Setting up a VPN Gateway

How to install and run an IPSec-based VPN gateway with a firewall using a single bootable Linux diskette distribution.

A virtual private network (VPN) is a tool that enables the secure transmission of data over untrusted networks such as the Internet. VPNs commonly are used to connect local area networks (LANs) into wide area networks (WANs) using the Internet. Perhaps you need to build a VPN between two offices but are not sure if the large infrastructure costs associated with an enterprise-level VPN solution are justifiable. The performance of applications that are intended for use over LANs (for example, those that use network file sharing) can be seriously degraded over WAN connections. Likewise, the lower bandwidth and longer latency of WAN connections can adversely affect the reliability and performance of groupware and thin-client applications. Perhaps you have a home office and would like to use your high-speed internet access to connect seamlessly and securely to your office LAN through an IPSec-capable router. Or perhaps you are just curious about VPNs and IPSec in general and want to experiment.

The VPN firewall discussed in this article will run on just about any 486-or-better PC that has 16MB or more main memory and two Linux-compatible Ethernet network cards. The idea is to provide a starting point from a single, self-contained package that will allow you to create robust, secure, scalable and highly configurable VPNs that also are interoperable with many common commercial VPN implementations. If you wish to experiment on a low-maintenance firewall-VPN gateway, then the package discussed here might be ideal for you.

This article shows you how to set up, at minimal expense, a working VPN gateway that uses the IETF's (Internet Engineering Task Force) IPSec (internet protocol security) specification. IPSec is an open standard and is supported by virtually all major firewall software and hardware vendors, such as Lucent, Cisco, Nortel and Check Point. This package gives you a widely interoperable IPSec VPN that uses the de facto standard of 3DES encryption and MD5 authentication, for site-to-site or point-to-site connections. You should be able to do this without resorting to a full Linux distribution or recompiling a standard Linux kernel with a kernel IPSec module.

The VPN system we examine here is based on FreeS/WAN (www.freeswan.org), a portable, open-source implementation of the IPSec specification. FreeS/WAN has been demonstrated to interoperate, to various degrees, with Cisco IOS 12.0 and later routers, Nortel Contivity Switches, OpenBSD, Raptor Firewall, Check Point FW-1, SSH Sentinel VPN 1.1, F-Secure VPN, Xedia Access Point, PGP 6.5/PGPnet and later, IRE SafeNet/SoftPK, Freegate 1.3, Borderware 6.0, TimeStep PERMIT/Gate 2520, Intel Shiva LanRover, Sun Solaris and Windows 2000. The official FreeS/WAN web site has a regularly updated compatibility list with the latest version of its on-line documentation. FreeS/WAN version 1.5 is included in this package.

I have created a single-diskette distribution that installs the base configuration of a VPN firewall based on the Linux Router Project (LRP, www.linuxrouter.org), a compact Linux distribution that can fit on a single, bootable floppy diskette. The distribution here is essentially Charles Steinkuehler's Eiger disk image with Steinkuehler's IPSec-enabled kernel and LRP IPSec package. Firewalling is carried out through Linux ipchains. This particular version is based on the 2.2.16 kernel of Linux. This distribution is called DUCLING (Diskette-based Ultra Compact Linux IPSec Network Gateway). Compact Linux distributions have a twisted history. LRP technically refers to Dave Cinege's compact distribution. There are many variants around, including Charles Steinkuehler's distribution (EigerStein) of Matthew Grant's defunct Eiger version (lrp1.steinkuehler.net). Another such distribution is David Douthitt's Oxygen (leaf.sourceforge.net/content.php?menu=900&page_id=1). Also, there is LEAF (Linux Embedded Appliance Firewall), a developer's umbrella that tries to coordinate releases and documentation, sort of like a one-stop shop for compact Linux distributions (leaf.sourceforge.net). I use the term LRP to refer to the compact Linux distribution presented here, even though some may consider this terminology incorrect.

If you are running MS Windows 9x, the distribution self-extracts and installs itself onto a standard 3.5", high-density floppy diskette. You also can write the image to a boot floppy if you have a system running Linux. Once the extraction is done, you will need to boot off the floppy disk you have created, copy the network drivers for your network cards over and edit the appropriate configuration files. That's it—no creating and formatting disk partitions or messing with boot managers on your hard drive. If you are not happy with the distribution, just pop the diskette out, throw it away (or reformat it) and reboot your PC. Check the links on leaf.sourceforge.net/devel/thc for more information on these options.


Comments


setting up our vpn

Posted by Chris Delcambre

OK, we are using a star network topology. We are connecting with ADSL using two 24-port hubs with a 2Wire router, which is a firewall, VPN and router. I would like to know how I need to set up a VPN server and if I can use the VPN on our router to access the network from a remote location. I would like to be able to access our network from home so I can do a lot of my work from my house. I'm not sure if this is possible or feasible. Please give me details if you can, like whether I need a static IP, dynamic IP, Cisco routers, etc.
Thanks,
Chris Delcambre

Re: Setting up a VPN Gateway

Posted by Guran

I found the article interesting but I'm a bit confused: none of the suggested LRP distributions had any drivers for 3Com 90x cards (3c90x.o). I did try to add the driver but it didn

Re: Setting up a VPN Gateway

Posted by Anonymous

Will this work over NAT? I have two firewalls and would like to position my Linux VPN gateway behind one of my firewalls.
for example. (PIX FIREWALL) -- (LINUX VPN) -- (INTERNAL Clients)
will this work ?

Re: Setting up a VPN Gateway

Posted by Anonymous

I almost have this working - I can make an SA to the DUCLING VPN Gateway, and can ping the eth1 (internal DUCLING LAN interface), but cannot ping any of the internal LAN IPs. The SSH Sentinel Diagnostics indicate that I can make an "IPSec protected connection to the remote host". Here's what I had to do to get this far:

-------------------------

In the network.conf file, to allow port 500 from any external IP address (roadwarrior), I added the line:

EXTERN_UDP_PORTS="0/0_500"

-------------------------

In the ipfilter.conf file, to allow ports 50 and 51 from any IP address that had made an SA, I uncommented and modified lines:

$IPCH -A input -j ACCEPT -i eth0 -p 50 -s 0/0 -d 0/0

$IPCH -A input -j ACCEPT -i eth0 -p 51 -s 0/0 -d 0/0

------------------------

Where do I go from here? There must be something I'm missing, since Duncan was able to use the exact same distro without problems?

Thanks for any help.

David W.

Re: Setting up a VPN Gateway - SOLUTION

Posted by Anonymous

I encountered the exact same problem, and found a quick-and-dirty solution.

SOLUTION

------------------------------------------------

Log into your LRP machine, exit lrcfg, and edit the file

/usr/local/lib/ipsec/_updown

You can use the edit command here. Scroll down a little bit and you will see the uproute and downroute functions. Remember where these are because you will need to add some stuff here.

Scroll down further and find up-client:ipfwadm) and down-client:ipfwadm) case blocks. Copy the lines:

ipchains -I forward -j ACCEPT -b \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK

ipchains -D forward -j ACCEPT -b ...

and insert those into the uproute and downroute functions respectively. They can go before or after the "route add" and "route del" lines; it doesn't matter.

Save the file. You will need to save it to a different filename such as updown, and then rename it _updown after you get out of the editor. You can rename the old file first to keep a backup.

Get back to lrcfg and backup the disk. Reboot, and everything should work now.

THOUGHTS

-------------------------------------------------

The cause of the problem is that IPSec can't automatically insert the necessary forwarding rules after a connection is established, even though it can add and delete the new routes without problem. That's why when you set up subnet-to-subnet VPN, you had to manually insert the forwarding rules into ipfilter.conf:

ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 192.168.1.0/24

...

Of course with a Roadwarrior, you don't know its IP beforehand so you can't add these rules. By inserting these rules into uproute and downroute, IPSec will do it for you, automatically. If you also run subnet-to-subnet VPN with the same gateway, you can now take the manual forwarding rules out.

Apparently this problem doesn't come up with a full install of FreeS/WAN and a complete distro. With LRP, the case block up-client:ipfwadm) never gets called for some reason.
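The forwarding rule spliced into uproute and downroute above, written as a stand-alone hook. This is an added example, not the DUCLING or FreeS/WAN _updown script: it reads the PLUTO_* variables that Pluto exports to _updown and inserts (up-client) or deletes (down-client) the bidirectional ipchains forward rule for the connection's client subnets, refusing to build a rule when a variable is missing. The IPCHAINS override (for example IPCHAINS=echo for a dry run) is this example's own convention.

```shell
#!/bin/sh
# Added example (not the DUCLING/FreeS/WAN _updown script): open and close the
# ipchains forward rule for a connection from Pluto's PLUTO_* environment, so a
# road warrior whose address is only known at connection time is forwarded
# automatically. IPCHAINS may be overridden (e.g. IPCHAINS=echo) for a dry run;
# that variable is an assumption of this example.

IPCHAINS=${IPCHAINS:-ipchains}

# Refuse to build a rule from incomplete data: an unset variable would expand
# to an empty net or mask and the rule would be rejected or match too widely.
check_pluto_vars() {
    for v in PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK \
             PLUTO_PEER_CLIENT_NET PLUTO_PEER_CLIENT_MASK; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "updown: $v is not set" >&2
            return 1
        fi
    done
    return 0
}

# Print the rule arguments as ipchains receives them. $1 is the action:
# -I inserts at the head of the forward chain, -D deletes the same rule.
forward_rule() {
    printf '%s %s %s\n' "$1 forward -j ACCEPT -b" \
        "-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
        "-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
}

# Equivalent of the line added to uproute: permit forwarding for the SA.
ipsec_forward_up() {
    check_pluto_vars || return 1
    $IPCHAINS $(forward_rule -I)
}

# Equivalent of the line added to downroute: withdraw it when the SA goes away.
ipsec_forward_down() {
    check_pluto_vars || return 1
    $IPCHAINS $(forward_rule -D)
}

# Pluto reports what happened through PLUTO_VERB. Only the client (subnet)
# verbs carry client nets; host-to-host SAs have nothing to forward.
updown_dispatch() {
    case "${1:-}" in
        up-client)         ipsec_forward_up ;;
        down-client)       ipsec_forward_down ;;
        up-host|down-host) : ;;
        *) echo "updown: unknown verb '${1:-}'" >&2; return 2 ;;
    esac
}

# When Pluto invokes the script PLUTO_VERB is set; when sourced it is not.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_dispatch "$PLUTO_VERB"
fi
```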

Re: Setting up a VPN Gateway

Posted by Anonymous

Okay, here's my setup:

I have the DUCLING software installed on my 486 firewall and all I want to do is connect up to my company's VPN adapter to access my workstation files from home through the DUCLING interface. I have Microsoft's VPN software installed for Windows ME and Windows NT (two individual workstations) so they aren't Linux or UNIX workstations. If I remove the DUCLING firewall, I can connect each workstation to the company's VPN fine so I'm having trouble configuring DUCLING to pass through the VPN traffic when it is 'in circuit' (Microsoft's VPN adapter doesn't have any pluto configuration files that I can identify so this step doesn't seem to apply)

Can anyone help this clueless newbie? (I'm not *too* clueless because other than VPN traffic, I can connect to other Internet resources fine :-)

Thanks,

Fred van West

fredvw@hotmail.com

Pinging internal LANs ...

Posted by Anonymous

Hi,

The only LAN that you can ping from an IPSec gateway is the immediate LAN (the one hanging off eth1 in your case). The gateways simply pass IPSec traffic; they are not part of the LANs. This is a security feature too. Someone who has access to your gateways still does not have access to your complete WAN (other than the local eth1 LAN).

The true test is to make sure that all your LANs can see each other (from within the LANs).

Unable to find the ducling tarballs

Posted by Anonymous

The ftp site for downloading the ducling files is not servicing connections. Does anyone have the required files available so that I can obtain a copy?

Ta

steve.rodgers@ts-associates.com

DUCLING Files now available at LEAF site

Posted by Anonymous

The distributions are now available at

http://sourceforge.net/project/showfiles.php?group_id=13751

under DUCLING.

Re: Unable to find the ducling tarballs

Posted by Anonymous

I'm having the same trouble as Mr. Rodgers. If anybody has a .zip copy for dynamic routing, I'd appreciate a copy, too.

Another thing: has anybody a solution to configuring a PC with an ISDN card or external ISDN modem and one NIC as router?

So long,

baard@bergersen.nu

Re: Unable to find the ducling tarballs

Posted by Anonymous

isdn.lrp packages are now available for LEAF.

Install the appropriate isdn.lrp package just like any other lrp package.

Koon Wong's site seemed to have the packages a while ago before other sites, but his site doesn't seem to exist any more. Now the SourceForge site has plenty of information for all available packages from a variety of developers. Nilo has the most current 2.4.x packages.

ISDN for linux homepage:

http://www.isdn4linux.de/

ISDN for LEAF:

http://leaf.sourceforge.net/devel/ericw/

Re: Setting up a VPN Gateway

Posted by Anonymous

An alternative tool that could be suitable for use on the client side would be the PGP freeware, which includes the PGPNet component, a VPN client (among other things). I have not tried this one personally, but it could be an alternative to the SSH Sentinel tool. The actual PGP freeware can be downloaded from http://www.pgpi.org

Just my $0.02

PGPNet is crippleware outside of the US ...

Posted by Anonymous

at least the last time I looked. The free client only supports transport mode (not the more useful tunnel mode), and I don't think you can buy the 3DES encryption version unless you are in the US. FreeS/WAN doesn't support the DES standard (which nobody uses anyway).

tracks? sectors?

Posted by Anonymous

"you can create diskettes that have 80 sectors and 24 tracks per sector, giving 1,920KB per floppy. Floppies having 1,680KB (80/21 sector/tracks per sector) are used regularly for LRP distributions and seem to have a reliable track record"

Hmmm?

Re: tracks? sectors?

Posted by Anonymous

I use 1680KB floppies in production LRP environments. The odd floppy drive chokes on them, but the overwhelming majority that don't have been running floppies of this format flawlessly.

Re: tracks? sectors?

Posted by Anonymous

I am not sure about the numbers given here, but I know this is regularly the case with floppies using the LEAF versions of Linux (http://leaf.sourceforge.net). I have personally used bootable floppies formatted up to 1722KB with no major issues. Not every floppy drive can format or recognize the higher formats (e.g. 1920KB), and I have not succeeded in creating bootable floppies greater than 1722KB.

Re: Setting up a VPN Gateway

Posted by Anonymous

If you would like assistance with your configuration, please post a message to the leaf-user mailing list at: leaf-user@lists.sourceforge.net

--

Mike Noyes

FAQs sec00: LEAF SourceForge Site Answers "How do I request help?"

http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751

Re: Setting up a VPN Gateway

Posted by goettsd

I can't get the command

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

to work in my configuration. Windows 2000 gives me an error about the gateway not being on the same network as the interface. Any ideas? I am of course changing the subnet and the gateway to match my configuration...

Thanks,

sg

Re: Setting up a VPN Gateway

Posted by Anonymous

I've figured this out.

It does work if your gateway is on the same network as your Sentinel box; I tried it and it works fine. But on completely different networks on the internet, the route fails and hence the tunnel never connects.

Haven't found a workaround for this yet.

Re: Setting up a VPN Gateway

Posted by Anonymous

I get exactly the same error.

Has anyone managed to get this working?

Steve Rodgers

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

I found that the bundled instructions referred to in the piece were appropriate for setting up a tunnelled connection to another server with a known IP address but did not cover at all how to set up IPsec and IPchains for a road warrior configuration.

I also found that the "right=0.0.0.0" line in Listing 1 produced an error message when I issued the command: "/usr/local/sbin/ipsec manual --up test_connection"

The error message read:

"test_connection: tunnel destination address invalid or not specified for SA:tun0x200@0.0.0.0.

test_connection: warning -- del option 'dst' is 0.0.0.0. If the was not intentional, then a name lookup failed."

I presume that you may not specify "right=0.0.0.0" when building a road warrior configuration, but I have no idea what you should specify.

If anyone can help I sure would appreciate it!

This is a great article for beginners like me. Unfortunately issues like the above are complete showstopper for beginners like me!

Thanks

Lee

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

If you are using a roadwarrior config, you cannot initiate the connection from FreeS/WAN, as FreeS/WAN needs to know the IP of the other side if it has to initiate the connection.

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

The roadwarrior configuration is best handled with RSA keys. However, with FreeS/WAN 1.5, there are some bugs in the implementation (eg if the IPSec server goes down, the roadwarrior client needs to be restarted). Also, look at FreeS/WAN 1.91 for the new Dachstein LEP distribution at

http://lrp.steinkuehler.net

http://lrp.steinkuehler.net/DiskImages/Dachstein.htm

http://lrp.steinkuehler.net/Packages/ipsec1.91.htm

It is much more stable for roadwarrior configs.

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

Hi,

Thanks for that. I'm a big fan of LRP, having had good results with EigersteinBeta2.

I do find that there is a gap in the documentation covering building IPsec stuff on LRP. There's lots on LRP and lots on IPsec but relatively little covering how to troubleshoot the combination of IPchains, /etc/network.conf settings and package operations involved with running IPsec on LRP.

You do seem to need to be a bit more knowledgeable about Linux than I am to stride across that gap ;-)

But I'll keep trying!

Lee

Re: Setting up a VPN Gateway

Posted by Anonymous

Remember that there is no need to add routes every time. Try replacing the command:

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

with:

route -p ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

The route comes up automatically when you dial up. Persistent routes are stored in registers.

NOTE: Doesn't work on W95, which doesn't support persistent routes. Adding a persistent route is possible only if the connection is up.

Re: Setting up a VPN Gateway

Posted by Anonymous

not

Re: Setting up a VPN Gateway

Posted by rank

Thanks for your counsel, I will try it out.

I found a problem from this article :)

Posted by Anonymous

Actually, there's no need to open TCP ports 50 & 51 - you have to open the firewall for protocols 50 & 51 (esp & ah).

F.ex.

iptables -A INPUT -p 50 -j ACCEPT

iptables -A INPUT -p 51 -j ACCEPT

That's it.

With ipchains:

ipchains -A input -p 50 -j ACCEPT

ipchains -A input -p 51 -j ACCEPT

Re: I found a problem from this article :)

Posted by Anonymous

Actually, if everything is working properly, the _updown script should punch these holes through the firewall to suit the connection IPs; no need to do this manually!

Re: Setting up a VPN Gateway

Posted by rank

Now I can boot up with eth0 and eth1, but I cannot ping the other IP addresses in the subnet. Why?

When I boot up, it says: "no resource on eth0"

What does this mean?

thx.

Re: Setting up a VPN Gateway

Posted by Anonymous

You need to copy over the drivers for your network cards. See the section "RUNNING LRP" in the readme.

Re: Setting up a VPN Gateway

Posted by Anonymous

Actually, there's no need to open TCP ports 50 & 51 - you have to open the firewall for protocols 50 & 51 (esp & ah). F.ex.

iptables -A INPUT -p 50 -j ACCEPT

iptables -A INPUT -p 51 -j ACCEPT

That's it.

Help

Posted by Anonymous

I can't get DUCLING. When I get inside the FTP to download it, they ask me to write a name and a password and I don't know how to.
Thanks

I NEED THE DUCLING TOO..

Posted by Anonymous

I am also looking for the DUCLING; if you find it, let me know.

Thanks,

I will keep on checking. If you find out, please post the link.
