Administering Linux IPSec Virtual Private Networks

    Date: 14 Nov 2002
    Posted by: Anthony Pell
    This article will discuss some of the more advanced features of FreeS/WAN that you can leverage to implement flexible and reliable IPSec VPNs. The ultimate source of information on FreeS/WAN is the official FreeS/WAN Web site (http://www.freeswan.org). The Web site has links to virtually all the tools and information that you will need to implement IPSec on Linux.

    An Overview of IPSec

    IPSec is an extension to the Internet Protocol (IP) that provides not just encryption but also authentication at the network layer (layer 3 of the OSI Reference Model). The next generation of IP, IP version 6 (IPv6), supports IPSec natively, since IPSec is a requirement of the IETF's specification for IPv6.

    IPSec is a collection of protocols. Three protocols are used to handle encapsulation, encryption, and authentication -- the AH (Authentication Header), the ESP (Encapsulating Security Payload), and the IKE (Internet Key Exchange). IPSec is typically transparent to end users. Applications do not need to be rewritten nor do users need to be retrained to use IPSec-based networks. End users need not even be aware that they are using IPSec to tunnel data through an insecure network.

    The AH and ESP handle encryption and authentication. The AH is added after the IP header but before the data (payload); see Figure 1. The AH carries authentication information, typically a value generated with MD5 (Message Digest Algorithm) or SHA (Secure Hash Algorithm) under a shared key. The AH is purely for authentication and is used to verify that the sender is who it claims to be. The AH does not perform encryption.

    ESP provides for one or both of encryption and authentication. It may be used with or without AH. While it is possible to set up tunnels with only one of authentication or encryption deployed, this method leaves communications open to numerous forms of attack. Encryption is carried out using a block cipher (a symmetric or shared-key cipher operating on fixed-size blocks of plaintext), with 3DES being commonly used. Figure 2 illustrates the encapsulation process. RFCs for the deployment of other encryption algorithms (e.g., IDEA, Blowfish, and RC4) have been published and are actively supported by vendors. Encryption keys are shared using IKE.

    IKE negotiates the connection parameters, including initialization, handling, and renewal of encryption keys. Authentication is carried out using privately shared secrets (e.g., a secret phrase) or RSA cryptographic keys that guarantee the identities of both parties. IKE is based on the Diffie-Hellman method for exchanging authentication tokens. Bulk encryption algorithms, such as triple DES or Data Encryption Standard, are used to encrypt data. Hash algorithms such as MD5 and SHA provide authentication of each packet. Connections are "re-keyed" (i.e., a new authentication key is negotiated) at frequent time intervals for added security.

    IPSec inserts header and encrypted payload data into an existing IP (often non-IPSec) packet. This allows IPSec data to traverse any IP network. A primary reason for the widespread adoption of IPSec (in contrast to IPv6) is that all IP networks (including IP version 4) can pass IPSec traffic with no modification to the underlying network. IPSec has been implemented both in hardware and software. All major vendors of network hardware and software applications support IPSec networking. Virtually all networked operating systems now support IPSec. IPSec also enjoys considerable support in the Open Source community. Although virtually all IPSec implementations are compliant with the existing RFCs, they may not necessarily interoperate. IPSec implementations from different vendors should be tested to ensure that they are fully compatible.

    FreeS/WAN -- An Open Source IPSec Implementation for Linux

    FreeS/WAN is composed of two distinct components. The first is KLIPS (KerneL IP Security), a collection of modifications to the standard Linux kernel. For information on compiling KLIPS into a standard Linux kernel, see my previous article or the FreeS/WAN documentation. The second component is the standalone Pluto daemon, which is also installed and configured in the FreeS/WAN install process. Pluto handles IKE protocol authentication requests and interacts with the KLIPS components of the kernel, which handle encapsulation and encryption.

    FreeS/WAN IPSec is configured through the ipsec.conf file. Once FreeS/WAN is installed on the system, virtually all configuration changes involve editing the ipsec.conf configuration file. Another file, ipsec.secrets, holds authenticators (i.e., cryptographic key sets, shared secrets).

    The ipsec application (not to be confused with the IPSec protocol -- see the manpage for ipsec) is a set of utilities that control and invoke the IPSec implementation. Among other utilities, the ipsec application contains a troubleshooting aid and utilities to bring IPSec tunnels up and down and to query the status of each IPSec tunnel. All we need to start building VPNs is to edit the ipsec.conf and ipsec.secrets files and then invoke IPSec through the ipsec application.
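    As an added example (not taken from the article or from the FreeS/WAN project), a minimal FreeS/WAN net-to-net configuration in the ipsec.conf and ipsec.secrets syntax the article refers to, followed by the ipsec commands that start and inspect the tunnel; the gateway addresses, subnets, next hop and pre-shared secret are constructed placeholders.

```conf
# /etc/ipsec.conf -- added example, not from the article or FreeS/WAN itself.
# Gateways, subnets, next hop and the secret are constructed placeholders.
config setup
    # bind KLIPS/Pluto to the interface that carries the default route
    interfaces=%defaultroute
    # leave kernel and daemon debugging off; raise it only while troubleshooting
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    # keep retrying the IKE negotiation rather than giving up
    keyingtries=0
    # peers authenticate with the pre-shared secret held in ipsec.secrets;
    # RSA keys (authby=rsasig, generated with `ipsec rsasigkey`) are the
    # stronger choice once both gateways are under your control
    authby=secret
    # limit how long any one key is used: re-key the IKE SA hourly and the
    # ESP keys every 20 minutes, with Perfect Forward Secrecy on
    ikelifetime=60m
    keylife=20m
    pfs=yes

# net-to-net tunnel: office LAN 10.1.0.0/16 <-> branch LAN 10.2.0.0/16;
# hosts on either LAN need no changes and never see that IPsec is in use
conn office-branch
    type=tunnel
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=%defaultroute
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightnexthop=198.51.100.254
    # negotiate the tunnel as soon as IPsec starts
    auto=start

# /etc/ipsec.secrets -- root-owned, mode 0600. Keyed by the two gateway
# addresses because Main Mode needs the secret before the peer IDs are known.
192.0.2.1 198.51.100.1: PSK "constructed-placeholder-use-a-long-random-secret"

# Operating the tunnel as root on the gateway (auto=start negotiates it on
# startup; the second command re-negotiates it by hand):
#   ipsec setup start
#   ipsec auto --up office-branch
#   ipsec auto --status     # IKE and ESP state per connection
#   ipsec look              # KLIPS eroutes and security associations
```

Both gateways hold the same two files with left and right interpreted from their own address, so one configuration can be copied to both ends unchanged.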
