Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Interoperating with Other Vendors

GUI Issues

Most often, the real problems in configuring appliances are their user interfaces. People who hate working from the command line might want to avoid certain models of Cisco routers, while others would avoid GUI tools. Most appliances these days come with a web interface, but the quality of these interfaces varies greatly. They are sometimes only tested with Microsoft Internet Explorer, and may fail with Mozilla/Firefox, Safari, or other browsers. They might rely on Java or JavaScript in the browser, or worse, might not even work on the latest version of your browser. Sometimes they use pop-up windows that a modern browser blocks automatically. Too often, changing many fields at once will not actually update them all. We have also come across routers that offer combinations of options that are mutually exclusive, such as multiple IKE proposals when using Aggressive Mode. Other examples of a bad GUI include some types of Linksys devices, which auto-generate web SSL certificates with the same DN on every device. As a result, if you try to configure two or more of these devices, your browser will detect "contradicting" certificates and refuse to let you configure the additional devices.

Keepalives

A lot of devices have ways of keeping the connection alive. This is almost never a properly implemented DPD or NAT-T keepalive. Instead, vendors often use a simple ICMP ping packet. If you have an always-on option, leave it disabled until you have a working configuration. Only then try to enable these features, since on some devices these keepalives actually cause more problems than they solve. Even if these features are properly implemented, if your bandwidth has peaks that reach full link utilization, then these keepalives (whether pings or proper DPD packets) run the risk of being dropped due to link congestion, which will cause the connection to be actively terminated by the end that does not receive answers to its keepalives.

ISP Filtering

As with the Windows clients in the previous chapter, you might run into ISP filtering. Unfortunately some ISPs filter out UDP port 500 (IKE) to prevent people from starting VPN connections in an attempt to sell a 'business' subscription. If you think this might be the case for you, and you do not see any packet or log on the Openswan side, use the ikeping utility that ships with Openswan to test for these filters. Note that with ikeping you can only test for UDP port 500 filters, not ESP filters. For a full network test, see the ipsec livetest command.

Frequently used VPN Gateways

The remainder of this chapter will show and discuss a few commonly used appliances. Even if your appliance is not described here, it might be useful to read through for common problems that might apply to your appliance.

Webmin with Openswan

Webmin is a web-based administration program that supports many different operating systems and many software packages. It normally runs on http://localhost:10000/ and is supported on all major Linux distributions. Webmin contains a module for the configuration of VPNs, although this module is unfortunately still somewhat focused on FreeS/WAN, and is therefore lagging a little behind current Openswan developments. This will not be a problem for fairly straightforward connections, such as Linux site-to-site connections, but if you need to use new options such as DPD or forced encapsulation, then you might find those missing from the GUI.

The interface is fairly straightforward and simple enough to control. It contains sane default values. One error is that it does appear to support NAT-Traversal, but does not support setting the virtual_private= parameter needed on the server side to make NAT-Traversal work. It is also not aware of NETKEY, which may cause problems. It does, however, fully support Opportunistic Encryption and changing the policy group files.

The following screenshot shows Webmin's IPsec VPN Configuration page.

You should not need to edit any of these fields unless it has failed to detect the proper location of a file. This might happen on unsupported Linux distributions that use the /etc/ipsec/ directory to store ipsec.conf and ipsec.secrets.

The IPsec options page contains information about the OE policy groups, and whether to start IPsec at bootup. You can Add a new IPsec VPN connection, and it even supports the import of connection definitions from files. You can manage the public and secret keys, and go to the Global VPN server settings page, where you will probably need to change the Network interfaces for IPsec setting to Default route interface.


Most of the connection parameters for left and right are supported in Webmin. You can even choose to fetch the key from DNS.


Cisco VPN 3000

The Cisco VPN 3000 is an old product that is still widely deployed. It required a special commercial license to support 3DES, and therefore many of the deployed units lack this. It was also discontinued before AES became an alternative algorithm. If you wish to use its 1-DES support, you will need to make sure Openswan is compiled with USE_WEAKSTUFF=true.

On Openswan versions before 2.4.0, you also need to manually edit programs/pluto/Makefile.options and enable -DUSE_1DES. On Openswan 2.4.0 and higher, this requires setting the Makefile.inc variable USE_NOCRYPTO=true. You should be able to determine whether your Cisco VPN 3000 supports 3DES by using the show version command.

Usually, these deployments use the Cisco VPN client, and focus on using Aggressive Mode with ModeConfig and XAUTH. They do not support PFS. An example configuration that might work for you is the following:

conn cisco-3000
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftmodecfgclient=yes
    leftxauthclient=yes
    leftid=@xelerance
    ike=3des-md5-modp1024
    esp=3des-md5
    right=ip-of-cisco-3000
    rightsubnet=subnet-behind-cisco-3000
    rightxauthserver=yes
    rightmodecfgserver=yes
    modecfgpull=yes
    auto=add
    pfs=no

You cannot use auto=start, because XAUTH needs to prompt you for a username and password, and for that it needs a controlling TTY to talk to the user. Instead, you must use auto=add, and then run ipsec auto --up cisco-3000 to get the username and password prompt. For more information on XAUTH and ModeConfig, see Chapter 2 and the documentation in openswan-2/doc/README.xauth*.

Cisco PIX Concentrator

The following is an example configuration for connecting to a Cisco PIX using a PSK. This example uses 3DES: make sure that the PIX supports either 3DES or AES. If you are using an old Cisco, you might be stuck with 1-DES, in which case you should really just upgrade.

conn pix
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    leftid=@openswan_to_pix
    right=CiscoIP
    rightid=CiscoIP
    rightsubnet=10.0.2.0/24
    authby=secret
    esp=3des-sha1-96
    compress=yes
    auto=route

And in /etc/ipsec.secrets:

@openswan_to_pix CiscoIP: PSK "presharedkey"
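Added example (not from the book, and not an Openswan tool): a small checker that parses ipsec.conf conn sections like the Cisco VPN 3000 and PIX ones above and flags the pitfalls this section describes, namely an XAUTH client with auto=start, Aggressive Mode without pfs=no, and single-DES proposals that would require USE_WEAKSTUFF. The sample conn "cisco-bad" is a constructed misconfiguration.

```python
# Added example (not from the book): a linter for Openswan ipsec.conf conn sections
# that flags the interoperability pitfalls described in this chapter.
import re

# Constructed sample: the book's Cisco VPN 3000 conn (trimmed) plus a deliberately wrong variant.
SAMPLE = """\
conn cisco-3000
    aggrmode=yes
    leftxauthclient=yes
    ike=3des-md5-modp1024
    esp=3des-md5
    auto=add
    pfs=no
conn cisco-bad
    aggrmode=yes
    leftxauthclient=yes
    esp=des-md5
    auto=start
"""

def parse_conns(text):
    """Return {conn name: {key: value}}; also accepts keys on the 'conn' line itself."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        m = re.match(r"conn\s+(\S+)\s*(.*)$", line)
        if m:
            cur, line = m.group(1), m.group(2)
            conns[cur] = {}
        for tok in line.split() if cur else ():  # ignore lines before the first conn
            k, _, v = tok.partition("=")
            if v:
                conns[cur][k] = v
    return conns

def proposal_has_weak_alg(proposal):
    """True if any alternative in an ike=/esp= list uses single DES (needs USE_WEAKSTUFF)."""
    return any(alt.split("-", 1)[0].lower() in ("des", "1des") for alt in proposal.split(","))

def lint_conn(name, opts):
    """List the chapter's pitfalls present in one conn section (empty list means clean)."""
    problems = []
    if "yes" in (opts.get("leftxauthclient"), opts.get("rightxauthclient")) and opts.get("auto") == "start":
        problems.append("XAUTH client needs a TTY for the password prompt: use auto=add, then 'ipsec auto --up %s'" % name)
    if opts.get("aggrmode") == "yes" and opts.get("pfs", "yes") != "no":   # Openswan defaults to pfs=yes
        problems.append("Aggressive Mode peers such as the Cisco VPN 3000 do not support PFS: set pfs=no")
    for key in ("ike", "esp"):
        if key in opts and proposal_has_weak_alg(opts[key]):
            problems.append("%s= uses single DES; move the peer to 3DES or AES rather than building with USE_WEAKSTUFF" % key)
    return problems
```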
