
Monday, June 18, 2012

OpenVPN with Vyatta [Site Behind NAT | Firewall]

Yesterday I was at my cousin's place when I remembered that I had forgotten to bring some documents from my desktop at home, and going back wasn't an option. I have a static IP provisioned at home, while my cousin's place sits behind a DSL modem with a dynamic IP.

It was a good thing that Vyatta controls my home internet traffic, so I quickly accessed my Vyatta router and from there fetching the documents was a piece of cake.
Later I decided to create a VPN between my home and my cousin's so we could always reach each other's "Shared Documents" without involving any fancy router or Linux commands.

So here is the scenario:
Main Site / My Home: listens for the incoming OpenVPN connection and then listens for RIP updates arriving over the tunnel.
Site-B / Cousin's Home: initiates the VPN to the main site and shares its routing table over RIP.

Note that only the Main Site has a static IP; the other site has a dynamic IP that may change on every modem reset. After this setup I will be able to access their home network without caring about their public IP.

Here is a network diagram for better understanding.
Site-to-Site OpenVPN tunnel topology

Main-Site Router:
Here's the breakdown of the commands you're about to see: assign the public IP, set the gateway address, set a public DNS server, start the SSH service, and configure the LAN interface. SSH is optional, and enabling it here exposes the router's SSH port to the whole internet, so only do it if you need remote management (I rely on it below to copy the OpenVPN key to the other site) and consider restricting the allowed source addresses with a firewall rule.

Then I verified that the router's internet connectivity is good by resolving www.msn.com, and later I pinged it as well. All perfect at this point.

Main-Vyatta:~$configure
Main-Vyatta#set interfaces ethernet eth0 address 123.111.222.2/30
Main-Vyatta#set system gateway-address 123.111.222.1
Main-Vyatta#set system name-server 8.8.8.8
Main-Vyatta#set service ssh
Main-Vyatta#set interfaces ethernet eth1 address 10.10.1.1/24
Main-Vyatta#commit
Main-Vyatta#sudo nslookup www.msn.com
 
Then I created a NAT rule so my LAN stations can reach the internet, masqueraded behind the public IP. Note that the source is the whole LAN prefix, 10.10.1.0/24, not the router's own address.

Main-Vyatta#set nat source rule 5 outbound-interface eth0
Main-Vyatta#set nat source rule 5 source address 10.10.1.0/24
Main-Vyatta#set nat source rule 5 translation address masquerade
Main-Vyatta#commit
Main-Vyatta#exit

Up to here, my home network is all set. Now on to the OpenVPN setup.
Create the OpenVPN static key, copy it to a temporary directory so the other site can fetch it over scp, and change its ownership to the vyatta user (the login used for scp). Remember to delete the /tmp copy once Site-B has fetched it; the key is the only thing protecting the tunnel.

Main-Vyatta:~$generate openvpn key /etc/openvpn/key.psk
Main-Vyatta:~$sudo cp /etc/openvpn/key.psk /tmp/
Main-Vyatta:~$sudo chown vyatta /tmp/key.psk
Main-Vyatta:~$ls -l /etc/openvpn/key.psk
Main-Vyatta:~$configure

Create the OpenVPN interface vtun0 with the local IP to assign and the remote peer's IP.

Main-Vyatta#set interfaces openvpn vtun0 mode site-to-site
Main-Vyatta#set interfaces openvpn vtun0 local-address 172.16.1.1
Main-Vyatta#set interfaces openvpn vtun0 remote-address  172.16.1.2
Main-Vyatta#set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
Main-Vyatta#commit

In the five lines above I created a "vtun0" interface of type openvpn in site-to-site mode. The main site is addressed as 172.16.1.1, which the other site uses as its remote-address, and, most importantly, both sides reference the same shared key file.

Enable RIP on the main router's vtun0 interface to accept the other side's routes. I also advertise my own LAN (10.10.1.0/24) so that Site-B learns the return route through the tunnel; without it, replies from their LAN to mine would follow their default route toward the ISP instead of the tunnel.

Main-Vyatta#set protocols rip interface vtun0
Main-Vyatta#set protocols rip neighbor 172.16.1.2
Main-Vyatta#set protocols rip network 10.10.1.0/24
Main-Vyatta#commit
Main-Vyatta#save


Now, the Site-B router.


Site1-Vyatta$configure
Site1-Vyatta#set interfaces ethernet eth0 address 192.168.1.2/24
Site1-Vyatta#set interfaces ethernet eth1 address 10.1.3.1/24
Site1-Vyatta#set system gateway-address 192.168.1.1
Site1-Vyatta#set service ssh
Site1-Vyatta#commit

This configures the Site-B router's WAN address on eth0 (facing the DSL modem), its gateway, which is the DSL modem at 192.168.1.1, and its LAN interface eth1. The name server and the NAT rule for this LAN should be set as well; I'm skipping those, as they mirror the main site.

Fetch the OpenVPN key for this site to use. The copy travels over SSH to the main site's public address, so it is protected in transit; once it has landed, make it owned by root and readable by root only (scp creates it with the default umask, typically world-readable), and remove the /tmp copy on the main site.

Site1-Vyatta#sudo scp vyatta@123.111.222.2:/tmp/key.psk /etc/openvpn/key.psk
Site1-Vyatta#sudo chown root:root /etc/openvpn/key.psk
Site1-Vyatta#sudo chmod 600 /etc/openvpn/key.psk
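Before committing the interface on either side, it is worth confirming that the key arrived intact, that both routers hold byte-identical copies, and that nobody but root can read them. The bash functions below are an added example written for this post, not Vyatta's own tooling: psk_generate reproduces the OpenVPN "Static key V1" file layout (16 lines of 32 hex digits between BEGIN and END markers, the same kind of file openvpn --genkey and Vyatta's generate openvpn key write) from /dev/urandom so the example runs without an openvpn binary; psk_check validates that layout and the 0600 permissions; psk_fingerprint gives a SHA-256 you can read out over the phone to compare the two sites instead of trusting that the scp copied what you think it did. File names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): checks for the OpenVPN static
# key after it has been copied between the two Vyatta routers.

# psk_generate FILE: write a key in OpenVPN "Static key V1" layout (2048 random
# bits as 16 lines of 32 hex digits) with mode 0600. Stands in for
# `generate openvpn key` / `openvpn --genkey` so the example runs anywhere.
psk_generate() {
  local f=$1
  ( umask 077
    {
      echo '-----BEGIN OpenVPN Static key V1-----'
      od -An -v -tx1 -N256 /dev/urandom | tr -d ' \n' | fold -w32
      echo
      echo '-----END OpenVPN Static key V1-----'
    } > "$f"
  )
}

# psk_check FILE: 0 when FILE is owner-read/write only and has the expected
# layout; prints the reason and returns 1 otherwise.
psk_check() {
  local f=$1 perms body
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  perms=$(ls -ld "$f" | cut -c1-10)
  [ "$perms" = "-rw-------" ] || { echo "bad permissions $perms, want -rw------- : $f"; return 1; }
  [ "$(head -n1 "$f")" = '-----BEGIN OpenVPN Static key V1-----' ] || { echo "bad header: $f"; return 1; }
  [ "$(tail -n1 "$f")" = '-----END OpenVPN Static key V1-----' ] || { echo "bad trailer: $f"; return 1; }
  body=$(sed '1d;$d' "$f")
  [ "$(printf '%s\n' "$body" | wc -l | tr -d ' ')" = 16 ] || { echo "wrong key length: $f"; return 1; }
  ! printf '%s\n' "$body" | grep -qvE '^[0-9a-fA-F]{32}$' || { echo "non-hex key material: $f"; return 1; }
}

# psk_fingerprint FILE: SHA-256 of the file, to be compared out of band.
psk_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# psk_same A B: 0 when both files carry the same key.
psk_same() {
  [ "$(psk_fingerprint "$1")" = "$(psk_fingerprint "$2")" ]
}

# On the routers: psk_check /etc/openvpn/key.psk && psk_fingerprint /etc/openvpn/key.psk
```

Run psk_fingerprint on both routers and compare the two hashes by voice or another channel; a mismatch means the copy was corrupted or replaced, and the tunnel would fail to authenticate without telling you why.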
Now it is time to configure the "vtun0" interface. Once we commit this, the router will try to connect to the Main-Site router.

Site1-Vyatta#set interfaces openvpn vtun0 mode site-to-site
Site1-Vyatta#set interfaces openvpn vtun0 local-address 172.16.1.2
Site1-Vyatta#set interfaces openvpn vtun0 remote-address 172.16.1.1
Site1-Vyatta#set interfaces openvpn vtun0 remote-host 123.111.222.2
Site1-Vyatta#set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
Site1-Vyatta#commit
Site1-Vyatta#save
Site1-Vyatta#exit
Site1-Vyatta$show interfaces


Running show interfaces will list the new vtun0 interface.

Now it's time to advertise my local network to the Main Site, so the Main-Site router learns which next hop to use for the 10.1.3.0/24 network. RIP runs only on vtun0 and on the LAN prefix; it must not be enabled on eth0, which faces the DSL modem, or the router would announce our internal prefixes toward the ISP side.

Site1-Vyatta$configure
Site1-Vyatta#set protocols rip network 10.1.3.0/24
Site1-Vyatta#set protocols rip neighbor 172.16.1.1
Site1-Vyatta#set protocols rip interface vtun0
Site1-Vyatta#commit
Site1-Vyatta#save
Site1-Vyatta#exit
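Once both sides have committed, the one check that matters for the security of this setup is that the route for the remote LAN really points into vtun0: if RIP has not exchanged the prefix, the router silently forwards 10.1.3.0/24 traffic out of the default route toward the ISP, in the clear. The bash functions below are an added example written for this post, not Vyatta commands. They parse the text of ip route show (available on Vyatta, which is Debian underneath); the two routing tables embedded here are constructed to mimic the Main-Site router before and after RIP has installed Site-B's route (Quagga marks the routes it installs with proto zebra).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm that a remote private
# prefix is routed into the OpenVPN tunnel rather than out of the default route.

# Constructed sample: Main-Site's table after RIP has installed Site-B's LAN.
SAMPLE_OK='default via 123.111.222.1 dev eth0
123.111.222.0/30 dev eth0  proto kernel  scope link  src 123.111.222.2
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1
172.16.1.2 dev vtun0  proto kernel  scope link  src 172.16.1.1
10.1.3.0/24 via 172.16.1.2 dev vtun0  proto zebra  metric 20'

# Constructed sample: tunnel is up but RIP never exchanged routes, so traffic
# for 10.1.3.0/24 would follow the default route to the ISP unencrypted.
SAMPLE_LEAK='default via 123.111.222.1 dev eth0
123.111.222.0/30 dev eth0  proto kernel  scope link  src 123.111.222.2
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1
172.16.1.2 dev vtun0  proto kernel  scope link  src 172.16.1.1'

# route_dev ROUTES PREFIX: print the device of the exact-prefix route and
# return 0; otherwise print "default:<dev>" and return 1.
route_dev() {
  local routes=$1 prefix=$2 dev
  dev=$(printf '%s\n' "$routes" |
        awk -v p="$prefix" '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }')
  if [ -n "$dev" ]; then
    printf '%s\n' "$dev"
    return 0
  fi
  dev=$(printf '%s\n' "$routes" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }')
  printf 'default:%s\n' "$dev"
  return 1
}

# tunnel_route_ok ROUTES PREFIX TUNDEV: 0 only when PREFIX is routed via TUNDEV.
tunnel_route_ok() {
  local routes=$1 prefix=$2 tun=$3 dev
  dev=$(route_dev "$routes" "$prefix") || true
  if [ "$dev" = "$tun" ]; then
    echo "OK: $prefix -> $tun"
    return 0
  fi
  echo "LEAK: $prefix -> $dev (expected $tun); RIP has not installed the route"
  return 1
}

# On a live router: tunnel_route_ok "$(ip route show)" 10.1.3.0/24 vtun0
```

Run the same check on Site-B for 10.10.1.0/24; both directions have to point into vtun0, otherwise one half of each conversation leaves unencrypted. The check looks for an exact prefix match, which is what RIP installs here; on a live box, ip route get with a host address inside the remote LAN gives the authoritative answer when more-specific routes are in play.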


That's all; everything is set and should be working fine. Pings from the Main Site to Site-B flow smoothly.

I'm thinking of exploring different ways of creating VPNs between two or more Vyatta routers, and hope to publish those soon too.

Sunday, February 26, 2012

Linux IPsec VPN SETUP (CentOS)

Once I was required to deploy a VoIP infrastructure with VPN connectivity between two offices, in London and Berlin. One office had a Cisco PIX and the other had nothing but our VoIP server to terminate the VPN, so I had to set up an IPsec tunnel between Linux and the Cisco. Here is a how-to for public reading and for future reference.


UPDATE: A new scenario for an Amazon-based Linux VPN server is published on this link.

NETWORK DESIGN

VPN network overview

IPsec SETUP ON CENTOS
On our CentOS server we need to install Openswan, which does the IPsec work.

Install Openswan:
[root@localhost ~]#yum upgrade
[root@localhost ~]#yum install openswan ipsec-tools
Use this command to start Openswan at boot time:
[root@localhost ~]#chkconfig ipsec on

At this point, if all commands succeeded, Openswan is installed. Now we need to configure it.

Disable ICMP redirects (send and accept)
Note: the * is the shell glob over every interface directory under /proc/sys/net/ipv4/conf/ (eth0, eth1, and also all and default), not just the NIC on which the VPN terminates; for send_redirects the kernel treats the per-interface flag and the all flag as "enabled if either is set", so every one of them has to be 0. Leave the glob unquoted so the shell expands it, and write with > rather than >>, since each file holds a single value.

[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done

Enable IP Forwarding
The /proc writes above are lost on reboot, so put the redirect settings into sysctl.conf together with forwarding (the default entries cover interfaces created after sysctl runs at boot):
[root@localhost ~]#nano /etc/sysctl.conf
Set:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
[root@localhost ~]#sysctl -p

Verify ipsec/openswan

Check whether Openswan is happy with your settings. Mine were copied after the VPN was established. If the two redirect checks still report FAILED, as they do below, the /proc changes did not take effect; fix that before going further, since with NETKEY the host may otherwise send or accept bogus ICMP redirects for tunnelled traffic.

[root@localhost ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain  [MISSING]
Does the machine have at least one non-private address?     [FAILED]
Ignore Opportunistic Encryption DNS Checks Failures


IPsec CONFIGURATIONS

Now we need to configure our Linux VPN; for this we edit the ipsec.conf file.

[root@localhost ~]#nano /etc/ipsec.conf

Insert the following lines into that file, adjusting the addresses and subnets to yours.

config setup
        interfaces=%defaultroute
        klipsdebug=all                 # verbose debugging; set both to none once the tunnel works
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel                    # tunnel-mode IPsec
        left=213.YX.XY.213             # public IP of the Openswan endpoint
        leftnexthop=%defaultroute      # our default gateway
        leftsubnet=10.100.100.0/24     # network behind the Openswan endpoint
        right=123.XX.YY.123            # public IP of the Cisco, or %any for a road-warrior setup
        rightnexthop=%defaultroute     # default route; unknown for a road warrior
        rightsubnet=192.168.150.0/24   # network behind the Cisco
        auth=esp
        esp=3des-sha1                  # ESP with 3DES encryption and HMAC-SHA1; must match the Cisco transform set
        keyexchange=ike                # regular IKE (IKEv1)
        authby=secret                  # pre-shared key; RSA keys are the alternative
        pfs=no                         # no perfect forward secrecy; must match the Cisco crypto map
        auto=start                     # bring the tunnel up at startup (auto=add would only wait for the peer)

3DES with SHA1 and pfs=no are what this Cisco accepted at the time. On a new deployment use AES (for example esp=aes256-sha1 or stronger) and pfs=yes, but whatever you choose has to be identical on both peers, or phase 2 will never complete. Likewise turn the debug levels back to none once you are done troubleshooting; plutodebug=all writes every negotiation detail to the log.


CONFIGURE Pre-Shared Key

Syntax of ipsec.secrets:
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK "<PreShared Key>"

The file must be owned by root and readable by root only (chmod 600), since it holds the tunnel's only authentication secret, and the two addresses must be exactly the left and right values from ipsec.conf, otherwise pluto will not find a key for the peer.

[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"
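The two files above have to agree with each other and with the Cisco side, and the mistakes that bite are quiet ones: a secrets line whose addresses do not match left/right, a world-readable secrets file, debug left at all, or legacy algorithms. The bash script below is an added example written for this post, not part of Openswan: it lints an ipsec.conf/ipsec.secrets pair before pluto is started. It embeds constructed copies of the configuration shown above (with a placeholder PSK) plus a hardened variant using AES and PFS; that variant assumes the Cisco transform set and crypto map are changed to match, which this post does not show.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): lint an Openswan ipsec.conf and
# ipsec.secrets pair before starting pluto. Sample files are constructed below
# from the configuration shown in this post; the PSK is a placeholder.

# ipsec_write_samples DIR: write the post's configuration (ipsec.conf), a
# hardened variant (ipsec-hardened.conf) and a matching root-only ipsec.secrets.
ipsec_write_samples() {
  local d=$1
  cat > "$d/ipsec.conf" <<'EOF'
config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel
        left= 213.YX.XY.213
        leftnexthop=%defaultroute
        leftsubnet=10.100.100.0/24
        right=  123.XX.YY.123
        rightnexthop=%defaultroute
        rightsubnet=192.168.150.0/24
        auth=esp
        esp=3des-sha1           # what the Cisco side offered at the time
        keyexchange=ike
        authby=secret
        pfs=no
        auto=start
EOF
  # Hardened variant (assumes the Cisco peer is reconfigured to match).
  cat > "$d/ipsec-hardened.conf" <<'EOF'
config setup
        interfaces=%defaultroute
        plutodebug=none
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel
        left=213.YX.XY.213
        leftnexthop=%defaultroute
        leftsubnet=10.100.100.0/24
        right=123.XX.YY.123
        rightnexthop=%defaultroute
        rightsubnet=192.168.150.0/24
        auth=esp
        keyexchange=ike
        ike=aes256-sha1;modp1536
        esp=aes256-sha1
        pfs=yes
        authby=secret
        auto=start
EOF
  ( umask 077
    printf '%s\n' '213.YX.XY.213 123.XX.YY.123 : PSK "placeholder-use-a-long-random-secret"' > "$d/ipsec.secrets" )
}

# ipsec_conn_field CONF SECTION FIELD: value of FIELD inside "conn SECTION"
# (or "config setup" when SECTION is setup), whitespace and comments stripped.
ipsec_conn_field() {
  awk -v s="$2" -v f="$3" '
    /^[^ \t]/ { in_s = (($1 == "conn" || $1 == "config") && $2 == s); next }
    in_s {
      sub(/#.*/, "")
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
      if (k == f) print v
    }' "$1"
}

# ipsec_psk_present SECRETS LEFT RIGHT: 0 when a "LEFT RIGHT : PSK" line exists
# (either order), which is what pluto needs to authenticate phase 1.
ipsec_psk_present() {
  awk -v l="$2" -v r="$3" '
    $3 == ":" && $4 == "PSK" && (($1 == l && $2 == r) || ($1 == r && $2 == l)) { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# ipsec_lint CONF SECRETS CONN: one WARN line per finding; the return code is
# the number of findings, so 0 means clean.
ipsec_lint() {
  local conf=$1 secrets=$2 conn=$3 findings=0 perms left right esp pfs
  perms=$(ls -ld "$secrets" | cut -c1-10)
  if [ "$perms" != "-rw-------" ]; then
    echo "WARN: $secrets is $perms; the PSK file must be root-only (chmod 600)"
    findings=$((findings + 1))
  fi
  left=$(ipsec_conn_field "$conf" "$conn" left)
  right=$(ipsec_conn_field "$conf" "$conn" right)
  if ! ipsec_psk_present "$secrets" "$left" "$right"; then
    echo "WARN: no PSK line for $left <-> $right in $secrets; phase 1 cannot authenticate"
    findings=$((findings + 1))
  fi
  if [ "$(ipsec_conn_field "$conf" setup plutodebug)" = all ] ||
     [ "$(ipsec_conn_field "$conf" setup klipsdebug)" = all ]; then
    echo "WARN: debug=all in config setup; turn it off once the tunnel works"
    findings=$((findings + 1))
  fi
  esp=$(ipsec_conn_field "$conf" "$conn" esp)
  case "$esp" in
    *3des*|*md5*)
      echo "WARN: esp=$esp uses legacy algorithms; prefer AES with SHA and change the Cisco transform set to match"
      findings=$((findings + 1)) ;;
  esac
  pfs=$(ipsec_conn_field "$conf" "$conn" pfs)
  if [ "$pfs" = no ]; then
    echo "WARN: pfs=no; a compromised IKE SA then exposes past ESP keys (set pfs=yes on both peers)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# On the server: ipsec_lint /etc/ipsec.conf /etc/ipsec.secrets BER-LON-VoIP
```

Against the post's own configuration the lint reports three findings (debug, 3DES, no PFS) and a fourth if ipsec.secrets is not mode 600; against the hardened variant it is clean. The warnings are advice, not a substitute for agreeing the proposal with whoever runs the Cisco.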


Enabling MASQUERADE NAT on the VPN server (optional)
This accepts forwarded traffic arriving on eth1 (the LAN side) and masquerades it behind the address of eth2 (the internet side), so that the LAN can use this server as its gateway. Traffic for the remote office must be excluded from the MASQUERADE rule: with NETKEY the source address is rewritten in POSTROUTING before the packet is matched against the IPsec policy, and a packet carrying the public source address no longer matches leftsubnet, so inter-office traffic would leave unprotected instead of through the tunnel.

[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 ! --destination 192.168.150.0/24 -j MASQUERADE


USEFUL IPsec COMMANDS
Check the status of tunnels:
[root@localhost ~]# ipsec auto --status

This shows the status of every connection defined in ipsec.conf, including which ones are up. See the final lines, which correspond to BER-LON-VoIP.


000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213 esp.140f56a9@10.100.100.6 tun.0@213.YX.XY.213 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.
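Eyeballing that output is fine for one tunnel; for monitoring you want the state per connection, and in particular the difference between "phase 1 authenticated but no ESP SA" (a proposal or subnet mismatch) and "no state at all". The bash functions below are an added example written for this post, not an Openswan utility: they read the text of ipsec auto --status and classify a connection as up, phase1-only or down. The status sample embedded here is reconstructed from the lines shown above, one line per state entry; the phase-1-only sample is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): classify tunnels from the
# output of `ipsec auto --status`.

# Reconstructed from the status lines shown in the post, one entry per line.
SAMPLE_STATUS='000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213 esp.140f56a9@10.100.100.6 tun.0@213.YX.XY.213 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate'

# Constructed: IKE finished but phase 2 never came up (typical of a transform
# set or subnet mismatch with the Cisco).
SAMPLE_PHASE1='000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate'

# ipsec_conn_state STATUS CONN: prints up | phase1-only | down
ipsec_conn_state() {
  local status=$1 conn=$2 lines
  lines=$(printf '%s\n' "$status" | grep -F "\"$conn\"" || true)
  if printf '%s\n' "$lines" | grep -q 'IPsec SA established'; then
    echo up
  elif printf '%s\n' "$lines" | grep -q 'ISAKMP SA established'; then
    echo phase1-only   # peers authenticated, no ESP SA: check esp=/pfs= and the subnets
  else
    echo down          # no state lines at all, as the note above says for disconnected tunnels
  fi
}

# ipsec_established_conns STATUS: names of connections with an IPsec SA, one per line.
ipsec_established_conns() {
  printf '%s\n' "$1" | awk '/IPsec SA established/ {
      if (match($0, /"[^"]+"/)) {
        n = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(n in seen)) { seen[n] = 1; print n }
      }
    }'
}

# On the server: ipsec_conn_state "$(ipsec auto --status)" BER-LON-VoIP
```

A cron job or monitoring check can alert on anything other than up; phase1-only is the state you will see when the two sides disagree on the ESP proposal, which is exactly the kind of mismatch the Cisco section below has to avoid.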

Start up a tunnel:
[root@localhost ~]# ipsec auto --up <Connection Name>
This command starts the IPsec tunnel defined under that name in ipsec.conf.
[root@localhost ~]# ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
The last line (STATE_QUICK_I2, IPsec SA established) is what confirms a successful tunnel; it also shows the negotiated algorithms (3DES with HMAC-SHA1 here) and the two ESP SPIs.


Shut down a specific tunnel:
Similarly, to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto --down <Connection Name>


Restart a specific tunnel:
[root@localhost ~]# ipsec auto --down BER-LON-VoIP
[root@localhost ~]# ipsec auto --up BER-LON-VoIP

117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}


Restart All Tunnels:
[root@localhost ~]# service ipsec restart




CISCO IPsec VPN SETUP

These commands were issued on the Cisco equipment to set up the tunnel (the ISAKMP policy and the binding of the crypto map to the outside interface are not shown). The transform set has to match esp=3des-sha1 on the Openswan side, which is what the negotiated xfrm=3DES_0-HMAC_SHA1 above confirms, so it uses esp-sha-hmac rather than esp-md5-hmac. The key is entered as cleartext with type 0, since type 6 expects an already-encrypted string. Note that the second ACL entry (192.168.170.0/24) has no matching rightsubnet in the conn above; that traffic needs a second conn on the Linux side before it will be protected, and the crypto map's match address refers to the ACL, not to the transform set.

#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 0 $#@$@%$$FDSF#$@#$@# address 213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-sha-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN-LON-BER-set
#match address VPN-LON-BER


