
IBM Corporation 2001 pSeries Technical Conference

L19

Brian Dolan-Goecke

Atlanta, Georgia October 8-12, 2001

Linux VPN

Contact

Email: Brian@Goecke-Dolan.com

WebSite: www.Goecke-Dolan.com/Brian

Phone: (612) 759-0967

Linux VPN

We will explain and build a basic Virtual Private Network (VPN) on Linux.

We will begin this session by looking at VPNs and how they work, then investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.

Session Objectives

Issues to consider when building a VPN

- How it works

- What is needed

- What technology to use

Some Linux VPN options

Build a basic VPN

VPN Definition

Virtual Private Network

A secure network connection across an insecure network.

VPN Definition

Virtual Private Network

(VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.

Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.

Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.

Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.

Cisco. (1999-11-15)

VPN Explanation

Connection Type

Typical Internet Connection

Traditional Remote Corporate Connection

VPN Remote Corporate Connection

Detailed VPN Connection

Internet Connection

Diagram labels: Remote Host, Internet, Corp Host

Traditional Connection

Diagram labels: Remote Host, Internet, Corp Network, DMZ, Firewall, Corporate Resources

VPN Connection

Diagram labels: Remote Host, Internet, Corp Network, DMZ, Firewall, Corporate Resources

VPN Connection Detail

Diagram labels: Remote Host, ISP, Internet, ISP, Firewall, DMZ, Corp Network, Corporate Resources

How Does It Work?

1) A host encrypts and encapsulates network packets in network packets.

2) Packets are transmitted to a remote host, via an insecure network.

3) The remote host will de-encapsulate and decrypt the network packets.

4) The original network packets are then forwarded to the local network.

How VPN Works

Diagram: the original packet (Data, 10.1.1.12 to 10.2.1.22) is encrypted and encapsulated in an outer packet (206.8.134.2 to 36.12.11.222) that goes out across the Internet.
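The four steps above worked through in Python, as an added example that is not code from the presentation: it builds the packet from the "How VPN Works" slide, wraps it first in a plain GRE header (RFC 2784, the Linux GRE option, no encryption) and then in an encrypted, integrity-checked form in the spirit of CIPE, and shows what a listener between the two endpoints can read in each case. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher (CIPE uses Blowfish), and the 128-bit key is the sample key from the CIPE config slide.

```python
import hashlib
import hmac
import struct

# Addresses from the "How VPN Works" slide; the key is the sample key from the CIPE config slide.
INNER_SRC, INNER_DST = "10.1.1.12", "10.2.1.22"        # private hosts on the two LANs
OUTER_SRC, OUTER_DST = "206.8.134.2", "36.12.11.222"   # the VPN endpoints on the Internet
TUNNEL_KEY = bytes.fromhex("3333fd20adf9c0ccf9eff2393bbb3e41")

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))
def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 (a real host's kernel fills it in).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, ip4(src), ip4(dst))
def inner_packet(data):
    return ipv4_header(INNER_SRC, INNER_DST, 6, len(data)) + data  # the original packet (proto 6 = TCP)

def gre_encap(inner):
    # Step 1, no encryption: GRE header (RFC 2784) = flags/version 0 + protocol type 0x0800 (IPv4),
    # inside an outer IPv4 packet with protocol 47.
    return ipv4_header(OUTER_SRC, OUTER_DST, 47, 4 + len(inner)) + struct.pack("!HH", 0, 0x0800) + inner

def gre_decap(outer):
    # Step 3 for GRE: check outer protocol and GRE header, then strip both to recover the inner packet.
    if outer[9] != 47 or outer[20:24] != b"\x00\x00\x08\x00":
        raise ValueError("not a GRE-in-IPv4 packet")
    return outer[24:]

def keystream(nonce, n):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode. CIPE uses Blowfish; this is illustration only.
    blocks = (hmac.new(TUNNEL_KEY, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]
def enc_encap(inner, nonce):
    # Step 1 with encryption (CIPE-style): encrypt the whole inner packet, append an integrity tag, wrap
    # it in an outer packet. nonce: 8 bytes, fresh per packet. CIPE rides over UDP (proto 17); the UDP
    # header itself is omitted here.
    ct = bytes(a ^ b for a, b in zip(inner, keystream(nonce, len(inner))))
    tag = hmac.new(TUNNEL_KEY, nonce + ct, hashlib.sha256).digest()[:8]
    return ipv4_header(OUTER_SRC, OUTER_DST, 17, len(nonce) + len(ct) + 8) + nonce + ct + tag

def enc_decap(outer):
    # Step 3 with encryption: verify the tag first; a modified packet is dropped, never forwarded (step 4).
    nonce, ct, tag = outer[20:28], outer[28:-8], outer[-8:]
    if not hmac.compare_digest(tag, hmac.new(TUNNEL_KEY, nonce + ct, hashlib.sha256).digest()[:8]):
        raise ValueError("integrity check failed, dropping packet")
    return bytes(a ^ b for a, b in zip(ct, keystream(nonce, len(ct))))

def listener_sees_inner_addresses(outer):
    # What someone sniffing the Internet link learns: do the private addresses appear past the outer header?
    return ip4(INNER_SRC) in outer[20:] and ip4(INNER_DST) in outer[20:]
```

With GRE the inner addresses are readable on the wire (the "No encryption" disadvantage on the GRE slide); with the encrypted form only the two endpoint addresses are visible.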

Why Have a VPN

Secure access to corporate resources

Fast access

Less expensive infrastructure

Easier access to corporate resources

One connection for Internet and corporate

Why Not to Have a VPN

Higher cost of administration

Can make your site more visible

Need to be more security proactive

Large possible security risk

Requires more powerful systems

What is Needed?

Host Computers

Network Connections

VPN Software

Linux VPN Options

Available Linux VPNs

Low Cost (Free) Solutions

GRE

CIPE

IPIP

PPTP

SSH port forwarding

IPSec

Available Linux VPNs

Non-Free Solutions

AltaVista Tunnel

CheckPoint FireWall-1

IPSec

Many More...

VPN We Will Investigate

GRE

CIPE

IPSec

PPTP

Linux GRE

Developed by:

Cisco

Available from:

Part of standard Linux Kernel tarball

Resources:

RFC 2401 (and more...)

Linux GRE

Advantages

Free

Comes with Linux Kernel tarball

Works with cisco routers

Tried and tested

Can work through Masq/NAT

Works with IPv6

Linux GRE

Disadvantages

No encryption

Linux CIPE

Developed by:

Olaf Titz

Available at:

http://sites.inka.de/~bigred/devel/cipe.html

Resources:

http://sites.inka.de/~bigred/devel/cipe.html

Linux CIPE

Advantages

Built for VPN

Can use blowfish or PKE encryption

Works through/with SOCKS, NAT, Dynamic IP

Free

Linux CIPE

Disadvantages

Uses UDP (for good reason)

Seems slow now and then

Only works for IPv4

Linux IPSec

Developed by:

FreeS/WAN (Linux Version)

Available at:

http://www.freeswan.org/download.html

Resources:

http://www.freeswan.org

IPSec

Advantages

Should work across platform/vendors/devices

Will work with IPv6

IPSec

Disadvantages

Difficult to implement

Has problems with NAT/Masq

Problems with authentication

Linux PPTP

Developed by:

Matthew Ramsay, Kevin Thayer, David Luyer,

Patrick LoPresti, Philip Van Baren, Peter Galbavy

and more

Available at:

http://poptop.lineo.com/download_pptp.html

Resources:

http://poptop.lineo.com/

Linux PPTP

Advantages

Compatible with Microsoft

Can be server or client

Linux PPTP

Disadvantages

Compatible with Microsoft

Has some security holes

Build Linux VPN!

VPNs to Create

GRE

CIPE

Need

Software

IP and Network Address

IPChains config

Routing

Tools We Will Use

ifconfig

route

ipchains

VPN Basics

Define devices

Create devices

Connect devices

Adjust routing/ipchains

GRE Steps

Determine IP addresses & network

Load module

Configure GRE tunnel

Setup routing

Modify IPChains

CIPE Steps

Determine IP addresses & network

Download software

Compile software

Configure software

Load module

Start ciped daemon

Set up routing

Modify IPChains

CIPE Notes

Can handle up to 99 devices

Auto-creates devices

Use "device ciped0" option in config file

CIPE Config File

# /etc/cipe/options
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes

# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
device ciped

# the peer's IP address
ptpaddr 10.2.13.1

# our CIPE device's IP address
ipaddr 192.168.13.1

# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
#me bigred.inka.de:6789
me 127.0.0.1:2048

# ...and the UDP address we connect to. Of course no wildcards here.
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048

# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3333fd20adf9c0ccf9eff2393bbb3e41
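An added example for the "Configure software" step of the CIPE procedure (not part of the presentation or of CIPE itself): a small parser and checker for the /etc/cipe/options format, enforcing the rules the file's own comments state (comments only on a line by themselves, "peer" may not use wildcards while "me" may, the key is 128 bits of hex). The device-name pattern, ciped followed by a number below 100, is an assumption drawn from the CIPE Notes slide; the sample text is constructed from the listing above.

```python
import re

# Constructed sample following the /etc/cipe/options listing on the slide (key is the slide's sample key).
SAMPLE_OPTIONS = """\
# /etc/cipe/options  (comments only on a line by themselves)
debug=yes
device ciped0
ptpaddr 10.2.13.1
ipaddr 192.168.13.1
me 127.0.0.1:2048
peer 192.172.18.34:2048
key 3333fd20adf9c0ccf9eff2393bbb3e41
"""

def parse_options(text):
    # CIPE's format: 'name value' or 'name=value'; a '#' only starts a comment at the start of a line,
    # so anything after a value on the same line becomes part of the value (and fails the checks below).
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        opts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return opts

def valid_ip(s):
    octets = s.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)

def check_options(opts):
    # Returns a list of problems (empty = usable), following the rules stated in the file's comments.
    required = ("ptpaddr", "ipaddr", "me", "peer", "key")
    problems = [f"missing required option '{n}'" for n in required if n not in opts]
    for name in ("ptpaddr", "ipaddr"):
        if name in opts and not valid_ip(opts[name]):
            problems.append(f"{name} '{opts[name]}' is not a dotted-quad address")
    if "ptpaddr" in opts and opts["ptpaddr"] == opts.get("ipaddr"):
        problems.append("ipaddr and ptpaddr must differ")
    # 'me' may use port 0 or 0.0.0.0 (the system picks); 'peer' may not ("no wildcards here").
    for name, wildcards_ok in (("me", True), ("peer", False)):
        if name not in opts:
            continue
        host, sep, port = opts[name].rpartition(":")
        if not sep or not port.isdigit() or int(port) > 65535:
            problems.append(f"{name} must be host:port, got '{opts[name]}'")
        elif not wildcards_ok and (port == "0" or host == "0.0.0.0"):
            problems.append(f"{name} may not use a wildcard address or port 0")
    if "key" in opts and not re.fullmatch(r"[0-9a-fA-F]{32}", opts["key"]):
        problems.append("key must be exactly 128 bits (32 hex digits)")
    if "device" in opts and not re.fullmatch(r"ciped\d{0,2}", opts["device"]):  # assumed from CIPE Notes
        problems.append(f"device '{opts['device']}' is not a ciped device name (ciped0..ciped99)")
    return problems
```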

Other Issue

DNS

Broadcast or Not

Authentication

Resources

Linux Docs -- www.linuxdoc.org

- Linux Route2 HowTo

- Linux Masquerade HowTo

- Linux VPN HowTo

- Linux Network Administrators Guide (NAG)

Virtual Private Network Consortium -- www.vpnc.org

FreeS/WAN IPSec -- www.freeswan.org

Books

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks

By Naganand Doraswamy & Dan Harkins

Prentice Hall, 1999

www.phptr.com

Virtual Private Networks, 2nd Edition

By Charlie Scott, Paul Wolfe & Mike Erwin

2nd Edition December 1998

www.ora.com

Version Info

Brian Dolan-Goecke

Brian@Goecke-Dolan.com

http://www.goecke-dolan.com/Brian/Presentations

Linux VPN Presentation

Version 1.4

10/10/2001
