Linux VPN
Implementation and Application

Acknowledgement
David F Gardiner
Vice President of Architecture and Technology, Unisys Corporation
Professor Doyle D. Knight
Mechanical and Aerospace Engineering
Dr. Alexei Kotelnikov
Engineering Computing Services

Overview
Motivation
Objective
VPN Technology
Implementation
Application
Conclusion
Future Work
Q & A

Motivation

Proposed Solution
The main problem:
Fragmentation of resources
Inefficiency of information management
Security problems
Unavailable direct access to private networks
Possible solutions:
Purchase leased lines
Set up a VPN (Virtual Private Network)
Our choice:
Build Linux VPN machines!

Objective
Research on VPN technology
Acquire VPN software package for Linux
Installation of VPN
Configuration of VPN
Testing Host to Host connection
Testing Host to Network connection
Testing Network to Network connection
Analysis

VPN Technology: IPsec
Predominant standard/technology used to create VPNs
Designed to protect Internet (IP) traffic
Protects with:
Authentication (AH: Authentication Header)
Key Exchange (IKE: Internet Key Exchange)
Encryption (ESP: Encapsulating Security Payload)
In other words:
Making sure the party you are talking to is who they claim to be
Making sure both ends securely agree on the key that opens the message
Making sure you send your message in a way that only the recipient can read

VPN Technology: Tunnel
Tunnel: logical connection through which two devices appear to be directly connected
Tunnel works on the principle of packet encapsulation
Packet Encapsulation: process of placing a packet within another packet

Simple Analogy
You want to send a letter to your friend and make sure he’s the only one who reads it
You have signed up for a “magical” postal service

Implementation
The Hardware: Custom-made AMD PC
AMD 1700+ XP processor
512MB RAM
40 Gigs HDD
Two Network Interface Cards (NIC)
The Software: Linux FreeSWAN
Open-source package that provides IPsec capabilities
Composed of two primary pieces: KLIPS and Pluto
KLIPS: low-level drivers of IPsec
Pluto: manages key exchange

FreeSWAN Installation
Obtain the latest Linux kernel source code
Obtain the latest FreeSWAN software source code
Compile and build a new kernel with FreeSWAN source code
Install the new Kernel
Load into the new Kernel
Check whether the IPsec functionality has been added to the new Kernel

FreeSWAN Configuration
Create new sets of Keys on both gateways
Modify ipsec.secrets
Modify ipsec.conf
Configure the system to have FreeSWAN start up at boot time
Initiate Connection between the gateways
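Most first-time tunnel failures trace back to a typo in ipsec.conf rather than to the kernel or the keys, so it pays to lint the file before running ipsec auto --up. The following is an added example, not FreeSWAN's own tooling: it parses the ipsec.conf layout FreeSWAN uses (config setup, conn %default, conn <name>, indented key=value lines, also= includes) and checks each connection's left/right parameters. The gateway addresses, subnets and rsasigkey values are constructed placeholders; the real ones come from ipsec showhostkey on each gateway.

```python
"""Added example: parse a FreeSWAN-style ipsec.conf and sanity-check each
connection before bringing the tunnel up.  Not the deck's own code."""
import ipaddress

# Constructed net-to-net sample: documentation addresses, placeholder keys.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn %default
    keyingtries=0
    authby=rsasig

conn unisys-ecs
    left=192.0.2.10                # Unisys lab gateway (constructed)
    leftsubnet=10.1.0.0/24
    leftnexthop=192.0.2.1
    leftrsasigkey=0sAQO-LEFT-KEY-PLACEHOLDER
    right=198.51.100.20            # ECS machine room gateway (constructed)
    rightsubnet=10.2.0.0/24
    rightnexthop=198.51.100.1
    rightrsasigkey=0sAQO-RIGHT-KEY-PLACEHOLDER
    auto=start
"""

VALID_AUTO = {"ignore", "add", "route", "start", "manual"}


def parse_ipsec_conf(text):
    """Return {(kind, name): {param: value}}.  Section headers start in
    column 0 ("config setup", "conn foo"); parameters are indented
    key=value lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {line.strip()}")
        current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name):
    """Merge conn %default, any also= chain, and the conn's own parameters.
    The including section's own values win over what also= pulls in."""
    merged = dict(sections.get(("conn", "%default"), {}))
    seen = set()

    def include(n):
        if n in seen:
            raise ValueError(f"also= loop at conn {n}")
        seen.add(n)
        params = sections[("conn", n)]
        if "also" in params:
            include(params["also"])
        merged.update({k: v for k, v in params.items() if k != "also"})

    include(name)
    return merged


def check_conn(conn):
    """Return a list of problems with one resolved connection (empty = OK)."""
    problems, ends, nets = [], {}, {}
    for side in ("left", "right"):
        addr = conn.get(side)
        if addr is None:
            problems.append(f"{side}= is missing")
        elif addr != "%defaultroute":
            try:
                ends[side] = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{side}={addr} is not an IP address")
            if f"{side}nexthop" not in conn:
                problems.append(f"{side}nexthop= not set; set it or use %defaultroute")
        sub = conn.get(f"{side}subnet")
        if sub is not None:
            try:
                nets[side] = ipaddress.ip_network(sub, strict=False)
            except ValueError:
                problems.append(f"{side}subnet={sub} is not a CIDR network")
    if len(ends) == 2 and ends["left"] == ends["right"]:
        problems.append("left and right are the same address")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        problems.append("leftsubnet and rightsubnet overlap")
    authby = conn.get("authby")
    if authby is None:
        problems.append("authby= not set explicitly")
    elif authby == "rsasig":
        keys = [conn.get("leftrsasigkey"), conn.get("rightrsasigkey")]
        if not all(keys):
            problems.append("authby=rsasig but a side's rsasigkey= is missing")
        elif keys[0] == keys[1]:
            problems.append("left and right RSA keys are identical")
    auto = conn.get("auto", "ignore")   # FreeSWAN's default is ignore
    if auto not in VALID_AUTO:
        problems.append(f"auto={auto} is not a recognised value")
    return problems


def lint(text):
    """Lint every named connection; returns {conn name: [problems]}."""
    sections = parse_ipsec_conf(text)
    return {name: check_conn(resolve_conn(sections, name))
            for (kind, name) in sections if kind == "conn" and name != "%default"}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_CONF).items():
        print(name, "OK" if not problems else problems)
```

On a real gateway the two rsasigkey lines are the output of ipsec showhostkey --left and ipsec showhostkey --right (run on the respective machine after ipsec newhostkey has written its private key into ipsec.secrets); the lint only confirms that both are present and different, it does not validate the key material itself.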

Network Configuration
Two access points to the Internet
All machines in the private subnet go to the Firewall machine by default
The Firewall machine redirects all VPN-related traffic to the VPN gateway
To implement this, configure the routing table on the Firewall machine

Host to Host: Application
Scenario 1:
Two remotely located database machines need to synchronize data securely
Scenario 2:
Two email servers synchronize the data

Host to Network
Scenario 1:
A businessman on a trip wants to download documents containing sensitive information from the company server to his laptop
Scenario 2:
A professor wants to run computational software on his desktop from home, and that software needs to talk to the license server at Rutgers

Network to Network
Scenario 1:
Employees from two different regional offices want to synchronize sensitive data and work on the same project remotely
Scenario 2:
System Administrator at Rutgers needs to add more computers to the computational cluster but has no more space in the room
Scenario 3:
A financial consulting company needs to relay critical, market-sensitive information to a private sector of a company and needs a secure way to do so

A Practical Example
Unisys lab: 16 cluster machines
ECS Machine Room: 20 cluster machines
Goal: Remotely add the 16 Unisys cluster machines to the existing computational cluster through the VPN
Expected Outcome:
The machines in the Unisys lab should be added transparently to the queuing system and participate in compiling submitted jobs over the VPN tunnel

The Big Picture 1
Before VPN

The Big Picture 2
After VPN

Conclusion
The need for VPN
Information Consolidation
Security Concerns
Access to Private Network
Technology of VPN
IPsec and Tunneling
VPN Implementation
FreeSWAN and Networking
VPN Applications
Virtual Cluster

Future Possibilities
Academic Institutions:
Professors will be able to securely conduct research related work from home
Previously unrelated groups of machines can be merged seamlessly (Joint clusters from Physics, Chemistry, and Engineering)
Industry:
Effectively manage and regulate confidential information over the wire remotely
Consolidate various entities of the company by sharing resources and management over VPN
Build secure enterprise network with clients, partners, suppliers, etc

Future Plans
Documentation:
A complete guide on Linux VPN installation and configuration
Installation package (on CDROM):
Pre-compiled kernels for different architectures
Custom-made RPM package for FreeSWAN
Automatic installation script
Original source code
Documentation files

References
Building Linux Virtual Private Networks
Oleg Kolesnikov and Brian Hatch, 1st Edition, Feb. 4, 2002
FreeSWAN Online Documentation
www.freeswan.org
Setting up a VPN Gateway
Linux Journal, January 2002, Issue 93
Administering Linux IPSec VPN
Sys Admin, March 2002, Volume 11, Number 3
Lesson 165: IP VPN Services
Network Magazine April 2002, Vol.17, No.4

Q & A

Linux and Commercial VPN
Advantages of Linux VPN (FreeSWAN)
Cost savings
Expandability (hardware and kernel configuration; prototype)
Load-sharing capabilities (more than one VPN machine in parallel)
More support from the open-source community
Disadvantages of Linux VPN
Difficult to build and configure
Difficult to maintain
With a single machine, may be slower than hardware-accelerated encryption

Performance Degradation
Performance degrades due to encryption and encapsulation of original IP packets
Depends on types of ciphers for encryption and decryption
Average performance loss on a VPN connection compared to a connection without VPN:
~15-20% loss in CPU performance
~10-15% loss in network performance
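The encapsulation part of that loss can be worked out exactly from the ESP tunnel-mode framing, which separates it from the CPU cost of the cipher. The following is an added example, not from the deck: it computes the on-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation (new outer IPv4 header, ESP header, IV, padding to the cipher block, 2-byte trailer, truncated ICV) for FreeSWAN's 3DES-CBC with HMAC-SHA1-96, the largest inner packet that still fits a 1500-byte outer MTU, and the TCP MSS to clamp to so that full-size segments do not fragment. The AES-CBC suite is included only for contrast and is an assumption, since the deck discusses FreeSWAN's 3DES.

```python
"""Added example: ESP tunnel-mode overhead and MTU arithmetic (RFC 2406 framing)."""
from dataclasses import dataclass

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # cipher block size in bytes (padding granularity)
    iv: int      # IV length in bytes
    icv: int     # truncated integrity check value length in bytes


# FreeSWAN's cipher: 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
THREE_DES_SHA1 = EspSuite("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12)
# Assumed for contrast only: AES-CBC has a 16-byte block and IV.
AES_CBC_SHA1 = EspSuite("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12)


def esp_padding(inner_len, suite):
    """Padding so that inner packet + padding + 2-byte trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def encapsulated_size(inner_len, suite):
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode encapsulation."""
    return (OUTER_IP_HDR + ESP_HDR + suite.iv
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER
            + suite.icv)


def max_inner_size(outer_mtu, suite):
    """Largest inner packet whose encapsulated form still fits in outer_mtu."""
    for n in range(outer_mtu, 0, -1):
        if encapsulated_size(n, suite) <= outer_mtu:
            return n
    return 0


def tcp_mss_clamp(outer_mtu, suite, inner_ip_hdr=20, tcp_hdr=20):
    """TCP MSS to advertise so a full segment is never fragmented by the tunnel."""
    return max_inner_size(outer_mtu, suite) - inner_ip_hdr - tcp_hdr


def goodput_fraction(inner_len, suite):
    """Share of wire bytes that carry the original packet (1.0 = no overhead)."""
    return inner_len / encapsulated_size(inner_len, suite)


if __name__ == "__main__":
    for suite in (THREE_DES_SHA1, AES_CBC_SHA1):
        print(suite.name)
        for inner in (64, 576, 1446, 1500):
            print(f"  inner {inner:4d} -> wire {encapsulated_size(inner, suite):4d}"
                  f"  goodput {goodput_fraction(inner, suite):.3f}")
        print(f"  max inner for MTU 1500: {max_inner_size(1500, suite)}"
              f"  (clamp TCP MSS to {tcp_mss_clamp(1500, suite)})")
```

For a full 1500-byte packet the framing alone costs about 3.5% of the link (1500 bytes become 1552), and a 64-byte packet loses close to half of its wire bytes to overhead; the remainder of the 10-15% network loss the deck measured is the gateway's CPU spending time in 3DES and HMAC, which is why the deck lists hardware-accelerated encryption as the alternative.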