Book Image

Openswan: Building and Integrating Virtual Private Networks

By : Ken Bantoft, Paul Wouters
Book Image

Openswan: Building and Integrating Virtual Private Networks

By: Ken Bantoft, Paul Wouters

Overview of this book

<p>With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDA's and mobile phones, there is a growing desire for encrypting more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3's at home? IPsec is the industry standard for encrypted communication, and Openswan is the de-facto implementation of IPsec for Linux.</p> <p>Whether you are just connecting your home DSL connection with your laptop when you're on the road to access your files at home, or you are building an industry size, military strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.</p> <p>The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway to deploy IPsec using Openswan. It not only for Linux clients, but also the more commonly used Operating Systems such as Microsoft Windows and MacOSX. Furthermore it discusses common interoperability examples for third party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.</p> <p>The authors bring you first hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not so successful uses of Openswan by people worldwide.</p>

Related Content you might be interested in

Current Title:

Small book image
Openswan: Building and Integrating Virtual Private Networks
Ken Bantoft | Paul Wouters
Feb, 2006 | 360 pages
No titles found
Table of Contents (22 chapters)
Building and Integrating Virtual Private Networks with Openswan
Building and Integrating Virtual Private Networks with Openswan
Credits
Credits
About the Authors
About the Authors
Acknowledgements
Acknowledgements
About the Reviewers
About the Reviewers
Preface
Preface
Free Chapter
1
Introduction
Introduction
The Need for Cryptography
A History of the Internet
History of Internet Engineering
The War on Crypto
Free Software
The History of Openswan
Using Openswan
Summary
2
Practical Overview of the IPsec Protocol
Practical Overview of the IPsec Protocol
A Very Brief Overview of Cryptography
IPsec: A Suite of Protocols
Kernel Mode: Packet Handling
Usermode: Handling the Trust Relationships
Summary
3
Building and Installing Openswan
Building and Installing Openswan
Linux Distributions
Deciding on the Userland
Choosing the Kernel IPsec Stack
Binary Installation of the Openswan Userland
Building from Source
Building the Openswan Userland from Source
Binary Installation of KLIPS
Building KLIPS from Source
Building KLIPS into the Linux Kernel Source Tree
Verifying the Installation
Summary
4
Configuring IPsec
Configuring IPsec
Manual versus Automatic
PSK versus RSA
Pitfalls of Debugging IPsec
Pre-Flight Check
The ipsec livetest Command
Configuration of Openswan
Host-to-Host Tunnel
Connecting Subnets Through an IPsec Connection
Avoiding Duplication
KLIPS and the ipsecX Interfaces
Pre-Shared Keys (PSKs)
Dynamic IP Addresses
Connection Management
Subnet Extrusion
NAT Traversal
Dead Peer Detection
Ciphers and Algorithms
Aggressive Mode
XAUTH
Fine Tuning
Summary
5
X.509 Certificates
X.509 Certificates
X.509 Certificates Explained
Generating Certificates with OpenSSL
Creating X.509-based Connections
Using a Certificate Authority
Summary
6
Opportunistic Encryption
Opportunistic Encryption
History of Opportunistic Encryption
Trusting Third Parties
OE in a Nutshell
DNS Key Records
Policy Groups
Internal States
Configuring OE
Testing Your OE Setup
Manipulating OE Connections Manually
Advanced OE Setups
Caveats
Summary
7
Dealing with Firewalls
Dealing with Firewalls
Where to Firewall?
Allowing IPsec Traffic
Configuring the Firewall on the Openswan Host
Summary
8
Interoperating with Microsoft Windows and Apple Mac OS X
Interoperating with Microsoft Windows and Apple Mac OS X
Microsoft Windows
Mac OS X
Layer 2 Tunneling Protocol (L2TP)
Client and Server Configurations for L2TP/IPsec
Microsoft Windows XP L2TP Configuration
Microsoft Windows 2000 L2TP Configuration
Apple Mac OS X L2TP Configuration
Server Configuration for X.509 IPsec without L2TP
Client Configuration for X.509 IPsec without L2TP
Importing X.509 Certificates into Windows
Importing X.509 Certificates on Mac OS X (Tiger)
Summary
9
Interoperating with Other Vendors
Interoperating with Other Vendors
Openswan as a Client to an Appliance
Preparing the Interop
Frequently used VPN Gateways
Frequently used VPN Client Appliances
Aftercare
Summary
10
Encrypting the Local Network
Encrypting the Local Network
Methods of Encryption
Designing a Solution for Encrypting the LAN
WaveSEC
WaveSEC for Windows
Summary
11
Enterprise Implementation
Enterprise Implementation
Cipher Performance
Handling Thousands of Tunnels
Managing Large Configuration Files
Openswan Startup Time
Limitations of the Random Device
Other Performance-Enhancing Factors
Using Anycast
Summary
12
Debugging and Troubleshooting
Debugging and Troubleshooting
Do Not Lock Yourself Out!
Narrowing Down the Problem
Configuration Problems
Openswan Error Messages
Network Issues
Debugging IPsec on Apple Mac OS X
Debugging IPsec on Microsoft Windows
Software Bugs
Common IKE Error Messages
Using tcpdump to Debug IPsec
User Mode Linux Testing
Asking the Openswan Community for Help
Summary
Unresolved and Upcoming Issues
Unresolved and Upcoming Issues
Linux Kernel Developments
Kernel API Changes between 2.6.12 and 2.6.14
Red Hat Kernel Developments
Fedora Kernel Source/Headers Packaging Change
MD5 Insecurities
Discontinuation of Openswan 1 by the End of 2005
Update on UML Testing Suite Installation
Openswan GIT Repositories
Openswan on Windows and Mac OS X Updates
Known Outstanding Bugs
Vulnerability Fixes in Openswan 2.4.4
Networking 101
Networking 101
The OSI Model and the IP Model
No Layers, Just Packets
The Protocol
IP Network Overview
IP Address Management
The Old IP Classes
Classless IP Networks
The Definition of a Subnet
Calculating with Subnets: The Subnet Mask
The Rest of the Network
Linux Networking Commands
Routing
Routing Decisions
Peering
Network Address Translation
Port Forwarding
Openswan Resources on the Internet
Openswan Resources on the Internet
Openswan Links
Community Documentation
Generic Linux Distributions Containing Openswan
Specialized Linux Distributions Containing Openswan
IPsec-Related Requests For Comments (RFCs)
IPsec-Related Requests For Comments (RFCs)
Overview RFCs
Basic Protocols
Key Management
Procedural and Operational RFCs
Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
Dead Peer Detection RFCs
NAT-Traversal and UDP Encapsulation RFCs
RFCs for Secure DNS Service, which IPSEC May Use
RFCs Related to L2TP, Often Used in Combination with IPsec
RFCs on IPsec in Relation to Other Protocols
RFCs Not in Use or Implemented across Multiple Vendors

Network Address Translation

Every host on the Internet has to have a unique routable IP address, or else it would not be considered a host on the Internet. For various reasons, people have started to use tricks to get more IP addresses. ISPs often give an end user only one IP address, while those end users want to connect more than one computer. The trick mostly deployed now is Network Address Translation (NAT, sometimes also called NAPT). The end user connects these computers together using internal IP addresses. On the machine that is actually connected to the Internet, which could be a phone, cable or DSL line, the real globally routable IP address is configured. This is the IP address that everyone on the Internet can talk to. The address is given out by the ISP.

This computer, technically speaking now acting as a router, takes incoming packets from the LAN's private IP addresses, and rewrites these packets so they appear to come from its own real IP address. It remembers which local machine these packets were translated for. When the remote machine it were trying to reach answers, that machine thinks it is talking to the router. Once the router receives the response packet, it matches it with the list of local computers and their network connections, and translates the destination IP address back to the local machine's private IP address and sends the packets onto the local network.

Of course, there is one problem. A remote machine cannot reach the local machine behind the router, since it has no public routable IP address. It cannot just connect to the public IP address either, because the router would have no idea for whom this packet was intended, since no local machine has initiated the communication.

People began to see this as more than a shortcoming. After all, this setup is ideal for protecting those internal machines. Since the world cannot reach them, no hackers or viruses could ever reach them either. It sort of works like a firewall, and this is why you often see NAT and firewalls combined on one device. All common DSL and cable modem routers can do NAT and firewalling.

Previous Section
End of Section
Next Section