VPN (virtual private network) refers to a technology used to implement secure data connections via the insecure medium of the Internet. Communication is not with the Internet, but via the Internet. The data packages are encrypted here for authentication and confidentiality and are packed into a new package (tunneling). This is an economical way to produce a secure network between geographically far-flung computers. The standard for this kind of data traffic is IPSEC (Internet protocol security), which is implemented under Linux (among others) by means of the FreeS/WAN program.
The establishment of a VPN connection requires the availability of digital certificates from all participating parties, which are used to verify the validity of the connection. Such certificates can be created with YaST then used for VPN. Section 26.1. “X.509 Certification with YaST” contains a brief explanation of the background of digital certification and outlines how to create and manage certificates yourself. The next sections explain how to set up a VPN server and VPN clients under Linux and Windows using YaST.
A Road Warrior server is a VPN server configuration that accepts connections from any clients with valid and signed CA certificates. Three steps to set up a Road Warrior server and these are explained below.
Create a server certificate on the CA management computer
Import a certificate on the server computer
Set up a connection on the server.
Create the server certificate with the YaST CA Management module (see Section 220.127.116.11. “Creating or Revoking User Certificates”). Then save the certificate together with the key and all participating CAs in a PKCS12 file (see Section 18.104.22.168. “Exporting CA Objects as a File”).
If certificates should be created for IPsec applications with Windows XP, client certificates must be used. The “KeyUsage” extension there contains the values expected by Windows.
Start the 26.5. “YaST VPN Module — Overview”, click + then select your saved PKCS12 file. Enter the PKCS12 password for the import. After this, the certificate is displayed in the certificate list. Clicking returns to the overview.YaST module on the server in the YaST control center under . In the overview, shown in Figure
You should not use the general server certificate of the YaST CA Management module here because IPsec manages its own certificates.
Another connection must be set up to ensure that the certificate can be used for IPsec. In the overview (Figure 26.5. “YaST VPN Module — Overview”), click then select in the connection overview. After you have selected a configuration is created that accepts connections from any client if it has a valid certificate signed by the CA.
Select the connection settings in the next dialog (Figure 26.6. “YaST VPN Module — Connection Settings”). Enter your own IP address in . In the case of Internet dial-up access, this is not usually known prior to the dial-up. However, in the case of Internet access, there is usually a default route. The %defaultroute setting instructs the server to use the interface to which the default route points.
If the connection should be set up and cleared dynamically when a network interface without a default route is activated and deactivated, enter %dynamic instead. The IP addresses of the relevant interface are then used.
If the server should act as a gateway and permit access to a network,should be activated. Then enter this network in the input field, for example, 10.10.0.0/24. You can also select the required certificate here. The first certificate is preselected.
Either the first Subject Alternative Name (if any) or the Distinguished Name from the certificate is used in this simplified Road Warrior configuration workflow.
After you click prepared” or “ignored”. In the case of a prepared connection, the server waits for connection inquiries from clients., choose how the connection should be handled at system start-up in the next dialog. A connection can either be “
This is only possible if the local IP address is already known. This means, in the case of %defaultroute, that the default route must already be set and the computer must already have connected to the Internet. If the connection to the Internet is not already established when the system is started, you can also specify that the connection should be set up and cleared dynamically with a network interface, for example, with a DSL interface. If the interface selected here is not the interface of the default route, it makes no sense to enter %defaultroute as the local IP address either. When you clickonce, see the new connection in the connection overview list. Click again then to conclude the configuration.
Three key steps are required to set up a VPN Linux client.
Create a client certificate on the CA administration computer
Export a FreeS/WAN configuration file
Import files on the client computer
The client certificate is created with the YaST CA Management module (see Section 22.214.171.124. “Creating or Revoking User Certificates”). The finished certificate is then saved together with the key and all participating CAs in a PKCS12 file (see Section 126.96.36.199. “Exporting CA Objects as a File”).
On the server, start the 26.5. “YaST VPN Module — Overview”), click then select the required server connection in the connection overview. After you select + + , select the storage location for the freeswan_ipsec.conf file, which must be transferred to the Linux client. This file is a suggestion for a FreeS/WAN client and its details may need to be adapted. The file is tailored to FreeS/WAN Version 2. Older versions require additional parameters.YaST module in the YaST control center under . In the overview (Figure
Next, the certificates and the configuration file must be transferred to the client by means of a secure medium. The IPsec configuration file must be saved on the client as /etc/ipsec.conf.
To import the certificate, start the 26.5. “YaST VPN Module — Overview”), click + then select your saved client certificate. For import purposes, enter the password for the certificate. The certificate is then displayed in the certificate list and clicking returns to the overview.YaST module in the YaST control center under on the client. In the overview (Figure
The connection may need to be adapted to local circumstances (e.g., change certificate and ID).
If the client computer does not have a YaST VPN module, import the certificates manually:
Copy the client certificate to /etc/ipsec.d/certs.
Copy the CA certificate to /etc/ipsec.d/cacerts.
Copy the key to /etc/ipsec.d/private. Only the root user should have access to this file. Adjust the permissions accordingly.
Enter the password for the key in /etc/ipsec.secrets. This file should also only be accessible as root.
The openssl command line program can be used to extract the certificate from the PKCS12 file:
openssl pkcs12 -clcerts -nokeys -in DATEI.p12 -out \ /etc/ipsec.d/certs/cert_01.pem
The same applies to the CA certificate:
openssl pkcs12 -cacerts -nokeys -in DATEI.p12 -out \ /etc/ipsec.d/cacerts/cacert_01.pem
and also to the keys:
openssl pkcs12 -nocerts -nodes -in USER.p12 -out \ /etc/ipsec.d/private/key_01.pem chmod 600 /etc/ipsec.d/private/key_01.pem
The -nodes option ensures that the key is stored without a password. That is no harm in this case because the file can only be read by root in any case. Another entry is required in /etc/ipsec.secrets so FreeS/WAN recognizes the key. Add it with:
echo ': RSA /etc/ipsec.d/private/key_01.pem ""' \ >> /etc/ipsec.secrets chmod 600 /etc/ipsec.secrets
The configuration file can now be copied to /etc/ipsec.conf. Under certain circumstances, the file name at leftcert may need to be adapted. However, /etc/ipsec.d/certs/cert_01.pem is normally already entered. The value following right must be identical with the DNS host name or IP address of the server.
rcipsec start starts IPsec and establishes the connection (if auto=start has been configured). ipsec auto --status or setkey-D and an inspection of /var/log/messages enable you to check that everything has worked. rcipsec stop ends IPsec and all connections are cleared.
You can also set up IPsec connections to SUSE LINUX from Windows XP and Windows 2000 clients. The various steps are described below.
Create the client certificate on the CA management computer.
Export the Windows configuration file.
Configure the Windows snap-ins.
Import a client certificate.
Make a note of important certificate data.
Configure the IPsec connection.
Create desktop links.
Create the client certificate using the YaST CA Management module (see Section 188.8.131.52. “Creating or Revoking User Certificates”). The completed certificate should then be saved together with the key and all associated CAs in a PKCS12 file (see Section 184.108.40.206. “Exporting CA Objects as a File”).
On the server, start the 26.5. “YaST VPN Module — Overview”), click then select the required server connection in the connection overview. After you select + + , select the storage location for the windows_ipsec.conf file, which must be transferred to the Windows client. This file is a suggestion for a Windows client and its details may need to be adapted.YaST module in the YaST control center under the heading . In the overview (Figure
You can set up the IPsec connection manually, which requires ipseccmd.exe (Windows XP) or ipsecpol.exe (Windows 2000). These should be included in your Windows installation. In the case of Windows XP, execute support\tools\setup.exe on the installation CD (complete installation). However, these programs are command line–based, making them quite difficult to use. You can also configure the connection by means of MMC (Microsoft Management Console), however, this is not particularly intuitive. Instead, it is recommended to use the ipsec.exe tool, which does the main work of configuring the IPsec connection under Windows XP or Windows 2000 for you.
Download this tool onto your computer from http://vpn.ebootis.de/package.zip and decompress the contents, for example, under C:\Programs\IPsec\. At this point, our thanks go to the author, <email@example.com>.
If you use Windows 2000, first load at least ServicePack2, so Windows 2000 can also handle 3DES encryption. Otherwise, a connection to Windows 2000 cannot be made. ServicePack2 is available at http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp. In the case of Windows 2000, you also need ipsecpol.exe, which can be found in the resource kit at http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp.
This program normally installs to C:/Programs/Resource Kit. However, it is not much use at this point because it is a command line–based program and therefore needs to be copied into a directory in which executable files are stored. We recommend copying ipsecpol.exe to C:/WINNT and the corresponding DLLs to C:/WINNT/System. ipsecpol must be executed as administrator.
Open MMC on the Windows client. In the start menu, go to+ . In MMC, click + . A dialog opens in which you may see active snap-ins. Click . A selection window opens to display all available snap-ins. + takes you to the configuration wizard. Here, select and click . Select + then + . A configuration wizard opens in which to select + . Click then .
The two snap-ins that have been added can be seen in the MMC. Open thedirectory. Right-click . In the drop-down menu, select + . The certificate wizard opens. Select + . Under , enter (*.pfx,*.p12). Select the exported PKCS12 file and click . Enter the password used in the YaST CA Management module to export the certificates. Click . Now select + then + . A dialog indicates if the import procedure has succeeded. Click .
The prepared IPsec sample configuration normally already contains the correct DN of the CA (). In MMC, click + . Save your configuration with the suggested name at the suggested location. To establish whether the certificate data is correct, open the directory in MMC again and open . Right-click the certificate and select from the drop-down menu then the tab.
When you click, see entries similar to those below, of which you should take note:
Efirstname.lastname@example.org CN=mainca OU=bu O=SuSE L=Nuremberg S=Franconia C=DE
Close the certificate view withand MMC with + + + .
Install the ipsec.exe tool by decompressing package.zip to C:\Programs\IPsec\. In the next step, replace the standard version of the ipsec.conf file contained there with the exported windows_ipsec.conf from the VPN server (rename). Then change to the C:\Programs\IPsec directory and open the file with an editor to check the configuration data. The following shows the standard values:
conn <Name of the connection> left=%any right=<IP of the SuSE Linux standard server> rightca=<the previously noted values in reverse order, separated by commas> network=auto auto=start pfs=yes
The first line must be left-justified. All other lines must be indented. Here is a specific example for ipsec.conf:
conn me_to_servername left=%any right=10.10.254.181 rightca="C=DE,S=Franconia,L=Nuremberg,O=SuSE,OU=bu, CN=mainca,Eemail@example.com" network=auto auto=start pfs=yes
Finally, create a link to the C:\Programs\IPsec\IPSEC.exe file on the desktop. Now establish the connection to the Internet and click the first link. A window opens and the IPsec filters are configured for your current connection. The best way to test the tunnel is with ping <client IP behind the tunnel>. The message “Negotiating IP Security” appears once or twice, after which you will see the normal ping responses. The tunnel is active. In the case of Windows 2000, this takes two ping commands, so start ping again.