NewPush » VPN

What is the difference between site to site and mobile VPN?

Balazs — Fri, 04 Nov 2011 01:40:47 +0000

For most businesses, there are two types of VPN that apply:

site to site VPN: this is used to link sites, such as your office and the data center,
mobile VPN: this is used to link mobile or home users to a corporate site, or a data center.

The mobile VPN to your office is typically free, you just need to pay a one time setup fee and sometimes an extra license fee depending on the vendor. If your firewall is based on pfSense, there are no extra license fees.

The site to site VPN is typically priced on a per channel basis, to cover our bandwidth and virtual port costs on the terminating firewall in the data center. This is optional, and you can decide to sign up for that service once there is a clear business case for it.

Directing all VPN traffic through the OpenVPN concentrator

Balazs — Sun, 29 Nov 2009 07:33:00 +0000

Problem

It is necessary for some users to have all their traffic directed through the OpenVPN concentrator. The number one reason for such a configuration is to protect the HTTP traffic over unsecured WiFi (a.k.a. hotspots).

Solution

Add to the bottom of the connecting client’s configuration file (typically under /etc/openvpn/clients.d the following line:push "redirect-gateway"

Fast and Secure VPN setup with OpenBSD 4.5

Balazs — Tue, 30 Jun 2009 20:04:58 +0000

Premise

Setting up VPN with IPsec using public / private key authentication between two networks using OpenBSD firewalls.

Concept

Each VPN concentrator will have the public key fo the other machine, and one of the VPN concentrators will be designated as the active requester. The other will be set up in a passive role, to accept the connection initiation, like a central VPN gateway at a datacenter would.

Practical steps

Set up proper rules so that the firewalls pass proper traffic. That is done by adding the line in pf.conf to allow for the gateways to communicate:
```
pass quick on $ext_if from $remote_vpn_gw_ip
```
Set up the public key for each firewall on it’s counterpart:
```
mkdir -p /etc/isakmpd/pubkeys/ipv4
cp remote_gateway_local.pub /etc/isakmpd/pubkeys/ipv4/xxx.xxx.xxx.xxx
```
where xxx.xxx.xxx.xxx is the IP address of the remote gateway. (See below how to generate the public / private keys.)

Create the ipsec.conf configuration file on the active VPN gateway:

GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"

ike esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $GW_REMOTE

Create the ipsec.conf configuration file on the passive VPN gateway:

GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"

ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $GW_REMOTE

Start the VPN on each VPN gateway:
```
isakmpd -K
ipsecctl -f /etc/ipsec.conf
```
Test the connections:
```
ipsecctl -sa
```
it may take a few minutes for the VPN channels to get established.

Public / Private Keys

Generating Public / Private keys with OpenSSL (on full OpenBSD install, this is already done automatically):

openssl genrsa -out /etc/isakmpd/private/local.key
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -out /etc/isakmpd/private/local.pub -in /etc/isakmpd/private/local.key -pubout

If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.

References

How to set up PPTP on Win2k

Balazs — Sun, 31 May 2009 15:10:34 +0000

Setting up a folder for PPTP access:

Right click and select properties
Select Sharing tab
Check “Share this folder” and give it a share name
Click the permissions button, and make sure that only the right user(s) have permission

Setting up user for PPTP:

Start->Settings->Network and Dial-up connections->Incoming connections
Click users tab
Check the check box next to user to authorize

How to set up "road warior" VPN with OpenBSD

Balazs — Fri, 29 May 2009 23:56:45 +0000

I found this solution in the summary of a related thread on misc@openbsd.org (mailing list).

Thanks for the various assists on this, I’m glad to say that the problem I was having is now solved. I am now successfully interworking dynamically addressed (DHCP) Win2K-pro and XP clients with OpenBSD isakmpd using X.509 certificate-based authentication. I believe this to be a lot more scalable and manageable than using pre-shared secrets.

For reference, the problem I was having was caused by incorrectly entering the X.509 certificates into the cert stores on the Windows machines using the MMC snap-in. So it wasn’t an OBSD issue at all

If anyone has the same problem, you need to make sure you are entering the CA and client certs into the cert stores for the LOCAL COMPUTER *not* the CURRENT USER (which is the default if you just double-click on the cert bundle on the desktop). Doh! Instead click start->run and enter “mmc” then add the snap-in for ‘Manage Certificates’ making sure you select ‘local computer’ in the dialogue. Obviously you will also need to add the snap-in for ‘manage IPsec policies’ too.

All-in-all not entirely a pain-free process, but a great learning experience (and now at last I am confident my wireless LAN is *properly* secure).

For ref, below are the isakmpd.conf and isakmp.policy files which I am using on the OPENBSD server.

Generating the X.509 certs correctly requires some care. I do it using the ‘ca’ command on openssl (this avoids the need to use certpatch, but make sure you read the relevant parts of the IPSEC/ISAKMPD/VPN manpages about what is needed here – because you are using DHCP clients, you need to put the FQDN in the subjectAltName part of the cert). I also use the ‘pkcs12′ command on openssl to produce a cert-bundle which is the easiest way to safely transport and import the certs and private key onto the windows boxes. I have some basic scripts for doing the openssl bits, which I guess I can email to anyone who’s interested.

By the way, if you are using PF don’t forget you will additionally need to create some relevant filtering rules to allow traffic on esp0…

Rgds to all
MC

===
# This is the isakmpd.conf file for the SERVER
#

[General]
Listen-on=              10.0.0.1

[Phase 1]
Default=                ISAKMP-peer-dhcp

[Phase 2]
Passive-connections=    IPsec-connection

[ISAKMP-peer-dhcp]
Phase=                  1
Local-address=          10.0.0.1
ID=                     server-fqdn-id
Configuration=          IKE-main-mode-config

[server-fqdn-id]
ID-type=                FQDN
Name=                   server

[IKE-main-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-RSA_SIG, 3DES-SHA-RSA_SIG

[IPsec-connection]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-dhcp
Configuration=          IKE-quick-mode-config
Local-ID=               server-ipv4-id
Remote-ID=              generic-ipv4-id

[IKE-quick-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-TRP-AES-SHA-SUITE, QM-ESP-TRP-AES-MD5-SUITE, QM-ESP-TRP-3DES-SHA-SUITE, QM-ESP-TRP-3DES-MD5-SUITE

[server-ipv4-id]
ID-type=                IPV4_ADDR
Address=                10.0.0.1

[generic-ipv4-id]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[X509-certificates]
Ca-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

===
# this is the matching isakmpd.policy file for the SERVER
Authorizer: "POLICY"
Licensees: "DN:/C=My Country/O=My Org/OU=PKI Infrastructure/CN=My Root CA"
conditions:app_domain == "IPsec policy" &&
        doi == "ipsec" &&
        esp_present == "yes" &&
        esp_enc_alg != "null" -> "true";

How do I find out more about OpenBSD VPN?

Balazs — Fri, 29 May 2009 23:55:39 +0000

Here are some of the resources we found useful to learn more about VPNs in general and on OpenBSD specifically:

Debugging an OpenBSD 4.5 ISAKMP VPN problem

Balazs — Mon, 25 May 2009 05:24:06 +0000

There is some very good info here:http://www.allard.nu/openbsd/ specifically, I found the following hints helpful:

'isakmpd -d' Start isakmpd with 'isakmpd -d'. Isakmpd will output things like wrong file permissions and typos in the configuration file. On connect you might see things like "NO PROPOSAL CHOOSEN" which can either mean that your configuration parameters between the client and the server doesn't match, or that you have typed the wrong pre-shared key.

'isakmpd -L' and 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap' This one is really nice to check if your configurations between the client and the server match and also to learn howto create isakmpd.conf files for new clients. With 'isakmpd -L' isakmpd will dump, in tcpdump format, everything it sends and recieves to /var/run/isakmpd.pcap. You then check what happened with 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'. Look here for an example output of isakmpd -L and tcpdump. This output is typically what you want to send to the mailing list when you want help with something if the above doesn't help you.

Setting up a VPN between OpenBSD 4.5 and Cisco PIX

Balazs — Mon, 25 May 2009 05:22:31 +0000

The original of this HOWTO was here: OpenBSD – PIX ISAKMP VPN

Setting up an ISAKMP VPN tunnel between OpenBSD 4.5 and Cisco Pix

Configuration:

  Site A:

    OpenBSD 4.5
    Internal Network: 192.168.0.0/24
    External IP: 1.1.1.1

  Site B:

    Cisco Pix 6.1
    Internal Network: 10.0.0.0/8
    External IP: 2.2.2.2

  VPN parameters:

    Shared Secret: theSecret
    Encryption Algorith: 3DES
    Hash Algorith: SHA
    Diffie-Helman Group: 2 (1024bit)

========================================================================

Pix Configuration:

access-list to_siteA permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

access-list no_nat   permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address to_siteA
crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside

isakmp enable outside
isakmp key theSecret address 1.1.1.1 netmask 255.255.255.255
isakmp identity address

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

========================================================================

OpenBSD config:

/etc/ipf.rules

# Adjust for your particular packet filtering setup and NIC
pass   in  quick on ep0 proto esp from any to 1.1.1.1
pass   in  quick on ep0 proto udp from any to 1.1.1.1 port = 500

/etc/isakmpd/isakmpd.conf

[General]
Retransmits=			5
Exchange-max-time=		120
Listen-on=			1.1.1.1
Default-Phase2-Lifetime=        3600,80:86400

[Phase 1]
2.2.2.2=			SiteBPix

[Phase 2]
Connections=			SiteA-SiteB-10

[SiteBPix]
Phase=				1
Transport=			udp
Local-address=			1.1.1.1
Address=			2.2.2.2
Configuration=			Default-main-mode
Authentication=			theSecret

[SiteA-SiteB-10]
Phase=				2
ISAKMP-peer=			SiteBPix
Configuration=			Default-quick-mode
Local-ID=			Net-SiteA
Remote-ID=			Net-SiteB-10

[Net-SiteA]
ID-type=			IPV4_ADDR_SUBNET
Network=			192.168.0.0
Netmask=			255.255.255.0

[Net-SiteB-10]
ID-type=			IPV4_ADDR_SUBNET
Network=			10.0.0.0
Netmask=			255.0.0.0

[Default-main-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			ID_PROT
Transforms=			3DES-SHA

[Default-quick-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			QUICK_MODE
Suites=				QM-ESP-3DES-SHA-PFS-SUITE

[DES-SHA]
GROUP_DESCRIPTION=		MODP_1024

[QM-ESP-3DES-SHA-PFS-SUITE]
GROUP_DESCRIPTION=		MODP_1024

/etc/isakmpd/isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"