26.2. VPN with SUSE LINUX

VPN (virtual private network) refers to a technology used to implement secure data connections via the insecure medium of the Internet. Communication is not with the Internet, but via the Internet. The data packets are authenticated and encrypted (integrity and confidentiality) and are then packed into a new packet (tunneling). This is an economical way to build a secure network between geographically far-flung computers. The standard for this kind of data traffic is IPsec (Internet Protocol Security), which is implemented under Linux (among others) by the FreeS/WAN program.

Establishing a VPN connection requires digital certificates for all participating parties; they are used to authenticate the peers before a connection is accepted. Such certificates can be created with YaST and then used for VPN. Section 26.1. “X.509 Certification with YaST” contains a brief explanation of the background of digital certification and outlines how to create and manage certificates yourself. The next sections explain how to set up a VPN server and VPN clients under Linux and Windows using YaST.

26.2.1. Setting up Road Warrior Servers

A Road Warrior server is a VPN server configuration that accepts connections from any client that presents a valid certificate signed by the CA. Three steps are required to set up a Road Warrior server; they are explained below.

  1. Create a server certificate on the CA management computer

  2. Import a certificate on the server computer

  3. Set up a connection on the server.

26.2.1.1. Creating Server Certificates

Create the server certificate with the YaST CA Management module (see Section 26.1.2.3. “Creating or Revoking User Certificates”). Then save the certificate together with the key and all participating CAs in a PKCS12 file (see Section 26.1.2.7. “Exporting CA Objects as a File”).

[Tip]Tip

If certificates are to be created for IPsec use with Windows XP, they must be client certificates. Their “KeyUsage” extension contains the values Windows expects.

26.2.1.2. Importing a Server Certificate on the Server

Start the VPN YaST module on the server in the YaST control center under Security and Users. In the overview, shown in Figure 26.5. “YaST VPN Module — Overview”, click Certificates+Import then select your saved PKCS12 file. Enter the PKCS12 password for the import. After this, the certificate is displayed in the certificate list. Clicking Next returns to the overview.

Figure 26.5. YaST VPN Module — Overview

YaST VPN Module — Overview
[Important]Important

You should not use the general server certificate of the YaST CA Management module here because IPsec manages its own certificates.

26.2.1.3. Setting up a VPN Connection

A connection must now be set up so that the certificate can actually be used for IPsec. In the overview (Figure 26.5. “YaST VPN Module — Overview”), click Connections then select Add in the connection overview. After you select Road Warrior Server, a configuration is created that accepts connections from any client that has a valid certificate signed by the CA.

Select the connection settings in the next dialog (Figure 26.6. “YaST VPN Module — Connection Settings”). Enter your own IP address in Local IP Address. With dial-up Internet access, this address is usually not known before dialing up. However, once the computer has Internet access, there is usually a default route. The %defaultroute setting instructs the server to use the address of the interface to which the default route points.

If the connection should be set up and cleared dynamically whenever a network interface without a default route is activated and deactivated, enter %dynamic instead. The IP address of the relevant interface is then used.

Figure 26.6. YaST VPN Module — Connection Settings

YaST VPN Module — Connection Settings

If the server should act as a gateway and permit access to a network behind it, activate Function as Gateway. Then enter this network in the input field, for example, 10.10.0.0/24. You can also select the required certificate here. The first certificate is preselected.

[Tip]Tip

In this simplified Road Warrior workflow, the server's IPsec identity is taken from the certificate: the first Subject Alternative Name, if the certificate has one, otherwise its Distinguished Name.

After you click Next, choose in the next dialog how the connection should be handled at system start-up. A connection can either be “prepared” or “ignored”. A prepared connection is loaded at start-up and the server waits for connection requests from clients.

This is only possible if the local IP address is already known. For %defaultroute, this means the default route must already be set, that is, the computer must already be connected to the Internet when IPsec starts. If the Internet connection is not yet established at system start-up, you can instead specify that the connection should be set up and cleared dynamically together with a network interface, for example, a DSL interface. If the interface selected here is not the interface of the default route, entering %defaultroute as the local IP address makes no sense either. Click OK once to see the new connection in the connection overview list. Click OK again then Exit to conclude the configuration.
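
The dialog choices above end up in FreeS/WAN's /etc/ipsec.conf on the server. As an added example (not part of this manual and not the file YaST writes), the following shell function prints a FreeS/WAN 2.x configuration in X.509 patch syntax from the same inputs the dialogs ask for. Assumptions: the connection is named roadwarrior, the server certificate was imported as /etc/ipsec.d/certs/cert_01.pem, “prepared” corresponds to auto=add and “ignored” to auto=ignore, and %dynamic is left to the SUSE interface scripts rather than translated here.

```shell
#!/bin/sh
# Added example, not from the SUSE manual and not generated by YaST: map the
# Road Warrior dialog choices to a FreeS/WAN 2.x ipsec.conf (X.509 patch).
# Assumed: conn name "roadwarrior"; server certificate cert_01.pem under
# /etc/ipsec.d/certs; "prepared" == auto=add, "ignored" == auto=ignore.

# roadwarrior_conf LOCAL_IP STARTUP [SUBNET] [CERT]
#   LOCAL_IP  "%defaultroute" or a fixed IPv4 address (dialog: Local IP Address)
#   STARTUP   "prepared" (load at boot, wait for clients) or "ignored"
#   SUBNET    network behind the gateway (dialog: Function as Gateway), or ""
#   CERT      certificate file name below /etc/ipsec.d/certs
# Prints the configuration on stdout; returns 1 for an unusable combination.
roadwarrior_conf() {
    local_ip=$1; startup=$2; subnet=${3:-}; cert=${4:-cert_01.pem}

    case "$startup" in
        prepared) auto=add ;;
        ignored)  auto=ignore ;;
        *) echo "startup must be 'prepared' or 'ignored'" >&2; return 1 ;;
    esac
    case "$local_ip" in
        # %dynamic is substituted by the interface scripts when the interface
        # comes up; this example does not translate it.
        %dynamic) echo "%dynamic is handled by the interface scripts, not here" >&2; return 1 ;;
        %defaultroute) ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "local IP must be %defaultroute or an IPv4 address" >&2; return 1 ;;
    esac

    cat <<EOF
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# Any client may connect (right=%any) provided its certificate is signed by a
# CA in /etc/ipsec.d/cacerts; the server authenticates itself with leftcert.
conn roadwarrior
        left=$local_ip
        leftcert=$cert
EOF
    [ -n "$subnet" ] && echo "        leftsubnet=$subnet"
    cat <<EOF
        right=%any
        pfs=yes
        auto=$auto
EOF
}

# Stand-alone run: gateway for 10.10.0.0/24, address from the default route,
# loaded at boot.
roadwarrior_conf %defaultroute prepared 10.10.0.0/24
```

Remember the constraint from the text: with auto=add and left=%defaultroute, the default route must exist when rcipsec runs at boot, otherwise Pluto has no address to bind the connection to.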

26.2.2. Setting up a VPN Linux Client with FreeS/WAN

Three key steps are required to set up a VPN Linux client.

  1. Create a client certificate on the CA administration computer

  2. Export a FreeS/WAN configuration file

  3. Import files on the client computer

26.2.2.1. Creating a Client Certificate

The client certificate is created with the YaST CA Management module (see Section 26.1.2.3. “Creating or Revoking User Certificates”). The finished certificate is then saved together with the key and all participating CAs in a PKCS12 file (see Section 26.1.2.7. “Exporting CA Objects as a File”).

26.2.2.2. Exporting a FreeS/WAN Configuration File

On the server, start the VPN YaST module in the YaST control center under Security and Users. In the overview (Figure 26.5. “YaST VPN Module — Overview”), click Connections then select the required server connection in the connection overview. After you select Experts...+Export+FreeS/WAN, select the storage location for the freeswan_ipsec.conf file, which must be transferred to the Linux client. This file is a suggestion for a FreeS/WAN client and its details may need to be adapted. It is tailored to FreeS/WAN version 2; older versions require additional parameters.

26.2.2.3. Importing Files on the Client

Next, transfer the PKCS12 file and the configuration file to the client by a secure medium (the PKCS12 file contains the client's private key). Save the IPsec configuration file on the client as /etc/ipsec.conf.

To import the certificate, start the VPN YaST module in the YaST control center under Security and Users on the client. In the overview (Figure 26.5. “YaST VPN Module — Overview”), click Certificates+Import then select your saved client certificate. For import purposes, enter the password for the certificate. The certificate is then displayed in the certificate list and clicking Next returns to the overview.

[Tip]Tip

The connection may need to be adapted to local circumstances (for example, the certificate file name and the ID).

26.2.2.4. Manual Client Configuration

If the client computer does not have a YaST VPN module, import the certificates manually:

  1. Copy the client certificate to /etc/ipsec.d/certs.

  2. Copy the CA certificate to /etc/ipsec.d/cacerts.

  3. Copy the key to /etc/ipsec.d/private. Only the root user should have access to this file. Adjust the permissions accordingly.

  4. Enter the password for the key in /etc/ipsec.secrets. This file should also only be accessible as root.

The openssl command line program can be used to extract the certificate from the PKCS12 file (FILE.p12 stands for the PKCS12 file exported from YaST):

openssl pkcs12 -clcerts -nokeys -in FILE.p12 -out \
          /etc/ipsec.d/certs/cert_01.pem

The same applies to the CA certificate:

openssl pkcs12 -cacerts -nokeys -in FILE.p12 -out \
          /etc/ipsec.d/cacerts/cacert_01.pem

and also to the key:

openssl pkcs12 -nocerts -nodes -in FILE.p12 -out \
          /etc/ipsec.d/private/key_01.pem

chmod 600 /etc/ipsec.d/private/key_01.pem

The -nodes option causes the key to be stored without a passphrase. That is acceptable here because the file can only be read by root anyway, and Pluto must be able to load the key at start-up without interaction. Another entry is required in /etc/ipsec.secrets so FreeS/WAN knows about the key. Add it with:

echo ': RSA /etc/ipsec.d/private/key_01.pem ""' \
         >> /etc/ipsec.secrets

chmod 600 /etc/ipsec.secrets

The configuration file can now be copied to /etc/ipsec.conf. Under certain circumstances, the file name after leftcert may need to be adapted; normally /etc/ipsec.d/certs/cert_01.pem is already entered. The value following right must be identical to the DNS host name or IP address of the server.

rcipsec start starts IPsec and establishes the connection (if auto=start has been configured). ipsec auto --status or setkey -D and an inspection of /var/log/messages let you check that everything has worked. rcipsec stop ends IPsec and clears all connections.
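
The manual import above is easy to get subtly wrong (key readable by everyone, key that does not belong to the certificate, certificate not signed by the CA Pluto will check against). As an added example that is not part of this manual or of FreeS/WAN, the following script performs the import as a function and then runs the checks worth doing before rcipsec start. Assumptions: a PKCS12 file as exported by YaST (client certificate, key and CA chain); DIR stands in for /etc so the script can be tried in a scratch directory; the file names cert_01.pem, cacert_01.pem and key_01.pem are the ones used in the text; the openssl command line tool is installed. The throwaway CA and client certificate used for the stand-alone run are constructed by the script and are not from the YaST CA.

```shell
#!/bin/sh
# Added example, not from the SUSE manual or from FreeS/WAN: manual client
# import as a function, plus checks to run before "rcipsec start".
# DIR stands in for /etc; file names follow the text. Requires openssl.

# Internal: runs with a restrictive umask, see ipsec_import_p12 below.
ipsec_extract_p12() {
    p12=$1; pass=$2; dir=$3
    certs=$dir/ipsec.d/certs; cacerts=$dir/ipsec.d/cacerts; private=$dir/ipsec.d/private
    mkdir -p "$certs" "$cacerts" "$private" || return 1
    chmod 700 "$private"
    # The password is given on the command line for brevity; on a shared
    # machine prefer -passin stdin so it does not appear in the process list.
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$certs/cert_01.pem" || return 1            # client certificate only
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$cacerts/cacert_01.pem" || return 1        # CA certificate(s) only
    openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$pass" \
        -out "$private/key_01.pem" || return 1           # key without passphrase
    # OpenSSL 3 writes the key as PKCS#8 ("BEGIN PRIVATE KEY"). Rewrite it in
    # the traditional "BEGIN RSA PRIVATE KEY" form that FreeS/WAN reads;
    # -traditional is unknown to older OpenSSL, which writes that form anyway.
    openssl rsa -traditional -in "$private/key_01.pem" -out "$private/key_01.tmp" 2>/dev/null ||
        openssl rsa -in "$private/key_01.pem" -out "$private/key_01.tmp" 2>/dev/null || return 1
    mv "$private/key_01.tmp" "$private/key_01.pem"
    chmod 600 "$private/key_01.pem"
    # Register the key with Pluto; "" is the (empty) passphrase.
    echo ": RSA $private/key_01.pem \"\"" >> "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
}

# ipsec_import_p12 FILE.p12 PASSWORD DIR
# Subshell with umask 077: every file is owner-only from the moment it is
# created, instead of being world-readable until the chmod runs.
ipsec_import_p12() {
    ( umask 077; ipsec_extract_p12 "$@" )
}

# ipsec_check_import DIR: four checks before starting IPsec; 0 if all pass.
ipsec_check_import() {
    dir=$1
    cert=$dir/ipsec.d/certs/cert_01.pem
    ca=$dir/ipsec.d/cacerts/cacert_01.pem
    key=$dir/ipsec.d/private/key_01.pem
    # 1. the client certificate chains to the imported CA certificate
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "cert_01.pem does not verify against cacert_01.pem" >&2; return 1; }
    # 2. the private key belongs to the certificate (same RSA modulus)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "key_01.pem does not match cert_01.pem" >&2; return 1; }
    # 3. key and secrets file are readable by the owner (root) only
    for f in "$key" "$dir/ipsec.secrets"; do
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "$f is mode $mode, expected 600" >&2; return 1 ;;
        esac
    done
    # 4. ipsec.secrets actually points Pluto at this key
    grep -q "^: RSA $key " "$dir/ipsec.secrets" 2>/dev/null ||
        { echo "no ': RSA $key' entry in ipsec.secrets" >&2; return 1; }
    return 0
}

# ipsec_make_test_p12 DIR: throwaway CA and client certificate (constructed
# here, not from the YaST CA), bundled into DIR/client.p12, password "secret".
ipsec_make_test_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/C=DE/ST=Franconia/L=Nuremberg/O=SuSE/OU=bu/CN=mainca" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/C=DE/O=SuSE/CN=roadwarrior01" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" -certfile "$d/ca.crt" \
        -passout pass:secret -out "$d/client.p12"
}

# Stand-alone run: import into a scratch "etc" directory and check it.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d) &&
    ipsec_make_test_p12 "$work" &&
    ipsec_import_p12 "$work/client.p12" secret "$work/etc" &&
    ipsec_check_import "$work/etc" && echo "import OK in $work/etc"
    rm -rf "$work"
fi
```

On a real client call ipsec_import_p12 with /etc as DIR, then ipsec_check_import /etc; only after all four checks pass is rcipsec start worth trying, and /var/log/messages is the place to look when it is not.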

26.2.3. IPsec Clients on Windows XP and Windows 2000

You can also set up IPsec connections to SUSE LINUX from Windows XP and Windows 2000 clients. The various steps are described below.

  1. Create the client certificate on the CA management computer.

  2. Export the Windows configuration file.

  3. Prepare Windows.

  4. Configure the Windows snap-ins.

  5. Import a client certificate.

  6. Make a note of important certificate data.

  7. Configure the IPsec connection.

  8. Create desktop links.

26.2.3.1. Creating a Client Certificate

Create the client certificate using the YaST CA Management module (see Section 26.1.2.3. “Creating or Revoking User Certificates”). The completed certificate should then be saved together with the key and all associated CAs in a PKCS12 file (see Section 26.1.2.7. “Exporting CA Objects as a File”).

26.2.3.2. Exporting a Windows Configuration File

On the server, start the VPN YaST module in the YaST control center under the heading Security and Users. In the overview (Figure 26.5. “YaST VPN Module — Overview”), click Connections then select the required server connection in the connection overview. After you select Experts...+Export+Windows, select the storage location for the windows_ipsec.conf file, which must be transferred to the Windows client. This file is a suggestion for a Windows client and its details may need to be adapted.

26.2.3.3. Preparing Windows

You can set up the IPsec connection manually, which requires ipseccmd.exe (Windows XP) or ipsecpol.exe (Windows 2000). These are not installed by default: on Windows XP, run support\tools\setup.exe from the installation CD (choose the complete installation). However, these programs are command line based and quite laborious to use. You can also configure the connection by means of MMC (Microsoft Management Console), but this is not particularly intuitive either. Instead, we recommend the ipsec.exe tool, which does most of the work of configuring the IPsec connection under Windows XP or Windows 2000 for you.

Download this tool onto your computer from http://vpn.ebootis.de/package.zip and decompress the contents, for example, under C:\Programs\IPsec\. At this point, our thanks go to the author, .

If you use Windows 2000, first install at least Service Pack 2 so that Windows 2000 can handle 3DES encryption. Otherwise, a connection from Windows 2000 cannot be established. Service Pack 2 is available at http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp. For Windows 2000, you also need ipsecpol.exe, which can be found in the Resource Kit at http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp.

[Important]Important

This program normally installs to C:\Programs\Resource Kit. It is not much use there, because it is a command line program and must reside in a directory that is searched for executables. We recommend copying ipsecpol.exe to C:\WINNT and the corresponding DLLs to C:\WINNT\System. ipsecpol must be run as administrator.

26.2.3.4. Configuring the Required Snap-Ins

Open MMC on the Windows client: in the Start menu, choose Run and enter mmc. In MMC, click File+Add/Remove Snap-In. A dialog opens listing the active snap-ins. Click Add. A selection window shows all available snap-ins. Certificates+Add takes you to the configuration wizard. Here, select Computer Account and click Next. Select Local Computer+Finish, then IP Security Policy Management+Add. A configuration wizard opens in which to select Local Computer+Finish. Click Close then OK.

26.2.3.5. Importing a Client Certificate

The two snap-ins that have been added can be seen in the MMC. Open the Certificates directory. Right-click Personal. In the context menu, select All Tasks+Import. The certificate wizard opens. Select Next+Browse. Under File Type, choose Personal Information Exchange (*.pfx, *.p12). Select the exported PKCS12 file and click Next. Enter the password used in the YaST CA Management module to export the certificates. Click Next. Select the option that chooses the certificate store automatically based on the type of certificate, then Next+Finish. A dialog indicates whether the import succeeded. Click OK.

26.2.3.6. Noting Important Certificate Data

The prepared IPsec sample configuration normally already contains the correct DN of the CA (Issuer). In MMC, click File+Save and save the console with the suggested name at the suggested location. To check the certificate data, open the Personal directory in MMC again and open Certificates. Right-click the certificate, select Open from the context menu, then the Details tab.

When you click Issuer, you see entries similar to those below; take note of them:

        E=bsupport@suse.de
        CN=mainca
        OU=bu
        O=SuSE
        L=Nuremberg
        S=Franconia
        C=DE

Close the certificate view with OK and MMC with File+Exit+Save+Yes.

26.2.3.7. Configuring an IPsec Connection

Install the ipsec.exe tool by decompressing package.zip to C:\Programs\IPsec\. In the next step, replace the standard ipsec.conf file contained there with the windows_ipsec.conf exported from the VPN server (rename it to ipsec.conf). Then change to the C:\Programs\IPsec directory and open the file with an editor to check the configuration data. The following shows the standard values:

conn <Name of the connection>
        left=%any
        right=<IP of the SuSE Linux standard server>
        rightca=<the previously noted values in reverse order,
        separated by commas>
        network=auto
        auto=start
        pfs=yes

The conn line must start in the first column; all other lines must be indented. Here is a specific example for ipsec.conf:

conn me_to_servername
        left=%any
        right=10.10.254.181
        rightca="C=DE,S=Franconia,L=Nuremberg,O=SuSE,OU=bu,CN=mainca,E=bsupport@suse.de"
        network=auto
        auto=start
        pfs=yes
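
Copying the Issuer entries by hand and reversing them is error-prone (a transposed component or the wrong attribute spelling and the certificate mapping fails). As an added example that is not part of this manual or of the ipsec.exe tool, the following shell functions derive the rightca= value directly from the client certificate (or the CA certificate) with openssl and print the complete conn block. Assumptions: the certificate is available as PEM on the machine where this runs, for example the cert_01.pem or cacert_01.pem extracted from the YaST PKCS12 file; connection name and server address are parameters; the Windows spelling S= and E= is taken from the example above; openssl is installed. The stand-alone run at the end uses the manual's example issuer as constructed input.

```shell
#!/bin/sh
# Added example, not from the SUSE manual or from ipsec.exe: derive the
# rightca= value from the certificate instead of copying the MMC "Issuer"
# entries by hand, and print the conn block. Assumed: certificate as PEM;
# connection name and server address as parameters. Requires openssl.

# windows_dn DN: rewrite a DN as printed by
#   openssl x509 -issuer -nameopt sep_comma_plus,sname
# (C=...,ST=...,...,emailAddress=...) into the spelling the Windows IPsec tools
# use. The order is already the "reverse" of the MMC Issuer tab; only two
# attribute names differ: stateOrProvinceName is S= (not ST=) and the e-mail
# address is E= (not emailAddress=). Values containing commas are not handled.
windows_dn() {
    printf '%s\n' "$1" | sed -e 's/^ST=/S=/' -e 's/,ST=/,S=/g' -e 's/emailAddress=/E=/g'
}

# windows_rightca CERT.pem: issuer DN of the certificate in Windows spelling.
# For a self-signed CA certificate the issuer equals its subject, so either the
# client certificate or the CA certificate can be given.
windows_rightca() {
    dn=$(openssl x509 -noout -issuer -nameopt sep_comma_plus,sname -in "$1") || return 1
    dn=${dn#issuer=}; dn=${dn# }    # OpenSSL prefixes "issuer=" (older: "issuer= ")
    windows_dn "$dn"
}

# windows_ipsec_conf NAME SERVER RIGHTCA: the conn block for ipsec.exe's
# ipsec.conf. "conn" starts in column one, all other lines are indented.
windows_ipsec_conf() {
    cat <<EOF
conn $1
        left=%any
        right=$2
        rightca="$3"
        network=auto
        auto=start
        pfs=yes
EOF
}

# Stand-alone run with the manual's example issuer as OpenSSL would print it
# (constructed input, not read from a certificate):
windows_ipsec_conf me_to_servername 10.10.254.181 \
    "$(windows_dn 'C=DE,ST=Franconia,L=Nuremberg,O=SuSE,OU=bu,CN=mainca,emailAddress=bsupport@suse.de')"
```

With a real certificate, windows_ipsec_conf me_to_servername SERVER "$(windows_rightca cert_01.pem)" > ipsec.conf produces the file to drop into C:\Programs\IPsec\; compare its rightca line with the Issuer tab in MMC once, then trust the script rather than your typing.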

26.2.3.8. Creating Desktop Links

Finally, create a link to the C:\Programs\IPsec\IPSEC.exe file on the desktop. Now establish the connection to the Internet and click the link. A window opens and the IPsec filters are configured for your current connection. The best way to test the tunnel is with ping <client IP behind the tunnel>, that is, a host in the network behind the gateway. The message “Negotiating IP Security” appears once or twice, after which the normal ping responses appear: the tunnel is active. On Windows 2000, this takes two ping commands, so start ping again.

26.2.3.9. Closing a Connection

To deactivate the IPsec filter and the tunnel, first call IPSEC.exe -off then IPSEC.exe -delete. It is best to create a desktop link for this too.