April 11, 2005



In December 2004 (VPN for Roaming Clients, page 46), we looked at configuring a VPN server for roaming clients using ISA Server 2004. This time we will set up a VPN server on SUSE Linux Enterprise Server 9. A VPN server lets remote users reach the company's local network securely over the untrusted Internet. The setup consists of a SUSE Linux machine sitting between the Internet and the company's local network. The VPN server running on it accepts the clients' connection requests and, after authenticating them, gives them access to the local network through an encrypted tunnel. SUSE Linux uses the open source FreeS/WAN software for the VPN server, which builds IPsec tunnels across untrusted networks such as the Internet. What SUSE adds is a YaST module for configuring it, so you do not have to edit FreeS/WAN's configuration files by hand, as you would on most other distributions; the module is a front end and still writes FreeS/WAN's own configuration files underneath, which is worth knowing when something needs checking. Authentication in this setup is by X.509 certificates issued by your own CA, so the procedure starts with the certificate. So, let's see how to configure the VPN server.

Create a certificate
Open the YaST Control Center, go to Security and Users in the left pane and open the CA Management module. Create a new CA (Certification Authority) there, or enter an existing one. Click on the Certificates button to reach the Certificates window, click on Add and select 'Add Server Certificate'. A new window opens; give a Common Name for the certificate, which should be the fully qualified host name of the VPN server, and click on Next. On the next screen give a password for the certificate's private key and click on Next, then click on Create. The new certificate appears in the Certificates window. Select it, click on the Export button and select Export to File. In Export Format select the last option (PKCS#12, which packs the certificate, its private key and the CA chain into one file), give the certificate password, give a file name with a .p12 extension, and click on OK to write the file. Note what this file holds: the server's private key, protected only by that password. Keep it off shared folders and CDs, and delete any spare copy once it has been imported.

Import the Server Certificate to the VPN server

Direct Hit!
Applies to: Enterprises
USP: Set up a VPN server on Linux with ease
Links: http://vpn.ebootis.de , www.freeswan.org
On PCQEssential CD: systems\labs\ipsec

Open the YaST Control Center, go to Security and Users and open the VPN module. Enable VPN and click on Certificates. On the next window, click on Import and select the .p12 file you exported earlier. Give the certificate password (the one set at export time) and it will be imported. Click on Next.

Set up the VPN server connection
Click on Connections in the VPN module and then on Add. For Connection Type select 'Server for Road Warriors' and click on Next. Enter the Internet-facing IP address of the server in the Local IP address text box; this is the address the clients will be told to connect to. Check the 'Act as Gateway' option, give the network that is to be made available to the VPN clients, in the form 192.168.3.0/24, and click on Next. Only traffic for that network goes through the tunnel; anything else the client sends still leaves it directly and unprotected, so make the network exactly as large as the servers the users need. On the next screen accept the default settings and click on OK. The VPN server will now accept connection requests from the clients.

Export the VPN client configuration file
In the VPN Connections window, select the connection just created, click on Expert and select Export. Select Windows in the dialog box and give the file name and path for the configuration file. This file is the client-side counterpart of the connection you just defined, with the server's address and the network reached through it as the remote end. Copy it to the Windows client machines that have to connect to the server.

[Screenshot: Give the IP address of the interface that will listen for VPN connections and the subnet of the local network that will be made available to VPN clients]
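What the two YaST steps above produce is a pair of mirrored connection definitions: on the gateway this host is 'left' and the unknown road warrior is 'right', while in the exported Windows file the roles swap. The following Python module is an added example, not the article's or SUSE's code: it renders both files from one set of parameters, so the two ends cannot drift apart, and refuses combinations that the YaST dialog accepts but that cannot work. The directive names follow FreeS/WAN's X.509 configuration and the ipsec.conf syntax of ipsec.exe as I know them; compare them with the file YaST actually exports before relying on them. The address 203.0.113.10, the subnet and the CA name are made-up sample values.

```python
"""Render the gateway (FreeS/WAN) and Windows client (ipsec.exe) sides of a
'Server for Road Warriors' connection from one set of parameters.

Added example for the article, not code from YaST, FreeS/WAN or ipsec.exe.
Assumptions: directive names as documented for FreeS/WAN with the X.509 patch
and for ipsec.exe; all addresses and names below are made-up samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RoadWarriorVPN:
    server_ip: str      # Internet-facing address typed into 'Local IP address'
    local_subnet: str   # network made available to clients ('Act as Gateway')
    server_cert: str    # server certificate file as installed on the gateway
    ca_dn: str          # distinguished name of the CA that issued every cert
    conn_name: str = "roadwarrior"

    def problems(self) -> list:
        """Return the reasons these parameters cannot work (empty if fine)."""
        found = []
        try:
            ip = ipaddress.ip_address(self.server_ip)
        except ValueError:
            return [f"bad gateway address {self.server_ip!r}"]
        try:
            # strict=True rejects 192.168.3.5/24 style values with host bits set
            net = ipaddress.ip_network(self.local_subnet, strict=True)
        except ValueError:
            return [f"bad subnet {self.local_subnet!r}: use network/prefix with the host bits zero"]
        if ip in net:
            # the tunnel endpoint must not lie inside the subnet routed through
            # the tunnel, or the client would try to send IKE through the tunnel
            found.append(f"gateway {ip} lies inside the tunnelled subnet {net}")
        if not self.ca_dn.strip():
            found.append("CA distinguished name is empty: the client could not tell which CA to trust")
        return found

    def _check(self) -> None:
        problems = self.problems()
        if problems:
            raise ValueError("; ".join(problems))

    def server_conf(self) -> str:
        """FreeS/WAN side: this host is 'left', any client is 'right'."""
        self._check()
        return (
            "config setup\n"
            "\tinterfaces=%defaultroute\n"
            "\tuniqueids=yes\n"
            "\n"
            f"conn {self.conn_name}\n"
            "\tauthby=rsasig\n"
            f"\tleft={self.server_ip}\n"
            f"\tleftsubnet={self.local_subnet}\n"
            f"\tleftcert={self.server_cert}\n"
            "\tleftrsasigkey=%cert\n"
            "\tright=%any\n"            # road warriors: address unknown in advance
            "\trightrsasigkey=%cert\n"
            "\trightca=%same\n"         # accept any client cert issued by our CA
            "\tauto=add\n"              # load the conn; the client initiates
        )

    def client_conf(self) -> str:
        """ipsec.exe side: the client is 'left', the gateway is 'right'."""
        self._check()
        return (
            f"conn {self.conn_name}\n"
            "\tleft=%any\n"
            f"\tright={self.server_ip}\n"
            f"\trightsubnet={self.local_subnet}\n"
            f'\trightca="{self.ca_dn}"\n'   # only trust gateways certified by this CA
            "\tnetwork=auto\n"
            "\tauto=start\n"
            "\tpfs=yes\n"
        )


if __name__ == "__main__":
    # constructed sample values, not a real deployment
    cfg = RoadWarriorVPN("203.0.113.10", "192.168.3.0/24", "vpnserver.pem",
                         "C=IN, O=Example Ltd, CN=Example CA")
    print("# gateway /etc/ipsec.conf fragment\n" + cfg.server_conf())
    print("# Windows client ipsec.conf for ipsec.exe\n" + cfg.client_conf())
```

The server fragment belongs among the conn sections of FreeS/WAN's ipsec.conf; the client fragment is a complete ipsec.conf for ipsec.exe. Note what rightca=%same on the gateway means: any certificate issued by the same CA as the gateway's own is accepted as a VPN user, so that CA is the access-control boundary and must not issue certificates for anything else.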

Create a client certificate for VPN users
The procedure is the same as for the server certificate, except that you select 'Add Client Certificate' and give the user's name as the Common Name. Issue a separate certificate to each user rather than sharing one: the certificate is the user's credential, and only a per-user certificate can be withdrawn on its own when a laptop is lost. Export it to a .p12 file in the same way and copy that file to the user's Windows client machine. As with the server's file, it contains the private key, so transfer it directly to the machine and not through a shared folder, and delete the copy on the server once the user has it.

Import the certificate to Windows client machines
Open the MMC on the Windows client machine, click on File, Add/Remove Snap-in, and in the dialog box that opens click on Add. Select Certificates and click on Add. A wizard opens; select 'Computer Account' and click on Next, select 'Local Computer' and click on Finish, then click on Close and OK. The Certificates snap-in is now in the MMC. The computer store, not the user's, is the right place because the Windows IPsec service runs as the machine and only looks for certificates there. Expand Certificates (Local Computer), right-click on Personal, select 'All Tasks' and then Import. The Certificate Import Wizard opens; click on Next, browse to the client's .p12 file and click on Next. Give the password of the file and click on Next. On the 'Certificate Store' page select the automatic option and click on Next, then click on Finish. The certificate is now on the client machine. If the .p12 file included the CA chain, the CA certificate is placed in Trusted Root Certification Authorities at the same time; the client needs it there to accept the server's certificate, so check that it has arrived before going further.

Install IPsec utilities
To connect to an IPsec VPN server you need ipseccmd.exe on Windows XP or ipsecpol.exe on Windows 2000. Install the Support Tools from the support\tools directory of your Windows installation CD and the program will be on the system. These are command line tools and awkward to drive by hand, so you also need a front-end program called ipsec.exe (on this month's PCQEssential CD, or downloadable from http://vpn.ebootis.de/package.zip). Unpack the archive into a folder and copy the VPN client configuration file exported from YaST into that folder, renaming it to ipsec.conf; if a file of that name already exists there, delete the existing one first. ipsec.exe reads the connection definition from that file and turns it into the IPsec policy that ipseccmd.exe or ipsecpol.exe applies.

[Screenshot: The ipsec.exe program, after execution, gives the details about the VPN connection]

Establishing the connection and testing it
Now run ipsec.exe. It prints some details about the VPN connection and the connection is established. To test it, ping a machine on the company's local network, that is, one inside the subnet given to the server connection. The message 'Negotiating IP Security' appears once or twice, after which normal ping replies start arriving; the message is printed only while IKE is setting the tunnel up, so a second ping goes straight to replies. Two other results mean something is wrong. If every line says 'Negotiating IP Security', the key exchange never completes: check that the client and server certificates come from the same CA, that the CA certificate is in the client's Trusted Root store, that the server address in ipsec.conf is the one the clients actually reach, and that UDP port 500 is open on the way to the server. If the negotiation finishes but the pings then time out, ESP (IP protocol 50) is being filtered somewhere in between. And if the very first ping after starting ipsec.exe answers with no negotiation message at all, the packets did not match the IPsec policy and went out unprotected; the usual cause is a target outside the configured subnet. Once the first test passes you can reach the servers in your local network.
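The outcomes just described can be told apart mechanically from what the Windows ping command prints. The script below is an added example, not part of the original article: the transcripts in it are constructed samples in the format of Windows XP's ping output, and the classification follows the reasoning in the text above (negotiation then replies is good; negotiation only, replies only on a first ping, or timeouts only each point at a different fault).

```python
"""Classify a Windows ping transcript from the VPN test.

Added example, not part of the original article. The sample transcripts are
constructed, not captured; the line formats follow Windows XP's ping command.
"""
import re

# "Reply from 192.168.3.10: bytes=32 time=41ms TTL=63" (time<1ms also occurs)
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+$")

ADVICE = {
    "tunnel_up": "IKE completed and replies came back through the tunnel.",
    "ike_stalled": ("IKE never completed: check both certificates come from the same "
                    "CA, the CA is in Trusted Root, the gateway address in ipsec.conf, "
                    "and that UDP 500 reaches the gateway."),
    "unreachable": "Timeouts only: if IKE had succeeded, ESP (IP protocol 50) is filtered.",
    "no_negotiation": ("Replies without any negotiation: fine if an SA already existed "
                       "from an earlier ping, otherwise the target is outside the "
                       "configured subnet and the packets went out in cleartext."),
    "no_probes": "Nothing recognisable: wrong transcript or ping was not run.",
}


def classify_ping(transcript: str) -> str:
    """Return one of the ADVICE keys for a ping transcript."""
    negotiating = replies = timeouts = 0
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("Negotiating IP Security"):
            negotiating += 1
        elif REPLY_RE.match(line):
            replies += 1
        elif line.startswith("Request timed out"):
            timeouts += 1
    if replies and negotiating:
        return "tunnel_up"
    if negotiating:
        return "ike_stalled"
    if replies:
        return "no_negotiation"
    if timeouts:
        return "unreachable"
    return "no_probes"


def diagnose(transcript: str) -> tuple:
    """Return (label, advice) for a transcript."""
    label = classify_ping(transcript)
    return label, ADVICE[label]


# Constructed sample transcripts (not captured output).
PING_TUNNEL_UP = """\
Pinging 192.168.3.10 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Reply from 192.168.3.10: bytes=32 time=41ms TTL=63
Reply from 192.168.3.10: bytes=32 time=39ms TTL=63
"""

PING_IKE_STALLED = """\
Pinging 192.168.3.10 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
"""

PING_NO_NEGOTIATION = """\
Pinging 192.168.4.10 with 32 bytes of data:

Reply from 192.168.4.10: bytes=32 time<1ms TTL=128
Reply from 192.168.4.10: bytes=32 time<1ms TTL=128
"""

PING_TIMEOUTS = """\
Pinging 192.168.3.10 with 32 bytes of data:

Request timed out.
Request timed out.
"""

if __name__ == "__main__":
    for name, text in [("tunnel", PING_TUNNEL_UP), ("stalled", PING_IKE_STALLED),
                       ("cleartext?", PING_NO_NEGOTIATION), ("timeouts", PING_TIMEOUTS)]:
        label, advice = diagnose(text)
        print(f"{name:>11}: {label:<15} {advice}")
```

Run the check on the first ping after starting ipsec.exe, because that is the only ping that shows the negotiation; on Windows XP, `ipseccmd show sas` lists the security associations and confirms that a later, silent ping is really going through an existing tunnel.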

Anoop Mangla
