTP

SSH port forwarding

IPSec


Available Linux VPNs

Non-Free Solutions

AltaVista Tunnel

CheckPoint FireWall-1

IPSec

Many More...


VPN We Will Investigate

GRE

CIPE

IPSec

PPTP


Linux GRE

Developed by:

Cisco

Available from:

Part of standard Linux Kernel tarball

Resources:

RFC 2401 (and more...)

Linux GRE

Advantages

Free

Comes with Linux Kernel tarball

Works with Cisco routers

Tried and tested

Can work through Masq/NAT

Works with IPv6


Linux GRE

Disadvantages

No encryption


Linux CIPE

Developed by:

Olaf Titz

Available at:

http://sites.inka.de/~bigred/devel/cipe.html

Resources:

http://sites.inka.de/~bigred/devel/cipe.html


Linux CIPE

Advantages

Built for VPN

Can use Blowfish or PKE encryption

Works through/with SOCKS, NAT, Dynamic IP

Free


Linux CIPE

Disadvantages

Uses UDP (for good reason)

Seems slow now and then

Only works for IPv4


Linux IPSec

Developed by:

FreeS/WAN (Linux Version)

Available at:

http://www.freeswan.org/download.html

Resources:

http://www.freeswan.org


IPSec

Advantages

Should work across platform/vendors/devices

Will work with IPv6


IPSec

Disadvantages

Difficult to implement

Has problems with NAT/Masq

Problems with authentication


Linux PPTP

Developed by:

Matthew Ramsay, Kevin Thayer, David Luyer,

Patrick LoPresti, Philip Van Baren, Peter Galbavy

and more

Available at:

http://poptop.lineo.com/download_pptp.html

Resources:

http://poptop.lineo.com/


Linux PPTP

Advantages

Compatible with Microsoft

Can be server or client


Linux PPTP

Disadvantages

Compatible with Microsoft

Has some security holes


Build Linux VPN!


VPNs to Create

GRE

CIPE


Need

Software

IP and Network Address

IPChains config

Routing


Tools We Will Use

ifconfig

route

ipchains


VPN Basics

Define devices

Create devices

Connect devices

Adjust routing/ipchains


GRE Steps

Determine IP addresses & network

Load module

Configure GRE tunnel

Setup routing

Modify IPChains
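The five GRE steps above, carried out end to end by an added shell script (this is not the presentation's own material). It assumes a Linux 2.4-era host with the ip_gre module, iproute2's "ip tunnel" command (covered by the Linux Route2 HowTo listed under Resources) for creating the tunnel device, and ifconfig, route and ipchains for the remaining steps; the addresses are the deck's diagram addresses reused as constructed sample input, and the tunnel-endpoint addresses 10.1.1.1/10.2.1.1 are chosen for the example. By default the script only prints the commands (DRY_RUN=1); DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example, not the deck's own script: GRE tunnel bring-up in the
# slide's five steps. Assumptions: ip_gre module, iproute2 "ip tunnel",
# net-tools ifconfig/route, and ipchains (2.4-era kernel firewalling).
# Remember that GRE gives no encryption (slide 25); this only builds the tunnel.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = really run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 helper: accept only four dotted-decimal octets in the range 0-255.
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# gre_up LOCAL_PUBLIC PEER_PUBLIC LOCAL_TUNNEL PEER_TUNNEL REMOTE_NET REMOTE_MASK [DEV]
gre_up() {
    local_pub=$1; peer_pub=$2; local_tun=$3; peer_tun=$4
    remote_net=$5; remote_mask=$6; dev=${7:-gre1}
    # Step 1: determine (and sanity-check) the addresses and network.
    for _a in "$local_pub" "$peer_pub" "$local_tun" "$peer_tun" "$remote_net" "$remote_mask"; do
        valid_ipv4 "$_a" || { echo "gre_up: bad IPv4 address '$_a'" >&2; return 1; }
    done
    # Step 2: load the kernel module.
    run modprobe ip_gre
    # Step 3: create the tunnel between the two public addresses and give it
    # its point-to-point addresses.
    run ip tunnel add "$dev" mode gre remote "$peer_pub" local "$local_pub" ttl 255
    run ifconfig "$dev" "$local_tun" pointopoint "$peer_tun" up
    # Step 4: route the remote private network through the tunnel device.
    run route add -net "$remote_net" netmask "$remote_mask" dev "$dev"
    # Step 5: let GRE (IP protocol 47) through ipchains, but only between the
    # two tunnel endpoints, so arbitrary Internet hosts cannot inject packets.
    run ipchains -A input -p 47 -s "$peer_pub" -d "$local_pub" -j ACCEPT
    run ipchains -A output -p 47 -s "$local_pub" -d "$peer_pub" -j ACCEPT
}

# Sample run (constructed): corporate side 206.8.134.2 <-> remote side
# 36.12.11.222, tunnel endpoints 10.1.1.1/10.2.1.1, remote network 10.2.1.0/24.
gre_up 206.8.134.2 36.12.11.222 10.1.1.1 10.2.1.1 10.2.1.0 255.255.255.0
```

Run it once with DRY_RUN=1 on each end, swapping the local and peer arguments, and compare the printed commands before executing anything. Because GRE carries the inner packets in clear text, the ipchains rules limiting protocol 47 to the single peer address reduce who can feed packets into the tunnel, but they do nothing for confidentiality; that is why the deck pairs this exercise with CIPE.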


CIPE Steps

Determine IP addresses & network

Download software

Compile software

Configure software

Load module

Start ciped daemon

Set up routing

Modify IPChains


CIPE Notes

Can handle up to 99 devices

Auto-creates devices

Use "device ciped0" option in config file

CIPE Config File

#/etc/cipe/options
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes

# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
device ciped

# the peer's IP address
ptpaddr 10.2.13.1

# our CIPE device's IP address
ipaddr 192.168.13.1

# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
#me bigred.inka.de:6789
me 127.0.0.1:2048

# ...and the UDP address we connect to. Of course no wildcards here.
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048

# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3333fd20adf9c0ccf9eff2393bbb3e41
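The CIPE steps that follow compilation (configure, load module, start ciped, set up routing, modify IPChains), with the options file above generated rather than hand-edited, as an added shell script that is not part of the presentation. It assumes CIPE's Blowfish build, where the kernel module is cipcb and the daemon is ciped-cb taking its options file with -o (an assumption about that build), plus route and ipchains. The device, addresses and UDP port are the deck's sample values reused as constructed input; the key is freshly generated instead of copied from the slide, since a key that has been printed in a handout is no longer secret.

```shell
#!/bin/sh
# Added example, not the deck's own script: write /etc/cipe/options with a
# fresh 128-bit key, lock the file down, then load, start and firewall CIPE.
# Assumptions: CIPE Blowfish build (module cipcb, daemon ciped-cb with -o),
# net-tools route, and ipchains. Sample values are the deck's, reused here.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the privileged commands; 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 128-bit key as 32 hex digits from the kernel RNG, as the options file expects.
cipe_genkey() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only a well-formed key: exactly 32 hexadecimal digits.
valid_key() {
    [ "${#1}" -eq 32 ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
}

# cipe_write_options FILE DEVICE PTPADDR IPADDR ME PEER KEY
# ME and PEER are host:port, exactly as in the sample options file.
cipe_write_options() {
    file=$1; dev=$2; ptp=$3; ip=$4; me=$5; peer=$6; key=$7
    valid_key "$key" || { echo "cipe_write_options: key must be 32 hex digits" >&2; return 1; }
    case $me in *:*) ;; *) echo "cipe_write_options: me must be host:port" >&2; return 1 ;; esac
    case $peer in *:*) ;; *) echo "cipe_write_options: peer must be host:port" >&2; return 1 ;; esac
    # Create the file unreadable to other users before the key lands in it.
    ( umask 077
      {
          echo "# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) - keep this file secret"
          echo "device $dev"
          echo "ptpaddr $ptp"
          echo "ipaddr $ip"
          echo "me $me"
          echo "peer $peer"
          echo "key $key"
      } > "$file" )
    chmod 600 "$file"
}

# cipe_up FILE DEVICE ME_IP ME_PORT PEER_IP PEER_PORT REMOTE_NET REMOTE_MASK
cipe_up() {
    file=$1; dev=$2; me_ip=$3; me_port=$4; peer_ip=$5; peer_port=$6
    remote_net=$7; remote_mask=$8
    # Load module, then start the daemon on the generated options file.
    run modprobe cipcb
    run ciped-cb -o "$file"
    # Set up routing: the remote private network goes through the CIPE device.
    run route add -net "$remote_net" netmask "$remote_mask" dev "$dev"
    # Modify IPChains: CIPE runs over UDP, so open exactly this port pair and
    # only between the two endpoints (same idea as the GRE protocol-47 rules).
    run ipchains -A input -p udp -s "$peer_ip" "$peer_port" -d "$me_ip" "$me_port" -j ACCEPT
    run ipchains -A output -p udp -s "$me_ip" "$me_port" -d "$peer_ip" "$peer_port" -j ACCEPT
}

# Sample run (constructed). The real target is /etc/cipe/options; a temp path
# is used here so the example can be run without privileges.
key=$(cipe_genkey)
opts="${TMPDIR:-/tmp}/cipe-options.example"
cipe_write_options "$opts" ciped0 10.2.13.1 192.168.13.1 127.0.0.1:2048 192.172.18.34:2048 "$key"
cipe_up "$opts" ciped0 127.0.0.1 2048 192.172.18.34 2048 10.2.0.0 255.255.0.0
```

The same key must be written into the options file on both ends; copy it over an already-trusted channel (for example scp to the peer), never in the clear across the link the tunnel is meant to protect, and keep the file at mode 600 as the script sets it.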

Other Issues

DNS

Broadcast or Not

Authentication


Resources

Linux Docs -- www.linuxdoc.org

- Linux Route2 HowTo

- Linux Masquerade HowTo

- Linux VPN HowTo

- Linux Network Administrators Guide (NAG)

Virtual Private Network Consortium -- www.vpnc.org

FreeS/WAN IPSec -- www.freeswan.org


Books

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks

By Naganand Doraswamy & Dan Harkins

Prentice Hall, 1999

www.phptr.com

Virtual Private Networks, 2nd Edition

By Charlie Scott, Paul Wolfe & Mike Erwin

2nd Edition December 1998

www.ora.com


Version Info

Brian Dolan-Goecke

[email protected]

http://www.goecke-dolan.com/Brian/Presentations

Linux VPN Presentation

Version 1.4

10/10/2001