Linux_VPN - Goecke
Linux VPN
Brian Dolan-Goecke
Atlanta, Georgia
IBM Corporation 2001
October 8-12, 2001
pSeries Technical Conference
Contact
Email: [email protected]
Website: www.Goecke-Dolan.com/Brian
Phone: (612) 759-0967
Linux VPN
We will explain and build a basic Virtual Private Network (VPN) on Linux.
We will begin this session by looking at VPNs and how they work, then
investigate some of the solutions for building VPNs on Linux. Finally we
will build a basic VPN across the Internet with Linux. A good understanding
of TCP/IP and networking is preferred.
Session Objectives
Issues to consider when building a VPN
- How it works
- What is needed
- What technology to use
Some Linux VPN options
Build a basic VPN
VPN Definition
Virtual Private Network
A secure network connection across an
insecure network.
VPN Definition
Virtual Private Network
(VPN) The use of encryption in the lower protocol layers to provide a secure connection
through an otherwise insecure network, typically the Internet. VPNs are generally cheaper
than real private networks using private lines but rely on having the same encryption
system at both ends. The encryption may be performed by firewall software or possibly
by routers.
Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each
datagram except the link-level information. This prevents a listener from obtaining
information about network structure. While link-level encryption prevents traffic analysis
(a form of attack), it must encrypt/decrypt on every hop and every path.
Protocol-level encryption (layer 3 and 4) encrypts protocol data but leaves
protocol and link headers clear. While protocol-level encryption requires you to
encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it,
headers are sent as clear text, allowing traffic analysis.
Application (layer 5 up) encryption is based on a particular application and requires that
the application be modified to incorporate encryption.
Cisco. (1999-11-15)
VPN Explanation
Connection Type
Typical Internet Connection
Traditional Remote Corporate Connection
VPN Remote Corporate Connection
Detailed VPN Connection
Internet Connection
[Diagram: Remote Host <-> Internet <-> Corp Host]
Traditional Connection
[Diagram: Remote Host <-> Internet <-> DMZ / Firewall <-> Corp Network <-> Corporate Resources]
VPN Connection
[Diagram, same elements as the traditional connection: Remote Host <-> Internet <-> DMZ / Firewall <-> Corp Network <-> Corporate Resources]
VPN Connection Detail
[Diagram: Remote Host <-> ISP <-> Internet <-> ISP <-> DMZ / Firewall <-> Corp Network <-> Corporate Resources]
How Does It Work?
1) A host encrypts and encapsulates network packets in network packets.
2) Packets are transmitted to a remote host via an insecure network.
3) The remote host de-encapsulates and decrypts the network packets.
4) The original network packets are then forwarded to the local network.
How VPN Works
[Diagram: a data packet from 10.1.1.12 to 10.2.1.22 is encrypted and carried inside an outer packet from 206.8.134.2 to 36.12.11.222, out across the Internet]
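The four steps above, as an added example that is not part of the original presentation: a Python simulation of the two tunnel styles the deck builds later, a GRE encapsulation with no encryption and a CIPE-style encrypted one, using the slide's addresses and the sample key from the CIPE config slide. The header layout, the toy HMAC-based stream cipher and the fixed nonce are constructed for illustration only; a real tunnel uses the kernel's implementation, a real cipher with integrity protection, and a fresh nonce per packet.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

# Addresses from the "How VPN Works" slide; KEY is the sample key from the CIPE config slide.
INNER_SRC, INNER_DST = "10.1.1.12", "10.2.1.22"       # private hosts on each LAN
OUTER_SRC, OUTER_DST = "206.8.134.2", "36.12.11.222"  # public tunnel endpoints
KEY = bytes.fromhex("3333fd20adf9c0ccf9eff2393bbb3e41")
NONCE = bytes(range(8))        # constructed; a real tunnel uses a fresh value per packet
GRE_PROTO, UDP_PROTO = 47, 17
IPV4_HDR = "!BBHHHBBH4s4s"     # minimal 20-byte IPv4 header, no options, checksum left zero

def ip_packet(src, dst, proto, payload):
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def parse_ip(pkt):
    _, _, total, _, _, _, proto, _, s, d = struct.unpack(IPV4_HDR, pkt[:20])
    return {"src": str(IPv4Address(s)), "dst": str(IPv4Address(d)), "proto": proto, "payload": pkt[20:total]}

def keystream(key, nonce, n):
    # Toy counter-mode keystream from HMAC-SHA256: confidentiality only, no integrity check.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def gre_encapsulate(inner):
    # GRE: 4-byte header (flags 0, protocol type 0x0800 = IPv4); the inner packet rides in the clear.
    return ip_packet(OUTER_SRC, OUTER_DST, GRE_PROTO, struct.pack("!HH", 0, 0x0800) + inner)

def gre_decapsulate(outer):
    p = parse_ip(outer)
    return p["payload"][4:] if p["proto"] == GRE_PROTO else None

def enc_encapsulate(inner, key=KEY, nonce=NONCE):
    # CIPE-style: encrypt the whole inner packet; nonce + ciphertext go in a proto-17 packet (UDP header omitted).
    ct = bytes(a ^ b for a, b in zip(inner, keystream(key, nonce, len(inner))))
    return ip_packet(OUTER_SRC, OUTER_DST, UDP_PROTO, nonce + ct)

def enc_decapsulate(outer, key=KEY):
    payload = parse_ip(outer)["payload"]
    return bytes(a ^ b for a, b in zip(payload[8:], keystream(key, payload[:8], len(payload) - 8)))

def demo():
    inner = ip_packet(INNER_SRC, INNER_DST, 6, b"Data")                      # step 1: LAN packet
    gre_outer, enc_outer = gre_encapsulate(inner), enc_encapsulate(inner)    # step 2: on the wire
    return {"gre_roundtrip": gre_decapsulate(gre_outer) == inner,            # steps 3-4: far end
            "enc_roundtrip": enc_decapsulate(enc_outer) == inner,
            "gre_leaks_inner": inner in gre_outer,   # GRE's "No encryption": inner packet visible
            "enc_leaks_inner": inner in enc_outer,
            "outer_dst": parse_ip(gre_outer)["dst"]}
```

Only the outer addresses are visible on the Internet path in both cases, but with GRE a sniffer also sees the full inner packet, which is why the deck lists GRE's lack of encryption as its one disadvantage.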
Why Have a VPN
Secure access to corporate resources
Fast access
Less expensive infrastructure
Easier access to corporate resources
One connection for Internet and corporate
Why Not to Have a VPN
Higher cost of administration
Can make your site more visible
Need to be more security proactive
Large possible security risk
Requires more powerful systems
What Is Needed?
Host Computers
Network Connections
VPN Software
Linux VPN Options
Available Linux VPNs
Low Cost (Free) Solutions
GRE
CIPE
IPIP
PPTP
SSH port forwarding
IPSec
Available Linux VPNs
Non-Free Solutions
AltaVista Tunnel
CheckPoint FireWall-1
IPSec
Many More...
VPN We Will Investigate
GRE
CIPE
IPSec
PPTP
Linux GRE
Developed by:
Cisco
Available from:
Part of standard Linux Kernel tarball
Resources:
RFC 2401 (and more...)
Linux GRE
Advantages
Free
Comes with Linux Kernel tarball
Works with cisco routers
Tried and tested
Can work through Masq/NAT
Works with IPv6
Linux GRE
Disadvantages
No encryption
Linux CIPE
Developed by:
Olaf Titz
Available at:
http://sites.inka.de/~bigred/devel/cipe.html
Resources:
http://sites.inka.de/~bigred/devel/cipe.html
Linux CIPE
Advantages
Built for VPN
Can use blowfish or PKE encryption
Works through/with SOCKS, NAT, Dynamic IP
Free
Linux CIPE
Disadvantages
Uses UDP (for good reason)
Seems slow now and then
Only works for IPv4
Linux IPSec
Developed by:
FreeS/WAN (Linux Version)
Available at:
http://www.freeswan.org/download.html
Resources:
http://www.freeswan.org
IPSec
Advantages
Should work across platform/vendors/devices
Will work with IPv6
IPSec
Disadvantages
Difficult to implement
Has problems with NAT/Masq
Problems with authentication
Linux PPTP
Developed by:
Matthew Ramsay, Kevin Thayer, David Luyer,
Patrick LoPresti, Philip Van Baren, Peter
Galbavy
and more
Available at:
http://poptop.lineo.com/download_pptp.html
Resources:
http://poptop.lineo.com/
Linux PPTP
Advantages
Compatible with Microsoft
Can be server or client
Linux PPTP
Disadvantages
Compatible with Microsoft
Has some security holes
Build Linux VPN!
VPNs to Create
GRE
CIPE
Need
Software
IP and Network Address
IPChains config
Routing
Tools We Will Use
ifconfig
route
ipchains
VPN Basics
Define devices
Create devices
Connect devices
Adjust routing/ipchains
GRE Steps
Determine IP addresses & network
Load module
Configure GRE tunnel
Set up routing
Modify IPChains
CIPE Steps
Determine IP addresses & network
Download software
Compile software
Configure software
Load module
Start ciped daemon
Set up routing
Modify IPChains
CIPE Notes
Can handle up to 99 devices
Auto-creates devices
Use "device ciped0" option in config file
CIPE Config File
#/etc/cipe/options
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes
# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
device ciped
# the peer's IP address
ptpaddr 10.2.13.1
# our CIPE device's IP address
ipaddr 192.168.13.1
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
#me bigred.inka.de:6789
me 127.0.0.1:2048
# ...and the UDP address we connect to. Of course no wildcards here.
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3333fd20adf9c0ccf9eff2393bbb3e41
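An added example, not part of the presentation or of CIPE itself, that parses and sanity-checks an options file in the format shown above: it honours the file's own rule that comments are only whole lines, and flags a key that is not 128 bits, a wildcard peer, or a missing option from the minimal set. The embedded sample is the slide's file; the option names and the port range are the only assumptions.

```python
import re
from ipaddress import IPv4Address

# The options file from the CIPE Config File slide, embedded so the example runs offline.
CIPE_OPTIONS = """\
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes
device ciped
ptpaddr 10.2.13.1
ipaddr 192.168.13.1
#me bigred.inka.de:6789
me 127.0.0.1:2048
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048
key 3333fd20adf9c0ccf9eff2393bbb3e41
"""
REQUIRED = ("device", "ptpaddr", "ipaddr", "me", "peer", "key")  # the slide's minimal set

def parse_cipe_options(text):
    # 'name value' or 'name=value' per line; only whole lines are comments; a repeated name keeps its last value
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w-]+)[=\s]\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def validate(opts):
    """Return a list of problems; an empty list means the minimal option set looks usable."""
    problems = [f"missing required option '{n}'" for n in REQUIRED if n not in opts]
    for name in ("ptpaddr", "ipaddr"):
        if name in opts:
            try:
                IPv4Address(opts[name])
            except ValueError:
                problems.append(f"{name}: '{opts[name]}' is not an IPv4 address")
    for name in ("me", "peer"):
        if name not in opts:
            continue
        host, sep, port = opts[name].rpartition(":")
        if not (sep and port.isdigit() and int(port) <= 65535):
            problems.append(f"{name}: expected host:port, got '{opts[name]}'")
        elif name == "peer" and (host == "0.0.0.0" or port == "0"):
            problems.append("peer: wildcard address or port 0 is not allowed here")
    if "key" in opts and not re.fullmatch(r"[0-9a-fA-F]{32}", opts["key"]):
        problems.append("key: must be 128 bits written as 32 hex digits")
    return problems
```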
Other Issues
DNS
Broadcast or Not
Authentication
Resources
Linux Docs -- www.linuxdoc.org
- Linux Route2 HowTo
- Linux Masquerade HowTo
- Linux VPN HowTo
- Linux Network Administrators Guide (NAG)
Virtual Private Network Consortium -- www.vpnc.org
FreeS/WAN IPSec -- www.freeswan.org
Books
IPSec: The New Security Standard for the Internet, Intranets,
and Virtual Private Networks
By Naganand Doraswamy & Dan Harkins
Prentice Hall, 1999
www.phptr.com
Virtual Private Networks, 2nd Edition
By Charlie Scott, Paul Wolfe & Mike Erwin
2nd Edition December 1998
www.ora.com
Version Info
Brian Dolan-Goecke
[email protected]
http://www.goecke-dolan.com/Brian/Presentations
Linux VPN Presentation
Version 1.4
10/10/2001