Red Hat Fedora Linux 3 Bible

Sometimes the people and offices that have to work closely together are not physically close together. For example, you may have:

• Two branch offices that need to constantly share sales databases, or

• An employee who needs to access office computers, printers, and files from home.

Rather than purchase expensive leased lines from a phone company, you want to use an inexpensive network medium, like the Internet, to let the two sides communicate. The problem is that you don’t want to open up access to file sharing, print sharing, and other private services to the Internet. You also don’t want communication between these sites to be exposed to anyone who is watching Internet traffic. One solution is to set up a virtual private network.

A virtual private network (VPN) provides a way to set up secure communications over an otherwise insecure network. With a VPN connection in place, the two sides of a connection can communicate as safely as they do on the same corporate LAN. To do this, a VPN usually offers the following features:

• Authentication — Using passwords or other techniques, two ends of a communication can prove that they are who they say they are before accepting a connection. After the connection is in place, communications can flow in both directions across it.

• Encryption — By encrypting all data being sent between the two points on the public network, you can be assured that even if someone could see the packets you send, they couldn’t read them. Creating a connection between two public network addresses to use for exchanging encrypted data is known as tunneling.

There are several ways of going about setting up VPN connections in Linux:

• Internet Protocol SECurity (IPsec) — IPsec is a standard developed by the Internet Engineering Task Force (IETF) as the required method of encryption when the IP version 6 becomes the standard Internet protocol (right now IPv4 is the standard in North America and Europe). There are several implementations of IPsec over IPv4 in Linux these days. Fedora includes IPsec support by including the Linux 2.6 kernel and offering an administrative interface for configuring it (via the ipsec-tools package).

• PPP over OpenSSH — With this method, using software that is already in Fedora, you can configure a PPP interface (as you would a regular dial-up connection) to use SSH to encrypt all data that goes across the PPP interface. While this method is not too difficult to configure, it can provide poor performance. To see how to create a PPP over OpenSSH VPN, refer to the VPN PPP-SSH HOW-TO (search www.tldp.org).

• Crypto IP Encapsulation (CIPE) — Using this method, IP packets are routed across selected IP interfaces as encrypted UDP packets. CIPE is easy to set up and carries less overhead than PPP over OpenSSH, so you should get better performance. One drawback is that, because it is not a standard VPN, CIPE is not available on all platforms and was dropped from Fedora Core 3.

In this chapter, I provide an overview of the features and tools in IPsec in Fedora Core 3.

Understanding IPsec

To provide more secure transmission of TCP/IP data in the new Internet Protocol version 6 (IPv6) standard, developers of that standard created the Internet Protocol Security (IP) architecture. With IPsec, encrypted communication is possible right at the Internet Protocol (IP) level and methods for providing access control, data integrity, authentication and traffic flow confidentiality are standardized as well.

In practical terms, organizations that have computers that need to communicate on public networks in ways that are secure and private can create virtual private networks (VPNs) with IPsec. Unlike other VPN implementations (such as CIPE), which require a manual exchange of keys to work, IPsec offers an automated way of creating security associations between communications endpoints and managing keys.

With slow adoption of IPv6 in the United States and other places, IPsec has been included (backported) into the IPv4 protocol, which is still the most common IP version used on the Internet. That backport was added into the IP protocol included with the Linux 2.6 kernel that comes with Fedora Core 2. The Internet standard RFC2401 document describes the IPsec architecture.

Using IPsec protocols

IPsec consists of two primary protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). Look in the /etc/protocols file and you'll see that AH is assigned to protocol number 50 and ESP is assigned to protocol number 51.

To authenticate peer computers and exchange symmetric keys, IPsec uses the Internet Key Exchange (IKE) protocol. At the beginning of communication between two host computers using IPsec, IKE does the following:

• Authenticates that the peer computers are who they say they are.

• Negotiates security associations.

• Chooses secret symmetric keys (using Diffie-Hellmann key exchange).

The security associations established by IKE are stored in a security association database (SAD). A security association holds information about the communications endpoints (possibly public Internet IP addresses), whether Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols are being used with IPsec, and the secret key/algorithm being used.

IPsec itself has two possible modes of operation: tunnel mode and transport mode.

• Tunnel mode — The entire IP datagram is encapsulated into the new IP datagram by IPsec. This protects both the data and the control information from being seen by anyone except the communications endpoint that is allowed to decrypt the communication.

• Transport mode — Only the data (the payload intended for the client receiving the data) is encrypted. To do this, IPsec inserts its own header between the Internet Protocol header and the protocol header for the upper layer.

Included in the protocol header of each packet transmitted is information referred to as Hash Message Authentication Codes (HMAC). Including these codes with transmitted data in IPsec offers the following advantages:

• Data integrity — By using a hash algorithm to create a hash from a secret key and the data in the IP datagram, the resulting HMAC is added to the IPsec protocol header. The receiver can then check that the HMAC is correct using its own copy of that secret key. Supported authentication algorithms include MD5, SHA1, and SHA2 (256, 384, and 512).

• Data privacy — By using symmetric encryption algorithms (such as DES, NULL, AES, 3DES, and Blowfish), datagrams are encrypted so their contents cannot be seen by outsiders.

By recording a sequence of packets during data communications, an intruder can attempt denial-of-service attacks by replaying that sequence of packets. IPsec combats that type of attack by accepting packets that are within a “sliding window” of sequence numbers or higher. Packets using older sequence numbers are dropped.

Using IPsec in Fedora

Using IPsec in Fedora Core 3, you can configure virtual private networks (VPN) between Fedora and other systems that support IPsec. It is important that hosts at both ends of the IPsec VPN are configured in the same way. In fact, you may have the best results by using the same operating system version and IPsec software (in the case of Fedora, ipsec-tools package and IP protocol drivers that come with the 2.6 kernel).

By default, the necessary modules to use IPsec are already available in Fedora 3. The tools you use to configure IPsec are contained in the ipsec-tools packages. You set up IPsec in the kernel in much the same way that you set up firewalls with iptables: you run commands that load settings into the kernel, either from command line options (standard input) or from a file containing your preconfigured options.

The commands you use to set up a VPN with IPsec include the following:

• setkey — Use this command to load the data about your VPN connections into the kernel. It can add, change, flush or dump information in the Security Association Database (SAD) and the Security Policy Database (SPD) for your IPsec VPN. Typically, you would create a configuration file in the format described on the setkey man page, then run setkey -f filename to load that data into the kernel.

• racoon — Use this command to create IKE security associations between host computers communicating together over an IPsec VPN. Security data are loaded into racoon from the /etc/racoon.conf file (unless that file is overridden from the racoon command line using the -f option).

Sample configuration files to use with setkey are available from the IPsec-HOWTO (www.ipsec-howto.org). A sample racoon.conf file is included with the ipsec-tools package (in the /usr/share/doc/ipsec-tools-* directory). For an in-depth description of the tools used with IPsec, refer to the Kame Project Web site (www.kame.net).