Virtual Private Networks

1
Virtual Private Networks

• Using Crypto IP Encapsulation
• Mark Kamichoff ltprox_at_prolixium.comgt

These slides are available from
http//prolixium.com/files/siglinux.pdf/ppt
2
What is a VPN?

• (from whatis.com)
• A VPN (virtual private network) is a way to use a
  public telecommunication infrastructure, such as
  the Internet, to provide remote offices or
  individual users with secure access to their
  organization's network.

3
Why do we need a VPN?

• Useful for accessing machines behind firewalls
  from other networks
• Provides a secure way of extending a network
  without buying leased lines or connecting via
  other physical medium
• its cool!

4
Some Other VPN Implementations

• IPIP
• For Linux, real old (no IPv6 support, etc)
• GRE
• Made by Cisco, modern
• IPSec
• PPTP/L2TP
• PPTP Developed by Microsoft
• L2TP now an IETF standard, extending/fixing
  features in PPTP

5
Example VPN
Firewall/NAT
Office 2
Internet
Office 1
Firewall/NAT
6
Why CIPE?

• Free!
• Distributed under the GNU General Public License
• Encrypted, provides worry-free encapsulation
• Uses UDP, rather than TCP
• Useful for passing through some firewalls
• No TCP-in-TCP retransmit issues
• http//sites.inka.de/sites/bigred/devel/tcp-tcp.ht
  ml

7
Getting started

• Download CIPE
• http//sites.inka.de/sites/bigred/devel/cipe.html
• Configure and Install
• Needs OpenSSL libraries/headers and Linux kernel
  source, among other things
• Will build cipcb.o module
• Might complain about a tex error during make
  install (ignore you just wont get docs)

8
Configuring CIPE

• Install CIPE on hosts that will route packets on
  the VPN
• Configure options files
• Back to our diagram!

9
Example VPN (continued)
(Network 192.168.2.0/24)
Firewall/NAT
Office 2
24.26.13.37
Internet
192.168.254.2
(Network 192.168.1.0/24)
192.34.56.78
Encrypted UDP Virtual Connection
Office 1
Firewall/NAT
Point-to-Point
192.168.254.1
10
Example VPN (continued)
(Network 192.168.2.0/24)
Office 2
device cipcb0 me 192.34.56.783232 ipaddr
192.168.254.1 ptpaddr 192.168.254.2 peer
24.26.13.373232 key thiselitekey maxerr -1 cttl
64
Firewall/NAT
192.168.254.2
24.26.13.37
device cipcb0 me 24.26.13.373232 ipaddr
192.168.254.2 ptpaddr 192.168.254.1 peer
192.34.56.783232 key thiselitekey maxerr -1 cttl
64
Internet
(Network 192.168.1.0/24)
192.34.56.78
Office 1
Firewall/NAT
192.168.254.1
11
Example VPN Completed
Office 1 Router
cipcb0 Link encapIPIP Tunnel HWaddr
inet addr192.168.254.1 P-t-P192.168.254.2
Mask255.255.255.255 UP POINTOPOINT
RUNNING NOARP MTU1442 Metric1 RX
packets144138 errors0 dropped0 overruns0
frame0 TX packets100655 errors0
dropped0 overruns0 carrier0
collisions0 txqueuelen100 RX
bytes175897216 (167.7 MiB) TX bytes11367036
(10.8 MiB)
Kernel IP routing table Destination Gateway
Genmask Flags MSS Window irtt
Iface 192.168.254.2 0.0.0.0
255.255.255.255 UH 40 0 0
cipcb0 192.168.2.0 192.168.254.2
255.255.255.0 UG 40 0 0
cipcb0 192.168.1.0 0.0.0.0
255.255.255.0 U 40 0 0
eth0 192.34.56.0 0.0.0.0
255.255.255.0 U 40 0 0
eth1 0.0.0.0 192.34.56.254 0.0.0.0
UG 40 0 0 eth1
12
Example VPN Completed (cont)
Office 2 Router
cipcb0 Link encapIPIP Tunnel HWaddr
inet addr192.168.254.2 P-t-P192.168.254.1
Mask255.255.255.255 UP POINTOPOINT
RUNNING NOARP MTU1442 Metric1 RX
packets144138 errors0 dropped0 overruns0
frame0 TX packets100655 errors0
dropped0 overruns0 carrier0
collisions0 txqueuelen100 RX
bytes175897216 (167.7 MiB) TX bytes11367036
(10.8 MiB)
Kernel IP routing table Destination Gateway
Genmask Flags MSS Window irtt
Iface 192.168.254.1 0.0.0.0
255.255.255.255 UH 40 0 0
cipcb0 192.168.1.0 192.168.254.1
255.255.255.0 UG 40 0 0
cipcb0 192.168.2.0 0.0.0.0
255.255.255.0 U 40 0 0
eth0 24.26.13.0 0.0.0.0
255.255.255.0 U 40 0 0
eth1 0.0.0.0 24.26.13.254 0.0.0.0
UG 40 0 0 eth1
13
Misc. Links

• http//www.tldp.org/HOWTO/Adv-Routing-HOWTO/
• Linux Advanced Routing Traffic Control HOWTO
• http//www.seattlewireless.net/index.cgi/IpTunnel
• Generic IP Tunnel HOWTO