Set up a Secure VPN in Linux

PCQ Bureau

In February, we gave the prerequisites for setting up a VPN using FreeS/WAN (Set up a Secure VPN in Linux, page 103). This month we discuss how to set up a VPN for two different setups, namely Net-to-Net and Road Warrior. The first is useful for organizations wanting to connect their offices in different locations through a VPN link; the second is for organizations wanting to give their mobile users access into their network.

Case I: The Road Warrior Setup

Consider a scenario where an office in Delhi (see diagram on following page) houses an application that the sales people need to use to connect and update the order status. This office has a leased line to the Internet. The server is based on Fedora Linux and most of the mobile clients use Win XP. The need is to connect the road warriors to the sales automation application server within the office. We assume that you have installed the required software on the server and client as described in the February issue.

Configuration

The Delhi office has a network range of 192.168.1.0/24, connected to the eth0 interface of the gateway server. The IP address of the public interface (eth1) of the gateway is 202.56.233.123. We will create a virtual network, 192.168.254.0/24, that acts as our overlaid VPN tunnel. We assume that the client has a fixed IP address; later we will configure it for dynamic IP addresses. On the Linux server you will need to configure IPSec, L2TP and PPP. On the client, presuming it is Win XP, we will install and configure the IPSec/L2TP client freely available from Microsoft.

Configure IPSec

The configuration for IPSec is done in the /etc/ipsec.conf file. Open the file and edit it as follows (FreeS/WAN requires each parameter to be indented under its section header):

version 2.0

config setup

conn winxp
    authby=secret
    pfs=no
    left=192.168.1.100
    leftnexthop=%defaultroute
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=3

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

Here the field 'left=' defines the IP address of your internal interface, and 'right=%any' means the remote client can have any address. The 'conn block', 'conn private' and following sections are there to block opportunistic encryption. Next, we need to configure the PSK (pre-shared key). This is a secret password shared by both sides of the IPSec tunnel; it is held in the file /etc/ipsec.secrets. The rpm installation will have put some RSA entries into the file; remove them and replace them with

192.168.1.1 202.54.16.3: PSK "secretkey"

192.168.1.1 is the IP address of the gateway and 202.54.16.3 is the IP address of the Road Warrior from where the IPSec connection is initiated. Remember that a PSK requires the client to have a static IP. We will discuss certificates later. 'secretkey' is the password that the remote IPSec client will use to connect. On the command line type

service ipsec restart
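Before restarting, it is worth checking that the two files agree, since pluto looks a PSK up by the addresses of both ends. The following Python is an added example (not from the article or the FreeS/WAN project) that parses both files and reports what would stop the winxp conn from keying; its constructed sample keeps the gateway address from each listing above (left=192.168.1.100 in ipsec.conf, 192.168.1.1 in ipsec.secrets), so the check reports the mismatch.

```python
import re
# Connections FreeS/WAN ships for opportunistic encryption; the article sets each to auto=ignore.
OE_CONNS = ("block", "private", "private-or-clear", "clear-or-private",
            "clear", "packetdefault")
# Constructed sample in the layout of the two listings above (FreeS/WAN 2.x indents parameters under their header).
IPSEC_CONF = """\
version 2.0
config setup
conn winxp
    authby=secret
    left=192.168.1.100
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    auto=add
""" + "".join(f"conn {name}\n    auto=ignore\n" for name in OE_CONNS)
IPSEC_SECRETS = '192.168.1.1 202.54.16.3: PSK "secretkey"\n'

def parse_conf(text):
    """Return {section: {key: value}}; a 'conn X' section is stored under 'X'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith("version"):
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name or kind, {})
        else:                                     # indented: key=value parameter
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def parse_secrets(text):
    pat = re.compile(r'^([^:#\n]*):\s*PSK\s+"([^"]*)"', re.M)   # '<ids>: PSK "<secret>"'
    return [(set(ids.split()), secret) for ids, secret in pat.findall(text)]

def check_road_warrior(conf_text, secrets_text, conn="winxp"):
    """Return the problems that would stop pluto keying `conn` with a PSK."""
    sections, secrets = parse_conf(conf_text), parse_secrets(secrets_text)
    params, problems = sections.get(conn, {}), []
    if params.get("authby") != "secret":
        problems.append(f"{conn}: authby must be 'secret' to use a PSK")
    left = params.get("left")
    if not any(left in ids for ids, _ in secrets):   # pluto finds the PSK by the IDs of both ends
        problems.append(f"{conn}: no PSK line in ipsec.secrets names left={left}")
    for name in OE_CONNS:
        if sections.get(name, {}).get("auto") != "ignore":
            problems.append(f"{name}: opportunistic conn missing or not auto=ignore")
    return problems
```

Run it against your own /etc/ipsec.conf and /etc/ipsec.secrets contents before the restart; an empty list means the conn can be keyed and all opportunistic conns are disabled.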

Typing ifconfig on the command line will list all the interfaces on your server, and you will see an additional interface named ipsec0 with the same IP address as eth1. It is assumed that your system has a default route via a gateway on eth1. If you get the following messages in the log file (normally /var/log/secure), you are doing fine:

Jan 17 22:49:30 nb pluto<9924>: Using KLIPS IPsec interface code
Jan 17 22:49:30 nb pluto<9924>: Changing to directory '/etc/ipsec.d/cacerts'
Jan 17 22:49:30 nb pluto<9924>: Changing to directory '/etc/ipsec.d/crls'
Jan 17 22:49:32 nb pluto<9924>: added connection description "winxp"
Jan 17 22:49:33 nb pluto<9924>: listening for IKE messages
Jan 17 22:49:33 nb pluto<9924>: adding interface ipsec0/eth0 192.168.32.100
Jan 17 22:49:33 nb pluto<9924>: loading secrets from "/etc/ipsec.secrets"

You can ignore any warning messages. From the client machine click on the VPN icon. If you see entries similar to the following in the log file, your IPSec is behaving fine.

Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: responding to Main Mode
Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: Peer ID is ID_IPV4_ADDR: 202.54.16.3
Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: STATE_MAIN_R3: sent M3, ISAKMP SA established
Jan 17 22:49:32 nb pluto<9924>: "winxp" #8: responding to Quick Mode
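The state numbers (#7, #8) let you follow each negotiation in /var/log/secure and tell a working client from a misconfigured one. The following Python is an added example (not from the article) that classifies pluto lines in the format quoted above; its log sample is constructed and adds a failed and an unfinished Main Mode to the successful exchange.

```python
import re

# Constructed sample in the format of the pluto lines quoted above: #7/#8 is a
# client that completes both phases, #9 a client whose PSK does not match (the
# wording pluto uses for that case) and #10 a Main Mode that never completes.
PLUTO_LOG = """\
Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: responding to Main Mode
Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: Peer ID is ID_IPV4_ADDR: 202.54.16.3
Jan 17 22:49:30 nb pluto<9924>: "winxp" #7: STATE_MAIN_R3: sent M3, ISAKMP SA established
Jan 17 22:49:32 nb pluto<9924>: "winxp" #8: responding to Quick Mode
Jan 17 22:49:32 nb pluto<9924>: "winxp" #8: STATE_QUICK_R2: IPsec SA established
Jan 17 22:51:02 nb pluto<9924>: "winxp" #9: responding to Main Mode
Jan 17 22:51:02 nb pluto<9924>: "winxp" #9: Peer ID is ID_IPV4_ADDR: 203.0.113.7
Jan 17 22:51:03 nb pluto<9924>: "winxp" #9: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jan 17 22:53:10 nb pluto<9924>: "winxp" #10: responding to Main Mode
"""
# Startup lines without a conn name and state number (e.g. 'listening for IKE messages') do not match.
LINE = re.compile(r'pluto[<\[]\d+[>\]]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
FAIL_MARKERS = ("authentication failure", "no acceptable", "max number of retransmissions")

def classify(log):
    """Return {state_number: (peer_ip_or_None, status)} with status one of
    'ipsec-established', 'isakmp-established', 'failed' or 'incomplete'."""
    states = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = int(m["sa"]), m["msg"]
        peer, status = states.get(sa, (None, "incomplete"))
        if msg.startswith("Peer ID is"):
            peer = msg.rsplit(": ", 1)[1]          # "ID_IPV4_ADDR: a.b.c.d"
        elif "ISAKMP SA established" in msg:       # Main Mode (phase 1) done
            status = "isakmp-established"
        elif "IPsec SA established" in msg:        # Quick Mode (phase 2) done
            status = "ipsec-established"
        elif any(marker in msg for marker in FAIL_MARKERS):
            status = "failed"
        states[sa] = (peer, status)
    return states

def failed_peers(log):
    """Addresses whose Main Mode failed, e.g. a PSK typed wrongly on the client."""
    return sorted({peer for peer, status in classify(log).values()
                   if status == "failed" and peer})

if __name__ == "__main__":
    for sa, (peer, status) in sorted(classify(PLUTO_LOG).items()):
        print(f"#{sa}: peer={peer or '-'} {status}")
    print("failed peers:", failed_peers(PLUTO_LOG))   # ['203.0.113.7']
```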

Configure L2TP

The configuration file for L2TP is /etc/l2tpd/l2tpd.conf. Edit it as follows:

[global]
; uncomment to restrict l2tpd to one local address
; listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.254.64-192.168.254.128
local ip = 192.168.254.254
require chap = yes
refuse pap = yes
require authentication = yes
name = PCQ VPN Server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

The key setting is 'ip range', the range of IP addresses that will be allocated to incoming connections. 'local ip' is the IP address of the server's end of the pppX interface on this network. You will most probably not need to touch the /etc/ppp/options.l2tpd file, but you can fine-tune it if need be.

Configure PPP

There are some quirks in the connection type that we will need to live with: by default Windows wants to use MS-CHAP and MPPE. Red Hat's pppd is not built with support for these protocols (a CVS patch is available to add it). Enabling them would in any case mean double encryption. The best option is to disable PPP encryption, and do not worry, the sky will not fall, since IPSec already provides the underlying encryption. The next step is to specify a suitable authentication scheme. We recommend CHAP; make the following changes in the /etc/ppp/chap-secrets file:

# client server secret IP addresses
VPN_user * something *
* VPN_user something *

This allows the user VPN_user to connect to this server with the password 'something'. These are the values you enter in the user ID and password fields of the Win XP VPN dialer. Clicking on the VPN dial-up brings up the IPSec connection, the L2TP daemon and ppp(X) on the Linux server. Check the log files for any error messages.

If you have a firewall on the local server, you need to allow the remote client's public IP address to connect to the public interface of the firewall.

Using certificates

You can choose either to set up your own certificate authority or get one issued by an established CA. Obtain a certificate in PKCS#12 format (.p12 or .pfx extension), which is a standard for distributing keys and certificates. The CA that signed your FreeS/WAN server's certificate must also sign the certificate you obtain. Use the Microsoft Management Console to import certificates under Win 2000/XP. Win 95/98/Me need to use the certificate store found under Tools>Internet Options in the browser.

Configuring Win XP client

As discussed above, we will focus on Win XP connecting to the VPN server using IPSec and L2TP. To configure connectivity go to Start>My Network Places>View Network connection>Create a New Connection>Connect to network at my workplace>Virtual Private Network. In the field provided for Company name, enter the name you would like to give this connection. We will call our connection PCQ Labs. Next, select whether the system should automatically start another connection before this one; in a typical VPN environment, you would first dial an ISP and then start the VPN. Lastly, in the next screen you need to enter the IP address of the gateway server. In our case, it is 202.56.233.188.

To configure L2TP

As soon as the connect pop-up appears, click the Properties button. Go to the Security tab and disable the 'data encryption required' option. There is no need for data encryption at this layer, since the underlying IPSec will encrypt the data. Select the Networking tab and select the L2TP IPSEC VPN option. Next, select IPSec settings and enter "secretkey" as the IPSec pre-shared key. Note that this is the PSK configured on the server as well. Click OK and save a shortcut on your desktop. To launch the VPN connection, click the "VPN" icon on your desktop after you have established a dial-up connection to the Internet.

Case II: Net to Net

In this setup we have two offices, one in Delhi and one in Mumbai, with a leased line to the Internet in Delhi and a DSL link in Mumbai. We have a Fedora Linux server and most of our clients are on Win XP. Here, the need is to connect a PC in Mumbai with the financial server in Delhi over the public network, but in a secure manner, and to connect the Delhi LAN transparently to the Mumbai LAN.

Most of the Delhi office configuration remains the same. We replace the Road Warrior with a network in Mumbai having an internal IP address range of 192.168.2.0/24. Believe it or not, if you have come this far, configuring the gateway server is fairly simple. The server in Mumbai is configured the same way as the Delhi server, except that the local and remote network addresses are swapped on each side. Since both servers run Linux, we can safely uninstall L2TP, as IPSec is natively supported at both locations. Along with L2TP, you can also dump PPP. Once you have configured IPSec, restarting it will bring up the interface. Pinging the remote IP address (192.168.254.1) from Delhi will set up the VPN. It may take a few moments, and then it is done.
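A net-to-net conn for Case II in the same ipsec.conf syntax, added here as an example and not a listing from the article. Delhi's addresses are those given in the text; the Mumbai gateway's public DSL address is not given and appears as a placeholder, and the PSK value is constructed. FreeS/WAN works out which side it is from its own interface addresses, so the same conn can be used unchanged on both gateways.

```text
# Added example, not from the article: /etc/ipsec.conf for Case II.
# <MUMBAI_PUBLIC_IP> is a placeholder for the Mumbai gateway's DSL address.
version 2.0

config setup

conn delhi-mumbai
    authby=secret
    left=202.56.233.123
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=<MUMBAI_PUBLIC_IP>
    rightsubnet=192.168.2.0/24
    rightnexthop=%defaultroute
    auto=start

# Keep the 'conn block' ... 'conn packetdefault' auto=ignore sections from Case I.

# Matching /etc/ipsec.secrets line on both gateways (the key shown is a
# constructed placeholder; use a long random value):
# 202.56.233.123 <MUMBAI_PUBLIC_IP>: PSK "replace-with-a-long-random-key"
```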

Alok Sinha
