Virtual Private Networking

In my last position with APL several people on staff asked us about providing a VPN for secure access to our intranet. I decided there were several options for meeting this goal:

  1. continue to authorize access to our webservers based on IP address, but use some sort of tunneling to make the remote client's IP appear 'local'.
  2. let our users authenticate against the campus pubcookie server and upgrade our webservers to use such authentication.
  3. let our webservers do their own authentication (using .htaccess or some such).
This page summarizes my work towards a solution allowing an authorized client anywhere on the Internet to appear, to my local network, as having an IP within my home network.

Summary:

I decided to use the Linux FreeS/WAN implementation of IPsec and IKE (http://www.freeswan.org) since it uses standard protocols and the code was free. From my perusal of Tina Bird's excellent VPN website (http://kubarb.phsx.ukans.edu/~tbird/vpn.html), it seemed a better choice than PPTP.

Installing and running

> wget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.91.tar.gz
> wget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.91.tar.gz.sig
> # Check signature (once I've added the public signature to my ring)
> pgp /tmp/freeswan-1.91.tar.gz.sig /tmp/freeswan-1.91.tar.gz
> cd /usr/src
> sudo tar -zxvf freeswan-1.91.tar.gz
> cd freeswan-1.91
>       # Steps which shouldn't have to happen
>       # oops, no GMP (gnu multi-precision library)
>       rpm -ivh gmp-devel-3.1.1-3.i386.rpm
>       # patch ipsec_tunnel.c so 'ip_select_ident()' has
>       # 'NULL' as third argument

> sudo /bin/su      # become root
$ make oldgo        # this takes about 75 minutes to configure and
                    # compile kernel
$ make modules_install
$ cp arch/i386/boot/bzImage /boot/freeswan
$ vi /etc/lilo.conf
$ lilo

Rebooting shows IPsec is up. At this point I have a kernel that links in IPsec, the code under /usr/local/lib/ipsec, and the following processes running:

root       553  0.0  0.0  1916    4 ?        S    Jul24   0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes -
root       554  0.0  0.0  1308    4 ?        S    Jul24   0:00 logger -p daemon.error -t ipsec__plutorun
root       555  0.0  0.0  1916    4 ?        S    Jul24   0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes -
root       556  0.0  0.0  1788  148 ?        S    Jul24   0:00 /usr/local/lib/ipsec/pluto --nofork --debug-none --uniqueids
root       557  0.0  0.0  1904   60 ?        S    Jul24   0:00 /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --start %searc

Test Win2k client

For starters, I'll test this against a client on the local network, where my network diagram will look something like:

        West--------------------------East
                  untrusted net

(using the network notation that the FreeS/WAN folks do). For me, this will be:

        hb(.241)-----------------------tko(.242)
                      local net

PGPnet setup

PGPnet on Win2k guides you through a wizard, where I selected host to host. Following the hints from "http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html" and "http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html", I specified authentication as shared-secret, and entered my passphrase. I then specified that the connection should happen manually.

ipsec whack --listen            # reloads secrets
/etc/rc.d/init.d/ipsec restart  # reloads all
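A host-to-host, shared-secret connection matching the diagram above (hb = 65.100.135.241, tko = 65.100.135.242), written here as an added example rather than the author's actual files: FreeS/WAN reads the connection description from /etc/ipsec.conf and the pre-shared key from /etc/ipsec.secrets, which must be owned by root and readable by root only. The connection name and the secret value are placeholders; the setup values mirror the %search and uniqueids options visible in the process list above.

```text
# /etc/ipsec.conf (FreeS/WAN 1.x)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

# hb <-> tko, pre-shared key, brought up by hand:
#   ipsec auto --up hb-tko
#   ipsec auto --down hb-tko
conn hb-tko
        left=65.100.135.241
        right=65.100.135.242
        authby=secret
        auto=add

# /etc/ipsec.secrets (mode 0600, owner root)
65.100.135.241 65.100.135.242 : PSK "REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
```

The same passphrase goes into the PGPnet shared-secret field on the Win2k side; after changing ipsec.secrets, the `ipsec whack --listen` shown above makes Pluto reread it without a full restart.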

Need to edit /etc/ipsec.conf and specify shared secrets. Now, on hillburkholder:

]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
compaq          compaq          255.255.255.255 UGH   0      0        0 ipsec0
65.100.135.240  *               255.255.255.248 U     0      0        0 eth0
65.100.135.240  *               255.255.255.248 U     0      0        0 ipsec0
172.16.243.0    *               255.255.255.0   U     0      0        0 vmnet1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         cisco           0.0.0.0         UG    0      0        0 eth0
[peter@hillburkholder config]$ ping compaq
PING compaq (65.100.135.242) from 65.100.135.241 : 56(84) bytes of data.

--- compaq ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

-------

These are now going over the ipsec0 interface to the eth0 interface. Pinging 65.100.135.241 shows nothing coming back to the application layer, but sniffing with Ethereal shows ESP (encrypted) packets going back and forth. Perhaps I need to enable ip_forward?
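The route table above explains why the ping left ESP-encrypted: the kernel chooses the longest matching prefix, so the compaq/32 host route via ipsec0 wins over the two /29 entries, while every other host in the /29 falls to whichever /29 entry comes first (eth0, in the clear). Here is that lookup worked through in Python, as an added example rather than anything from the page; the table is constructed from the `route` output with compaq resolved to 65.100.135.242 (as the ping line shows), and the selection rule is a simplified model of the kernel's choice (prefix length, then metric, then table order), not the full FIB.

```python
import ipaddress

# Constructed from the page's `route` output, in table order:
# (destination, genmask, iface). The 'cisco' gateway address is not on
# the page, so the default route carries no gateway here.
ROUTES = [
    ("65.100.135.242", "255.255.255.255", "ipsec0"),  # compaq host route
    ("65.100.135.240", "255.255.255.248", "eth0"),
    ("65.100.135.240", "255.255.255.248", "ipsec0"),
    ("172.16.243.0",   "255.255.255.0",   "vmnet1"),
    ("127.0.0.0",      "255.0.0.0",       "lo"),
    ("0.0.0.0",        "0.0.0.0",         "eth0"),    # default via cisco
]


def lookup(dst, routes=ROUTES, metrics=None):
    """Return (iface, prefixlen) for dst by longest-prefix match.

    Ties break on lowest metric (all 0 in the page's table), then on
    table order, which is why the eth0 /29 beats the ipsec0 /29.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for idx, (dest, mask, iface) in enumerate(routes):
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst_ip not in net:
            continue
        metric = metrics[idx] if metrics else 0
        key = (-net.prefixlen, metric, idx)
        if best is None or key < best[0]:
            best = (key, iface, net.prefixlen)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def cleartext_peers(subnet="65.100.135.240/29", routes=ROUTES):
    """Hosts of the local /29 whose traffic would NOT leave via ipsec0."""
    net = ipaddress.ip_network(subnet)
    return [str(h) for h in net.hosts() if lookup(str(h), routes)[0] != "ipsec0"]


if __name__ == "__main__":
    for host in ("65.100.135.242", "65.100.135.243", "192.0.2.1"):
        print(host, "->", lookup(host))
    print("reached in the clear:", cleartext_peers())
```

Only compaq (.242) is routed through ipsec0; the other five hosts of the /29 are reached unprotected, so a second /29 entry on ipsec0 protects nothing by itself.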

Tearing down connections doesn't happen cleanly. Something other than 'ipsec restart'?

I can get to the 65.100.135.242 web page in the clear. Now I should build a gateway to it.

I'll need to get back to this.

The host-to-host topology on this small network is actually more complicated than accessing the subnet remotely.


Please feel free to contact me at pburkholder@pobox.com.