GnuCash!

Linux VPN Solutions and Tools

Definitions, Overview of Terminology

VPN

Virtual Private Network. VPN's are usually needed when one has corporate offices in multiple locations (in the same city, or in different cities or even countries), and one wants to hook up the local office LAN's into one big, private corporate LAN. An office can be as small as a 'home office': in this case, the VPN allows a work-at-home employee to access corporate servers, printers, databases and the like. Traditionally, 'private networks' were built by installing a bank of modems in the main office, and having employees or field offices call in on plain-old telephone lines, or on 'leased lines'. Unfortunately, modems are slow, and the phone bills (especially for long-distance leased lines) can be killer-sized. These days, it is far more economical to layer a virtual private network over the public Internet, while providing security (authentication and encryption) to keep crackers, snoops and spies out and the information protected.

Tunnel, Encapsulation

Private networks are layered over the public Internet by 'encapsulating' the private data inside of ordinary TCP/IP packets. This flow of packets between two endpoints looks like a 'tunnel' connecting the two endpoints: this is because once the encapsulation has been stripped off, it looks like the two endpoints are right next to each other, without any intervening, bothersome Internet in the middle. Anything that's networkable can be tunneled: One can tunnel NetBIOS (the Microsoft file/printer-sharing protocol), Novel Netware, IPv6, SCSI, or even plain-old IPv4 over IPv4. A 'tunnel' does not imply that the data is encrypted, although you usually want it to be.

IPSec

The defacto IP Security standard. It uses strong cryptography to both authenticate and encrypt IP packets. Authentication guarentees that packets are really from the sender that they claim to be from, and haven't been tampered with, while encryption prevents the unauthorized viewing of the packet contents. Essentially all vendors, including Microsoft and Cisco, are moving current and future products onto IPsec.

IPsec is a manditory part of IPv6 (the next generation of the Internet Protocol) and is widely deployed in IPv4 (what people currently run on the Internet). IPsec consists of three protocols: AH 'Authentication Header', which provides packet-level authentication, ESP, 'Encapsulation Security Payload', which provide encryption and authentication, and IKE, 'Internet Key Exchange', which negoatiates connection keys and parameters. In conjunction with IPsec, one must also deploy DNSSEC enabled DNS servers to publish public keys (the current version of BIND supports DNSSEC).

• The IETF IPSEC working group home page.

PPTP

Point-to-Point Tunneling Protocol. A VPN protocol originally created by Microsoft, for enabling Windows-based VPN's. PPTP is perceived to have a variety of security flaws that leave it vulnerable (see conterpane, BUGTRAQ for 1999, others) Like most Microsoft products, PPTP is easy to configure. A large variety of 3rd party products exist for PPTP. PPTP encapsulates it's packets with GRE, Generic Routing Encapsulation.

L2TP

Layer Two Tunneling Protocol. A protocol that merges the best of PPTP and Cisco's L2F. Not widely deployed. Fails to define an encryption standard.

SKIP

SKIP was one of the closely-contested but ultimately rejected proposals for the IPsec standard; it is a strong technology that does provide some reliability and multi-user features that IPsec lacks, and is particularly useful when many simple clients (i.e. home users) are contacting a set of several servers.

NAT, Masquerading, Port Forwarding

A popular form of fire-walling goes under the technical name of 'NAT', Network Address Translation, also commonly referred to by its two sub-components, Masquerading and Port-Forwarding. A masquerading firewall allows internal, behind-the-firewall users to get onto the public net while hiding their true network addresses. It does this by 'masquerading' or re-writing each private-network packet with a public header; the header allows it to be routed on the Internet. Insiders can thus 'see' the outside world, but outsiders cannot 'see' in. Thus, internal machines can be more loosely secured; and the firewall is more easily guarded as the single point of entry.

Port-forwarding does, in a certain sense, the 'inverse' of masquerading: it allows outsiders to see one specific service (port) on an internal machine, without 'seeing' any other internal machines (or ports on that machine). Again, the service machine can be somewhat more lightly protected, as the firewall offers the first line of defense.

What is the relevance to VPN's? Simple: The VPN server (or client) can be placed behind the firewall, offering the traditional controls that a firewall offers, while adding VPN functionality to the network. Unfortunately, this cannot be done with all VPN technologies, due to the fact that some encryption systems encrypt the parts of the packet that a firewall needs to be able to modify.

NAT is built into all modern Linux kernels by default, and is configured by the 'ipchains' or 'iptables' utilities. There are also other, alternate NAT technologies, reviewed on the Port Forwarding page.

Free IPSEC Implementations for Linux and *BSD

Free S/WAN

Free S/WAN is the leading IPSEC implementation for Linux. Highly recommended.

NIST Cerberus

NIST Cerberus is a reference implementation of IPSEC for Linux. The web page provides a good amount of technical info about IPSEC. Co-sponsored by the NSA. Export-controlled. Last update May 2000.

KAME

KAME is am implementation of IPSEC and IPv6 for the BSD kernels. The project is active, and is staffed by full-time employees from several large Japanse corporations.

OpenBSD

OpenBSD includes an implementation of IPsec in the default distribution.

DOD ISAKMP

DOD ISAKMP is a reference implementation of the ISAKMP IETF spec (now IPSEC) from the US Department of Defense (actually from the US Naval Research Labs) that is being distributed by MIT. For BSD, under the BSD license. Last updated December 1998. Export controlled.

pipsec

pipsec is a simple SSL-based implementation of IPSEC-compliant IP tunneling. Simple and portable, does not require kernel patching. Last updated June 1999.

ipnsec

ipnsec is a Linux port of the OpenBSD IPsec code. Last updated March 1998.

IPsec for FreeBSD

IPsec for FreeBSD is no longer actively maintained; the web page directs BSD users to the KAME page.

Linux x-kernel

The Linux x-kernel project from the University of Arizona implements IPSEC in the linux kernel. The code is US-Export controlled. This project is defunct.

Free Tools and Solutions

Masqueraded VPN's

The VPN-Masquerade HOWTO explains how to set up an IPsec or PPTP-based VPN that operates through a Linux masquerading (NAT) firewall. The advantage of running a VPN through a firewall is that one gains all of the traditional advantages of firewalling: an internal net protected from outsiders, IP addresses that do not have to be registered, etc. By keeping the VPN server or client hidden from the public Internet, the VPN machine does not have to be as tightly controlled or secured.

Pro's and Con's:

• To run multiple PPTP clients through a firewall, the firewall must support PPTP Call ID masquerading. Linux firewalls do this.
• There are theoretical problems that make running IPsec through a masquerading firewall difficult. In particular, different data streams can be confused of multiple clients try to open connections to the same server at the same time. This could result in network congestion when misdirected packets are discarded. This shouldn't be a practical problem for small to mid-size installations.
• Maquerading PPTP and IPsec requires a firewall that can handle the ESP and GRE protocols and track the ISAKMP key exhcange protocol cookies. Many firewalls might not be able to do this. Linux firewalls can do this.

See also:

• Linux VPN Masquerade
• NAT'ed IPsec Gateways discusses several means of setting up IPsec gateways. (mirror here).
• RFC 2709 Security Model with Tunnel-mode IPsec for NAT Domains, an informational RFC.

PPP over SSH

How to build a VPN using PPP using SSH as a tunnel is described in the VPN HOWTO. PPP, the 'Point-to-Point Protocol', is a way of carrying IP traffic over serial lines; typically modems connected to an Internet provider. But in fact PPP is more powerful and general than that, and it can carry IP traffic over any connection. SSH, the 'Secure Shell', is a secure, encrypted means for logging into a remote computer. In fact, SSH is more general than that, and can encrypt any traffic between two endpoints. Put them together, and voila! a VPN.

Using PPP over SSH is a low-tech, simple, reliable solution, but a bit crufty. On the plus side, its easy to understand and relatively easy to deploy. On the downside, it can have severe lag/performance problems on slow links, and can cause heartache on dead links: this is because the underlying transport protocol is not aware of the traffic above it, and can't effectively manage it. For example, ICMP (ping) packets are not dropped, but are rather stored indefinitely, waiting for the link to come back up. When the link comes back up, your (day old?) ping packets come flooding across it.

SKIP

Build a Linux VPN (Virtual Private Network) with SKIP, and the Linux implementation of SKIP, ENSKIP. The ENSKIP kernel module and encryption daemon build on top of the Linux firewall/masquerade technology to provide a WAN bridge between LAN segments. EnSKIP patches that allow EnSKIP to build with Linux 2.2.xx kernels. An EnSKIP patch for the 2.0.33 kernel. See also here. SKIP was one of the closely-contested but ultimately rejected proposals for the IPsec standard; it is a strong technology that does provide some reliability and multi-user features that IPsec lacks, and is particularly useful when many simple clients (i.e. home users) are contacting a set of several servers.

X-Bone

X-Bone is a system for automated overlay network (VPN) deployment. The term 'overlay network' is the modern way of saying VPN. Since VPN's require considerable work to construct and deploy, automating this process is of considerable utility. Caution: X-Bone at this point is still a highly technical development.

PoPToP

PoPToP is a PPTP Server for Linux, BSD and Solaris. Allows Linux servers to be added to existing Microsoft PPTP VPN's. GPL'ed.

PPTP Client

A Microsoft PPTP client for Linux. See also the Linux VPN Masquerade page for additional PPTP info.

CIPE

CIPE - Crypto IP Encapsulation is meant to be a simpler, smaller and faster means of passing IP tunnel traffic between routers. It does not offer the flexibility and features that IPsec of SKIP offer, but may be just the thing for two routers that need to push a lot of heavy traffic through a big, fat, insecure pipe between them.

Commercial Products

Aventail

Aventail offers their commercial MobileVPN and Aventail PartnerVPN secure, encrypted VPN products for Linux.

SecureEdge, SnapGear

SecureEdge provides reference and custom hardware networking boards, useful as the starting point for designing custom network gear. SnapGear provides similar hardware, this time in nice-looking, consumer-ready boxes.

RedCreek

RedCreek provide a Linux driver for thier PCI bus VPN card. The card implements hardware encryption, but the operating system sees it as an ordinary ethernet network card.

History