PacktLib: Openswan: Building and Integrating Virtual Private Networks

Building and Integrating Virtual Private Networks with Openswan

Credits

About the Authors

Acknowledgements

About the Reviewers

Preface

Introduction

The Need for Cryptography

A History of the Internet

History of Internet Engineering

The War on Crypto

Free Software

The History of Openswan

Using Openswan

Summary

Practical Overview of the IPsec Protocol

A Very Brief Overview of Cryptography

IPsec: A Suite of Protocols

Kernel Mode: Packet Handling

Usermode: Handling the Trust Relationships

Summary

Building and Installing Openswan

Linux Distributions

Deciding on the Userland

Choosing the Kernel IPsec Stack

Binary Installation of the Openswan Userland

Building from Source

Building the Openswan Userland from Source

Binary Installation of KLIPS

Building KLIPS from Source

Building KLIPS into the Linux Kernel Source Tree

Verifying the Installation

Summary

Configuring IPsec

Manual versus Automatic

PSK versus RSA

Pitfalls of Debugging IPsec

Pre-Flight Check

The ipsec livetest Command

Configuration of Openswan

Host-to-Host Tunnel

Connecting Subnets Through an IPsec Connection

Avoiding Duplication

KLIPS and the ipsecX Interfaces

Pre-Shared Keys (PSKs)

Dynamic IP Addresses

Connection Management

Subnet Extrusion

NAT Traversal

Dead Peer Detection

Ciphers and Algorithms

Aggressive Mode

XAUTH

Fine Tuning

Summary

X.509 Certificates

X.509 Certificates Explained

Generating Certificates with OpenSSL

Creating X.509-based Connections

Using a Certificate Authority

Summary

Opportunistic Encryption

History of Opportunistic Encryption

Trusting Third Parties

OE in a Nutshell

DNS Key Records

Policy Groups

Internal States

Configuring OE

Testing Your OE Setup

Manipulating OE Connections Manually

Advanced OE Setups

Caveats

Summary

Dealing with Firewalls

Where to Firewall?

Allowing IPsec Traffic

Configuring the Firewall on the Openswan Host

Summary

Interoperating with Microsoft Windows and Apple Mac OS X

Layer 2 Tunneling Protocol (L2TP)

Client and Server Configurations for L2TP/IPsec

Microsoft Windows XP L2TP Configuration

Microsoft Windows 2000 L2TP Configuration

Apple Mac OS X L2TP Configuration

Server Configuration for X.509 IPsec without L2TP

Client Configuration for X.509 IPsec without L2TP

Importing X.509 Certificates into Windows

Importing X.509 Certificates on Mac OS X (Tiger)

Summary

Interoperating with Other Vendors

Openswan as a Client to an Appliance

Preparing the Interop

Frequently used VPN Gateways

Frequently used VPN Client Appliances

Aftercare

Summary

Encrypting the Local Network

Methods of Encryption

Designing a Solution for Encrypting the LAN

WaveSEC

WaveSEC for Windows

Summary

Enterprise Implementation

Cipher Performance

Handling Thousands of Tunnels

Managing Large Configuration Files

Openswan Startup Time

Limitations of the Random Device

Other Performance-Enhancing Factors

Using Anycast

Summary

Debugging and Troubleshooting

Do Not Lock Yourself Out!

Narrowing Down the Problem

Configuration Problems

Openswan Error Messages

Network Issues

Debugging IPsec on Apple Mac OS X

Debugging IPsec on Microsoft Windows

Software Bugs

Common IKE Error Messages

Using tcpdump to Debug IPsec

User Mode Linux Testing

Asking the Openswan Community for Help

Summary

Unresolved and Upcoming Issues

Networking 101

Openswan Resources on the Internet

IPsec-Related Requests For Comments (RFCs)
