TRANSCRIPT
IBM Corporation 2001 pSeries Technical Conference
L19
Brian Dolan-Goecke
Atlanta, Georgia October 8-12, 2001
Linux VPN
Contact
Email: [email protected]
WebSite: www.Goecke-Dolan.com/Brian
Phone: (612) 759-0967
Linux VPN
We will explain and build a basic Virtual Private Network (VPN) on Linux.
We will begin this session by looking at VPNs and how they work, then investigate some of the solutions for building VPNs on Linux. Finally, we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.
Session Objectives
Issues to consider when building a VPN
- How it works
- What is needed
- What technology to use
Some Linux VPN options
Build a basic VPN
VPN Definition
Virtual Private Network
A secure network connection across an insecure network.
VPN Definition
Virtual Private Network (VPN): The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.
Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.
Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.
Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.
Cisco (1999-11-15)
VPN Explanation
Connection Type
Typical Internet Connection
Traditional Remote Corporate Connection
VPN Remote Cooperate Connection
Detailed VPN Connection
Internet Connection (diagram labels): Remote Host -> Internet -> Corp Host
Traditional Connection (diagram labels): Remote Host, Internet, Corp Network, DMZ, Firewall, Corporate Resources
VPN Connection (diagram labels): Remote Host, Internet, Corp Network, DMZ, Firewall, Corporate Resources
VPN Connection Detail (diagram labels, in path order): Remote Host -> ISP -> Internet -> ISP -> Firewall -> DMZ -> Corp Network -> Corporate Resources
How Does It Work?
1) A host encrypts network packets and encapsulates them in new network packets addressed to the far end of the tunnel.
2) The packets are transmitted to the remote host across an insecure network.
3) The remote host decapsulates and decrypts the network packets.
4) The original network packets are then forwarded to the local network.
How VPN Works
1011110101010010001000101000101101001011
Data10.1.1.12
10.2.1.22
206.8.134.2
36.12.11.222
Encrypt
OutAcrossInternet
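The four steps and the packet diagram above, carried out in code. This is an added example written for this page; it is not code from the presentation, from CIPE, from FreeS/WAN or from the Linux kernel. It uses the slide's addresses (10.1.1.12 to 10.2.1.22 inside, 206.8.134.2 to 36.12.11.222 outside) and the sample key printed on the CIPE options slide. The tunnel protocol number (99), the SPI value, the packet layout (SPI, sequence number, ciphertext, tag) and the cipher construction (HMAC-SHA256 as a counter-mode PRF plus an HMAC tag, encrypt-then-MAC, standard library only) are assumptions made here so that the script runs stand-alone. It also shows two checks the four steps leave implicit but that any real tunnel needs: an authentication tag, so a modified packet is dropped instead of being decrypted and forwarded into the corporate network, and a sequence number, so a replayed packet is dropped.

```python
"""Toy encrypting IP-in-IP tunnel illustrating the four steps on the slide.
Added example: not code from the presentation, CIPE, FreeS/WAN or the kernel.
Assumed here: protocol number 99, SPI 0x1001, the layout spi|seq|ciphertext|tag,
and HMAC-SHA256 as a counter-mode PRF plus an HMAC tag (encrypt-then-MAC)."""
import hashlib
import hmac
import socket
import struct

PROTO_TUNNEL = 99  # IANA protocol 99 is "any private encryption scheme"; a label only
TAG_LEN = 32       # HMAC-SHA256 output length


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into header fields and payload; rejects a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:total_len]}


class TunnelEndpoint:
    """One end of a point-to-point tunnel sharing a static key (as CIPE's 'key' option does).
    Separate subkeys are derived for encryption and for the authentication tag."""

    def __init__(self, shared_key: bytes, spi: int):
        self.enc_key = hmac.new(shared_key, b"encrypt", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_key, b"authenticate", hashlib.sha256).digest()
        self.spi = spi
        self.send_seq = 0  # last sequence number sent
        self.recv_seq = 0  # highest sequence number accepted (anti-replay state)

    def _keystream(self, seq: int, length: int) -> bytes:
        # Counter mode: block i of the stream is PRF(enc_key, spi || seq || i).
        blocks = [hmac.new(self.enc_key, struct.pack("!IQI", self.spi, seq, i),
                           hashlib.sha256).digest() for i in range(-(-length // 32))]
        return b"".join(blocks)[:length]

    def encapsulate(self, inner: bytes, outer_src: str, outer_dst: str) -> bytes:
        """Step 1: encrypt the inner packet and carry it as the payload of an outer packet."""
        self.send_seq += 1
        hdr = struct.pack("!IQ", self.spi, self.send_seq)
        ct = bytes(a ^ b for a, b in zip(inner, self._keystream(self.send_seq, len(inner))))
        tag = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
        return build_ipv4(outer_src, outer_dst, PROTO_TUNNEL, hdr + ct + tag,
                          ident=self.send_seq & 0xFFFF)

    def decapsulate(self, outer: bytes) -> bytes:
        """Step 3: unwrap, check and decrypt; returns the original inner packet."""
        o = parse_ipv4(outer)
        if o["proto"] != PROTO_TUNNEL or len(o["payload"]) < 12 + TAG_LEN:
            raise ValueError("not tunnel traffic")
        body = o["payload"]
        hdr, ct, tag = body[:12], body[12:-TAG_LEN], body[-TAG_LEN:]
        spi, seq = struct.unpack("!IQ", hdr)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.recv_seq:
            raise ValueError("replayed or reordered packet")
        expect = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed: tampered packet or wrong key")
        inner = bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))
        parse_ipv4(inner)    # the plaintext must itself be a well-formed IPv4 packet
        self.recv_seq = seq  # advance replay state only after the tag has verified
        return inner


def demo() -> dict:
    """Send the slide's packet from gateway A to gateway B; returns the intermediate values."""
    key = bytes.fromhex("3333fd20adf9c0ccf9eff2393bbb3e41")  # the CIPE slide's sample key: published, never use it for real
    site_a, site_b = TunnelEndpoint(key, 0x1001), TunnelEndpoint(key, 0x1001)
    inner = build_ipv4("10.1.1.12", "10.2.1.22", 6, b"Data")           # the original packet
    outer = site_a.encapsulate(inner, "206.8.134.2", "36.12.11.222")   # step 2: what crosses the Internet
    recovered = site_b.decapsulate(outer)                             # step 3; step 4 would forward it
    return {"inner": inner, "outer": outer, "outer_hdr": parse_ipv4(outer), "recovered": recovered}
```

Calling demo() and printing its "outer_hdr" entry shows what an eavesdropper on the Internet can read: only the two gateway addresses and the protocol number; the inner addresses and the data are inside the ciphertext. GRE, discussed later, performs the encapsulation of steps 1 and 3 without the encryption or the tag, which is why it is listed below as having no encryption.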
Why Have a VPN
Secure access to corporate resources
Fast access
Less expensive infrastructure
Easier access to corporate resources
One connection for Internet and corporate
Why Not to have a VPN
Higher cost of administration
Can make your site more visible
Need to be more security proactive
Large possible security risk
Requires more powerful systems
What is Needed ?
Host Computers
Network Connections
VPN Software
Linux VPN Options
Available Linux VPNs
Low Cost (Free) Solutions
GRE
CIPE
IPIP
PPTP
SSH port forwarding
IPSec
Available Linux VPNs
Non-Free Solutions
AltaVista Tunnel
CheckPoint FireWall-1
IPSec
Many More...
VPN We Will Investigate
GRE
CIPE
IPSec
PPTP
Linux GRE
Developed by:
Cisco
Available from:
Part of standard Linux Kernel tarball
Resources:
RFC 1701 and RFC 2784 (and more...)
Linux GRE
Advantages
Free
Comes with Linux Kernel tarball
Works with cisco routers
Tried and tested
Can work through Masq/NAT
Works with IPv6
Linux GRE
Disadvantages
No encryption: GRE only encapsulates, so packets cross the Internet in the clear unless the GRE tunnel is itself carried inside IPSec or another encrypting tunnel
No authentication of the peer or of individual packets
Linux CIPE
Developed by:
Olaf Titz
Available at:
http://sites.inka.de/~bigred/devel/cipe.html
Resources:
http://sites.inka.de/~bigred/devel/cipe.html
Linux CIPE
Advantages
Built for VPN
Can use blowfish or PKE encryption
Works through/with SOCKS, NAT, Dynamic IP
Free
Linux CIPE
Disadvantages
Uses UDP (for good reason)
Seems slow now and then
Only works for IPv4
Linux IPSec
Developed by:
FreeS/WAN (Linux Version)
Available at:
http://www.freeswan.org/download.html
Resources:
http://www.freeswan.org
IPSec
Advantages
Should work across platform/vendors/devices
Will work with IPv6
IPSec
Disadvantages
Difficult to implement
Has problems with NAT/Masq
Problems with authentication
Linux PPTP
Developed by:
Matthew Ramsay, Kevin Thayer, David Luyer,
Patrick LoPresti, Philip Van Baren, Peter Galbavy
and more
Available at:
http://poptop.lineo.com/download_pptp.html
Resources:
http://poptop.lineo.com/
Linux PPTP
Advantages
Compatible with Microsoft
Can be server or client
Linux PPTP
Disadvantages
Compatible with Microsoft
Has some security holes (the MS-CHAP authentication and MPPE encryption used with Microsoft's PPTP were shown to be weak by Schneier and Mudge in 1998 and 1999)
Build Linux VPN!
VPNs to Create
GRE
CIPE
Need
Software
IP and Network Address
IPChains config
Routing
Tools We Will Use
ifconfig
route
ipchains
VPN Basics
Define devices
Create devices
Connect devices
Adjust routing/ipchains
GRE Steps
Determine IP addresses & network
Load module
Configure GRE tunnel
Setup routing
Modify IPChains
CIPE Steps
Determine IP addresses & network
Download software
Compile software
Configure software
Load module
Start ciped daemon
Set up routing
Modify IPChains
CIPE Notes
Can handle up to 99 devices
Auto-creates devices
Use "device ciped0" option in config file
CIPE Config File
# /etc/cipe/options
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes

# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
device ciped

# the peer's IP address
ptpaddr 10.2.13.1

# our CIPE device's IP address
ipaddr 192.168.13.1

# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
#me bigred.inka.de:6789
me 127.0.0.1:2048

# ...and the UDP address we connect to. Of course no wildcards here.
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048

# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3333fd20adf9c0ccf9eff2393bbb3e41
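A checker for an options file like the one above, as an added example; it is not part of CIPE. It parses the file by the rule the sample itself states (comments only on a line by themselves, one "name value" or "name=value" option per line) and then applies the checks a practitioner would want before starting ciped: every option the sample calls the minimal set is present, the key really is 128 bits of hexadecimal, peer carries no wildcards, and the key is not the one printed in the sample file, which is public. The option names and SAMPLE_OPTIONS come from the slide; the finding messages and the fresh_key() helper are this example's own.

```python
"""Checker for a CIPE /etc/cipe/options file. Added example, not part of CIPE.
Parsing follows the rule in the sample: comments only on a line by themselves,
one 'name value' (or 'name=value') option per line. Messages and fresh_key() are
this example's own; SAMPLE_OPTIONS is the slide's file with the key it prints."""
import re
import secrets

REQUIRED = ("device", "ptpaddr", "ipaddr", "me", "peer", "key")  # the sample's "minimal set"
PUBLISHED_KEY = "3333fd20adf9c0ccf9eff2393bbb3e41"  # printed on the slide, so known to everyone

SAMPLE_OPTIONS = """\
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes
device ciped
ptpaddr 10.2.13.1
ipaddr 192.168.13.1
#me bigred.inka.de:6789
me 127.0.0.1:2048
peer 192.172.18.34:2048
key 3333fd20adf9c0ccf9eff2393bbb3e41
"""


def parse_options(text: str) -> dict:
    """Return {option: value}; raises ValueError on a malformed or duplicated line."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # a comment must occupy the whole line
            continue
        m = re.fullmatch(r"([A-Za-z_][\w-]*)\s*(?:=|\s)\s*(\S.*)", line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'name value', got {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        if name in opts:
            raise ValueError(f"line {lineno}: option {name} given twice")
        opts[name] = value
    return opts


def check_options(opts: dict) -> list:
    """Return findings to fix before starting ciped; an empty list means the file passed."""
    findings = [f"missing required option: {n}" for n in REQUIRED if n not in opts]
    key = opts.get("key")
    if key is not None:
        if not re.fullmatch(r"[0-9a-fA-F]{32}", key):
            findings.append("key must be 128 bits (32 hex digits)")
        elif key.lower() == PUBLISHED_KEY:
            findings.append("key is the published sample key; generate a fresh one")
    for name in ("me", "peer"):
        addr = opts.get(name)
        if addr is None:
            continue
        host, sep, port = addr.rpartition(":")
        if not sep or not port.isdigit():
            findings.append(f"{name} must be host:port, got {addr!r}")
        elif name == "peer" and (host == "0.0.0.0" or int(port) == 0):
            findings.append("peer may not use wildcards (0.0.0.0 or port 0)")  # only 'me' may
    for name, value in opts.items():
        if "#" in value:  # trailing comments are not part of the format; this is data
            findings.append(f"{name}: '#' inside a value is not a comment in this format")
    return findings


def fresh_key() -> str:
    """A new random 128-bit key in the hexadecimal form the options file expects."""
    return secrets.token_hex(16)
```

Running check_options(parse_options(SAMPLE_OPTIONS)) yields exactly one finding, that the key is the published sample key; replacing it with fresh_key() clears the list. Since the file holds the static key in the clear, the "Keep this file secret!" comment translates in practice to owner-only permissions on /etc/cipe/options.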
Other Issues
DNS
Broadcast or Not
Authentication
Resources
Linux Docs -- www.linuxdoc.org
- Linux Route2 HowTo
- Linux Masquerade HowTo
- Linux VPN HowTo
- Linux Network Administrators Guide (NAG)
Virtual Private Network Consortium -- www.vpnc.org
FreeS/WAN IPSec -- www.freeswan.org
Books
IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks
By Naganand Doraswamy & Dan Harkins
Prentice Hall, 1999
www.phptr.com
Virtual Private Networks, 2nd Edition
By Charlie Scott, Paul Wolfe & Mike Erwin
2nd Edition December 1998
www.ora.com
Version Info
Brian Dolan-Goecke
http://www.goecke-dolan.com/Brian/Presentations
Linux VPN Presentation
Version 1.4
10/10/2001