Book Image

Openswan: Building and Integrating Virtual Private Networks

By : Ken Bantoft, Paul Wouters
Book Image

Openswan: Building and Integrating Virtual Private Networks

By: Ken Bantoft, Paul Wouters

Overview of this book

<p>With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDA's and mobile phones, there is a growing desire for encrypting more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3's at home? IPsec is the industry standard for encrypted communication, and Openswan is the de-facto implementation of IPsec for Linux.</p> <p>Whether you are just connecting your home DSL connection with your laptop when you're on the road to access your files at home, or you are building an industry size, military strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.</p> <p>The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway to deploy IPsec using Openswan. It not only for Linux clients, but also the more commonly used Operating Systems such as Microsoft Windows and MacOSX. Furthermore it discusses common interoperability examples for third party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.</p> <p>The authors bring you first hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not so successful uses of Openswan by people worldwide.</p>

Related Content you might be interested in

Current Title:

Small book image
Openswan: Building and Integrating Virtual Private Networks
Ken Bantoft | Paul Wouters
Feb, 2006 | 360 pages
No titles found
Table of Contents (22 chapters)
Building and Integrating Virtual Private Networks with Openswan
Building and Integrating Virtual Private Networks with Openswan
Credits
Credits
About the Authors
About the Authors
Acknowledgements
Acknowledgements
About the Reviewers
About the Reviewers
Preface
Preface
Free Chapter
1
Introduction
Introduction
The Need for Cryptography
A History of the Internet
History of Internet Engineering
The War on Crypto
Free Software
The History of Openswan
Using Openswan
Summary
2
Practical Overview of the IPsec Protocol
Practical Overview of the IPsec Protocol
A Very Brief Overview of Cryptography
IPsec: A Suite of Protocols
Kernel Mode: Packet Handling
Usermode: Handling the Trust Relationships
Summary
3
Building and Installing Openswan
Building and Installing Openswan
Linux Distributions
Deciding on the Userland
Choosing the Kernel IPsec Stack
Binary Installation of the Openswan Userland
Building from Source
Building the Openswan Userland from Source
Binary Installation of KLIPS
Building KLIPS from Source
Building KLIPS into the Linux Kernel Source Tree
Verifying the Installation
Summary
4
Configuring IPsec
Configuring IPsec
Manual versus Automatic
PSK versus RSA
Pitfalls of Debugging IPsec
Pre-Flight Check
The ipsec livetest Command
Configuration of Openswan
Host-to-Host Tunnel
Connecting Subnets Through an IPsec Connection
Avoiding Duplication
KLIPS and the ipsecX Interfaces
Pre-Shared Keys (PSKs)
Dynamic IP Addresses
Connection Management
Subnet Extrusion
NAT Traversal
Dead Peer Detection
Ciphers and Algorithms
Aggressive Mode
XAUTH
Fine Tuning
Summary
5
X.509 Certificates
X.509 Certificates
X.509 Certificates Explained
Generating Certificates with OpenSSL
Creating X.509-based Connections
Using a Certificate Authority
Summary
6
Opportunistic Encryption
Opportunistic Encryption
History of Opportunistic Encryption
Trusting Third Parties
OE in a Nutshell
DNS Key Records
Policy Groups
Internal States
Configuring OE
Testing Your OE Setup
Manipulating OE Connections Manually
Advanced OE Setups
Caveats
Summary
7
Dealing with Firewalls
Dealing with Firewalls
Where to Firewall?
Allowing IPsec Traffic
Configuring the Firewall on the Openswan Host
Summary
8
Interoperating with Microsoft Windows and Apple Mac OS X
Interoperating with Microsoft Windows and Apple Mac OS X
Microsoft Windows
Mac OS X
Layer 2 Tunneling Protocol (L2TP)
Client and Server Configurations for L2TP/IPsec
Microsoft Windows XP L2TP Configuration
Microsoft Windows 2000 L2TP Configuration
Apple Mac OS X L2TP Configuration
Server Configuration for X.509 IPsec without L2TP
Client Configuration for X.509 IPsec without L2TP
Importing X.509 Certificates into Windows
Importing X.509 Certificates on Mac OS X (Tiger)
Summary
9
Interoperating with Other Vendors
Interoperating with Other Vendors
Openswan as a Client to an Appliance
Preparing the Interop
Frequently used VPN Gateways
Frequently used VPN Client Appliances
Aftercare
Summary
10
Encrypting the Local Network
Encrypting the Local Network
Methods of Encryption
Designing a Solution for Encrypting the LAN
WaveSEC
WaveSEC for Windows
Summary
11
Enterprise Implementation
Enterprise Implementation
Cipher Performance
Handling Thousands of Tunnels
Managing Large Configuration Files
Openswan Startup Time
Limitations of the Random Device
Other Performance-Enhancing Factors
Using Anycast
Summary
12
Debugging and Troubleshooting
Debugging and Troubleshooting
Do Not Lock Yourself Out!
Narrowing Down the Problem
Configuration Problems
Openswan Error Messages
Network Issues
Debugging IPsec on Apple Mac OS X
Debugging IPsec on Microsoft Windows
Software Bugs
Common IKE Error Messages
Using tcpdump to Debug IPsec
User Mode Linux Testing
Asking the Openswan Community for Help
Summary
Unresolved and Upcoming Issues
Unresolved and Upcoming Issues
Linux Kernel Developments
Kernel API Changes between 2.6.12 and 2.6.14
Red Hat Kernel Developments
Fedora Kernel Source/Headers Packaging Change
MD5 Insecurities
Discontinuation of Openswan 1 by the End of 2005
Update on UML Testing Suite Installation
Openswan GIT Repositories
Openswan on Windows and Mac OS X Updates
Known Outstanding Bugs
Vulnerability Fixes in Openswan 2.4.4
Networking 101
Networking 101
The OSI Model and the IP Model
No Layers, Just Packets
The Protocol
IP Network Overview
IP Address Management
The Old IP Classes
Classless IP Networks
The Definition of a Subnet
Calculating with Subnets: The Subnet Mask
The Rest of the Network
Linux Networking Commands
Routing
Routing Decisions
Peering
Network Address Translation
Port Forwarding
Openswan Resources on the Internet
Openswan Resources on the Internet
Openswan Links
Community Documentation
Generic Linux Distributions Containing Openswan
Specialized Linux Distributions Containing Openswan
IPsec-Related Requests For Comments (RFCs)
IPsec-Related Requests For Comments (RFCs)
Overview RFCs
Basic Protocols
Key Management
Procedural and Operational RFCs
Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
Dead Peer Detection RFCs
NAT-Traversal and UDP Encapsulation RFCs
RFCs for Secure DNS Service, which IPSEC May Use
RFCs Related to L2TP, Often Used in Combination with IPsec
RFCs on IPsec in Relation to Other Protocols
RFCs Not in Use or Implemented across Multiple Vendors

Vulnerability Fixes in Openswan 2.4.4

(or "A week in the life of the Openswan developers" )

When this book entered the final edit stage, we were at version 2.4.1. Two weeks later version 2.4.4 was out. With Openswan releases normally going out every few months, this is rather odd. We decided to write up our clarification in this appendix, as these events are truly the latest developments, and we could no longer update the texts in the regular chapters, as they had already gone into the final publishing stage.

On August 31 2005, Xelerance was notified by the UK's National Infrastructure Security Coordination Centre (NISCC) that a cross-vendor vulnerability had been found in various implementations of the IKE protocol. They could not tell if Openswan was vulnerable, since they did not test it. They required us to sign a "Social Contract" that included terms that the Openswan developers could not agree to.

The biggest problem was that the Openswan developers could not disclose any information about this vulnerability, until NISCC chose to go public themselves, yet no deadline was given for a publication date. This limitation meant that developers could not even fix the bug until the announcement, since Openswan is open-source software. Any change in the code is automatically published, and would disclose the vulnerability information. NISCC said they would likely publish the vulnerability on October 31 2005 but could not make any hard guarantees. No contract was signed.

October 31 came and passed. Then we were told this vulnerability would be disclosed in January, since a large vendor needed more time to repair its IPsec devices. Meanwhile, Openswan developers still did not know whether they were vulnerable or not.

On November 14, NISCC and CERT-FI, the Finnish CERT department, released the vulnerability information including a substantial test suite written by the University of Oulu, Finland. This was probably the worst timing they could have done, since the week before a lot of IPsec developers, including some of the Openswan developers, had been at the IETF meeting in Vancouver, Canada, and were still traveling back home. Even worse was that Openswan developers were not notified beforehand (nor in fact, afterwards). They were given a "0-day exploit" by a National Security organization who had been sitting on this bug for months.

The developers scrambled to run the test suite, which alone took over three hours to run, since it consisted of 5000 test cases that had to run sequentially. They then decided to release Openswan 2.4.2 late that same day, even though it only fixed one of the two bugs that had been encountered. A day later, Openswan 2.4.3 was created, but it turned out to be a dud—the second bug was not properly fixed, and this version was pulled from the web and FTP servers. On November 18, Openswan 2.4.4 was released that properly fixed the second bug.

Looking back after the events, the vulnerabilities were not as shocking as first assumed. The Openswan code actually caught the bogus packets in a controlled matter, in the 'assertion' functions, meaning no buffer overflows or other methods to inject malicious code were ever possible with these exploits. Furthermore, it turned out these two bugs were only triggered in Phase 2, meaning one had to know the shared secret (PSK) to perform an attack. Furthermore, one of the two bugs required Aggressive Mode as well. Aggressive Mode is really only used to talk to Cisco routers, and is hardly used with Openswan at all. The only attack vector for a malicious attacker could be someone from within the organization, severely limiting the impact of these bugs. None of this is discussed in the vulnerability release, nor in the updates that NISCC has since issued.

For more details, see the announcements of Openswan 2.4.3 and Openswan 2.4.4 and our public response to the NISCC vulnerability announcement. These texts can be read at:

http://www.openswan.org/niscc2/

http://lists.openswan.org/pipermail/announce/2005-November/000008.html

http://lists.openswan.org/pipermail/announce/2005-November/000009.html

Previous Section
End of Chapter
Next Chapter