- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Interoperating with Microsoft Windows and Apple Mac OS X
From a technical point of view, these Mac OS X versions have the same capabilities, since they all use KAME's Racoon under the hood. However, the Tiger GUI offers functionality not found in the earlier versions, for instance allowing user-friendly configuration of support for X.509 Certificates, VPN dial on demand, and whether to send the default route through the VPN or not. The GUI is geared towards L2TP, but if you manually configure Racoon with your own configuration files, you can also create IPsec tunnels without L2TP. Some third-party software, such as Securitas, is indeed just a GUI for creating Racoon configuration files avoiding Apple's VPN system altogether. Cisco ships its own IPsec client software for Mac OS X.
Always check for the latest updates on third party clients. Tiger especially broke much thirdparty software due to a massive kernel API change. Releases of Mac OS X before Tiger (10.4) do not implement NAT-Traversal, but all versions of Tiger (at least up to 10.4.3) implement NAT-T incorrectly. Due to an error in their IKE daemon, the kernel sends ESP instead of ESP- in-UDP packets.
Mac OS X Tiger Server contains another GUI utility called s2svpnadmin to set up site-to-site tunnels using PSKor X.509-based L2TP/IPsec tunnels.
Layer 2 Tunneling Protocol (L2TP)
One of the limitations of IPsec that we have seen so far, from an end-user point of view, is the automatic configuration of an internal IP address. This is needed for two reasons. Mostly, LANs and WANs are secured against any unauthorized access from the Internet. Generally, firewalls ensure only LAN and WAN IP addresses may access the company's internal servers. The problem is that the IP address of the remote endpoint in an IPsec connection may be some ISP-determined address that would not be known beforehand.
When the firewall is not running on the VPN server, it is impossible to know whether such a connection is an authorized IPsec connection, or a rogue host on the Internet that has managed to get into the network somehow. The easiest solution is to have the VPN server give a connecting IPsec client another IP address, one from the company's IP address pool. Now the client can use that new IP for connections within the company network, and the company network can tell by the IP address that this is a teleworker connecting from home via the VPN server.
Another problem that makes IPsec connections with unknown ISP-assigned IP addresses difficult is NAT and NAT-Traversal. When NAT-Traversal is in use, an IPsec connection is actually established between the private IP address of the roadwarrior and the VPN gateway. The outer IP address of the roadwarrior is not used, except as the envelope around the inner packets. The problem arises when two teleworkers using the same internal IP addressing scheme try to connect to the VPN gateway. The chance of two teleworkers having the same internal IP address becomes pretty high since most ADSL and WiFi routers come with a default internal IP range (usually 192.168.0.0/24 or 10.0.0.0/24), and their DHCP services hand out IP addresses in that range (often 192.168.0.101 and 10.0.0101). The problem is aggravated when the same hardware is used by different teleworkers. Care needs to be taken to ensure everyone has a unique inner IP address.
Openswan 2.5 will support roadwarriors with identical IP addresses (it already does, but this code has not yet been released)
156
Chapter 8
However, the teleworker's computer remains more or less inaccessible by the corporate network, as no one knows its internal IP address. L2TP solves this by handing out an IP address to those teleworker connections. Apart from assigning an IP, it is also often necessary to assign a DNS or WINS server from within the company network, so teleworkers are able to resolve the names of internal servers not published in the public DNS servers. The IKE protocol did not have any capability to relay this information. An extension was needed.
Assigning an IP for VPN Access
Microsoft and SSH worked on the DHCP over IPsec proposal. Though this proposal became an IETF standard, Microsoft never deployed it itself, and only the SSH-Sentinel client supported it. The SSH-Sentinel client was discontinued when it was bought by competitor Safenet. Therefore, DHCP over IPsec is not deployed anywhere, and we will not discuss how to set it up for Openswan.
ModeConfig with XAUTH was mostly a Cisco-driven extension to IKE to solve the IP address assignment issue. Nortel also supported this feature, but added its own proprietary extensions ensuring its client and server products could only interoperate with each other.
Microsoft's Remote Access Service (RAS) provides some of the infrastructure necessary for these features. RAS basically implements a PPP connection, with the typical Microsoft extensions. Microsoft then deployed its own encryption/VPN protocol, which was proven to be insecure on a few occasions. Microsoft ended up using a hybrid of the IPsec protocol and its own protocol called Layer 2 Tunneling Protocol (L2TP). This hybrid is confusingly also called L2TP. We will not delve into the political details of ModeConfig and XAUTH versus L2TP; both schemes are currently deployed on a large scale. Only L2TP, however, does not require one to buy or install a separate VPN client for Microsoft Windows. The same applies to Apple's Mac OS X.
L2TP Properties
L2TP uses IPsec transport mode with ESP. If NAT-Traversal is needed, another layer of ESPinUDP is added on top of that. But L2TP can also use its own encryption method, the one that has been proven insecure, within those packets. Inside the L2TP packets, PPP is used. In some configurations, when the inner Microsoft encryption is not used but the L2TP packets are still encrypted within the IPsec packet, Windows will complain because it is not aware of the outer-layer IPsec encryption. Some system administrators therefore enable this inner encryption layer as well, just to save the end user a bogus warning pop-up window, but not all L2TP daemons support this encryption.
Unlike PPP, which is a point-to-point protocol, L2TP is a routable protocol using UDP port 1701. IPsec connections established for an L2TP connection will request a special IPsec tunnel that limits the protocols and ports that are allowed over the IPsec tunnel to just those needed to transport L2TP packets. The L2TP packets contain the actual PPP packets, which contain the real IP packets with their source and destination addresses and ports. Openswan supports these protocol and port number restrictions using the leftprotoport= and rightprotoport= parameters.
Just like PPP, L2TP can automatically assign various network attributes, such as IP address, netmask, DNS, or WINS servers, just like the traditional PPP-over-RAS protocol can. It also offers better integration with proprietary Microsoft features, making it easier to integrate with the Windows login procedure. For the end user, L2TP is therefore very easy to configure and deploy.
157
Interoperating with Microsoft Windows and Apple Mac OS X
When IPsec is used with L2TP, Microsoft currently only supports 3DES, not AES. PFS is also not supported by Windows clients in L2TP configuration. Openswan version 2.5 will support multiple L2TP clients behind the same NAT.
L2TP has another disadvantage: it adds even more encapsulations to a packet. This is likely to trigger more any PMTU or packet fragmentation issues.
Pure IPsec versus L2TP/IPsec
The question of what type of setup to use is difficult to answer. It depends on a few subjective choices. The easier you make it for VPN clients to connect, the harder your VPN server will be to set up. Ideally, you want to avoid the extra hassle of setting up and maintaining an L2TP infrastructure. And if possible, you want to avoid another layer of packet encapsulation, and even one layer of encryption, especially because these L2TP connections are userland processes on the Linux server. They do not run within the kernel, like IPsec does, and therefore require significantly more CPU power.
However, Windows and Mac OS X support L2TP out of the box. No separate VPN client needs to be installed. If you are installing a separate VPN client anyway, you might as well try to get a client that supports ModeConfig with XAUTH, and avoid the overhead of L2TP altogether. However, be aware that ModeConfig with XAUTH is a fairly recent addition to Openswan, which has not yet been widely tested with Windows clients.
If you are just connecting a handful of users to a single office subnet, then it is recommended that you skip L2TP and ModeConfig with XAUTH altogether. Instead, just ensure your users are set up to use unique LAN IP addresses at home to avoid collisions, and incorporate those ranges into your company firewall rules. Although you will then need to use a third-party VPN client for Windows or Mac OS X, such clients are freely available.
L2TP: PSK or X.509
L2TP's IPsec connection can use either PSK or X.509. We discussed the use of X.509 versus PSK in earlier chapters. In general, X.509 is much preferred over PSK because it is more secure. However, it is far easier to use PSK. Note that Windows 2000 only supports L2TP with X.509. It does not support L2TP with PSK. Mac OS X before Tiger did not support X.509, and with Tiger (10.4.4) it is still hard to configure properly.
In the following sections, we look at how to set up L2TP with either PSK or X.509, but we strongly advise everyone to switch to X.509 as soon as their platform supports it. Remember that PSK does not work too well when NAT-Traversal is involved. Finally, remember that anyone that gets hold of the PSK can pretend to be the VPN gateway and attempt to obtain user credentials. As the PSK needs to be identical for all clients, the larger the company, the larger this risk becomes.
158