Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Preface

With the widespread use of wireless networking and the integration of VPN capabilities in most modern laptops, PDAs, and even cellular phones, there is a growing desire for encrypting more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor snooping on your WiFi network? Or are your competitors perhaps engaged in industrial espionage? You might need to send confidential information to your office while on the road or on board a ship, or perhaps you just want to securely access your MP3s at home. IPsec is the industry standard for encrypted communication, and Openswan is the de facto IPsec implementation for Linux.

Whether you want to connect your home network with your laptop when on the road, or you need an industrial-size, military-strength VPN infrastructure for a very large organization, this book will assist you in setting up Openswan for those needs.

The book will take you through the process of designing, building, and configuring Openswan as your VPN gateway, covering these topics with the detail and depth of explanation you would expect from key members of the Openswan development team. Note that Openswan is not restricted to Linux clients: it can serve clients running all common operating systems, such as Microsoft Windows and Mac OS X. Furthermore, we look at some common interoperability examples for third-party hardware from vendors such as Cisco, Check Point, NetScreen, and others.

As official developers of the Openswan code, the authors give you the inside view on essential techniques. This book includes the latest developments and upcoming issues. With their experience in answering queries from users on the mailing lists since the creation of Openswan, and its predecessor FreeS/WAN, the authors are authority figures well known and respected by the community. They know the ins and outs of a wide range of setups, and also know the caveats and pitfalls that can obstruct successful Openswan deployment.

What This Book Covers

Chapter 1 presents the historical context of IPsec and Openswan, and discusses the legal aspects involved with using and selling cryptography tools such as Openswan.

Chapter 2 explains in non-mathematical terms how the IPsec protocols work. It is written especially with the system administrator in mind, and will suit beginners and cryptographic experts alike.

Chapter 3 contains all you need to know to install Openswan on any of the major Linux distributions. It covers installation from binary packages, as well as how to build Openswan from source. It also guides you through the features your kernel needs to support, and helps you choose between the two IPsec stacks currently available – KLIPS and NETKEY.


Chapter 4 is a step-by-step tutorial on how to configure the most common type of Openswan VPN connections. These include net-to-net, host-to-net, roaming users (roadwarriors), and head office to branch office connections. This chapter also investigates common scenarios, such as Cisco implementations using Aggressive Mode, and XAUTH with Openswan as the IPsec client.

Chapter 5 introduces IPsec authentication using X.509 Certificates. It explains how X.509 certificates work, how to generate them for Linux, Windows, and Mac OS X clients, and how to set up your own Certificate Authority.

Chapter 6 explains the Openswan feature known as Opportunistic Encryption (OE). This technology allows automatic host-to-host encryption between machines without any specific configuration by the end user. Using OE, anyone can reach your servers over IPsec-protected connections without even realizing it.

Chapter 7 digs right down to the packet level and discusses common problems that you might face on your IPsec gateway. These include special firewalling rules, handling broken IPsec implementations, and various MTU-related issues that can occur.

Chapter 8 discusses IPsec from the perspective of the two most popular end-user operating systems: Microsoft Windows and Apple Mac OS X. This chapter will help you decide between X.509 Certificates and the less complex L2TP. It includes a detailed guide on how to set up L2TP on your Openswan VPN server, and explains how to configure X.509 or L2TP on your Microsoft Windows or Apple Mac OS X clients. We also look at the pros and cons of some commonly used third-party software packages that work with Openswan.

Chapter 9 deals with getting Openswan to properly interoperate with third-party IPsec VPN servers from vendors such as Cisco, Check Point, NetScreen, and WatchGuard, as well as various other common modem/router appliances.

Chapter 10 explores how to use IPsec to encrypt local traffic on an intranet. It specifically focuses on 802.11 wireless connections, but it applies in general to all types of LAN. It discusses Xelerance's IPsec WaveSEC software, as used to encrypt the wireless networks at IETF, BlackHat, and DefCon.

Chapter 11 discusses advanced Openswan techniques, such as how to set up a robust fail-over VPN Openswan server, and how to deal with the bottlenecks that large enterprise deployments can experience, as well as how to handle BGP and OSPF using IPsec and Openswan.

Chapter 12 is the distillation of two years of end-user support on the public mailing lists. The chapter shows the solutions to common problems that you can encounter in your IPsec setup. This is a chapter that you will come to rely on to help you through the hiccups of real-world deployment.

Appendix A discusses some bleeding-edge Linux kernel issues, known security vulnerabilities, and bugs, as well as upcoming features for end-users and developers.

Appendix B provides a tutorial in networking basics to provide a firm grounding in relevant TCP/IP concepts and principles that are essential for a good understanding of your network.

Appendix C lists helpful online resources for Openswan users, and Appendix D lists IPsec-related RFC documents.


What You Need for This Book

You only need a Linux box and a network to install and run Openswan. Testing some of the configurations discussed in the book would require other machines running different operating systems and/or other VPN appliances.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

There are three styles for code. Code words in text are shown as follows: "We can include other contexts through the use of the include directive."

A block of code will be set as follows:

    version 2
    config setup
        #klipsdebug=none
        #plutodebug="control parsing"
        nat_traversal=yes

When we wish to draw your attention to a particular part of a code block, the relevant lines or items will be made bold:

    version 2
    config setup
        #klipsdebug=none
        #plutodebug="control parsing"
        nat_traversal=yes

Any command-line input and output is written as follows:

# sudo "/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access"

New terms and important words are introduced in a bold-type font. Words that you see on the screen, in menus or dialog boxes for example, appear in our text like this: "clicking the Next button moves you to the next screen".

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.
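The ipsec.conf fragment shown under Conventions is only the opening of a configuration file. As an added example, not taken from the book or from the Openswan project, here is what a complete minimal file for the net-to-net connection type described in Chapter 4 looks like, with a pre-shared key. The gateway addresses, subnets, and identities are placeholders chosen for illustration; the option names are standard Openswan 2.x ipsec.conf keywords.

```conf
# Added example (not from the book): minimal Openswan ipsec.conf for a
# net-to-net tunnel between two gateways, authenticated by a pre-shared key.
# All addresses, subnets and identities below are illustrative placeholders.
version 2

config setup
    # Leave debugging off in production: the output is verbose and can
    # expose negotiation details in your logs. Uncomment only to troubleshoot.
    #klipsdebug=none
    #plutodebug="control parsing"
    # Needed when either gateway or a client sits behind NAT (Chapter 7).
    nat_traversal=yes

conn net-to-net
    # "left" is this gateway, "right" is the remote one; Openswan works out
    # which side it is from the local addresses, so the same file can be
    # used on both gateways.
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    leftid=@west.example.com
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    rightid=@east.example.com
    # Restrict the proposals to a single strong IKE and ESP suite rather
    # than accepting whatever the peer offers first.
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    # Pre-shared key authentication; the key itself lives in ipsec.secrets.
    authby=secret
    # Bring the tunnel up when the IPsec service starts.
    auto=start
```

The matching entry in /etc/ipsec.secrets pairs the two identities with the key, in the form `@west.example.com @east.example.com : PSK "a long random passphrase"`, and that file must be readable by root only. Using `@name` identities rather than bare IP addresses keeps the secrets file valid if a gateway's address changes, and the identical ipsec.conf can be copied to both gateways.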

Reader Feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
