
Linux VPN

Brian Dolan-Goecke

Atlanta, Georgia

October 8-12, 2001

  • Email:
  • WebSite:
  • Phone: (612) 759-0967
Linux VPN
  • We will explain and build a basic Virtual Private Network (VPN) on Linux.
  • We will begin this session looking at VPNs and how they work. Then investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.
Session Objectives
  • Issues to consider when building a VPN
    - How it works
    - What is needed
    - What technology to use
  • Some Linux VPN options
  • Build a basic VPN

VPN Definition
  • Virtual Private Network
  • A secure network connection across an insecure network.
VPN Definition
  • Virtual Private Network
  • (VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.
  • Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.
  • Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.
  • Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.
  • Cisco. (1999-11-15)
Connection Type
  • Typical Internet Connection
  • Traditional Remote Corporate Connection
  • VPN Remote Corporate Connection
  • Detailed VPN Connection

How Does It Work ?
  • 1) A host encrypts and encapsulates network packets in network packets.
  • 2) Packets are transmitted to a remote host, via an insecure network.
  • 3) The remote host will de-encapsulate and decrypt the network packets.
  • 4) The original network packets are then forwarded to the local network.
Why Have a VPN
  • Secure access to corporate resources
  • Fast access
  • Less expensive infrastructure
  • Easier access to corporate resources
  • One connection for Internet and corporate

Why Not to Have a VPN
  • Higher cost of administration
  • Can make your site more visible
  • Need to be more security proactive
  • Large possible security risk
  • Requires more powerful systems

What is Needed ?
  • Host Computers
  • Network Connections
  • VPN Software

Available Linux VPNs
  • Low Cost (Free) Solutions
  • GRE
  • CIPE
  • IPIP
  • PPTP
  • SSH port forwarding
  • IPSec
Available Linux VPNs
  • Non-Free Solutions
  • AltaVista Tunnel
  • CheckPoint FireWall-1
  • IPSec
  • Many More...
VPN We Will Investigate
  • GRE
  • CIPE
  • IPSec
  • PPTP
Linux GRE
  • Developed by:
  • Cisco
  • Available from:
  • Part of standard Linux Kernel tarball
  • Resources:
  • RFC 2401 (and more...)
Linux GRE
  • Advantages
    - Comes with Linux Kernel tarball
    - Works with Cisco routers
    - Tried and tested
    - Can work through Masq/NAT
    - Works with IPv6

Linux GRE
  • Disadvantages
    - No encryption
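As an added illustration of steps 1 and 3 of "How Does It Work?" and of the GRE disadvantage just listed (example code written for this transcript, not code from the talk), here is a minimal GRE-over-IPv4 encapsulator and decapsulator. The addresses and payload are constructed samples; the point it shows is that GRE carries the inner packet in the clear.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header, no options, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Step 1 of the talk: wrap a network packet inside a network packet.
    Basic GRE header = 2 bytes flags/version (all zero) + 2 bytes protocol type."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(outer_src, outer_dst, GRE_PROTO, gre_hdr + inner)

def gre_decapsulate(outer: bytes) -> bytes:
    """Step 3: strip the outer IP header and the GRE header, return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol 47)")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE options or non-IPv4 payload not handled here")
    return outer[ihl + 4:]

def demo():
    # Constructed sample: a private-network packet with a plaintext payload,
    # tunnelled between two public endpoints (RFC 5737 documentation addresses).
    inner = ipv4_packet("10.0.1.5", "10.0.2.7", 17, b"payroll: SECRET")
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.9")
    # The GRE disadvantage from the slide: nothing is encrypted, so the inner
    # payload is readable by anyone who captures the outer packet in transit.
    exposed = b"SECRET" in outer
    return inner, outer, exposed
```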

Linux CIPE
  • Developed by:
  • Olaf Titz
  • Available at:
  • Resources:
Linux CIPE
  • Advantages
    - Built for VPN
    - Can use Blowfish or PKE encryption
    - Works through/with SOCKS, NAT, Dynamic IP


Linux CIPE
  • Disadvantages
    - Uses UDP (for good reason)
    - Seems slow now and then
    - Only works for IPv4

Linux IPSec
  • Developed by:
  • FreeS/WAN (Linux Version)
  • Available at:
  • Resources:

Linux IPSec
  • Advantages
    - Should work across platforms/vendors/devices
    - Will work with IPv6

Linux IPSec
  • Disadvantages
    - Difficult to implement
    - Has problems with NAT/Masq
    - Problems with authentication

Linux PPTP
  • Developed by:
  • Matthew Ramsay, Kevin Thayer, David Luyer,
  • Patrick LoPresti, Philip Van Baren, Peter Galbavy
  • and more
  • Available at:
  • Resources:
Linux PPTP
  • Advantages
    - Compatible with Microsoft
    - Can be server or client

Linux PPTP
  • Disadvantages
    - Compatible with Microsoft
    - Has some security holes

  • IP and Network Address
  • IPChains config


Tools We Will Use

VPN Basics
  • Define devices
  • Create devices
  • Connect devices
  • Adjust routing/ipchains

GRE Steps
  • 1) Determine IP addresses & network
  • 2) Load module
  • 3) Configure GRE tunnel
  • 4) Set up routing
  • 5) Modify IPChains

CIPE Steps
  • 1) Determine IP addresses & network
  • 2) Download software
  • 3) Compile software
  • 4) Configure software
  • 5) Load module
  • 6) Start ciped daemon
  • 7) Set up routing
  • 8) Modify IPChains

CIPE Notes
  • Can handle up to 99 devices
  • Auto-creates devices
  • Use "device ciped0" option in config file

CIPE Config File

    # Surprise, this file allows comments (but only on a line by themselves)

    # This is probably the minimal set of options that has to be set
    # Without a "device" line, the device is picked dynamically
    device ciped

    # the peer's IP address

    # our CIPE device's IP address

    # my UDP address. Note: if you set port 0 here, the system will pick
    # one and tell it to you via the ip-up script. Same holds for IP

    # ...and the UDP address we connect to. Of course no wildcards here.

    # The static key. Keep this file secret!
    # The key is 128 bits in hexadecimal notation.
    key 3333fd20adf9c0ccf9eff2393bbb3e41
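As an added example (not from the talk or from the CIPE project), a small Python parser and sanity checker for an options file in the format above. It enforces the rules the file's comments state: comments only on lines by themselves, a 128-bit hex key, and no wildcard port on the peer side. The option names other than device and key are assumptions, and the sample file is constructed.

```python
import re

# Option names: "device" and "key" appear in the talk's config file; the
# endpoint options (ptpaddr, ipaddr, me, peer) are assumed names for the
# addresses the file's comments describe.
REQUIRED = ("device", "ptpaddr", "ipaddr", "me", "peer", "key")

# Constructed sample options file (addresses are RFC 5737 documentation ranges).
SAMPLE = """\
# comments are only allowed on lines by themselves
device ciped0
ptpaddr 10.0.2.1
ipaddr 10.0.1.1
me 198.51.100.1:0
peer 203.0.113.9:6789
key 3333fd20adf9c0ccf9eff2393bbb3e41
"""

def parse_cipe_options(text: str) -> dict:
    """One 'option value' per line; a line is a comment only if it starts
    with '#', so a trailing '# ...' after a value becomes part of the value."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: option without a value: {raw!r}")
        opts[parts[0]] = parts[1].strip()
    return opts

def check_cipe_options(opts: dict) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    problems = [f"missing option: {n}" for n in REQUIRED if n not in opts]
    key = opts.get("key", "")
    if key and not re.fullmatch(r"[0-9a-fA-F]{32}", key):
        problems.append("key must be 128 bits (32 hex digits)")
    for name in ("me", "peer"):
        val = opts.get(name)
        if val is None:
            continue
        host, sep, port = val.rpartition(":")
        if not sep or not host or not port.isdigit():
            problems.append(f"{name} must be host:port")
        elif name == "peer" and int(port) == 0:
            # port 0 on "me" lets the system pick; the peer side allows no wildcards
            problems.append("peer port cannot be 0 (no wildcards on the peer side)")
    return problems
```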

Other Issues
  • DNS
  • Broadcast or Not
  • Authentication

Resources
  • Linux Docs --
    - Linux Route2 HowTo
    - Linux Masquerade HowTo
    - Linux VPN HowTo
    - Linux Network Administrators Guide (NAG)
  • Virtual Private Network Consortium --
  • FreeS/WAN IPSec --
  • IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, by Naganand Doraswamy & Dan Harkins, Prentice Hall, 1999
  • Virtual Private Networks, 2nd Edition, by Charlie Scott, Paul Wolfe & Mike Erwin, December 1998
Version Info
  • Brian Dolan-Goecke
  • Linux VPN Presentation
  • Version 1.4