APPLICATION NOTE

Creating a Gateway to Gateway VPN between Sidewinder G2® and Linux

Overview
The Sidewinder G2 Security Appliance's VPN implementation is based on the well-defined IPsec and ISAKMP protocols, giving it the ability to establish VPN connections with a wide variety of clients, operating systems, and devices. This application note describes how to set up an IPsec VPN connection between a Linux host and a Sidewinder G2 Security Appliance. Beginning with the 2.6 series of kernels, Linux offers built-in, kernel-space IPsec encryption and decryption. This built-in IPsec capability, together with the userspace programs from the KAME project ported from NetBSD (setkey and racoon), makes it possible to set up IPsec VPN connections to and from a Linux host with minimal configuration changes.
This application note describes how to set up a gateway to gateway, fixed IP VPN connection between a Linux server and a Sidewinder G2. The configuration presented here is a basic one: the example uses shared-password (pre-shared key) authentication and IP addresses as identities, and it assumes that the Linux machine has a static external IP address. Figure 1 shows a network diagram of this scenario.
Preparing your gateways

Before setting up the VPN between your Sidewinder G2 and a Linux host, each system must meet the requirements described in the following sections.
Preparing the Linux gateway

The first step in setting up a Linux to Sidewinder G2 VPN is to make sure the Linux gateway's kernel and software are configured properly. Check that you have the following enabled, configured, and/or installed on your Linux gateway:

• Kernel
On a Linux host running a 2.6 series kernel, enable the following options (built in or as modules):
– PF_KEY sockets (NET_KEY)
– IP: AH transformation (INET_AH)
– IP: ESP transformation (INET_ESP)
– IP: IPsec user configuration interface (XFRM_USER)
– HMAC support (CRYPTO_HMAC)
– Null algorithm (CRYPTO_NULL)
– MD5 digest algorithm (CRYPTO_MD5)
– SHA1 digest algorithm (CRYPTO_SHA1)
– DES/3DES cipher algorithm (CRYPTO_DES)
Note: This document uses the 3DES encryption and SHA1 hash algorithms, but you can choose to use or include other algorithms, provided both ends support them. 3DES, MD5 and SHA1 are legacy algorithms; prefer stronger ones where both gateways offer them.
– Enable the kernel's packet forwarding (set net.ipv4.ip_forward to 1 with sysctl, and make the setting persistent) so the gateway routes traffic between its internal network and the tunnel.

• Software
Install the setkey and racoon programs from the KAME project. Most Linux distributions make these programs available in a package called ipsec-tools.
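As an added example (not part of the original application note or of ipsec-tools), the following Python script checks a kernel .config for the options listed above and interprets the forwarding sysctl. The SAMPLE_CONFIG text is constructed for illustration, and the /proc/config.gz and /boot/config paths are assumptions about where a distribution keeps the running kernel's configuration.

```python
"""Check a Linux kernel .config for the IPsec options this note requires,
plus the packet-forwarding sysctl.

Added example; not part of the original application note or of ipsec-tools.
SAMPLE_CONFIG is a constructed .config fragment, not a real kernel's.
"""
import gzip
import re
from pathlib import Path

# Options named in the note. Built in (=y) or module (=m) are both fine.
REQUIRED_OPTIONS = (
    "CONFIG_NET_KEY",
    "CONFIG_INET_AH",
    "CONFIG_INET_ESP",
    "CONFIG_XFRM_USER",
    "CONFIG_CRYPTO_HMAC",
    "CONFIG_CRYPTO_NULL",
    "CONFIG_CRYPTO_MD5",
    "CONFIG_CRYPTO_SHA1",
    "CONFIG_CRYPTO_DES",
)

_OPTION_RE = re.compile(r"^(CONFIG_\w+)=([ym])\s*$")


def parse_kernel_config(text):
    """Return {option: 'y'|'m'} for every enabled option in a .config text.
    Comment lines such as '# CONFIG_FOO is not set' are ignored."""
    enabled = {}
    for line in text.splitlines():
        m = _OPTION_RE.match(line.strip())
        if m:
            enabled[m.group(1)] = m.group(2)
    return enabled


def missing_kernel_options(text, required=REQUIRED_OPTIONS):
    """List the required options that are neither built in nor modules."""
    enabled = parse_kernel_config(text)
    return [opt for opt in required if opt not in enabled]


def load_kernel_config(path="/proc/config.gz"):
    """Read the running kernel's config from /proc/config.gz (present when
    the kernel was built with CONFIG_IKCONFIG_PROC) or from a plain
    /boot/config-<version> file. Paths are assumptions about the system."""
    p = Path(path)
    if p.suffix == ".gz":
        with gzip.open(p, "rt") as fh:
            return fh.read()
    return p.read_text()


def forwarding_enabled(sysctl_value):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward."""
    return sysctl_value.strip() == "1"


# Constructed sample: ESP is present, but AH and XFRM_USER are not set.
SAMPLE_CONFIG = """\
CONFIG_NET_KEY=y
# CONFIG_INET_AH is not set
CONFIG_INET_ESP=m
# CONFIG_XFRM_USER is not set
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=m
"""

if __name__ == "__main__":
    missing = missing_kernel_options(SAMPLE_CONFIG)
    print("missing kernel options:", ", ".join(missing) or "none")
    print("forwarding enabled:", forwarding_enabled("0\n"))
```

On a real gateway, replace SAMPLE_CONFIG with load_kernel_config() and read /proc/sys/net/ipv4/ip_forward into forwarding_enabled(); anything the script reports as missing has to be fixed before setkey can load a policy or racoon can install keys.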
Preparing the Sidewinder G2

Before creating the necessary Security Associations, do the following:
• Configure IKE for the appropriate burbs (VPN -> ISAKMP Server).
• Enable the ISAKMP server (Services Configuration > Servers > isakmp).
• Create a proxy rule allowing inbound ISAKMP traffic to the ISAKMP server (Policy Configuration > Rules).

You should also plan out this VPN's security policy. See the VPN chapter of the Sidewinder G2 Administration Guide and the "Configuring a VPN when using Proxy and IP Filter Rules" application note for more information. They can be found at www.securecomputing.com/goto/manuals and
Configuring your gateways
This section covers what parameters need to be set on each end of the gateway to gateway VPN.
Configuring your Sidewinder G2

At this point, your ISAKMP server is enabled and its associated proxy rule is set up. The next step is to create a new Security Association for this VPN by doing the following:

1 Log into the Admin Console.
2 Select VPN Configuration > Security Associations.
3 Click New. A window similar to the following appears:
Figure 2: Security Association General tab for the example VPN
4 On the General tab, enter the following information:

Field name            Value
Name                  site specific
Enabled               Yes
Encapsulation         Tunnel
Burb                  site specific - select the burb associated with this VPN's local network
Mode                  Fixed IP
Client Address Pool   <disabled>
Local IP              localhost
Local Network/IP      10.10.1.0/24
Remote IP             172.27.10.20
Remote Network/IP     172.17.1.0/24; 172.27.10.20/32

Note: The 172.27.10.20/32 address is listed in the remote network section so that the Linux gateway itself (as opposed to its internal network) can send traffic to Sidewinder G2's private network. If it does not need to, this additional Remote Network/IP entry is not necessary.

5 On the Authentication tab, set the Authentication Method to Password. The following window appears:
Figure 3: Authentication tab's General sub-tab for the example VPN
6 On the General sub-tab, enter and confirm a password. This password is the pre-shared key and is to be shared with the administrator of the Linux gateway; choose a long, random string and exchange it out of band.
7 Select the Identities sub-tab. A window similar to the following appears:
Figure 4: Authentication tab's Identities sub-tab for the example
8 On the Identities sub-tab, you should not need to change anything. Verify that the identity values are correct. In the example, these would be Type = IP Address, Value = localhost for the Firewall Identity, and Gateway IP Address (172.27.10.20) for the Remote Identity.
9 On the Crypto and Advanced tabs, you may leave the default values. If you plan to use algorithms other than 3DES and SHA1 (the defaults), configure the new values on the Crypto tab; whatever you select here must match the proposals in the Linux gateway's racoon.conf, or the key exchange will fail. The values on the Advanced tab rarely need modification.
10 Click Add.
11 Click the Save icon to save the new Security Association. The Sidewinder G2 side of the VPN is now configured.
Configuring your Linux gateway

Configuring the Linux gateway takes place in three parts:
1 Configuring the security policy, which the setkey program loads into the kernel's Security Policy Database to enforce encryption requirements.
2 Configuring the ISAKMP key exchange, which the racoon program uses to establish communication and verify identities with Sidewinder G2.
3 Configuring the pre-shared key to use for the connection.

Security policy

Define the security policy by creating a script that uses setkey -f as its interpreter. Make sure the file is executable. The file contents are as follows:

Note: Most distributions put this script in /etc/ipsec.conf (Debian-based systems use /etc/ipsec-tools.conf). Your Linux system may already have a file named /etc/ipsec.conf. In this case, either overwrite the current file with the following script or save the script to another file and verify that the Linux server's startup scripts use the new file.
#!/usr/sbin/setkey -f
# Change the line above to point to your setkey program.

# Flush any existing security associations and security policies.
# Note: this also removes the associations and policies of any
# other IPsec tunnels on this host.
flush;
spdflush;

# Add policy entries for the two private networks:
# Require ESP for outbound packets:
spdadd localnetwork remotenetwork any -P out ipsec esp/tunnel/localIP-remoteIP/require;
# Require ESP for inbound packets:
spdadd remotenetwork localnetwork any -P in ipsec esp/tunnel/remoteIP-localIP/require;

# The following entries are necessary only if you want the Linux
# host itself to be able to use the VPN to the remote private
# network (they correspond to the 172.27.10.20/32 Remote Network/IP
# entry on the Sidewinder G2):
# Require ESP for outbound packets:
spdadd localIP remotenetwork any -P out ipsec esp/tunnel/localIP-remoteIP/require;
# Require ESP for inbound packets:
spdadd remotenetwork localIP any -P in ipsec esp/tunnel/remoteIP-localIP/require;
In this script, the variables represent the following:
• localIP is the external IP address of the Linux server. In Figure 1, this is 172.27.10.20.
• localnetwork is the IP address and network mask of the Linux server's internal network. In Figure 1, this is 172.17.1.0/24.
• remoteIP is the external IP address of Sidewinder G2. In Figure 1, this is 192.168.1.2.
• remotenetwork is Sidewinder G2's internal network. In Figure 1, this is 10.10.1.0/24.
ISAKMP key exchange

The racoon program handles the key exchange and authentication. Most distributions put racoon's configuration files in the /etc/racoon directory. You will need to locate and alter two files there: racoon.conf and psk.txt. psk.txt contains the pre-shared keys and is explained in the next section.

The racoon program has many configuration options, but the defaults work in this scenario. For this reason the example configuration below will probably be much smaller than the default file included in your distribution. It should be safe to leave the default contents in place and simply add the remote and sainfo sections given below, checking that the two path lines agree with where your files live.

The file contents are as follows:
path include "/etc/racoon";
# The line above should point to the directory where racoon.conf lives.
path pre_shared_key "/etc/racoon/psk.txt";
# The line above should point to your psk.txt file.

# Phase 1 (ISAKMP) settings for the Sidewinder G2 peer.
# Modify the hash_algorithm setting if you want, but make sure the
# Sidewinder G2 supports it; these values must match the SA's Crypto tab
# (3DES and SHA1 by default).
remote remoteIP {
        exchange_mode aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2 settings: define encryption info for the IPsec SA.
# Modify the encryption_algorithm and authentication_algorithm if you
# want, but make sure Sidewinder G2 supports them.
sainfo address localnetwork any address remotenetwork any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
where
• localnetwork is the IP address and network mask of the Linux server's internal network. In Figure 1, this is 172.17.1.0/24.
• remoteIP is the external IP address of Sidewinder G2. In Figure 1, this is 192.168.1.2.
• remotenetwork is Sidewinder G2's internal network. In Figure 1, this is 10.10.1.0/24.

Note: In aggressive mode the authentication hashes are sent unencrypted, so anyone who captures the exchange can attempt to guess the pre-shared key offline. Use a long, random password, and use main mode (exchange_mode main) if both gateways are configured for it.
Pre-shared key
Since this scenario uses a pre-shared key (Sidewinder G2 calls it a password) to authenticate the connection, the Linux server must know the key. The racoon configuration file contains the path to the pre-shared key file, which most distributions store as /etc/racoon/psk.txt. You may save the file in any location, but be sure to edit the path pre_shared_key line in racoon.conf to point to it. Also ensure that the file is owned by root and has permissions of 600.
The file contents are as follows:
remoteIP <enter password set in the Sidewinder G2 SA>
where remoteIP is Sidewinder G2’s external IP address.
In this file, the left-hand side is an ID, and the right-hand side is the password. This scenario uses IP addresses for IDs, so the ID field is simply
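The three files above must agree with each other: every spdadd entry needs its mirror image for the other direction, the remote and sainfo sections of racoon.conf must name the same addresses as the policy, and psk.txt must be keyed by the same remote address. The following Python generator is an added example, not part of the original application note or of ipsec-tools; it builds all three files from the four addresses in Figure 1 and writes psk.txt with mode 600 from the moment it is created. Two things in it are this example's assumptions rather than statements of the note: the second sainfo block for the host-only policy (racoon selects a sainfo by the phase 2 identities, which for that policy are the gateway's own address rather than its network), and the use of sha1/hmac_sha1 to match the Sidewinder G2 Crypto tab defaults.

```python
"""Generate consistent setkey, racoon.conf and psk.txt contents for the
gateway-to-gateway VPN described in this note.

Added example, not part of the original application note or of ipsec-tools.
The second sainfo block (for the host-only policy) and the sha1/hmac_sha1
choice are assumptions of this example.
"""
import ipaddress
import os
import stat
import tempfile

# Addresses from Figure 1 of the note.
LOCAL_IP = "172.27.10.20"      # Linux gateway's external address
LOCAL_NET = "172.17.1.0/24"    # network behind the Linux gateway
REMOTE_IP = "192.168.1.2"      # Sidewinder G2's external address
REMOTE_NET = "10.10.1.0/24"    # network behind Sidewinder G2


def check_addresses(local_ip, local_net, remote_ip, remote_net):
    """Parse the four addresses and reject layouts that cannot work."""
    lip, rip = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    lnet = ipaddress.ip_network(local_net, strict=True)
    rnet = ipaddress.ip_network(remote_net, strict=True)
    if lnet.overlaps(rnet):
        raise ValueError("local and remote private networks overlap")
    if lip in rnet or rip in lnet:
        raise ValueError("a tunnel endpoint lies inside the peer's private network")
    return lip, lnet, rip, rnet


def addresses_valid(*args):
    try:
        check_addresses(*args)
        return True
    except ValueError:
        return False


def setkey_script(local_ip, local_net, remote_ip, remote_net,
                  host_policy=True, setkey="/usr/sbin/setkey"):
    """Security policy with a mirrored in/out entry for every pair, so no
    direction is left to travel in the clear."""
    lip, lnet, rip, rnet = check_addresses(local_ip, local_net, remote_ip, remote_net)
    out_t = f"esp/tunnel/{lip}-{rip}/require"
    in_t = f"esp/tunnel/{rip}-{lip}/require"
    pairs = [(lnet, rnet)]
    if host_policy:               # lets the Linux gateway itself use the tunnel
        pairs.append((lip, rnet))
    lines = [f"#!{setkey} -f", "flush;", "spdflush;"]
    for src, dst in pairs:
        lines.append(f"spdadd {src} {dst} any -P out ipsec {out_t};")
        lines.append(f"spdadd {dst} {src} any -P in ipsec {in_t};")
    return "\n".join(lines) + "\n"


def racoon_conf(local_ip, local_net, remote_ip, remote_net, host_policy=True,
                exchange_mode="aggressive", psk_path="/etc/racoon/psk.txt"):
    """Phase 1 'remote' block plus one 'sainfo' block per policy pair."""
    lip, lnet, rip, rnet = check_addresses(local_ip, local_net, remote_ip, remote_net)

    def sainfo(src, dst):
        return (f"sainfo address {src} any address {dst} any {{\n"
                "\tencryption_algorithm 3des;\n"
                "\tauthentication_algorithm hmac_sha1;\n"
                "\tcompression_algorithm deflate;\n}\n")

    text = (f'path pre_shared_key "{psk_path}";\n'
            f"remote {rip} {{\n"
            f"\texchange_mode {exchange_mode};\n"
            "\tproposal {\n"
            "\t\tencryption_algorithm 3des;\n"
            "\t\thash_algorithm sha1;\n"
            "\t\tauthentication_method pre_shared_key;\n"
            "\t\tdh_group modp1024;\n"
            "\t}\n}\n")
    text += sainfo(lnet, rnet)
    if host_policy:
        text += sainfo(lip, rnet)   # assumed: racoon matches sainfo on phase 2 IDs
    return text


def psk_line(remote_ip, password):
    """psk.txt entry: the peer's address as ID, then the key, separated by whitespace."""
    if not password or any(c.isspace() for c in password):
        raise ValueError("the key must be non-empty and contain no whitespace")
    return f"{ipaddress.ip_address(remote_ip)} {password}\n"


def write_private_file(path, content):
    """Create the file with mode 0600 from the start; returns the final mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)         # in case an existing file had looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write_psk(password="replace-with-the-SA-password"):
    """Write psk.txt into a temporary directory; returns its permission bits."""
    with tempfile.TemporaryDirectory() as d:
        return write_private_file(os.path.join(d, "psk.txt"), psk_line(REMOTE_IP, password))


if __name__ == "__main__":
    print(setkey_script(LOCAL_IP, LOCAL_NET, REMOTE_IP, REMOTE_NET))
    print(racoon_conf(LOCAL_IP, LOCAL_NET, REMOTE_IP, REMOTE_NET))
    print("psk.txt mode: %o" % demo_write_psk())
```

Run it once with the real addresses and compare its output against the files you wrote by hand; the most common mistakes (an inbound entry with the endpoints in the outbound order, or a sainfo that names a network the policy never uses) show up as a plain text difference.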
Activating your VPN

Once the IPsec policy, the ISAKMP key exchange, and the pre-shared key are configured, activate your VPN by doing the following:

1 On the Linux host, load the security policy with setkey by executing the newly created ipsec.conf script.
2 Verify that the policy was applied by running setkey -DP; you should see the in and out entries from the script.
3 Start racoon. It starts in daemon mode by default; for testing, it may be helpful to run it in the foreground with racoon -F.

Once the policy is loaded and racoon is running, you are ready to test the VPN.

4 From a workstation on the Linux host's local network, ping an IP address in the remote network (10.10.1.0/24). racoon's output will show the Linux server and Sidewinder G2 starting their key exchange.
5 Once the exchange completes, run setkey -D to confirm that the kernel holds an ESP tunnel security association in each direction, each in state mature.

The first pings are dropped while the tunnel is being established; the policy requires ESP, but no security association exists yet, so the kernel asks racoon to negotiate one and refuses to send the packet in the clear in the meantime. When pinging from the Linux host itself, the ping command reports
connect: Resource temporarily unavailable
until the tunnel is fully established.
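The state check in step 5 can be automated. The following Python is an added example, not part of the original note or of ipsec-tools: it parses the output of setkey -D and reports whether a mature ESP tunnel SA exists in each direction between the two gateways. SAMPLE_SAD is constructed in the layout setkey -D prints (keys and timestamps in it are fabricated) and deliberately shows one direction still larval, which is the condition behind the "Resource temporarily unavailable" error above.

```python
"""Check the kernel's Security Association Database, as printed by
setkey -D, for a mature ESP tunnel SA in each direction between the two
gateways.

Added example, not part of the original application note or of ipsec-tools.
SAMPLE_SAD is constructed in the layout setkey -D prints; its keys and
timestamps are fabricated.
"""
import re
import subprocess

LOCAL_IP = "172.27.10.20"   # Linux gateway (Figure 1)
REMOTE_IP = "192.168.1.2"   # Sidewinder G2 (Figure 1)

_HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")                  # "src dst"
_PROTO_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)")
_STATE_RE = re.compile(r"\bstate=(\w+)")


def parse_sad(text):
    """Return one dict per SA with src, dst, proto, mode, spi and state."""
    sas, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: "src dst"
            m = _HEADER_RE.match(line)
            current = {"src": m.group(1), "dst": m.group(2)} if m else None
            continue
        if current is None:
            continue
        m = _PROTO_RE.match(line)
        if m:
            current.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3)))
            continue
        m = _STATE_RE.search(line)
        if m and "proto" in current:
            current["state"] = m.group(1)
            sas.append(current)
            current = None                   # remaining lines are counters
    return sas


def tunnel_ready(sad_text, local_ip=LOCAL_IP, remote_ip=REMOTE_IP):
    """True only when both directions have an ESP tunnel SA in state mature.
    A larval SA means the kernel has asked racoon for keys and is still
    waiting; local applications get EAGAIN until it matures."""
    wanted = {(local_ip, remote_ip), (remote_ip, local_ip)}
    mature = {(sa["src"], sa["dst"]) for sa in parse_sad(sad_text)
              if sa["proto"] == "esp" and sa["mode"] == "tunnel"
              and sa["state"] == "mature"}
    return wanted <= mature


def live_sad(setkey="/usr/sbin/setkey"):
    """Run setkey -D on this host (requires root) and return its output."""
    return subprocess.run([setkey, "-D"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample: the inbound SA is established, the outbound one is
# still larval (racoon has not finished negotiating it).
SAMPLE_SAD = """\
192.168.1.2 172.27.10.20
\tesp mode=tunnel spi=185339133(0x0b0c3cfd) reqid=0(0x00000000)
\tE: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
\tA: hmac-sha1  0f1e2d3c 4b5a6978 8796a5b4 c3d2e1f0 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jun  1 10:00:00 2005\tcurrent: Jun  1 10:00:09 2005
\tdiff: 9(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=1 pid=4321 refcnt=0
172.27.10.20 192.168.1.2
\tesp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tsadb_seq=0 pid=4321 refcnt=0
"""

if __name__ == "__main__":
    print("sample tunnel ready:", tunnel_ready(SAMPLE_SAD))
```

On the gateway, call tunnel_ready(live_sad()) after the first ping; if it stays false while racoon -F shows the exchange restarting, the two sides' proposals or the pre-shared key do not match.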