Setting up a VPN Gateway

How to install and run an IPSec-based VPN gateway with a firewall using a single bootable Linux diskette distribution.
The LRP Boot Floppies—The Surprising Truth

You may be surprised to discover that LRP uses DOS-formatted floppies. You may be even more surprised to discover that the DUCLING distribution installs itself as a 1,722KB bootable disk image. The 3.5" high-density floppy is technically a 2MB format medium, and you may see these diskettes rated as 2MB “raw” or “unformatted” capacity. The 1,440KB formatted capacity is merely the result of a conventional format that writes 80 tracks on the magnetic media with 18 sectors per track. With the appropriate tools, you can create diskettes that have 80 tracks and 24 sectors per track, giving 1,920KB per floppy. Floppies having 1,680KB (80 tracks, 21 sectors per track) are used regularly for LRP distributions and seem to have a reliable track record; 1,722KB (82/21), 1,743KB (83/21) and 1,760KB (80/22) also are reported to be in use. I have found the 1,722KB format floppy to be reliable enough for testing and have no problems to report so far.

I have created and used large-format floppies of up to 1,920KB. Extremely large-format floppies tend to be nonbootable, apparently as a result of a conflict between PC BIOSes and the nonstandard sector size on the diskette. It has been reported that large-format floppies larger than 1,680KB can suffer from floppy disk hardware dependability problems. Windows NT and Windows 2000 are reported to have reliability problems writing to large-format floppies larger than 1,680KB.

MS Windows 9x operating systems generally read standard as well as large-format floppy diskettes with no configuration changes. In Linux systems, it is often necessary to mount the floppy disk with the correct format specified, i.e., /dev/fd0u1722, where fd0 specifies floppy disk device 0 and u1722 specifies the 1,722KB format. The standard floppy disk device in Linux, /dev/fd0, defaults to /dev/fd0u1440, the 1,440KB format.

For creating and manipulating large-format floppies, consult the LRP Boot Disk HOWTO by Paul Batozech. You'll find this, and other useful articles, in the resources listed at leaf.sourceforge.net/devel/thc. For MS Windows, I have found Gilles Vollant's WinImage (www.winimage.com) to be particularly useful and user friendly. However, it is in some ways more limited than the Linux tools, such as fdformat, mkdosfs and the more recent superformat application. The self-extracting 1,722KB images for MS Windows discussed here were created using WinImage.

How the LRP Distribution Loads

Before you begin to work with LRP it is useful to note how the distribution works. If you examine the bootable diskette, you will see a series of files, including ldlinux.sys, linux, syslinux.cfg, root.lrp, etc.lrp, modules.lrp and local.lrp.

The file ldlinux.sys is the bootstrap loader that loads the kernel (the file named linux) and initial root.lrp package into memory. The kernel starts and creates a RAM disk and extracts the root.lrp package. A RAM disk is a portion of memory that is allocated as a partition. In other words, the kernel creates a space in memory and treats it like a read/write disk. The kernel then mounts the boot device specified in syslinux.cfg. The remaining .lrp packages on the boot disk are extracted as specified in syslinux.cfg and loaded to the RAM disk. The .lrp packages are merely standard UNIX tarballs (tar-gzipped archives). Once the .lrp packages are installed in the directory tree on the RAM disk, the system begins a boot based on the standard Linux rc file boot hierarchy.
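As an added example (not LRP's or DUCLING's own loader code), the following Python model reproduces the load sequence just described: each .lrp package is a plain tar.gz, unpacked onto the RAM disk in the order the kernel append line lists them, with later packages overwriting earlier files. The `LRP=a,b,c` append parameter, the package contents and the hostile package are assumptions constructed for the demo; the path check is the one a loader that writes straight into the root tree should have.

```python
import io
import re
import tarfile
from pathlib import Path, PurePosixPath
from tempfile import TemporaryDirectory

def make_lrp(files):
    """Build one .lrp package (just a tar.gz) from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def lrp_list(syslinux_cfg):
    """Package names from the kernel append line. The 'LRP=a,b,c' parameter
    is an assumption about the syslinux.cfg syntax, not taken from the article."""
    m = re.search(r"\bLRP=([\w,]+)", syslinux_cfg)
    return m.group(1).split(",") if m else []

def is_safe_member(member):
    """Packages unpack straight into the root tree, so refuse absolute paths
    and '..' components that would land outside the RAM disk."""
    p = PurePosixPath(member.name)
    return member.isfile() and not p.is_absolute() and ".." not in p.parts

def install(blob, ramdisk):
    """Extract one package onto the RAM disk; returns the member names written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not is_safe_member(member):
                continue
            target = Path(ramdisk) / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            written.append(member.name)
    return written

def boot(syslinux_cfg, packages, ramdisk):
    """Install each listed package in order: a later package overwrites files
    an earlier one supplied, which is how local.lrp carries site settings."""
    return {name: install(packages[name], ramdisk)
            for name in lrp_list(syslinux_cfg) if name in packages}

def demo(order="etc,local"):
    """Constructed packages: etc.lrp ships a default hostname, local.lrp
    overrides it, and a hostile package tries to escape the RAM disk."""
    packages = {
        "etc": make_lrp({"etc/hostname": "firewall\n", "etc/ipsec.conf": "# default\n"}),
        "local": make_lrp({"etc/hostname": "vpn-gw\n"}),
        "evil": make_lrp({"../outside": "x\n", "../../etc/passwd": "x\n"}),
    }
    cfg = f"append load_ramdisk=1 initrd=root.lrp LRP={order},evil"
    with TemporaryDirectory() as ramdisk:
        written = boot(cfg, packages, ramdisk)
        hostname = (Path(ramdisk) / "etc/hostname").read_text().strip()
    return hostname, written
```

Reversing the order in the append line makes etc.lrp win, which is why local.lrp must be listed last to keep your configuration.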

LRP is simply a stripped-down standard Linux kernel with loadable modules and other software contained in sets of .lrp packages. LRP is truly Linux; generally, anything that will run on a generic Linux distribution should run off the LRP diskette. Often the obstacle to extending LRP's applications and capabilities is the space constraint of a single diskette. If you require additional capabilities, for example, remote administration through ssh, a DNS server and so on, you will want to look at multidiskette, CD-ROM or even the full disk drive distributions of LRP that are available.

Start up and Configuration of Router/Firewalling VPN

Once the bootable floppy disk is created, make sure the floppy is placed in the floppy disk drive of the machine on which you wish to run the firewall/VPN. Ensure that the BIOS is configured to boot from a floppy disk. Upon booting the firewall/VPN, you will see the LRP splash screen, messages from the Linux loader followed by a login prompt.

If you have made it this far, congratulations! You have installed an LRP distribution successfully. Now you can start to configure the firewall properties of the LRP as outlined in the bundled documentation.

Once any firewalling tweaks are completed, the VPN needs to be configured. The bundled DUCLING documentation discusses the details for configuring a subnet-to-subnet setup. This involves configuring IPSec's authentication mode (/etc/ipsec.secrets), the IPSec network configuration (/etc/ipsec.conf) as well as the firewalling rules to allow access to UDP port 500 (IKE) and IP protocols 50 (ESP) and 51 (AH).

Note that you do not necessarily need a static IP address in order to run VPN links. A “roadwarrior” configuration is described in the next section, in which one VPN client's IP address is not known in advance. I have run VPNs between pairs of nodes with dynamically assigned IP addresses. The management of VPN nodes with DHCP-assigned IP addresses becomes tricky if both IP address assignments change frequently. The following section discusses a roadwarrior configuration using DUCLING and a Microsoft-based IPSec client.

______________________

Comments


setting up our vpn

Posted by Chris Delcambre

OK, we are using a star network topology. We are connecting with ADSL using two 24-port hubs with a 2Wire router, which is a firewall, VPN and router. I would like to know how I need to set up a VPN server and if I can use the VPN on our router to access the network from a remote location. I would like to be able to access our network from home so I can do a lot of my work from my house. I'm not sure if this is possible or feasible. Please give me details if you can, like whether I need a static IP, dynamic IP, Cisco routers, etc.
Thanks,
Chris Delcambre

Re: Setting up a VPN Gateway

Posted by Guran

I found the article interesting but I'm a bit confused: None of the suggested LRP Distributions had any drivers for 3Com 90x cards (3c90x.o). I did try to add the driver but it didn

Re: Setting up a VPN Gateway

Posted by Anonymous

Will this work over NAT? I have two firewalls and would like to position my Linux VPN gateway behind one of my firewalls.
For example: (PIX FIREWALL) -- (LINUX VPN) -- (INTERNAL Clients)
Will this work?

Re: Setting up a VPN Gateway

Posted by Anonymous

I almost have this working - I can make an SA to the DUCLING VPN Gateway, and can ping the eth1 (internal DUCLING LAN interface), but cannot ping any of the internal LAN IPs. The SSH Sentinel Diagnostics indicate that I can make an "IPSec protected connection to the remote host". Here's what I had to do to get this far:

-------------------------

In the network.conf file, to allow port 500 from any external IP address (roadwarrior), I added the line:

EXTERN_UDP_PORTS="0/0_500"

-------------------------

In the ipfilter.conf file, to allow ports 50 and 51 from any IP address that had made an SA, I uncommented and modified lines:

$IPCH -A input -j ACCEPT -i eth0 -p 50 -s 0/0 -d 0/0

$IPCH -A input -j ACCEPT -i eth0 -p 51 -s 0/0 -d 0/0

------------------------

Where do I go from here? There must be something I'm missing since Duncan was able to use the exact same distro w/o problems?

Thanks for any help.

David W.

Re: Setting up a VPN Gateway - SOLUTION

Posted by Anonymous

I encountered the exact same problem, and found a quick-and-dirty solution.

SOLUTION

------------------------------------------------

Log into your LRP machine, exit lrcfg, and edit the file

/usr/local/lib/ipsec/_updown

You can use the edit command here. Scroll down a little bit and you will see the uproute and downroute functions. Remember where these are because you will need to add some stuff here.

Scroll down further and find up-client:ipfwadm) and down-client:ipfwadm) case blocks. Copy the lines:

ipchains -I forward -j ACCEPT -b \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK

ipchains -D forward -j ACCEPT -b ...

and insert those into uproute and downroute functions respectively. They can go before the "route add" and "route del" or after, it doesn't matter.

Save the file. You will need to save it to a different filename such as updown, and then rename it _updown after you get out of the editor. You can rename the old file first to keep a backup.

Get back to lrcfg and backup the disk. Reboot, and everything should work now.

THOUGHTS

-------------------------------------------------

The cause of the problem is that IPSec can't automatically insert the necessary forwarding rules after a connection is established, even though it can add and delete the new routes without problem. That's why when you set up subnet-to-subnet VPN, you had to manually insert the forwarding rules into ipfilter.conf:

ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 192.168.1.0/24

...

Of course with a Roadwarrior, you don't know its IP beforehand so you can't add these rules. By inserting these rules into uproute and downroute, IPSec will do it for you, automatically. If you also run subnet-to-subnet VPN with the same gateway, you can now take the manual forwarding rules out.

Apparently this problem doesn't come up with a full install of FreeS/WAN and a complete distro. With LRP, the case block up-client:ipfwadm) never gets called for some reason.
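An added example, not code from the article, DUCLING or FreeS/WAN: a small Python model of ipchains first-match evaluation that checks what the input rules from the article's firewalling paragraph and the forward rules this comment's _updown fix generates actually admit. The sample addresses, the Packet/Rule model and the two-rule rendering of the `-b` flag are constructed here; the PLUTO_* names are the ones the comment quotes, passed as the dotted masks FreeS/WAN uses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PROTO = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: Optional[int] = None  # None matches every IP protocol
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == pkt.dport))

def verdict(rules: List[Rule], chain: str, pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule in the chain decides, as ipchains does."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return policy

def ipsec_input_rules(peer: str = ANY) -> List[Rule]:
    """What the gateway must admit: IKE on UDP/500 plus the ESP and AH IP
    protocols (50 and 51). peer=ANY is the roadwarrior case."""
    return [Rule("input", "ACCEPT", PROTO["udp"], src=peer, dport=500),
            Rule("input", "ACCEPT", PROTO["esp"], src=peer),
            Rule("input", "ACCEPT", PROTO["ah"], src=peer)]

def updown_forward_rules(my_net, my_mask, peer_net, peer_mask) -> List[Rule]:
    """The rule the patched uproute hook builds from PLUTO_MY_CLIENT_* and
    PLUTO_PEER_CLIENT_*; the -b flag is modelled as a pair of one-way rules."""
    mine, peer = f"{my_net}/{my_mask}", f"{peer_net}/{peer_mask}"
    return [Rule("forward", "ACCEPT", src=mine, dst=peer),
            Rule("forward", "ACCEPT", src=peer, dst=mine)]

# Constructed sample traffic (documentation addresses): roadwarrior 203.0.113.7,
# inner address 10.9.8.1, gateway 198.51.100.1, LAN 192.168.0.0/24 behind it.
IKE = Packet(PROTO["udp"], "203.0.113.7", "198.51.100.1", dport=500)
ESP = Packet(PROTO["esp"], "203.0.113.7", "198.51.100.1")
TO_LAN = Packet(PROTO["tcp"], "10.9.8.1", "192.168.0.10", dport=22)
# "TCP ports 50 and 51" (the slip discussed in the comments) never match ESP.
TCP_PORT_RULES = [Rule("input", "ACCEPT", PROTO["tcp"], dport=50),
                  Rule("input", "ACCEPT", PROTO["tcp"], dport=51)]
# A static subnet-to-subnet rule from ipfilter.conf covers only the known peer.
STATIC_FORWARD = updown_forward_rules("192.168.0.0", "255.255.255.0",
                                      "192.168.1.0", "255.255.255.0")
```

Appending the rules that updown_forward_rules() derives from the roadwarrior's PLUTO_PEER_CLIENT_* values is what makes TO_LAN and its reply pass the forward chain, which is exactly the gap the _updown patch above closes.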

Re: Setting up a VPN Gateway

Posted by Anonymous

Okay, here's my setup:

I have the DUCLING software installed on my 486 firewall, and all I want to do is connect to my company's VPN adapter to access my workstation files from home through the DUCLING interface. I have Microsoft's VPN software installed for Windows ME and Windows NT (two individual workstations), so they aren't Linux or UNIX workstations. If I remove the DUCLING firewall, I can connect each workstation to the company's VPN fine, so I'm having trouble configuring DUCLING to pass through the VPN traffic when it is 'in circuit'. (Microsoft's VPN adapter doesn't have any pluto configuration files that I can identify, so this step doesn't seem to apply.)

Can anyone help this clueless newbie? (I'm not *too* clueless because other than VPN traffic, I can connect to other Internet resources fine :-)

Thanks,

Fred van West

fredvw@hotmail.com

Pinging internal LANs ...

Posted by Anonymous

Hi,

The only LAN that you can ping from an IPSec gateway is the immediate LAN (the one hanging off eth1 in your case). The gateways simply pass IPSec traffic; they are not part of the LANs. This is a security feature too: someone who has access to your gateways still does not have access to your complete WAN (other than the local eth1 LAN).

The true test is to make sure that all your LANs can see each other (from within the LANs).

Unable to find the ducling tarballs

Posted by Anonymous

The ftp site for downloading the ducling files is not servicing connections. Does anyone have the required files available so that I can obtain a copy?

Ta

steve.rodgers@ts-associates.com

DUCLING Files now available at LEAF site

Posted by Anonymous

The distributions are now available at

http://sourceforge.net/project/showfiles.php?group_id=13751

under DUCLING.

Re: Unable to find the ducling tarballs

Posted by Anonymous

I'm having the same trouble as Mr. Rodgers. If anybody has a .zip copy for dynamic routing, I'd appreciate a copy, too.

Another thing: has anybody a solution to configuring a PC with an ISDN card or external ISDN modem and one NIC as router?

So long,

baard@bergersen.nu

Re: Unable to find the ducling tarballs

Posted by Anonymous

isdn.lrp packages are now available for LEAF

Install the appropriate isdn.lrp package just like any other lrp package.

Koon Wong's site seemed to have the packages a while ago before other sites, but his site doesn't seem to exist any more. Now the SourceForge site has plenty of information for all available packages from a variety of developers. Nilo has the most current 2.4.x packages.

ISDN for linux homepage:

http://www.isdn4linux.de/

ISDN for LEAF:

http://leaf.sourceforge.net/devel/ericw/

Re: Setting up a VPN Gateway

Posted by Anonymous

An alternate tool that could be suitable for use in the client side, would be the PGP freeware, which includes the PGPNet component, a VPN client (among other things). I have not tried this one personally, but it could be an alternative to the SSH sentinel tool. The actual PGP freeware could be downloaded from http://www.pgpi.org

Just my $0.02

PGPNet is crippleware outside of the US ...

Posted by Anonymous

at least the last time I looked. The free client only supports transport mode (not the more useful tunnel mode), and I don't think you can buy the 3DES encryption version unless you are in the US. FreeS/WAN doesn't support the DES standard (which nobody uses anyway).

tracks? sectors?

Posted by Anonymous

"you can create diskettes that have 80 sectors and 24 tracks per sector, giving 1,920KB per floppy. Floppies having 1,680KB (80/21 sector/tracks per sector) are used regularly for LRP distributions and seem to have a reliable track record"

Hmmm?

Re: tracks? sectors?

Posted by Anonymous

I use 1680KB floppies in production LRP environments. The odd floppy drive chokes on them, but the overwhelming majority that don't have been running floppies of this format flawlessly.

Re: tracks? sectors?

Posted by Anonymous

I am not sure about the numbers given here, but I know this is regularly the case with floppies using the LEAF versions of Linux (http://leaf.sourceforge.net). I have personally used bootable floppies formatted up to 1722KB with no major issues. Not every floppy drive can format or recognize the higher formats (e.g., 1920KB) and I have not succeeded in creating bootable floppies greater than 1722KB.

Re: Setting up a VPN Gateway

Posted by Anonymous

If you would like assistance with your configuration, please post a message to the leaf-user mailing list at: leaf-user@lists.sourceforge.net

--

Mike Noyes

FAQs sec00: LEAF SourceForge Site Answers "How do I request help?"

http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751

Re: Setting up a VPN Gateway

Posted by goettsd

I can't get the command

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

to work in my configuration. Windows 2000 gives me an error about the gateway not being on the same network as the interface. Any ideas? I am of course changing the subnet and the gateway to match my configuration...

Thanks,

sg

Re: Setting up a VPN Gateway

Posted by Anonymous

I've figured this out.

It does work if your gateway is on the same network as your sentinel box - I tried it and it works fine. But on completely different networks on the internet, the route fails and hence the tunnel never connects.

Haven't found a workaround for this yet.

Re: Setting up a VPN Gateway

Posted by Anonymous

I get exactly the same error.

Has anyone managed to get this working?

Steve Rodgers

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

I found that the bundled instructions referred to in the piece were appropriate for setting up a tunnelled connection to another server with a known IP address but did not cover at all how to set up IPsec and IPchains for a road warrior configuration.

I also found that the "right=0.0.0.0" line in Listing 1 produced an error message when I issued the command: "/usr/local/sbin/ipsec manual --up test_connection"

The error message read:

"test_connection: tunnel destination address invalid or not specified for SA:tun0x200@0.0.0.0.

test_connection: warning -- del option 'dst' is 0.0.0.0. If the was not intentional, then a name lookup failed."

I presume that you may not specify "right=0.0.0.0" when building a road warrior configuration but I have no idea what you should specify.

If anyone can help I sure would appreciate it!

This is a great article for beginners like me. Unfortunately issues like the above are a complete showstopper for beginners like me!

Thanks

Lee

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

If you are using roadwarrior config, you cannot initiate the connection from freeswan, as freeswan needs to know the ip of the other side if it has to initiate the connection.

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

The roadwarrior configuration is best handled with RSA keys. However, with FreeS/WAN 1.5, there are some bugs in the implementation (eg if the IPSec server goes down, the roadwarrior client needs to be restarted). Also, look at FreeS/WAN 1.91 for the new Dachstein LEP distribution at

http://lrp.steinkuehler.net

http://lrp.steinkuehler.net/DiskImages/Dachstein.htm

http://lrp.steinkuehler.net/Packages/ipsec1.91.htm

It is much more stable for roadwarrior configs.

Re: Problems with Listing 1, also road warrior

Posted by Anonymous

Hi,

Thanks for that. I'm a big fan of LRP, having had good results with EigersteinBeta2.

I do find that there is a gap in the documentation covering building IPsec stuff on LRP. There's lots on LRP and lots on IPsec but relatively little covering how to troubleshoot the combination of IPchains, /etc/network.conf settings and package operations involved with running IPsec on LRP.

You do seem to need to be a bit more knowledgeable about Linux than I am to stride across that gap ;-)

But I'll keep trying!

Lee

Re: Setting up a VPN Gateway

Posted by Anonymous

Remember that there is no need to add routes every time. Try replacing the command:

route ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

with:

route -p ADD 192.168.0.0 MASK 255.255.255.0 1.2.3.4

The route comes up automatically when you dial up. Persistent routes are stored in the registry.

NOTE: Doesn't work on W95; it does not support persistent routes. Adding a persistent route is possible only if the connection is up.

Re: Setting up a VPN Gateway

Posted by Anonymous

not

Re: Setting up a VPN Gateway

Posted by rank

Thanks for your counsel, I will try it out.

I found a problem from this article :)

Posted by Anonymous

Actually, there's no need to open TCP ports 50 & 51 - you have to open the firewall for protocols 50 & 51 (esp & ah).

F.ex.

iptables -A INPUT -p 50 -j ACCEPT

iptables -A INPUT -p 51 -j ACCEPT

That's it.

With ipchains:

ipchains -A input -p 50 -j ACCEPT

ipchains -A input -p 51 -j ACCEPT

Re: I found a problem from this article :)

Posted by Anonymous

Actually, if everything is working properly, the _updown script should punch these holes through the firewall to suit the connection IPs - no need to do this manually!

Re: Setting up a VPN Gateway

Posted by rank

Now I can boot up with eth0 and eth1, but I cannot ping the other IP addresses in the subnet. Why?

When I boot up, it says: "no resource on eth0"

What does this mean?

Thanks.

Re: Setting up a VPN Gateway

Posted by Anonymous

You need to copy over the drivers for your network cards. See the section "RUNNING LRP" in the readme.


Help

Posted by Anonymous

I can't get DUCLING. When I get inside the FTP to download it, they ask me to write a name and a password and I don't know how to do it.
Thanks

I NEED THE DUCLING TOO

Posted by Anonymous

I am also looking for the DUCLING; if you find it, let me know.

Thanks,

I will keep on checking. If you find out, please post the link.
