Setting up a VPN Gateway
You may be surprised to discover that LRP uses DOS-formatted floppies. You may be even more surprised to discover that the DUCLING distribution installs itself as a 1,722KB bootable disk image. The 3.5" high-density floppy is technically a 2MB format medium, and you may see these diskettes rated as 2MB “raw” or “unformatted” capacity. The 1,440KB formatted capacity is merely the result of a conventional format that writes 80 tracks on the magnetic media with 18 sectors per track. With the appropriate tools, you can create diskettes that have 80 sectors and 24 tracks per sector, giving 1,920KB per floppy. Floppies having 1,680KB (80/21 sector/tracks per sector) are used regularly for LRP distributions and seem to have a reliable track record; 1,722KB (82/21), 1,743KB (83/21) and 1,760KB (80/22) also are reported to be in use. I have found the 1,722KB format floppy to be reliable enough for testing and have no problems to report so far.
I have created and used large-format floppies of up to 1,920KB. Extremely large-format floppies tend to be nonbootable, apparently as a result of a conflict between PC BIOSes and the nonstandard sector size on the diskette. It has been reported that large-format floppies larger than 1,680KB can suffer from floppy disk hardware dependability problems. Windows NT and Windows 2000 are reported to have reliability problems writing to large-format floppies larger than 1,680KB.
MS Windows 9x operating systems generally read standard as well as large-format floppy diskettes with no configuration changes. In Linux systems, it is often necessary to mount the floppy disk with the correct format specified, i.e., /dev/fd0u1722, where fd0u1722 specifies floppy disk device 0 (fd0) and the u1722 specifies a 1,722KB format. The standard floppy disk drive in Linux /dev/fd0 defaults to /dev/fd0u1440, the 1,440KB format.
For creating and manipulating large-format floppies, consult the LRP Boot Disk HOWTO by Paul Batozech. You'll find this, and other useful articles, in the resources listed at leaf.sourceforge.net/devel/thc. For MS Windows, I have found Gilles Vollant's WinImage (www.winimage.com) to be particularly useful and user friendly. However, it is in some ways more limited than the Linux tools, such as fdformat, mkdosfs and the more recent superformat application. The self-extracting 1,722KBps images for MS Windows discussed here were created using WinImage.
Before you begin to work with LRP it is useful to note how the distribution works. If you examine the bootable diskette, you will see a series of files, including ldlinux.sys, linux, syslinux.cfg, root.lrp, etc.lrp, modules.lrp and local.lrp.
The file ldlinux.sys is the bootstrap loader that loads the kernel (the file named linux) and initial root.lrp package into memory. The kernel starts and creates a RAM disk and extracts the root.lrp package. A RAM disk is a portion of memory that is allocated as a partition. In other words, the kernel creates a space in memory and treats it like a read/write disk. The kernel then mounts the boot device specified in syslinux.cfg. The remaining .lrp packages on the boot disk are extracted as specified in syslinux.cfg and loaded to the RAM disk. The .lrp packages are merely standard UNIX tarballs (tar-gzipped archives). Once the .lrp packages are installed in the directory tree on the RAM disk, the system begins a boot based on the standard Linux rc file boot hierarchy.
LRP is simply a stripped-down standard Linux kernel with loadable modules and other software contained in sets of .lrp packages. LRP is truly Linux; generally, anything that will run on a generic Linux distribution should run off the LRP diskette. Often the obstacle to extending LRP's applications and capabilities is the space constraint of a single diskette. If you require additional capabilities, for example, remote administration through ssh, a DNS server and so on, you will want to look at multidiskette, CD-ROM or even the full disk drive distributions of LRP that are available.
Once the bootable floppy disk is created, make sure the floppy is placed in the floppy disk drive of the machine on which you wish to run the firewall/VPN. Ensure that the BIOS is configured to boot from a floppy disk. Upon booting the firewall/VPN, you will see the LRP splash screen, messages from the Linux loader followed by a login prompt.
If you have made it this far, congratulations! You have installed an LRP distribution successfully. Now you can start to configure the firewall properties of the LRP as outlined in the bundled documentation.
Once any firewalling tweaks are completed, the VPN needs to be configured. The bundled DUCLING documentation discusses the details for configuring a subnet-to-subnet setup. This involves configuring IPSec's authentication mode (/etc/ipsec.secrets), the IPSec network configuration (/etc/ipsec.conf) as well as the firewalling rules to allow access to ports 500 (UDP), 50 and 51 (TCP).
Note that you need not necessarily require a static IP address in order to run VPN links. A “roadwarrior” configuration is described in the next section, in which the one VPN client has an undetermined static IP address. I have run VPNs between pairs of nodes with dynamically assigned IP addresses. The management of VPN nodes with DHCP-assigned IP addresses becomes tricky if both IP address assignments change frequently. The following section discusses a roadwarrior configuration using DUCLING and a Microsoft-based IPSec client.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- New Container Image Standard Promises More Portable Apps
- The Humble Hacker?
- The Death of RoboVM
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide