L19. Linux VPN. Brian Dolan-Goecke. Atlanta, Georgia. October 8-12, 2001. Brian Dolan-Goecke. Contact. Email: [email protected] WebSite: www.Goecke -Dolan.com/Brian Phone: (612) 759-0967. Linux VPN. We will explain and build a basic Virtual Private Network (VPN) on Linux.
L19

Linux VPN

Brian Dolan-Goecke

Atlanta, Georgia

October 8-12, 2001



Contact

  • Email: [email protected]

  • WebSite: www.Goecke-Dolan.com/Brian

  • Phone: (612) 759-0967


Linux VPN

  • We will explain and build a basic Virtual Private Network (VPN) on Linux.

  • We will begin this session by looking at VPNs and how they work. Then we will investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.


Session Objectives

Issues to consider when building a VPN

- How it works

- What is needed

- What technology to use

Some Linux VPN options

Build a basic VPN


VPN Definition

  • Virtual Private Network

  • A secure network connection across an insecure network.


VPN Definition

  • Virtual Private Network

  • (VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.

  • Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.

  • Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.

  • Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.

  • Cisco. (1999-11-15)



Connection Type

Typical Internet Connection

Traditional Remote Corporate Connection

VPN Remote Corporate Connection

Detailed VPN Connection






How Does It Work?

  1) A host encrypts the network packets and encapsulates them inside other network packets.

  2) The packets are transmitted to a remote host via an insecure network.

  3) The remote host de-encapsulates and decrypts the network packets.

  4) The original network packets are then forwarded to the local network.



Why Have a VPN

Secure access to corporate resources

Fast access

Less expensive infrastructure

Easier access to corporate resources

One connection for Internet and corporate


Why Not to Have a VPN

Higher cost of administration

Can make your site more visible

Need to be more security proactive

Large possible security risk

Requires more powerful systems


What Is Needed?

Host Computers

Network Connections

VPN Software



Available Linux VPNs

  • Low Cost (Free) Solutions

    GRE

    CIPE

    IPIP

    PPTP

    SSH port forwarding

    IPSec


Available Linux VPNs

  • Non-Free Solutions

    AltaVista Tunnel

    CheckPoint FireWall-1

    IPSec

    Many More...


VPN We Will Investigate

  • GRE

  • CIPE

  • IPSec

  • PPTP


Linux GRE

  • Developed by: Cisco

  • Available from: Part of standard Linux Kernel tarball

  • Resources: RFC 2401 (and more...)


Linux GRE

  • Advantages

    Free

    Comes with Linux Kernel tarball

    Works with Cisco routers

    Tried and tested

    Can work through Masq/NAT

    Works with IPv6


Linux GRE

  • Disadvantages

    No encryption


Linux CIPE

  • Developed by: Olaf Titz

  • Available at: http://sites.inka.de/~bigred/devel/cipe.html

  • Resources: http://sites.inka.de/~bigred/devel/cipe.html


Linux CIPE

  • Advantages

    Built for VPN

    Can use Blowfish or PKE encryption

    Works through/with SOCKS, NAT, Dynamic IP

    Free


Linux CIPE

  • Disadvantages

    Uses UDP (for good reason)

    Seems slow now and then

    Only works for IPv4


Linux IPSec

  • Developed by: FreeS/WAN (Linux Version)

  • Available at: http://www.freeswan.org/download.html

  • Resources: http://www.freeswan.org


IPSec

Advantages

Should work across platform/vendors/devices

Will work with IPv6


IPSec

Disadvantages

Difficult to implement

Has problems with NAT/Masq

Problems with authentication


Linux PPTP

  • Developed by: Matthew Ramsay, Kevin Thayer, David Luyer, Patrick LoPresti, Philip Van Baren, Peter Galbavy and more

  • Available at: http://poptop.lineo.com/download_pptp.html

  • Resources: http://poptop.lineo.com/


Linux PPTP

Advantages

Compatible with Microsoft

Can be server or client


Linux PPTP

Disadvantages

Compatible with Microsoft

Has some security holes



VPNs to Create

  • GRE

  • CIPE


Need

Software

IP and Network Address

IPChains config

Routing


Tools We Will Use

ifconfig

route

ipchains


VPN Basics

Define devices

Create devices

Connect devices

Adjust routing/ipchains


GRE Steps

Determine IP addresses & network

Load module

Configure GRE tunnel

Set up routing

Modify IPChains
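The GRE steps above as one shell script, added here as an example and not taken from the slides. It assumes iproute2's `ip tunnel` command is available (there is no ifconfig equivalent for creating a GRE device) alongside the deck's ifconfig, route and ipchains; every address in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): the GRE steps as one script.
# Assumes iproute2's "ip tunnel" is installed; all addresses are placeholders.
# Commands are only printed unless the script is run as root with RUN=1.
LOCAL_PUBLIC=${LOCAL_PUBLIC:-203.0.113.10}     # our Internet-facing address
REMOTE_PUBLIC=${REMOTE_PUBLIC:-198.51.100.20}  # peer's Internet-facing address
TUNNEL_LOCAL=${TUNNEL_LOCAL:-10.9.0.1}         # our end of the tunnel
TUNNEL_REMOTE=${TUNNEL_REMOTE:-10.9.0.2}       # peer's end of the tunnel
REMOTE_NET=${REMOTE_NET:-192.168.2.0}          # LAN behind the peer
REMOTE_MASK=${REMOTE_MASK:-255.255.255.0}

run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

gre_up() {
    # Load module
    run modprobe ip_gre
    # Configure GRE tunnel: outer (Internet) addresses, then the inner point-to-point pair
    run ip tunnel add gre1 mode gre local "$LOCAL_PUBLIC" remote "$REMOTE_PUBLIC" ttl 255
    run ifconfig gre1 "$TUNNEL_LOCAL" pointopoint "$TUNNEL_REMOTE" up
    # Set up routing: the peer's LAN is reached through the tunnel
    run route add -net "$REMOTE_NET" netmask "$REMOTE_MASK" dev gre1
    # Modify IPChains: accept GRE (IP protocol 47) from the peer only and log/deny
    # other GRE; on the tunnel device accept only packets sourced from the peer's LAN
    run ipchains -A input -p 47 -s "$REMOTE_PUBLIC" -d "$LOCAL_PUBLIC" -j ACCEPT
    run ipchains -A input -p 47 -j DENY -l
    run ipchains -A input -i gre1 -s "$REMOTE_NET/$REMOTE_MASK" -j ACCEPT
    run ipchains -A input -i gre1 -j DENY -l
}

gre_up
```

GRE carries the inner packets in the clear, as the Disadvantages slide says, so these rules only control who can inject into the tunnel; they do not make it private.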


CIPE Steps

Determine IP addresses & network

Download software

Compile software

Configure software

Load module

Start ciped daemon

Set up routing

Modify IPChains


CIPE Notes

Can handle up to 99 devices

Auto-creates devices

Use "device ciped0" option in config file


CIPE Config File

    #/etc/cipe/options
    # Surprise, this file allows comments (but only on a line by themselves)
    debug=yes
    # This is probably the minimal set of options that has to be set
    # Without a "device" line, the device is picked dynamically
    device ciped
    # the peer's IP address
    ptpaddr 10.2.13.1
    # our CIPE device's IP address
    ipaddr 192.168.13.1
    # my UDP address. Note: if you set port 0 here, the system will pick
    # one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
    #me bigred.inka.de:6789
    me 127.0.0.1:2048
    # ...and the UDP address we connect to. Of course no wildcards here.
    #peer blackforest.inka.de:6543
    peer 192.172.18.34:2048
    # The static key. Keep this file secret!
    # The key is 128 bits in hexadecimal notation.
    key 3333fd20adf9c0ccf9eff2393bbb3e41
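A pre-flight check for the options file above and the "Configure software" and "Modify IPChains" steps of the CIPE procedure, added here as an example that is not part of CIPE or the slides. It assumes the one `name value` per line syntax shown in the file, and demo() writes a constructed copy of the sample to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the slides or CIPE): sanity checks on an options file
# before starting ciped. demo() writes a constructed sample to a temp dir.
check_cipe_options() {
    f=$1; rc=0
    # The file holds the static key, so group/other permission bits must be off
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "WARN: $f is readable by group/others; chmod 600 it"; rc=1 ;;
    esac
    # The minimal set the file's own comments call for (device is optional)
    for opt in ptpaddr ipaddr me peer key; do
        grep -Eq "^[[:space:]]*$opt[[:space:]]+[^[:space:]]" "$f" ||
            { echo "ERR: option '$opt' is missing"; rc=1; }
    done
    # The static key must be exactly 128 bits: 32 hex digits and nothing else
    grep -Eq '^[[:space:]]*key[[:space:]]+[0-9a-fA-F]{32}[[:space:]]*$' "$f" ||
        { echo "ERR: key is not 32 hex digits"; rc=1; }
    # "me" is the UDP address the peer sends to; loopback can never be reached
    if grep -Eq '^[[:space:]]*me[[:space:]]+127\.' "$f"; then
        echo "WARN: 'me' is a loopback address; the peer cannot reach it"; rc=1
    fi
    # The "Modify IPChains" step should admit exactly these two UDP endpoints
    peer=$(awk '$1=="peer"{print $2; exit}' "$f")
    me=$(awk '$1=="me"{print $2; exit}' "$f")
    [ -n "$peer" ] && [ -n "$me" ] &&
        echo "ipchains -A input -p udp -s ${peer%%:*} ${peer##*:} -d 0/0 ${me##*:} -j ACCEPT"
    return $rc
}

demo() {
    me_value=$1   # the "me" line to try, e.g. 127.0.0.1:2048 (the slide's value)
    d=$(mktemp -d); f=$d/options
    printf '%s\n' "device ciped" "ptpaddr 10.2.13.1" "ipaddr 192.168.13.1" \
        "me $me_value" "peer 192.172.18.34:2048" \
        "key 3333fd20adf9c0ccf9eff2393bbb3e41" > "$f"
    chmod 600 "$f"
    check_cipe_options "$f"; rc=$?
    rm -rf "$d"; return $rc
}
```

With the slide's `me 127.0.0.1:2048` the check fails on the loopback warning; with a routable address it passes and prints the ipchains rule to add.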


Other Issues

  • DNS

  • Broadcast or Not

  • Authentication


Resources

  • Linux Docs -- www.linuxdoc.org

    - Linux Route2 HowTo

    - Linux Masquerade HowTo

    - Linux VPN HowTo

    - Linux Network Administrators Guide (NAG)

  • Virtual Private Network Consortium -- www.vpnc.org

  • FreeS/WAN IPSec -- www.freeswan.org


Books

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks

By Naganand Doraswamy & Dan Harkins

Prentice Hall, 1999

www.phptr.com

Virtual Private Networks, 2nd Edition

By Charlie Scott, Paul Wolfe & Mike Erwin

2nd Edition December 1998

www.ora.com


Version Info

Brian Dolan-Goecke

[email protected]

http://www.goecke-dolan.com/Brian/Presentations

Linux VPN Presentation

Version 1.4

10/10/2001

