Build a Linux-based VPN Network

Source: Internet
Author: User
Building a VPN is one of the more advanced Linux applications, and mastering this technology is something to be proud of. The main purpose of a VPN is to establish an encrypted communication mechanism that encrypts and transmits all traffic between your subnets in a specific way, forming a logical virtual network. Simply put, it is an IP-layer encryption solution for Linux systems. Many components are required, which are described below.

1. Preparation and Installation

· Download a 2.4.x kernel from http://www.kernel.org, except for version 2.4.15 (which has a fatal error). Place the kernel source in /usr/src (here we use linux-2.4.18.tar.gz) and unpack it: tar zxvf linux-2.4.18.tar.gz

· Delete the original linux symbolic link: rm linux

· ln -s linux-2.4.18 linux

· Check the current NIC and SCSI models (see the kernel upgrade chapter)

· cd linux (enter the linux-2.4.18 directory)

· make menuconfig

· make dep

· make bzImage

· Compilation is done here!

· Download the latest gmp library from http://www.swox.com/gmp to /usr/local/src.

· tar zxvf gmp-4.0.1.tar.gz

· cd gmp-4.0.1

· ./configure

· make

· make install

· Download freeswan from http://www.freeswan.org ... to /usr/local/src

· tar zxvf freeswan-1.97.tar.gz

· Download x509patch-0.9.11-freeswan-1.97.tar.gz from http://www.strongsec.com/freeswan/. This is the patch file. Unpack it, go into the x509 patch directory, copy freeswan.diff to the freeswan source directory, then return to the freeswan source directory and run: patch -p1 < freeswan.diff

· Download openssl-0 ... from http://www.openssl.org

· ./config (if openssl already exists on the system, you need to uninstall it before installing. In general, however, the uninstall may not succeed 8-). If you cannot uninstall it, find its path and use the --prefix= parameter to specify that path so that the old version's files are overwritten. Strongly recommended: if you are not sure about the path, go to the FTP site of the vendor of your distribution (ftp.turbolinux.com for TurboLinux, ftp.redhat.com for Red Hat), log in as the anonymous user with any e-mail address as the password, find the directory for the release version you use, and download the corresponding RPM package. Note: the package should be at least 0.9.6b1 for i386. After downloading, update with rpm -Uvh. This is very clean.)

· make (skip this step if you upgraded with the rpm package)

· make test (skip this step if you upgraded with the rpm package)

· make install (skip this step if you upgraded with the rpm package). After installation, run the openssl command and enter version to check whether the version you just installed is the one in use. If not, the old version installed earlier may not have been overwritten. Start again from 1.20

· Return to the freeswan source directory, run make menugo, and select all iptables-related and ipsec-related options under Networking options. The ipsec options are added by freeswan. It is best to change M (module mode) in the brackets to * (compiled into the kernel). The following kernel options should be selected:

Enter Networking options and select at least:

  • Network packet filtering (replaces ipchains)
  • Network packet filtering debugging (NEW)
    Go to: IP: Netfilter Configuration --->
    <*> Connection tracking (required for masq/NAT) (NEW)
    FTP protocol support (NEW)
    IRC protocol support (NEW)



    Note: If you need the DHCP function, you also need to add the Packet socket: mmapped IO and Socket Filtering options. For more information, see the DHCP chapter.

    Wait ......

    Mark all of the following options as <*>.
    After returning to the previous menu, mark all the IPSEC-related options at the bottom of the option list as <*>. In addition, if you plan to use a dial-up connection, select ppp support in the network device support menu (note that the ppp program you use must be version 2.4 or later).

    · Check whether the NIC and hard disk options are correct. If there is no problem, exit layer by layer and save the configuration.

    · The kernel is compiled automatically after you exit; wait ......

    · After compilation, go to the /usr/src/linux directory and run: make modules; make modules_install

    · cp System.map /boot/System.map-2.4.18-vpn

    · cd arch/i386/boot

    · cp bzImage /boot/vmlinuz-2.4.18-vpn

    · cd /boot

    · rm System.map

    · ln -s System.map-2.4.18-vpn System.map

    · vi /etc/lilo.conf

    boot=/dev/sda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=50
    lba32
    default=linux-vpn
    image=/boot/vmlinuz
        label=linux
        initrd=/boot/initrd
        read-only
        root=/dev/sda5
    image=/boot/vmlinuz-2.4.18-vpn
        label=linux-vpn
        initrd=/boot/initrd
        read-only
        root=/dev/sda5



    · Run lilo to update the boot data

    · reboot

    · After the system has started, run ipsec setup restart. If there are no errors, freeswan is working normally.

    Note: some necessary kernel parameters can be set in rc.local. They are:

    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward


    If you compiled the following two items as modules (the bracket shows M instead of *):

    FTP protocol support (NEW)
    IRC protocol support (NEW)



    Add the following to rc.local:

    modprobe ip_nat_ftp



    After the installation is complete, we will introduce several VPN methods.

2. Configure FreeS/WAN to support dual-gateway communication. That is, two remote subnets access each other through ipsec VPN gateways.

    The first method is the network-to-network VPN. Typically an enterprise has offices in A and B (a long distance apart), each office has its own LAN, and each connects to the Internet through a leased line. LAN A is the enterprise management center and runs the enterprise management system. Users on LAN B also need to use this management system. Although LAN B could reach it over the Internet (the public network), the company's boss says no: our data cannot be exposed on the Internet and must be encrypted! Our VPN meets exactly this need. First, place one Linux server at the egress of each of the two LANs, A and B. Both have ipsec installed (the many installation steps above), and the traffic of the two LANs enters the public network through their respective machines (the ipsec gateways). All data passing through the gateways is encrypted. In practice, users on the two LANs can ping each other's machines even though one is on the 192.168.1.0/24 network segment and the other is on the 192.168.10.0/24 network segment. They appear to work in the same LAN, without restriction. The encryption on the public network is transparent to them, and the data the two LANs exchange over the public network is ciphertext. This is a Virtual Private Network (VPN).
    I hope you have successfully installed both machines according to the previous steps. Next I will explain how to configure the network-to-network environment.

    · Configure the ipsec gateway of network A (the gateway has two NICs, with addresses eth1: 192.168.1.231 and eth0: 21.9.22.22). After the installation is complete, the first thing to do is generate a CA certificate (using the openssl just installed).

    · Find the openssl.cnf file. It is usually in /etc/ssl/, /var/ssl or /usr/ssl (you can look for it with find / -name "openssl.cnf"!). If there are several, work out which one belongs to the version you installed. Change the value of the default_bits option from 1024 to 2048, and change the value of default_days to 3650, which sets the validity period to 10 years! Save and exit.

    · Create a directory under /var: /var/sslca, and change its permissions to 700 (chmod 700 /var/sslca)

    · Find the CA.sh script in the openssl directory you installed. Note: it should be the CA.sh of the openssl version you are currently running.

    · cd /var/sslca to enter the directory you just created

    · For example, if the CA.sh you just found is in /usr/lib/ssl/misc/, run /usr/lib/ssl/misc/CA.sh -newca. You will be asked a series of questions. The questions and answers are similar to the following; change the answers where you are sure of the change.

    ~/sslca# /usr/lib/ssl/misc/CA.sh -newca
    CA certificate filename (or enter to create)
    (enter)
    Making CA certificate...
    Using configuration from /usr/lib/ssl/openssl.cnf
    Generating a 2048 bit RSA private key
    ........................................++
    ........................................++
    Writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase: (enter password)
    Verifying password - Enter PEM pass phrase: (enter same password again)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US (enter)
    State or Province Name (full name) [Some-State]: State (enter)
    Locality Name (eg, city) []: City (enter)
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: 21 vianet (enter)
    Organizational Unit Name (eg, section) []: (enter)
    Common Name (eg, YOUR name) []: CA (enter)
    Email Address []: ca@xxx.com (enter)
    ~/sslca#



    · The next step is to generate a certificate for the Gateway:

    The command and the question to be answered are as follows:

    ~/sslca# /usr/lib/ssl/misc/CA.sh -newreq
    Using configuration from /usr/lib/ssl/openssl.cnf
    Generating a 2048 bit RSA private key
    ................................
    ..........................++
    Writing new private key to 'newreq.pem'
    Enter PEM pass phrase: (enter password)
    Verifying password - Enter PEM pass phrase: (repeat password)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US (enter)
    State or Province Name (full name) [Some-State]: State (enter)
    Locality Name (eg, city) []: City (enter)
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: ExampleCo (enter)
    Organizational Unit Name (eg, section) []: (enter)
    Common Name (eg, YOUR name) []: vpnserver.rd.xxx.com (enter)
    Email Address []: user@xxx.com (enter)
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: (enter)
    An optional company name []: (enter)
    Request (and private key) is in newreq.pem
    natecars@buzzword:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter PEM pass phrase: (password you entered for the ca certificate)
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'State'
    localityName          :PRINTABLE:'City'
    organizationName      :PRINTABLE:'21vianet'
    commonName            :PRINTABLE:'vpnserver.rd.xxx.com'
    emailAddress          :IA5STRING:'RD@xxx.com'
    Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
    Sign the certificate? [y/n]: y (enter)
    1 out of 1 certificate requests certified, commit? [y/n] y (enter)
    Write out database with 1 new entries
    Data Base Updated
    (certificate snipped)
    Signed certificate is in newcert.pem



    Remember the passwords you entered in the steps above. If you want to start over, remember to delete all the subdirectories under the /var/sslca directory.

    · Rename the files to the names you need

    ~/sslca# mv newcert.pem vpnserver.rd.xxx.com.pem
    ~/sslca# mv newreq.pem vpnserver.rd.xxx.com.key

    · Edit the .key file and delete everything from '-----BEGIN CERTIFICATE REQUEST-----' onward. Afterwards the file should contain only the part from '-----BEGIN RSA PRIVATE KEY-----' to '-----END RSA PRIVATE KEY-----'.

    · If the x.509 patch was installed correctly, you will see /etc/ipsec.d and the directories below it. If they do not exist, create them yourself. Copy the files to the following locations (you are still in the /var/sslca directory):

    # cp vpnserver.rd.xxx.com.key /etc/ipsec.d/private
    # cp vpnserver.rd.xxx.com.pem /etc/ipsec.d
    # openssl x509 -in demoCA/cacert.pem -outform der -out rootca.der
    # cp rootca.der /etc/ipsec.d/cacerts/RootCA.der
    # openssl x509 -in vpnserver.rd.xxx.com.pem -outform der -out /etc/x509cert.der
    # openssl ca -gencrl -out crl.pem
    # cp crl.pem /etc/ipsec.d/crls
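
The manual edit of the .key file described above (keeping only the private key and dropping the certificate request) can be scripted before the file is copied into /etc/ipsec.d/private. This is an added example, not part of the original page: the function names are illustrative and the sample file is constructed placeholder data in the layout of newreq.pem, not a real key.

```shell
#!/bin/sh
# Added example: keep only the private-key block of a CA.sh -newreq output
# file (private key followed by a certificate request) and write it with
# owner-only permissions. Function names are illustrative assumptions.

extract_private_key() {   # $1 = request file, $2 = key file to write
    src=$1 dst=$2
    # Exactly one private-key block is expected in the request file.
    blocks=$(grep -c -E -e '^-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----$' "$src" || true)
    if [ "$blocks" -ne 1 ]; then
        echo "expected 1 private key block in $src, found $blocks" >&2
        return 1
    fi
    # Create the output file unreadable to group and others from the start.
    ( umask 077
      awk '/^-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----$/ { keep = 1 }
           keep { print }
           /^-----END (RSA |ENCRYPTED )?PRIVATE KEY-----$/ { keep = 0 }' "$src" > "$dst"
    ) || return 1
    chmod 600 "$dst"      # also tightens a file that already existed
    # Nothing of the certificate request may remain in the key file.
    if grep -q 'CERTIFICATE REQUEST' "$dst"; then
        echo "certificate request data left in $dst" >&2
        return 1
    fi
}

# Constructed sample in the layout of newreq.pem (placeholder data).
write_sample_newreq() {   # $1 = file to write
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE REQUEST-----
EOF
}

# Demo on the constructed sample, in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_newreq "$demo_dir/newreq.pem"
extract_private_key "$demo_dir/newreq.pem" "$demo_dir/vpnserver.rd.xxx.com.key" &&
    ls -l "$demo_dir/vpnserver.rd.xxx.com.key"
rm -rf "$demo_dir"
```

/etc/ipsec.secrets stores the key's pass phrase in clear text, so it warrants the same owner-only mode as the key file.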



    · Add the following line to /etc/ipsec.secrets and delete all other lines: : RSA vpnserver.rd.xxx.com.key "password". The password is the pass phrase you entered when answering the questions while generating the key.

    # /etc/ipsec.conf - basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=vpnserver.rd.xxx.com.pem
        auto=add
        pfs=yes

    conn roadwarrior
        right=%any

    conn roadwarrior-net
        leftsubnet=192.168.1.0/255.255.255.0
        right=%any

    conn net-net
        leftsubnet=192.168.1.0/255.255.255.0
        right=%any
        rightsubnet=192.168.10.0/255.255.255.0

    conn world-net
        leftsubnet=*
        right=%any
        rightsubnet=192.168.10.0/255.255.255.0



    Change the parts shown in bold to match your actual environment. The subnets at the two ends are 192.168.1.0/24 and 192.168.10.0/24. In the file, vpnserver.rd.xxx.com.pem is a CA certificate. This configuration is generic: it serves both the LAN-to-LAN and the remote-client methods.
    · Next, configure the branch gateway. This machine must also have freeswan and the other software installed in advance.

    Repeat steps 2.7-2.9 above to generate the certificate for the branch. Note: when answering the questions, the host name changes to the name of the branch's gateway machine, for example vpnclient.rd.xxx.com.

    · Copy the following files to the corresponding locations on the branch gateway (for example, by floppy disk):

    cp vpnserver.rd.xxx.com.pem /etc/ipsec.d
    cp vpnclient.rd.xxx.com.key /etc/ipsec.d/private
    cp vpnclient.rd.xxx.com.pem /etc/ipsec.d
    Run the following command: openssl x509 -in vpnclient.rd.xxx.com.pem -outform der -out /etc/x509cert.der
    cp rootca.der /etc/ipsec.d/cacerts/RootCA.der
    cp crl.pem /etc/ipsec.d/crls



    · Configure /etc/ipsec.secrets on the branch and write one line:

    : RSA vpnclient.rd.xxx.com.key "password"

    Delete the other lines. The password is the pass phrase you entered when you answered the questions.

    · Configure /etc/ipsec.conf

    # basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        right=%defaultroute
        rightcert=vpnclient.rd.xxx.com.pem
        auto=add
        pfs=yes

    conn roadwarrior
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem

    conn roadwarrior-net
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem
        leftsubnet=192.168.1.0/255.255.255.0

    conn net-net
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem
        leftsubnet=192.168.1.0/255.255.255.0
        rightsubnet=192.168.10.0/255.255.255.0



    Modify the parts shown in bold according to your actual situation.

    · First start ipsec on the server: ipsec setup restart, and then start the ipsec

    · Establish the tunnel: ipsec auto --up net-net. The server can then use the command ipsec whack --status to see several new tunnels. At this point, machines in the two subnets should be able to ping each other.
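
The two gateways must describe the net-net connection with the same subnets on the same sides, and the branch must reference the headquarters certificate that the server declares in conn %default. The following is an added example, not code from the original page or from the FreeS/WAN project: a shell check that resolves each parameter through conn %default and compares the two files. The function names and the demo file names gw-a.conf and gw-b.conf are assumptions, and the sample files are trimmed copies of the two configurations above.

```shell
#!/bin/sh
# Added example: check that both gateways describe one conn identically.

# conn_param FILE CONN KEY: print the effective value of KEY for CONN,
# falling back to "conn %default" when the section does not set it.
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^(conn|config)[ \t]/ { section = ($1 == "conn") ? $2 : ""; next }
        section == conn || section == "%default" {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val[section] = v
        }
        END {
            if (conn in val) print val[conn]
            else if ("%default" in val) print val["%default"]
        }' "$1"
}

# check_pair FILE_A FILE_B CONN: report parameters on which the ends differ.
check_pair() {
    rc=0
    for key in leftsubnet rightsubnet authby leftcert; do
        a=$(conn_param "$1" "$3" "$key")
        b=$(conn_param "$2" "$3" "$key")
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $3 $key: '$a' vs '$b'"
            rc=1
        fi
    done
    return $rc
}

# Trimmed copies of the two configurations above (headquarters, branch).
write_samples() {   # $1 = directory to write into
    cat > "$1/gw-a.conf" <<'EOF'
conn %default
    authby=rsasig
    left=%defaultroute
    leftcert=vpnserver.rd.xxx.com.pem
conn net-net
    leftsubnet=192.168.1.0/255.255.255.0
    right=%any
    rightsubnet=192.168.10.0/255.255.255.0
EOF
    cat > "$1/gw-b.conf" <<'EOF'
conn %default
    authby=rsasig
    right=%defaultroute
    rightcert=vpnclient.rd.xxx.com.pem
conn net-net
    left=21.9.22.22
    leftcert=vpnserver.rd.xxx.com.pem
    leftsubnet=192.168.1.0/255.255.255.0
    rightsubnet=192.168.10.0/255.255.255.0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_pair "$demo_dir/gw-a.conf" "$demo_dir/gw-b.conf" net-net &&
    echo "net-net: both ends agree"
rm -rf "$demo_dir"
```
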
3. Configure FreeS/WAN to support remote client access. That is, a Windows client is allowed to communicate with the company's internal network through the VPN.

    This second VPN method simply replaces the branch LAN with a single machine that has no fixed address. It suits the situation where the general manager, while traveling, connects to the headquarters network through a remote ISP. Not only is the connection authenticated, but all data passing through the ISP and the Internet is encrypted. The configuration on the server side is exactly the same as above (remember? The configuration we gave above already accounts for both usage methods). What remains is to set up the general manager's notebook as a VPN client. His notebook should run Windows, upgraded to SP2.

    · First, repeat steps 2.7-2.9 to generate a certificate. For the host name, enter the machine name of the general manager's computer, something like win.rd.xxx.com. Of course, the general manager's machine should have that same name.

    openssl pkcs12 -export \
        -in win.rd.xxx.com.pem \
        -inkey win.rd.xxx.com.key \
        -certfile demoCA/cacert.pem \
        -out win.rd.xxx.com.p12



    · View the CA certificate's subject with the following command. It is best to write the result to a file and keep it for later use.

    openssl x509 -in demoCA/cacert.pem -noout -subject

    · Transfer the p12 file generated above to the general manager's machine and put it in a proper place (this file is very important).

    · Download ipsec.exe from http://vpn.ebootis.de on the general manager's machine

    · On the general manager's machine, obtain the ipsec resource tool from http://agent.microsoft.com/windows2..

    · Install both programs and put them in the same directory.

    · Create an ipsec MMC (hopefully you know what MMC is):

    Start / Run / MMC
    File (or Console) - Add/Remove Snap-in
    Click 'Add'
    Select 'Certificates', and then click 'Add'
    Select 'Computer account' and click 'Next'
    Select 'Local computer' and click 'Finish'
    Select 'IP Security Policy Management' and click 'Add'
    Select 'Local computer' and click 'Finish'
    Click 'Close' and then 'OK'

    Expand 'Certificates (Local Computer)' in the left-hand pane
    Right-click 'Personal', select 'All Tasks', and click 'Import'
    Click Next

    Enter the path of the .p12 file (the one you copied from the server gateway just now; you can browse to it) and click 'Next'. Enter the export password, click Next, and select 'Automatically select the certificate store based on the type of certificate'. Then click Next through to Finish. If a prompt window appears, select Yes. Exit MMC and save the current configuration to the management tools. A certificate has now been added to the general manager's machine.

    · Set up the ipsec tool:

    Edit the ipsec.conf file on the general manager's machine and set the value of rightca to the output of the openssl x509 -in demoCA/cacert.pem -noout -subject command. It looks similar to the following:

    conn roadwarrior
        left=%any
        right=(ip_of_remote_system)
        rightca="C=US, S=State, L=City, O=21 vianet, CN=CA, mail=ca@xxx.com"
        network=auto
        auto=start
        pfs=yes

    conn roadwarrior-net
        left=%any
        right=(ip_of_remote_system)
        rightsubnet=192.168.1.0/24
        rightca="C=US, S=State, L=City, O=21 vianet, CN=CA, mail=ca@xxx.com"
        network=auto
        auto=start
        pfs=yes



    Make sure that the configuration is correct.

    · Running ipsec.exe produces the following output:

    C:\ipsec>ipsec
    IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
    Getting running Config...
    Microsoft's Windows XP identified
    Host name is: (local_hostname)
    No RAS connections found.
    Lan ip address: (local_ip_address)
    Setting up IPSec...

    Deactivating old policy...
    Removing old policy...

    Connection roadwarrior:
    MyTunnel: (local_ip_address)
    MyNet: (local_ip_address)/255.255.255.255
    PartnerTunnel: (ip_of_remote_system)
    PartnerNet: (ip_of_remote_system)/255.255.255.255
    CA (ID): C=US, S=State, L=City, O=ExampleCo,...
    PFS: y
    Auto: start
    Auth. Mode: MD5
    Rekeying: 3600S/50000K
    Activating policy...

    Connection roadwarrior-net:
    MyTunnel: (local_ip_address)
    MyNet: (local_ip_address)/255.255.255.255
    PartnerTunnel: (ip_of_remote_system)
    PartnerNet: (remote_subnet)/(remote_netmask)
    CA (ID): C=US, S=State, L=City, O=ExampleCo,...
    PFS: y
    Auto: start
    Auth. Mode: MD5
    Rekeying: 3600S/50000K
    Activating policy...
    C:\ipsec>

    At this point, when the client pings the server, it can ping through to the intranet after several 'Negotiating IP Security' responses. The general manager can then take this notebook anywhere with an Internet connection and connect to the company just as if in the office.

    Note: for security reasons, we recommend that you disable all other services on the VPN gateway and configure the firewall carefully. Generally, if you want to send all traffic to the gateway of the main site, you do not need to add an iptables policy on the branch site. Otherwise, you need to add the following policy:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    For routing reasons, the following policies need to be added on the main site:

    iptables -t nat -A POSTROUTING -o ipsec0 -s ! 192.168.10.0/255.255.255.0 -j SNAT --to 192.168.1.231
    iptables -t nat -A POSTROUTING -o eth1 -s ! 192.168.10.0/255.255.255.0 -j SNAT --to 192.168.1.231

    In each rule, the first address is the subnet segment and the last is the internal interface address of the gateway.