Book Image

Openswan: Building and Integrating Virtual Private Networks

By : Ken Bantoft, Paul Wouters
Book Image

Openswan: Building and Integrating Virtual Private Networks

By: Ken Bantoft, Paul Wouters

Overview of this book

<p>With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDA's and mobile phones, there is a growing desire for encrypting more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3's at home? IPsec is the industry standard for encrypted communication, and Openswan is the de-facto implementation of IPsec for Linux.</p> <p>Whether you are just connecting your home DSL connection with your laptop when you're on the road to access your files at home, or you are building an industry size, military strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.</p> <p>The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway to deploy IPsec using Openswan. It not only for Linux clients, but also the more commonly used Operating Systems such as Microsoft Windows and MacOSX. Furthermore it discusses common interoperability examples for third party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.</p> <p>The authors bring you first hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not so successful uses of Openswan by people worldwide.</p>

Related Content you might be interested in

Current Title:

Small book image
Openswan: Building and Integrating Virtual Private Networks
Ken Bantoft | Paul Wouters
Feb, 2006 | 360 pages
No titles found
Table of Contents (22 chapters)
Building and Integrating Virtual Private Networks with Openswan
Building and Integrating Virtual Private Networks with Openswan
Credits
Credits
About the Authors
About the Authors
Acknowledgements
Acknowledgements
About the Reviewers
About the Reviewers
Preface
Preface
Free Chapter
1
Introduction
Introduction
The Need for Cryptography
A History of the Internet
History of Internet Engineering
The War on Crypto
Free Software
The History of Openswan
Using Openswan
Summary
2
Practical Overview of the IPsec Protocol
Practical Overview of the IPsec Protocol
A Very Brief Overview of Cryptography
IPsec: A Suite of Protocols
Kernel Mode: Packet Handling
Usermode: Handling the Trust Relationships
Summary
3
Building and Installing Openswan
Building and Installing Openswan
Linux Distributions
Deciding on the Userland
Choosing the Kernel IPsec Stack
Binary Installation of the Openswan Userland
Building from Source
Building the Openswan Userland from Source
Binary Installation of KLIPS
Building KLIPS from Source
Building KLIPS into the Linux Kernel Source Tree
Verifying the Installation
Summary
4
Configuring IPsec
Configuring IPsec
Manual versus Automatic
PSK versus RSA
Pitfalls of Debugging IPsec
Pre-Flight Check
The ipsec livetest Command
Configuration of Openswan
Host-to-Host Tunnel
Connecting Subnets Through an IPsec Connection
Avoiding Duplication
KLIPS and the ipsecX Interfaces
Pre-Shared Keys (PSKs)
Dynamic IP Addresses
Connection Management
Subnet Extrusion
NAT Traversal
Dead Peer Detection
Ciphers and Algorithms
Aggressive Mode
XAUTH
Fine Tuning
Summary
5
X.509 Certificates
X.509 Certificates
X.509 Certificates Explained
Generating Certificates with OpenSSL
Creating X.509-based Connections
Using a Certificate Authority
Summary
6
Opportunistic Encryption
Opportunistic Encryption
History of Opportunistic Encryption
Trusting Third Parties
OE in a Nutshell
DNS Key Records
Policy Groups
Internal States
Configuring OE
Testing Your OE Setup
Manipulating OE Connections Manually
Advanced OE Setups
Caveats
Summary
7
Dealing with Firewalls
Dealing with Firewalls
Where to Firewall?
Allowing IPsec Traffic
Configuring the Firewall on the Openswan Host
Summary
8
Interoperating with Microsoft Windows and Apple Mac OS X
Interoperating with Microsoft Windows and Apple Mac OS X
Microsoft Windows
Mac OS X
Layer 2 Tunneling Protocol (L2TP)
Client and Server Configurations for L2TP/IPsec
Microsoft Windows XP L2TP Configuration
Microsoft Windows 2000 L2TP Configuration
Apple Mac OS X L2TP Configuration
Server Configuration for X.509 IPsec without L2TP
Client Configuration for X.509 IPsec without L2TP
Importing X.509 Certificates into Windows
Importing X.509 Certificates on Mac OS X (Tiger)
Summary
9
Interoperating with Other Vendors
Interoperating with Other Vendors
Openswan as a Client to an Appliance
Preparing the Interop
Frequently used VPN Gateways
Frequently used VPN Client Appliances
Aftercare
Summary
10
Encrypting the Local Network
Encrypting the Local Network
Methods of Encryption
Designing a Solution for Encrypting the LAN
WaveSEC
WaveSEC for Windows
Summary
11
Enterprise Implementation
Enterprise Implementation
Cipher Performance
Handling Thousands of Tunnels
Managing Large Configuration Files
Openswan Startup Time
Limitations of the Random Device
Other Performance-Enhancing Factors
Using Anycast
Summary
12
Debugging and Troubleshooting
Debugging and Troubleshooting
Do Not Lock Yourself Out!
Narrowing Down the Problem
Configuration Problems
Openswan Error Messages
Network Issues
Debugging IPsec on Apple Mac OS X
Debugging IPsec on Microsoft Windows
Software Bugs
Common IKE Error Messages
Using tcpdump to Debug IPsec
User Mode Linux Testing
Asking the Openswan Community for Help
Summary
Unresolved and Upcoming Issues
Unresolved and Upcoming Issues
Linux Kernel Developments
Kernel API Changes between 2.6.12 and 2.6.14
Red Hat Kernel Developments
Fedora Kernel Source/Headers Packaging Change
MD5 Insecurities
Discontinuation of Openswan 1 by the End of 2005
Update on UML Testing Suite Installation
Openswan GIT Repositories
Openswan on Windows and Mac OS X Updates
Known Outstanding Bugs
Vulnerability Fixes in Openswan 2.4.4
Networking 101
Networking 101
The OSI Model and the IP Model
No Layers, Just Packets
The Protocol
IP Network Overview
IP Address Management
The Old IP Classes
Classless IP Networks
The Definition of a Subnet
Calculating with Subnets: The Subnet Mask
The Rest of the Network
Linux Networking Commands
Routing
Routing Decisions
Peering
Network Address Translation
Port Forwarding
Openswan Resources on the Internet
Openswan Resources on the Internet
Openswan Links
Community Documentation
Generic Linux Distributions Containing Openswan
Specialized Linux Distributions Containing Openswan
IPsec-Related Requests For Comments (RFCs)
IPsec-Related Requests For Comments (RFCs)
Overview RFCs
Basic Protocols
Key Management
Procedural and Operational RFCs
Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
Dead Peer Detection RFCs
NAT-Traversal and UDP Encapsulation RFCs
RFCs for Secure DNS Service, which IPSEC May Use
RFCs Related to L2TP, Often Used in Combination with IPsec
RFCs on IPsec in Relation to Other Protocols
RFCs Not in Use or Implemented across Multiple Vendors

Detailed RFCs on Specific Cryptographic Algorithms and Ciphers

RFC 1321

The MD5 Message-Digest Algorithm

RFC 1828

IP Authentication using Keyed MD5

RFC 1829

The ESP DES-CBC Transform

RFC 1851

The ESP Triple DES Transform

RFC 1852

IP Authentication using Keyed SHA

RFC 2085

HMAC-MD5 IP Authentication with Replay Prevention

RFC 2104

HMAC: Keyed-Hashing for Message Authentication

RFC 2202

Test Cases for HMAC-MD5 and HMAC-SHA-1

RFC 2403

The Use of HMAC-MD5-96 within ESP and AH

RFC 2404

The Use of HMAC-SHA-1-96 within ESP and AH

RFC 2405

The ESP DES-CBC Cipher Algorithm With Explicit IV

RFC 2410

The NULL Encryption Algorithm and Its Use With IPsec

RFC 2451

The ESP CBC-Mode Cipher Algorithms

RFC 2521

ICMP Security Failures Messages

RFC 3566

The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

RFC 3602

The AES-CBC Cipher Algorithm and Its Use with IPsec

RFC 3686

Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)

RFC 4196

The SEED Cipher Algorithm and Its Use with IPsec

RFC 4106

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

RFC 4305

Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

RFC 4307

Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)

RFC 4308

Cryptographic Suites for IPsec

RFC 4309

Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)

Previous Section
End of Section
Next Section