Openswan: a Linux IPsec VPN server (1)

Source: Internet
Author: User

 

Section 1 Introduction and classification of VPN

1 PPTP-Based VPN

PPTP (Point-to-Point Tunneling Protocol) is a protocol initiated by Microsoft that works on many Microsoft operating systems, going back to Windows 95. Although it has been in use for a long time, it has many known security weaknesses. It tunnels a PPP connection inside GRE (Generic Routing Encapsulation). The main PPTP implementation on Linux is PoPToP. If PPTP-style dial-in is required, we recommend L2TP over IPsec instead of PPTP: it provides the same functions and is more secure.

2 SSL-Based VPN (Openvpn)

Secure Sockets Layer (SSL) VPNs are becoming increasingly popular. Their biggest advantage is that they need only a single TCP or UDP port, so their traffic passes through most firewalls easily. OpenVPN is the easiest way to implement an SSL VPN on Linux.

3 IPsec-Based VPN

IPsec (IP Security) is an older and widely used VPN technology: a set of authentication and encryption protocols standardised by the IETF. It provides confidentiality, integrity, authenticity and anti-replay protection, and covers data encryption, integrity checking, peer authentication and key management for IP networks.

IPsec on Linux comes in two lineages:

The first is the FreeS/WAN project. Its development was terminated in 2004, and FreeS/WAN split into two successor projects, Openswan and strongSwan. Both ship their own kernel stack (KLIPS) and can also use the IPsec code built into recent kernels.

The second is the KAME lineage, ported from BSD, which uses the kernel's native IPsec stack.

Most of the IPsec specifications do not provide a way to give a remote host a virtual IP address inside the local network, but several extensions address this; one common option is to run L2TP over IPsec, as Microsoft's clients do.

IPsec is the VPN protocol used by most commercial routers. Openswan supports the XAUTH extension and can therefore also act as a client to Cisco, Nortel and other vendors' VPN concentrators.

At the kernel level, IPsec can decide what may and may not pass through the tunnel without touching the firewall rules, and it is very flexible for net-to-net and host-to-net configurations. That flexibility has a cost: it is hard to implement, and getting every IPsec deployment configured correctly is hard work. In addition, although NAT traversal (NAT-T) support has improved a great deal, it still does not work well behind some NAT gateways.

Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms. It is a successor fork created after the open-source FreeS/WAN project stopped development. Openswan consists of three main components:

1 Configuration tool (the ipsec command script)

2 Key management daemon (Pluto)

3 Kernel component (KLIPS or 26sec)

26sec uses the NETKEY module built into the 2.6 kernel, which replaces the KLIPS module developed by the Openswan project. Kernels 2.4 and earlier have no NETKEY module and can only use KLIPS.

For kernels newer than 2.6.9, 26sec is the recommended stack; NETKEY in kernel 2.6.9 and earlier has a known bug, so KLIPS is recommended there.

Part 2 Download, install and configure Openswan

1 Download and build

# wget http://www.openswan.org/download/openswan-2.6.34.tar.gz

# tar xvf openswan-2.6.34.tar.gz

# cd openswan-2.6.34

# make programs

# make install

2 Verify that the installation is correct

# depmod -a

# modprobe ipsec

# ipsec --version

(modprobe ipsec only finds a module if KLIPS was built; on a NETKEY system the kernel's own modules are used and the ipsec startup script loads them.) If output like the following is displayed, the IPsec stack has been loaded; the U part is the Openswan user-space version, the K part the running kernel, and the word in brackets the stack in use:

Linux Openswan U2.6.34/K2.6.18-164.el5 (netkey)

See `ipsec --copyright' for copyright information.

ipsec verify goes one step further and checks the kernel settings (IP forwarding, rp_filter, ICMP redirects) that the next steps adjust; run it again after step 5.

3 Modify the Linux kernel parameters

# vim /etc/sysctl.conf

Change

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

to

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

Forwarding is needed because the gateway routes between the LAN and the tunnel; reverse-path filtering must be off because it drops packets decapsulated by the NETKEY stack.

4 Run the following command to make the settings take effect

# sysctl -p

5 Disable ICMP redirects

The kernel would otherwise send ICMP redirects for packets it is about to encrypt, telling LAN hosts to route around the gateway, and accepting redirects would let a host on the LAN reroute the gateway's own traffic. The script covers the all and default pseudo-interfaces plus eth0, eth1 and lo; adjust the interface names to your gateway.

# vim disable_send_accept_redirects.sh

#!/bin/bash

# Disable sending redirects

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects

# Disable accepting redirects

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

# Drop packets that match a not-yet-negotiated SA instead of queueing them

echo 1 > /proc/sys/net/core/xfrm_larval_drop

# chmod +x disable_send_accept_redirects.sh

# bash disable_send_accept_redirects.sh

Values written to /proc this way are lost at reboot, so either run the script from an init script or put the same keys in /etc/sysctl.conf.
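Steps 3 to 5 set the same few kernel knobs by hand in two places. The following script, added here as an example and not part of the original post or of Openswan, renders them as one sysctl fragment that survives reboots and can audit the live /proc values against it. The interface names (eth0, eth1) and the fragment path /etc/sysctl.d/60-ipsec.conf are assumptions; on a distribution without /etc/sysctl.d, append the printed lines to /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project): render
# the Openswan gateway sysctl settings as a persistent fragment and audit the
# live values. Interface names and the fragment path are assumptions.
set -eu

# Where the kernel exposes the live values. Overridable so the audit can be
# exercised against a fake tree without root.
: "${SYSCTL_ROOT:=/proc/sys}"

# Print "key = value" lines for the given interface names, plus the "all" and
# "default" pseudo-interfaces so interfaces added later are covered too.
ipsec_sysctl_fragment() {
    # The gateway must forward between the LAN and the tunnel.
    printf 'net.ipv4.ip_forward = 1\n'
    # Reverse-path filtering drops packets decapsulated by the NETKEY stack;
    # "ipsec verify" flags it when left on.
    printf 'net.ipv4.conf.all.rp_filter = 0\n'
    printf 'net.ipv4.conf.default.rp_filter = 0\n'
    for iface in all default "$@"; do
        # Sending redirects tells LAN hosts to bypass the tunnel; accepting
        # them lets a LAN host reroute the gateway.
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$iface"
        printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$iface"
    done
    # Drop packets matching a not-yet-negotiated SA instead of queueing them.
    printf 'net.core.xfrm_larval_drop = 1\n'
}

# Compare the live values under $SYSCTL_ROOT with the fragment. Prints every
# mismatch and returns 1 if there is at least one. Reading needs no root.
ipsec_sysctl_audit() {
    bad=0
    tmp=$(mktemp)
    ipsec_sysctl_fragment "$@" > "$tmp"
    while IFS= read -r line; do
        key=${line%% = *}
        want=${line##* = }
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'missing: %s\n' "$key"
            bad=1
        elif [ "$(cat "$path")" != "$want" ]; then
            printf 'drift: %s = %s (want %s)\n' "$key" "$(cat "$path")" "$want"
            bad=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$bad"
}

# Write the fragment and load it with sysctl -p; needs root.
ipsec_sysctl_apply() {
    ipsec_sysctl_fragment "$@" > /etc/sysctl.d/60-ipsec.conf
    sysctl -p /etc/sysctl.d/60-ipsec.conf
}

# Usage: ./ipsec-sysctl.sh print|audit|apply IFACE...
case "${1:-}" in
    print) shift; ipsec_sysctl_fragment "$@" ;;
    audit) shift; ipsec_sysctl_audit "$@" ;;
    apply) shift; ipsec_sysctl_apply "$@" ;;
    *) ;;   # no mode given: only define the functions
esac
```

Run `./ipsec-sysctl.sh audit eth0 eth1` before and after `apply` (or after the echo script above); every line it prints is a setting the tunnel will stumble over.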

6 Generate the host key

# mv /dev/random /dev/random.bak

# ln -s /dev/urandom /dev/random

# ipsec newhostkey --output /etc/ipsec.secrets

Note: the mv and ln -s are only there to save time. ipsec newhostkey reads /dev/random, which blocks until the kernel has gathered enough entropy, and on a freshly installed server that can take a long time. Put the real device back afterwards (mv /dev/random.bak /dev/random): generating a long-lived RSA host key from /dev/urandom on a host with little entropy weakens the key, so on a production gateway it is better to wait for /dev/random or to feed the entropy pool from a hardware source.

Part 3: Configure Openswan

I. Openswan connection methods

1) NET-TO-NET

With this method, networks at different locations are joined into one virtual private network. Once the connection is up, hosts in either network can reach hosts in the other network as if they were on one network. However, there is no transparent access between the two gateways themselves, nor between a gateway and a host in the other side's internal network; this is part of the reason the second method, Road Warrior, exists.

To use this method, the following conditions must be met:

I. Both networks have their own Linux gateway, each with Openswan installed;

II. The IP ranges of the two subnets must not overlap.

2) Road Warrior

This method provides secure dial-in from remote hosts into the local network. It is mainly used by travelling employees to reach internal company resources securely.

It must meet the following conditions:

I. A Linux gateway with a static IP address, with Openswan installed;

II. A laptop with Openswan installed, which may have a dynamic IP address.

It is best to install tcpdump on the local gateway to test the connection.

Openswan supports several authentication methods, such as RSA keys, PSK (pre-shared keys), XAUTH and X.509 certificates. The most common are RSA keys and X.509.
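The two methods above differ in how the remote side is identified, and net-to-net has the non-overlap precondition. The script below, added here as an example and not taken from the original post or from Openswan, checks that precondition arithmetically and then renders the matching ipsec.conf conn sections with RSA-key authentication. The addresses, the @gw-left.example style identities and the 0sAQ... key strings are placeholders; the real keys come from `ipsec showhostkey --left` and `--right` on each peer.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project): verify
# the net-to-net precondition that the two subnets are disjoint, then render
# ipsec.conf sections for a net-to-net link and a road-warrior entry.
# Addresses, identities and the 0sAQ... keys are placeholders.
set -eu

# Dotted quad -> 32-bit integer, e.g. 192.168.1.0 -> 3232235776.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as a 32-bit integer (24 -> 0xFFFFFF00).
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# True (exit 0) if two CIDR blocks share any address: they overlap iff both
# agree on the bits covered by the shorter prefix.
subnets_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then short=$a_len; else short=$b_len; fi
    mask=$(prefix_mask "$short")
    [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# Render a net-to-net conn. The gateway's own address is deliberately not in
# leftsubnet, which is why gateway-to-remote-LAN traffic is not tunnelled.
# Args: name left leftsubnet right rightsubnet
render_net_to_net() {
    if subnets_overlap "$3" "$5"; then
        echo "error: $3 and $5 overlap; net-to-net needs disjoint subnets" >&2
        return 1
    fi
    cat <<EOF
conn $1
        left=$2
        leftsubnet=$3
        leftid=@gw-left.example
        leftrsasigkey=0sAQ...
        right=$4
        rightsubnet=$5
        rightid=@gw-right.example
        rightrsasigkey=0sAQ...
        authby=rsasig
        auto=start
EOF
}

# Render the gateway side of a road-warrior conn: right=%any accepts the
# client from any (dynamic) address and auto=add waits for it to initiate.
# Args: gateway-ip gateway-subnet
render_roadwarrior() {
    cat <<EOF
conn roadwarrior
        left=$1
        leftsubnet=$2
        leftid=@gw-left.example
        leftrsasigkey=0sAQ...
        right=%any
        rightid=@laptop.example
        rightrsasigkey=0sAQ...
        authby=rsasig
        auto=add
EOF
}

# Usage: ./render-conns.sh demo   (prints both sections with sample values)
if [ "${1:-}" = "demo" ]; then
    render_net_to_net site-a-b 203.0.113.1 192.168.1.0/24 198.51.100.1 192.168.2.0/24
    render_roadwarrior 203.0.113.1 192.168.1.0/24
fi
```

The overlap check is the part worth keeping: an overlapping rightsubnet silently produces a policy that never matches, and Pluto will report the tunnel as up while traffic goes nowhere. Since the road-warrior conn identifies the client by rightid and its key rather than by address, the same section serves the laptop wherever it connects from.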

 

This article is from the "Gone with the wind" blog
