VPN(Virtual Private Networking)

From Phobos Wiki
Revision as of 06:37, 27 May 2013 by Roland (talk | contribs)
Jump to navigation Jump to search

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in Basic Security.

VPN Setups

We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept. 629px|thumb|center|Figure 1: General Model for VPN Deploiments

Site to Site With OpenVPN

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used. 342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured. 342px|thumb|center|Figure 3: Configuration for interface tun0

Site to Site With IPsec

In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing. 395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog 396px|thumb|center|Figure 5: IPSec Minimum Configuration

In order to view if tunnel is up issue “setkey -D”. Here is an example output, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:

root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
        esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
        E: blowfish-cbc  72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
        A: hmac-sha1  bc848381 1b957927 615d9700 689dc79e a17ca699
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
        created: Apr 25 10:16:40 2013   current: Apr 25 11:14:45 2013
        diff: 3485(s)   hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
        esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
        E: blowfish-cbc  c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
        A: hmac-sha1  2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
        created: Apr 25 10:16:40 2013   current: Apr 25 11:14:45 2013
        diff: 3485(s)   hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $

Here is the syslog output showing racoon setting this tunnel up:

root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)

For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:

root@telem-gwm /home/martem $ tail -f  /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)

Remote Access with L2TP/IPSec

In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box. 497px|thumb|center|Figure 6: L2TP/IPSec Default Settings 494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.