2 <!DOCTYPE article PUBLIC
"-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://docbook.org/xml/4.4/docbookx.dtd">
7 <title>Practical VPNs
</title>
8 <subtitle>Implementing Full-scale VPNs
</subtitle>
11 <firstname>Liran
</firstname>
12 <surname>Tal
</surname>
15 <email>liran@enginx.com
</email>
21 <firstname>Yakov
</firstname>
22 <surname>Shtutz
</surname>
23 <contrib>Special thanks
</contrib>
27 <firstname>Shahar
</firstname>
28 <surname>Fermon
</surname>
29 <contrib>Testing and feedback
</contrib>
34 This document was compiled from the administrator's point of
35 view, to explain what are VPNs, how they are deployed today
36 and to detail the necessary steps and tools to achieve and
37 create a fully working VPN solution, integrated with RADIUS
42 I will not dwell in this document on how to compile source
43 packages or kernel patching, and with the same tone I'm
44 assuming the reader is an exprerienced Linux user.
48 VPNs have their share amount of gossip for being a very
49 complex thing, and in some cases this may be true as they tend
50 to be more security intenssive which require adding more and
51 more layers to the scheme. With this said, we'll take a look
52 at how fairly straight-forward it is to setup VPNs and
53 maintain them with varius Open-Source tools.
59 <title>Overview of VPNs and IPsec
</title>
61 <title>Virtual Private Networks
</title>
63 The purpose of a VPN is to create a secure channel ontop of an
64 un-secure medium, where a computer or a device are put in each
65 end-point in order to establish communication, each of these
66 end-points are often reffered to as Point of Presense, or POP.
67 This kind of a communication allows the capability of creating
68 a Virtual Private Network, which is accesable over a medium
69 such as the Internet and thus, extend the physical boundaries
70 of an existing local network.
74 VPNs have three forms:
77 <term>Site-To-Site VPNs
</term>
80 these setups exist in order to extend the local network
81 to create a much bigger LAN over the Internet.
87 <term>Network-To-Host or Remote access VPNs
</term>
90 where a central VPN server is able to achieve multiple
91 connections, often reffered to as RoadWarrior VPNs.
92 (This setup is very common among ISPs)
98 <term>Network-To-Network
</term>
101 extranet VPNs allow secure connections within branches
102 and business partners, they are an extension of a
111 <xref linkend=
"site-to-site"/> shows a Site-To-Site VPN diagram.
112 <figure id=
"site-to-site">
113 <title>Site to Site VPN
</title>
116 <imagedata fileref=
"site-to-site-vpn.png"/>
123 IP/VPNs are connections which are based upon IP tunnels. A
124 tunnel is a way to encapsulate an IP packet inside another IP
125 packet or some other type of packet. Why do we need
126 tunneling? A Virtual Private Network is identified by IANA's
127 private IP assignments and so such packet can not go beyond
128 the uplink Internet interface.
132 <xref linkend=
"tunneling-process"/> shows the tunneling process.
133 <figure id=
"tunneling-process">
134 <title>Tunneling Process
</title>
137 <imagedata fileref=
"tunneling-process.png"/>
144 Several tunneling protocols are available for manifesting
152 Layer
2 Forwarding, an older implementation which
153 assume position at the link layer of the OSI. It has
154 no encryption capabilities and hence, deprecated.
163 Layer
2 Tunneling Protocol, still no encryption
173 Point-to-Point Tunneling Protocol, and yet again, no
182 As seen, the requirement of encryption enhancement is urgent
183 in order to assure authentication, data integrity and privacy.
184 IPsec solves this by providing a suite of security measures
185 implemented at layer
3.
190 <title>IP Security Suite (IPsec)
</title>
192 VPN Security is now appearing, this complex things. How so?
193 VPN tunnels by themselves are easily maintained by
194 single-standalone tools like pppd, l2tpns, stunnel and others.
195 Involving security with VPNs though requires more:
199 <para>authentication, data integrity and privacy
</para>
203 <para>keying management
</para>
210 Keys are secrets being shared by two end-points to provide a
211 secure mean of communication against a third-party
212 connection from sniffing the actual data.
217 Different ways to handle key management include RADIUS (Remote
218 Authentication Dial In User Service) systems which provide AAA
219 (Authentication, Authorization and Accounting). Another
220 solution is ISAKMP/Oackly - Internet Security Association and
221 Key Management Protocol. This solution requires you to posess
222 one of the following:
226 <para>something you have
</para>
230 <para>something you know
</para>
234 <para>something you are
</para>
240 The more requirements you meet the more secure is the medium,
241 once established. Let's review, something we have is like a
242 certificate, it proves who we are. Something we know, is a
243 key, a secret password which we were told in a whisper, and
244 something we are is our-fingerprint which identifies ourselves
245 from other individuals.
248 <sect3 id=
"ipsec-in-depth">
249 <title>IPsec in Depth
</title>
251 IPsec consists of two main protocols, an Authentication
252 Header and Encapsulation Security Payload, also known as AH
253 and ESP. Although it is not bound to these and can be
254 extended (and often is) to other standarts such as
258 <para>Data Encryption Standart (DES and
3DES)
</para>
262 <para>Diffie-Hellman (DH)
</para>
266 <para>Secure Hash Algorithm-
1 (SHA1)
</para>
270 <para>Message Digest
5 (MD5)
</para>
274 <para>Internet Key Exchange (IKE)
</para>
278 <para>Certification Authorities (CA)
</para>
284 We'll be deploying an IKE daemon to handle the key
285 management, which uses the Diffie- Hellman cryptography
286 protocol in order to allow two parties to establish a
287 connection based upon a shared secret key that both parties
288 posess. (Authentication within IKE is handled by MD5
293 IKE is responsible for authentication of two IPsec parties,
294 negotiation of keys for encryption algorithms and security
295 associations. This process is commonly regarded as two
300 <term>Phase
1: IKE Security Association
</term>
303 The IKE daemon authenticates against the peers in
304 order to achieve a secure channel, according to the
305 Diffie-Hellman key agreement.
311 <term>Phase
2: IKE IPsec Negotiation
</term>
314 After achieving an authenticated channel, the
315 parties now negotiate a secure transform (the way to
316 encrypt and secure the medium) where the sender is
317 offering his/hers transform set after which the
318 receiver decides upon one. An IPsec session can now
327 Just to be clear, a Security Association is an agreed
328 relation between two parties which describes how they will
329 use security services (from IPsec) to communicate.
333 <sect3 id=
"ipsec-modes">
334 <title>IPsec Modes
</title>
336 IPsec can operate in two different modes:
340 <term>Transport mode
</term>
343 takes place when two devices (like a station and a
344 gateway (now considered a host)) are establishing a
345 connection which upon they both support IPsec.
351 <term>Tunnel mode
</term>
354 we require tunnel mode when we proxy IPsec
355 connetions between two stations behind the IPsec
356 gateway. For example, in a Site-to-Site VPN a
357 tunnel mode lives, since it exists in order to
358 provide the stations behind these gateways runing
359 the VPN/IPsec to communicate securely. In this
360 situation, both end-points are runing an IPsec
369 In definition, a tunnel mode IPsec is better secured than
370 transport. Without going too deep into the ins-and-outs of
371 the technical side, transport mode doesn't encapsulate the
372 actual IP layer but only the tcp/udp (Transport layer of the
373 OSI) where-as a tunnel mode encapsulate both the Transport
374 layer and the IP layer into a new IP packet.
378 To summarize, we need VPNs for data-exchange methods and a
379 set of IPsec tools for security reasons.
385 <sect1 id=
"deployment">
386 <title>VPN Deployment
</title>
388 I've assembled another diagram to view the actual VPN setup.
389 <xref linkend=
"vpn-deployment"/> gives a general description of
390 how the network will be layed out in real-world scenario.
392 <figure id=
"vpn-deployment">
393 <title>VPN Deployment
</title>
396 <imagedata fileref=
"vpn-deployment.png"/>
403 We notice that a single Linux box is acting as a Gateway and has
404 all the services included with it. This is a bad idea from a
405 security prespective but it's easy to just deploy the FreeRADIUS
406 and MySQL servers on another machine. Of course the L2TPns and
407 the rest of the IPsec tools suite would have to remain on the
408 Gateway box (not necessarily the Firewall).
412 <xref linkend=
"vpn-process"/> attempts to explain the actual
413 process that the VPN takes and to detail the place that each of
414 that application-in-charge takes place.
416 <figure id=
"vpn-process">
417 <title>VPN Process
</title>
420 <imagedata fileref=
"vpn-process.png"/>
426 <sect2 id=
"deployment-requirements">
427 <title>Requirements
</title>
428 <sect3 id=
"deployment-requirements-toolbox">
429 <title>The Toolbox
</title>
431 Following is a description of the requirements you will
436 <term>A Linux box
</term>
438 <para>preferably a
2.4.27 kernel or higher.
</para>
440 Debian is the chosen distribution which means we'll
441 be using apt-get for installation, but I'll also
442 focus on basic source tarballs installation.
450 <para>ipsec configuration in the kernel
</para>
460 <para>an L2TP PPP Termination tool.
</para>
466 <para>libcli
1.8.0 or greater
</para>
471 tun/tap interface compiled in the kernel or as
481 <term>FreeRADIUS
</term>
483 <para>For authentication, and accounting.
</para>
490 <para>To act as a back-end database for the RADIUS.
</para>
495 <term>OpenSwan
</term>
497 <para>Provides the ipsec suite package.
</para>
504 <sect3 id=
"deployment-requirements-kernel">
505 <title>Kernel Support
</title>
507 Debian stock kernel
2.4.27 and up are ipsec compatible
508 although if you think otherwise check for the
509 kernel-patch-openswan package.
514 <sect2 id=
"deployment-installation">
515 <title>Installation
</title>
516 <sect3 id=
"deployment-installation-l2tpns">
517 <title>L2TPns
</title>
518 <sect4 id=
"deployment-installation-l2tpns-install">
519 <title>Installation
</title>
522 L2TPns is a layer
2 tunneling protocol network server
523 (LNS). It supports up to
65535 concurrent sessions per
524 server/cluster plus ISP features such as rate limiting,
525 walled garden, usage accounting, and more.
530 In a personal note - L2TPns is highly configurable for
531 many cases, and extremely reliable for
532 production/commerical use.
541 Make sure you have libcli-
1.8 development package
544 # apt-cache search libcli
545 libcli-dev - emulates a cisco style telnet command-line interface (dev files)
546 libcli1 - emulates a cisco style telnet command-line interface
547 # apt-get install libcli-dev
557 Download the source from
558 <ulink url=
"http://sourceforge.net/projects/l2tpns/">
569 <code>make
&& make install
</code>
578 Alternately, you can skip these steps and simply
579 <code>apt-get install l2tpns
</code>.
585 On RPM-based distributions, you should be able to make
586 packages from the libcli and l2tpns source tarballs with
587 <code>rpmbuild -ta
</code>.
592 Once compiliation is done you will have l2tpns in
593 <filename>/usr/sbin/l2tpns
</filename>, and all
594 configuration files can be found in
595 <filename>/etc/l2tpns/
</filename>.
599 <sect4 id=
"deployment-installation-l2tpns-config">
600 <title>Configuration
</title>
602 The only configuration that L2TPns takes is centralized in
603 the configuration file
604 <filename>/etc/l2tpns/startup-config
</filename>.
606 set debug
2 # Debugging level
607 set log_file
"/var/log/l2tpns" # Log file: comment out to use stderr, use
608 #
"syslog:facility" for syslog
609 set pid_file
"/var/run/l2tpns.pid" # Write pid to this file
610 set l2tp_secret
<emphasis>"secret"</emphasis> # shared secret
611 set primary_dns
<emphasis>212.117.128.6</emphasis> # Only
2 DNS server entries are allowed
612 set secondary_dns
<emphasis>212.117.129.3</emphasis>
613 set primary_radius
<emphasis>192.168.0.1</emphasis> # Can have multiple radius server entries,
614 # but ony one radius secret
615 set primary_radius_port
1812
616 set radius_secret
<emphasis>"radius_secret"</emphasis>
617 set radius_accounting yes
618 set radius_dae_port
3799
619 set accounting_dir
"/var/run/l2tpns/acct" # Write usage accounting files into specified
621 set peer_address
<emphasis>192.168.0.1</emphasis> # Gateway address given to clients
622 load plugin
"sessionctl" # Drop/kill sessions
623 load plugin
"autothrottle" # Throttle/snoop based on RADIUS
624 load plugin
"throttlectl" # Control throttle/snoop with nsctl
625 load plugin
"snoopctl"
630 This is the trimmed down version of probably most of
631 the common configuration and even some extra options.
635 Important configuration options are highlited and you
636 should adjust these to meet your network needs. We can
637 deploy all of the environment into one box which is of
638 course not a very good idea from a security point of view,
639 but will function just fine. Moreover, we will be using
640 aliased IP addresses so once you've decided to move the
641 FreeRADIUS daemon to another computer on the LAN it will
642 be fairly easy and won't take too much configuration into
647 Next, we need to setup the IP pool that L2TPns will
648 provide to each VPN client. The configuration file is
649 located at
<filename>/etc/l2tpns/ip_pool
</filename> and
650 should look like the following:
651 <programlisting>172.16.21.0/
24</programlisting>
656 Of course you can change this pool to anything else
657 (IANA IPs assigned for private internets only) just make
658 sure it is not conflicting with your current LAN network
659 addresses. This means that if you've assigned addresses
660 of
192.168.0.1 and
192.168.0.2 to your LAN boxes you
661 can't have a pool of
192.168.0.1/
24 defined since L2TPns
662 will try to route those addresses from the tun device,
663 which is needless to say a bad idea...
667 <para>Next up, creating the access-list for L2TPns.
</para>
670 Add a username and password into
671 <filename>/etc/l2tpns/users
</filename>:
672 <programlisting>admin:
12345</programlisting>
674 The password may either be plain-text as above, or
675 encrypted with MD5 or DES (to distinguish DES from
676 plain-text passwords, prefix the value with
677 <code>{crypt}
</code>).
681 L2TPns utilizes a terminal connection on port
23 which you
682 would feel very comfortable in if you have worked with
683 routers and switches devices before. The terminal
684 provides control over the ppp termination which is why
685 we've created an account to log on to.
690 <sect3 id=
"deployment-installation-ipsec">
692 <sect4 id=
"deployment-installation-ipsec-install">
693 <title>Installation
</title>
695 User-space IPsec tools for various IPsec implementations
696 exist for linux, among them is the port of KAME's
697 libipsec, setkey, and racoon. Others are the OpenSWAN (a
698 successor to the FreeSWAN project).
702 Getting IPsec installed is fairly easy with Debian:
703 <screen># apt-get install openswan
</screen>
707 The OpenSWAN project provides packages for RPM-based
712 Alternately, you may download the
713 <ulink url=
"http://www.openswan.org/code/">source
</ulink>
714 from the OpenSWAN project:
716 # tar xvzf openswan-
2.4.4.tar.gz
718 # ./configure
&& make
&& make install
723 <sect4 id=
"deployment-installation-ipsec-config">
724 <title>Configuration
</title>
726 OpenSWAN acts as the IKE daemon (remember IKE? it's job
727 is to authenticate between the two peers and negotiate a
728 secure medium). We will be setting up the IKE daemon as a
729 RoadWarrior configuration, a term for remote access
734 We desire this approach for compatibilty because after our
735 VPN solution will be complete any user from a Windows
736 machine will be easily ready to connect without any
3rd
737 party applications, same for Linux.
741 Configuration files are placed in
742 <filename>/etc/ipsec.d/
</filename>,
743 <filename>/etc/ipsec.conf
</filename> and
744 <filename>/etc/ipsec.secrets
</filename>.
748 Let's start by choosing the remote client and it's PSK
749 (Private Shared Key)
<filename>/etc/ipsec.secrets
</filename>:
751 hostname_or_ipaddress %any : PSK
"mysecretkeyisverylong"
756 This is an IP/key pair. The IP or FQDN defines the local
757 peer (like a SOHO branch), then the remote host. Here we
758 defined %any for all hosts, though it's possible to define
759 only a specific IP. At last, we define the key associated
764 A better way to create a key is to utilize /dev/random for
765 creating a unique key.
766 <screen># dd if=/dev/random count=
16 bs=
1 2>/dev/null | xxd -ps
</screen>
770 Next, let's prepare the configuration file
771 <filename>/etc/ipsec.conf
</filename>:
782 leftnexthop=%defaultroute
783 leftprotoport=
17/%any
785 rightprotoport=
17/%any
788 include /etc/ipsec.d/examples/no_oe.conf
793 In this file we have first defined version
2 which is a
794 must, then enabled NAT Traversal. To understand the
795 importance of this feature think of the following
796 scenario: A remote user attempts to connect while he's
797 behind a router and therefore NATed. The router has to
798 de-encapsulate the packet, change things and then build it
799 up again and send it. IPsec doesn't like other people
800 messing with it's packet. That's why we solve this issue
805 Next up we configure authentication type (certificates,
806 psk, rsa keys, etc) then the left and right peers. The
807 default mode OpenSWAN takes is tunnel unless told
808 otherwise. I won't go into in-depth explanation of every
809 method, you can take a quick look at
810 <filename>/etc/ipsec.d/examples
</filename> for more
811 explanation and other variations of working with RSA keys,
812 Certificates, host-to-host, and more.
820 We've configured an almost complete IPsec VPN setup.
826 We've installed and configured a VPN server (L2TPns)
827 and our IPsec security suite.
833 To control both of them we use:
834 <filename>/etc/init.d/l2tpns
</filename> and
835 <filename>/etc/init.d/racoon
</filename> (location
836 of start-up scripts may vary on non-Debian systems,
837 or if you've installed from
846 <sect3 id=
"deployment-installation-freeradius">
847 <title>FreeRADIUS
</title>
849 The VPN setup needs to authenticate against something, that
850 is the users database which we chose to be a FreeRADIUS
851 server backed with a MySQL database.
854 <sect4 id=
"deployment-installation-freeradius-install">
855 <title>Installation
</title>
858 FreeRADIUS is the premiere open source RADIUS server.
859 While detailed statistics are not available, we believe
860 that FreeRADIUS is well within the top
5 RADIUS servers
861 world-wide, in terms of the number of people who use it
862 daily for authentication. It scales from embedded
863 systems with small amounts of memory, to systems with
864 millions of users. It is fast, flexible, configurable,
865 and supports more authentication protocols than many
871 Installing on Debian:
872 <screen># apt-get install freeradius freeradius-mysql
</screen>
876 From source: Download the latest freeradius package from
877 <ulink url=
"http://freeradius.org/getting.html">freeradius.org
880 # tar xvzf freeradius.tar.gz
882 # ./configure
&& make
&& make install
887 <sect4 id=
"deployment-installation-freeradius-config">
888 <title>Configuration
</title>
890 This will appear a bit complex but it isn't, it's just a
891 lot of configuration.
895 Following are the configurations you need to have in your
896 <filename>/etc/freeradius/
</filename> files.
900 In this section I will not give you a dump of the
901 configuration since they are very long and mostly default.
902 I'll just post which changes to make.
906 We haven't yet configured MySQL, but it'll come
907 afterwards, don't worry.
911 Make the following changes to the file
912 <filename>/etc/freeradius/sql.conf
</filename>:
914 server =
"192.168.0.1"
916 password =
"12345678"
921 Add the following to the file
922 <filename>/etc/freeradius/clients.conf
</filename>:
926 shortname = localhost
933 Don't confuse the secret directive there with IPsec.
934 RADIUS server are using secret keys also to identify their
935 allowed NAS (Network Access Servers), these are the
936 clients that talk to the RADIUS server.
940 Also, change the
<code>client
127.0.0.1 {}
</code>
941 directive to hold the secret
"my_secret" like we
942 configured for
192.168.0.1 to avoid conflicts.
946 Uncomment the
<code>sql
</code> directive in the
947 <code>authorize
</code>,
<code>accounting
</code>, and
948 <code>session
</code> sections of
949 <filename>/etc/freeradius/radiusd.conf
</filename>.
953 Now for populating FreeRADIUS with MySQL. If you don't
954 know or haven't set root password for MySQL you can do it
956 <screen># mysqladmin -u root password password_here
</screen>
958 Then add the following to
959 <filename>/root/.my.cnf
</filename>:
964 password = password_here
969 Create the
<code>radius
</code> database, using the
971 <filename>/usr/share/doc/freeradius/examples/db_mysql.sql.gz
977 It may be necessary to modify the column definition of
978 <code>id
</code> in the
<code>nas
</code> table, removing
979 <code>DEFAULT '
0'
</code> such that the definition reads:
981 <programlisting>id int(
10) NOT NULL auto_increment,
</programlisting>
986 # mysqladmin create radius
988 mysql
> source db_mysql.sql
989 mysql
> GRANT ALL ON * TO 'radius'@'localhost' IDENTIFIED BY 'radius_password';
992 All the configuration is now done. Let's add a user to
996 mysql
> INSERT INTO radcheck values (
0,
"test",
"User-Password",
"==",
"1234");
1001 We have now created a user in the database of username
1002 <code>test
</code> and password
<code>1234</code>.
1006 Testing the RADIUS setup is simple using the radtest
1007 utility provided with it.
1010 Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
1011 # radtest test
1234 192.168.0.1 1812 my_secret
1016 radtest sends an Access-Request to the RADIUS server and
1017 expects an Access-Accept back from it. If you're not
1018 getting an Access-Accept from the RADIUS you're advised to
1019 check the configuration again and see what you might have
1025 <sect3 id=
"deployment-installation-firewall">
1026 <title>Firewall Configuration
</title>
1028 We need to apply a few things to iptables configuration and
1033 First off, we need to accept VPN-specific packets through
1034 the firewall. Of course you will have to adjust the rules
1035 to fits you needs, in this case, ppp0 is the Internet
1038 # iptables --append INPUT --in-interface ppp0 -p udp --dport
1701 -j ACCEPT
1039 # iptables --append INPUT --in-interface ppp0 -p udp --dport
500 -j ACCEPT
1040 # iptables --append INPUT --in-interface ppp0 -p udp --dport
4500 -j ACCEPT
1041 # iptables --append INPUT --in-interface ppp0 -p
50 -j ACCEPT
1046 If you haven't setup your Linux box as a gateway yet then
1047 you have to allow forwarding/masqing for the boxes on
1048 the LAN (and therefore for the VPN clients):
1050 # iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
1051 # iptables --append FORWARD --in-interface eth0 -j ACCEPT
1052 # echo
1 > /proc/sys/net/ipv4/ip_forward
1059 <sect1 id=
"references">
1060 <title>References
</title>
1063 <term>VPN Reference
</term>
1066 <ulink url=
"http://www.jacco2.dds.nl/networking/freeswan-l2tp.html"></ulink>
1072 <term>L2TPns Project
</term>
1074 <para><ulink url=
"http://l2tpns.sourceforge.net"></ulink></para>
1079 <term>OpenSWAN Project
</term>
1081 <para><ulink url=
"http://www.openswan.org"></ulink></para>