Part 1: Introduction and classification of VPNs
1. PPTP-based VPN
PPTP (Point-to-Point Tunneling Protocol) is a protocol initiated by Microsoft that works on many Microsoft operating systems, including Windows 95. Although it has been in use for a long time, it still has many security vulnerabilities. It mainly relies on GRE (Generic Routing Encapsulation) to carry a PPP connection through a tunnel. The PPTP implementation on Linux is mainly represented by PoPToP. If PPTP-style access is required, we recommend L2TP over IPsec instead of PPTP, because it is more secure and provides the same functions.
2. SSL-based VPN (OpenVPN)
Secure Sockets Layer (SSL) virtual private networks (VPNs) are becoming increasingly popular. Their biggest advantage is that only a single TCP or UDP port is needed, so the traffic passes easily through most firewalls. OpenVPN is the easiest way to implement an SSL VPN on Linux.
3. IPsec-based VPN
IPsec (IP Security) is an older and widely used VPN technology. It is a set of authentication and data-encryption protocols developed by the IETF. It provides confidentiality, integrity, authenticity, anti-replay and other security services, and can be used for data confidentiality and integrity checking in IP networks, as well as for authentication and key management.
IPsec on Linux has two kinds of implementation:
The first is the FreeS/WAN project. Its development ended in 2004, and FreeS/WAN split into two projects, Openswan and strongSwan. They provide their own kernel stack and can also work with the code provided in the latest kernels.
The second is KAME, which comes from BSD and uses the kernel's native stack.
Most IPsec specifications do not provide a virtual IP address for remote hosts in the local network, but many extensions solve this problem; for example, Microsoft's L2TP products can run over IPsec.
IPsec is a connection-oriented protocol used by many commercial routers. Openswan, through its XAUTH extension, can also act as a client to Cisco, Nortel and other VPN products.
Without changing firewall rules, IPsec can easily control at the kernel level what may and may not safely pass through the tunnel, and it is very flexible in implementing net-to-net and host-to-net configurations. However, that flexibility also makes it hard to implement, and getting every IPsec instance configured and running correctly is quite difficult. In addition, although NAT-Traversal support has been improved a lot, it still does not work well behind some NAT gateways.
Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on different platforms. Openswan is a successor branch of the open-source FreeS/WAN project, created after FreeS/WAN stopped development. Openswan consists of three main components:
1. Configuration tool (the ipsec command script)
2. Key management tool (Pluto)
3. Kernel components (KLIPS/26sec)
26sec uses NETKEY, the module built into the 2.6 kernel, in place of the KLIPS module developed by Openswan. Kernels 2.4 and earlier have no NETKEY module and can only use KLIPS.
For kernels later than 2.6.9, 26sec is recommended; kernel 2.6.9 itself has a bug in NETKEY, so KLIPS is recommended on that version.
Part 2: Download, install and configure Openswan
1. Download, build and install
# wget http://www.openswan.org/download/openswan-2.6.34.tar.gz
# tar xvf openswan-2.6.34.tar.gz
# cd openswan-2.6.34
# make programs
# make install
2. Verify that the installation is correct.
# depmod -a
# modprobe ipsec
# ipsec --version
If the following information is displayed, the IPsec stack has been loaded:
Linux Openswan U2.6.34/K2.6.18-164.el5 (netkey)
See 'ipsec --copyright' for copyright information.
3. Modify Linux kernel parameters
# vim /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
4. Run the following command to make the settings take effect.
# sysctl -p
5. Disable ICMP redirects
# vim disable_send_accept_redirects.sh
#!/bin/bash
# Disable sending redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# Disable accepting redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# Drop, rather than queue, packets whose IPsec SA is still being negotiated
echo "1" > /proc/sys/net/core/xfrm_larval_drop
# chmod +x disable_send_accept_redirects.sh
# bash disable_send_accept_redirects.sh
6. Generate the host key
# mv /dev/random /dev/random.bak
# ln -s /dev/urandom /dev/random
# ipsec newhostkey --output /etc/ipsec.secrets
Note: the purpose of the mv and ln -s is to save time in the third command, since ipsec newhostkey would otherwise block waiting for entropy from /dev/random. Restore the original /dev/random once the key has been generated.
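To confirm that the kernel settings from steps 3 to 5 are actually persisted in /etc/sysctl.conf (so they survive a reboot), here is an added POSIX shell audit script; it is not part of the original post. The required values are copied from the steps above, and treating the step 5 redirect settings as something that also belongs in sysctl.conf is this script's own assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file
# against the settings this guide requires on the Openswan gateway.
# The REQUIRED list is constructed from steps 3 and 5 above.

REQUIRED='
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
'

# audit_sysctl FILE
# Prints one line per missing or wrong setting; the return value is the
# number of findings, so 0 means every required setting is present and correct.
audit_sysctl() {
  findings=0
  for want in $REQUIRED; do
    key="${want%%=*}"; val="${want#*=}"
    # escape the dots so they match literally in the sed pattern
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    # the last uncommented assignment wins, as sysctl(8) applies them in order;
    # whitespace around '=' is tolerated
    have=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
    if [ -z "$have" ]; then
      echo "MISSING $key (want $val)"
      findings=$((findings + 1))
    elif [ "$have" != "$val" ]; then
      echo "WRONG   $key=$have (want $val)"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# On a live gateway: audit_sysctl /etc/sysctl.conf
```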
Part 3: Configure Openswan
I. Openswan connection methods
1) Net-to-Net
With this connection method, networks at different locations are joined into one virtual private network. Once the connection is established, hosts at both ends can access each other directly, by their existing names. However, there is no transparent mutual access between the two gateways, or between a gateway and a host on the other side's internal network; this is part of the reason the second method, Road Warrior, exists.
To use this method, the following conditions must be met:
I. Both networks have their own Linux gateway with Openswan installed;
II. The IP ranges of the two subnets must not overlap.
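The net-to-net prerequisites above, as an added example that is not part of the original post: a POSIX shell helper that checks the two subnets for overlap and then prints the Openswan ipsec.conf conn section for an RSA-authenticated gateway-to-gateway tunnel. The gateway addresses, subnets and key placeholders are assumed values; the conn keywords (left, leftsubnet, leftrsasigkey, authby=rsasig, auto=start) are standard Openswan ipsec.conf options.

```shell
#!/bin/sh
# Added example (not from the original post): check the net-to-net prerequisite
# that the two subnets do not overlap, then print the matching Openswan
# ipsec.conf "conn" section. Addresses and key values below are assumptions.

# ip2int DOTTED-QUAD: convert an IPv4 address to a 32-bit integer
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# subnets_overlap A/PA B/PB: succeed (0) if the two CIDR blocks overlap
subnets_overlap() {
  a=$(ip2int "${1%/*}"); pa="${1#*/}"
  b=$(ip2int "${2%/*}"); pb="${2#*/}"
  # two blocks overlap exactly when they agree on the shorter prefix
  p="$pa"; [ "$pb" -lt "$p" ] && p="$pb"
  mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# net_to_net_conn NAME LEFT LEFTSUBNET LEFTKEY RIGHT RIGHTSUBNET RIGHTKEY
# LEFTKEY/RIGHTKEY are the public key blobs printed by
# `ipsec showhostkey --left` / `--right` on each gateway.
net_to_net_conn() {
  if subnets_overlap "$3" "$6"; then
    echo "error: subnets $3 and $6 overlap" >&2
    return 1
  fi
  cat <<EOF
conn $1
    left=$2
    leftsubnet=$3
    leftrsasigkey=$4
    leftnexthop=%defaultroute
    right=$5
    rightsubnet=$6
    rightrsasigkey=$7
    rightnexthop=%defaultroute
    authby=rsasig
    auto=start
EOF
}

# Assumed values: gateway A 203.0.113.1 fronting 10.1.0.0/24, gateway B
# 198.51.100.1 fronting 10.2.0.0/24; the key arguments are placeholders.
net_to_net_conn net-to-net 203.0.113.1 10.1.0.0/24 0sAQ_PLACEHOLDER_LEFT 198.51.100.1 10.2.0.0/24 0sAQ_PLACEHOLDER_RIGHT
```

Put the printed section in /etc/ipsec.conf on both gateways (the same text works on both, since Openswan decides which side is "left" by matching its own address) and add the other side's key from ipsec showhostkey.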
2) Road Warrior
This method provides secure dial-in from remote hosts to the local network. It is mainly used so that employees on business trips can securely access the company's internal resources remotely.
This method must meet the following conditions:
I. A Linux gateway with a static IP address and Openswan installed;
II. A laptop with Openswan installed, which may have a dynamic IP address.
It is best to install tcpdump on the local gateway to test the connection.
Openswan supports multiple authentication methods, such as RSA, PSK, XAUTH and X.509. The most common are RSA and X.509.
This article is from the "Gone with the wind" blog.