

L19. Linux VPN. Brian Dolan-Goecke. Atlanta, Georgia. October 8-12, 2001. Contact: Email: Brian@Goecke-Dolan.com, WebSite: www.Goecke-Dolan.com/Brian, Phone: (612) 759-0967. Linux VPN: we will explain and build a basic Virtual Private Network (VPN) on Linux.





Presentation Transcript


  1. L19 Linux VPN Brian Dolan-Goecke Atlanta, Georgia October 8-12, 2001

  2. Brian Dolan-Goecke

  3. Contact • Email: Brian@Goecke-Dolan.com • WebSite: www.Goecke-Dolan.com/Brian • Phone: (612) 759-0967

  4. Linux VPN
     • We will explain and build a basic Virtual Private Network (VPN) on Linux.
     • We will begin this session looking at VPNs and how they work. Then investigate some of the solutions for building VPNs on Linux. Finally we will build a basic VPN across the Internet with Linux. A good understanding of TCP/IP and networking is preferred.

  5. Session Objectives
     • Issues to consider when building a VPN
       - How it works
       - What is needed
       - What technology to use
     • Some Linux VPN options
     • Build a basic VPN

  6. VPN Definition
     • Virtual Private Network
     • A secure network connection across an insecure network.

  7. VPN Definition
     • Virtual Private Network
     • (VPN) The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.
     • Link-level (layer 2 and 3) encryption provides extra protection by encrypting all of each datagram except the link-level information. This prevents a listener from obtaining information about network structure. While link-level encryption prevents traffic analysis (a form of attack), it must encrypt/decrypt on every hop and every path.
     • Protocol-level (layer 3 and 4) encryption encrypts protocol data but leaves protocol and link headers clear. While protocol-level encryption requires you to encrypt/decrypt data only once, and it encrypts/decrypts only those sessions that need it, headers are sent as clear text, allowing traffic analysis.
     • Application (layer 5 up) encryption is based on a particular application and requires that the application be modified to incorporate encryption.
     • Cisco (1999-11-15)

  8. VPN Explanation

  9. Connection Type
     • Typical Internet Connection
     • Traditional Remote Corporate Connection
     • VPN Remote Corporate Connection
     • Detailed VPN Connection

  10. Internet Connection

  11. Traditional Connection

  12. VPN Connection

  13. VPN Connection Detail

  14. How Does It Work?
      1) A host encrypts and encapsulates network packets in network packets.
      2) Packets are transmitted to a remote host, via an insecure network.
      3) The remote host will de-encapsulate and decrypt the network packets.
      4) The original network packets are then forwarded to the local network.

  15. How VPN Works

  16. Why Have a VPN
      • Secure access to corporate resources
      • Fast access
      • Less expensive infrastructure
      • Easier access to corporate resources
      • One connection for Internet and corporate

  17. Why Not to Have a VPN
      • Higher cost of administration
      • Can make your site more visible
      • Need to be more security proactive
      • Large possible security risk
      • Requires more powerful systems

  18. What Is Needed?
      • Host Computers
      • Network Connections
      • VPN Software

  19. Linux VPN Options

  20. Available Linux VPNs
      • Low Cost (Free) Solutions
        - GRE
        - CIPE
        - IPIP
        - PPTP
        - SSH port forwarding
        - IPSec

  21. Available Linux VPNs
      • Non-Free Solutions
        - AltaVista Tunnel
        - CheckPoint FireWall-1
        - IPSec
        - Many More...

  22. VPNs We Will Investigate
      • GRE
      • CIPE
      • IPSec
      • PPTP

  23. Linux GRE
      • Developed by: Cisco
      • Available from: part of the standard Linux kernel tarball
      • Resources: RFC 2401 (and more...)

  24. Linux GRE
      • Advantages
        - Free
        - Comes with Linux kernel tarball
        - Works with Cisco routers
        - Tried and tested
        - Can work through Masq/NAT
        - Works with IPv6

  25. Linux GRE
      • Disadvantages
        - No encryption

  26. Linux CIPE
      • Developed by: Olaf Titz
      • Available at: http://sites.inka.de/~bigred/devel/cipe.html
      • Resources: http://sites.inka.de/~bigred/devel/cipe.html

  27. Linux CIPE
      • Advantages
        - Built for VPN
        - Can use Blowfish or PKE encryption
        - Works through/with SOCKS, NAT, dynamic IP
        - Free

  28. Linux CIPE
      • Disadvantages
        - Uses UDP (for good reason)
        - Seems slow now and then
        - Only works for IPv4

  29. Linux IPSec
      • Developed by: FreeS/WAN (Linux version)
      • Available at: http://www.freeswan.org/download.html
      • Resources: http://www.freeswan.org

  30. IPSec Advantages
      • Should work across platforms/vendors/devices
      • Will work with IPv6

  31. IPSec Disadvantages
      • Difficult to implement
      • Has problems with NAT/Masq
      • Problems with authentication

  32. Linux PPTP
      • Developed by: Matthew Ramsay, Kevin Thayer, David Luyer, Patrick LoPresti, Philip Van Baren, Peter Galbavy and more
      • Available at: http://poptop.lineo.com/download_pptp.html
      • Resources: http://poptop.lineo.com/

  33. Linux PPTP Advantages
      • Compatible with Microsoft
      • Can be server or client

  34. Linux PPTP Disadvantages
      • Compatible with Microsoft
      • Has some security holes

  35. Build Linux VPN!

  36. VPNs to Create
      • GRE
      • CIPE

  37. Need
      • Software
      • IP and network address
      • IPChains config
      • Routing

  38. Tools We Will Use
      • ifconfig
      • route
      • ipchains

  39. VPN Basics
      • Define devices
      • Create devices
      • Connect devices
      • Adjust routing/ipchains

  40. GRE Steps
      • Determine IP addresses & network
      • Load module
      • Configure GRE tunnel
      • Set up routing
      • Modify IPChains
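The GRE steps above, carried through for one tunnel endpoint, as an added example that is not part of the presentation. It uses the tools the slides name (modprobe, ifconfig, route, ipchains) plus `ip tunnel` from the Route2 HowTo the slides reference; `gre1` is an assumed device name and every address is a constructed documentation value. Because GRE carries the inner packets without encryption (slide 25), the only protection the script can add is restricting which public endpoint may send protocol 47 (GRE) to this host.

```sh
#!/bin/sh
# Added example, not from the presentation: one end of a GRE tunnel following
# the slide's steps (load module, configure tunnel, set up routing, modify
# IPChains). Addresses are constructed; gre1 is an assumed device name.
# GRE has no encryption: the payload crosses the Internet in clear text.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the commands for this endpoint.
#   $1 local public IP    $2 remote public IP
#   $3 local tunnel IP    $4 remote tunnel IP
#   $5 remote private network   $6 its netmask
gre_tunnel_cmds() {
    [ $# -eq 6 ] || { echo "usage: gre_tunnel_cmds LPUB RPUB LTUN RTUN NET MASK" >&2; return 1; }
    for _a in "$@"; do is_ipv4 "$_a" || { echo "bad address: $_a" >&2; return 1; }; done
    cat <<EOF
modprobe ip_gre
ip tunnel add gre1 mode gre local $1 remote $2 ttl 255
ifconfig gre1 $3 pointopoint $4 up
route add -net $5 netmask $6 dev gre1
ipchains -A input -p 47 -s $2 -d $1 -j ACCEPT
ipchains -A input -p 47 -j DENY -l
ipchains -A forward -d $5/$6 -i gre1 -j ACCEPT
EOF
}

# Show each command with a "+" prefix; execute it only when APPLY=1 is set.
gre_tunnel_apply() {
    gre_tunnel_cmds "$@" | while IFS= read -r _cmd; do
        echo "+ $_cmd"
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$_cmd"; fi
    done
}

# Dry run with constructed addresses (RFC 5737 / private ranges).
gre_tunnel_apply 192.0.2.10 198.51.100.20 10.0.0.1 10.0.0.2 192.168.2.0 255.255.255.0
```

The two ipchains input rules accept GRE only from the configured peer and log-and-deny everything else claiming to be protocol 47; the forward rule lets traffic for the remote private network leave through the tunnel. The peer runs the same script with the local and remote arguments swapped.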

  41. CIPE Steps
      • Determine IP addresses & network
      • Download software
      • Compile software
      • Configure software
      • Load module
      • Start ciped daemon
      • Set up routing
      • Modify IPChains

  42. CIPE Notes
      • Can handle up to 99 devices
      • Auto-creates devices
      • Use "device ciped0" option in config file

  43. CIPE Config File

```
#/etc/cipe/options
# Surprise, this file allows comments (but only on a line by themselves)
debug=yes
# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
device ciped
# the peer's IP address
ptpaddr 10.2.13.1
# our CIPE device's IP address
ipaddr 192.168.13.1
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
#me bigred.inka.de:6789
me 127.0.0.1:2048
# ...and the UDP address we connect to. Of course no wildcards here.
#peer blackforest.inka.de:6543
peer 192.172.18.34:2048
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3333fd20adf9c0ccf9eff2393bbb3e41
```
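The "Configure software" step of the CIPE procedure and the config file above both hinge on a few details the comments only mention: the file holds the static key and must stay secret, the key is 128 bits of hex, and `peer` may not be a wildcard. The following checker, an added example that is not from the presentation or the CIPE project, reads the option names shown on the slide (device, ipaddr, ptpaddr, me, peer, key) and reports those problems before ciped is started; the checks, the sample file and its addresses are my own constructions.

```sh
#!/bin/sh
# Added example, not from the presentation or the CIPE project: sanity checks
# for a CIPE options file before ciped is started. Option names are those on
# the slide; the checks and the constructed sample file are my own.

# Print the value of option $2 in file $1 (first match). Accepts both the
# "name value" and "name=value" spellings and strips '#' comments.
cipe_option() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Check one options file: prints one line per finding, returns 0 only when
# every FAIL check passes (WARN lines do not fail the check).
cipe_options_check() {
    cf=$1; fails=0
    # The static key lives in this file: group and other must have no access.
    perms=$(ls -l "$cf" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: $cf is accessible to group/other ($perms)"; fails=1; }
    # The key is 128 bits written as exactly 32 hexadecimal digits.
    key=$(cipe_option "$cf" key)
    if [ "${#key}" -ne 32 ]; then
        echo "FAIL: key must be 32 hex digits, got ${#key}"; fails=1
    else
        case $key in *[!0-9a-fA-F]*) echo "FAIL: key contains non-hex characters"; fails=1 ;; esac
    fi
    # me/peer are UDP endpoints "host:port"; wildcards are allowed for me only.
    for opt in me peer; do
        v=$(cipe_option "$cf" "$opt"); host=${v%:*}; port=${v##*:}
        case $port in
            ''|*[!0-9]*) echo "FAIL: $opt needs host:port, got '$v'"; fails=1; continue ;;
        esac
        [ "$port" -le 65535 ] || { echo "FAIL: $opt port $port out of range"; fails=1; }
        if [ "$opt" = peer ] && { [ "$host" = 0.0.0.0 ] || [ "$port" -eq 0 ]; }; then
            echo "FAIL: peer must be a concrete host:port, not a wildcard"; fails=1
        fi
        if [ "$opt" = me ]; then
            case $host in 127.*) echo "WARN: me is a loopback address; the peer cannot reach it" ;; esac
        fi
    done
    # The tunnel itself needs a device name and both inner addresses.
    for opt in device ipaddr ptpaddr; do
        [ -n "$(cipe_option "$cf" "$opt")" ] || { echo "FAIL: $opt is not set"; fails=1; }
    done
    return $fails
}

# Stand-alone demo on a constructed file laid out like the slide's example.
sample=$(mktemp) && chmod 600 "$sample"
cat > "$sample" <<'EOF'
device ciped
ptpaddr 10.2.13.1
ipaddr 192.168.13.1
me 127.0.0.1:2048
peer 192.172.18.34:2048
key 3333fd20adf9c0ccf9eff2393bbb3e41
EOF
cipe_options_check "$sample" && echo "OK: $sample passes"
rm -f "$sample"
```

Run it as `cipe_options_check /etc/cipe/options` on each end before starting ciped; a non-zero exit means at least one FAIL line was printed. The permission test deliberately fails a world-readable file even when the key itself is well-formed, since whoever can read the file can decrypt the tunnel.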

  44. Other Issues
      • DNS
      • Broadcast or not
      • Authentication

  45. Resources
      • Linux Docs -- www.linuxdoc.org
        - Linux Route2 HowTo
        - Linux Masquerade HowTo
        - Linux VPN HowTo
        - Linux Network Administrators Guide (NAG)
      • Virtual Private Network Consortium -- www.vpnc.org
      • FreeS/WAN IPSec -- www.freeswan.org

  46. Books
      • IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, by Naganand Doraswamy & Dan Harkins, Prentice Hall, 1999, www.phptr.com
      • Virtual Private Networks, 2nd Edition, by Charlie Scott, Paul Wolfe & Mike Erwin, December 1998, www.ora.com

  47. Version Info
      • Brian Dolan-Goecke, Brian@Goecke-Dolan.com
      • http://www.goecke-dolan.com/Brian/Presentations
      • Linux VPN Presentation, Version 1.4, 10/10/2001
