When setting up the VPN, there are a few things that must be in place before the VPN can operate correctly. Those things are:
Good connectivity between the two IPCop boxes (low packet loss).
All VPN connected networks are in separate, non-overlapping IP address spaces.
Routing must be properly set up to accommodate the VPN.
Information has been collected accurately about each end of the VPN.
Good connectivity is extremely important because if there is high packet loss or latency, it will be reflected in the VPN's performance. The VPN is extremely persistent in trying to maintain a connection and re-establish any connections that may get broken but it can't work miracles when the network over which it travels is broken. One can test the connectivity by a combination of ping and traceroute. Ping should show low packet loss and traceroute should show reliable routing.
It's essential that every network joined by the VPN has independent, non-overlapping IP address spaces. For example, if one network is 192.168.0.0/24 and the other network is 192.168.0.128/25, the VPN connection will not work. However, if the other network was 192.1 68.1.0/25, the VPN would work because the address ranges do not overlap.
Routing is another source of errors when setting up a VPN. It's important for all hosts that must communicate across the VPN to be configured so that the VPN specific routes are known and handled properly. A common way to deal with this is to use a router as the default gateway and reroute traffic as appropriate from that router. The primary advantage of this technique is that routes are controlled in one place. The disadvantage is that in a non-switched network, there can be some additional network congestion and that the router is a single point of failure. If there is no internal router pre-existing, the IPCop machine will usually be the network's default route and can be used as a general router.
In order to turn on the VPN on an IPCop firewall, there are three essential bits of information that must be collected from each side of the VPN (shown below).
The three bits of information are the: firewall's RED interface IP address, the default route for the firewall, and the network and net mask of the VPN connected network (usually GREEN network). This information can be extracted from a running firewall using two commands. One can extract the network and net mask information using the ifconfig. For example, on the Internet Guide Service firewall, eth1 is the RED interface:
[email protected]:~ # ifconfig eth1 eth1 Link encap:Ethernet HWaddr 00:48:54:8F:3C:66 inet addr:18.104.22.168 Bcast:22.214.171.124 Mask:255.255.252.0 UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1 RX packets:4715621 errors:0 dropped:0 overruns:0 frame:0 TX packets:397580 errors:0 dropped:0 overruns:0 carrier:0 collisions:34857 txqueuelen:100 RX bytes:814964446 (777.2 Mb) TX bytes:59306224 (56.5 Mb) Interrupt:11 Base address:0xc000 [email protected]:~ #
To get the rest of the information, we use the netstat -rn command as shown in the box below.
[email protected]:~ # netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 126.96.36.199 0.0.0.0 255.255.252.0 U 0 0 0 eth1 0.0.0.0 188.8.131.52 0.0.0.0 UG 0 0 0 eth1 [email protected]:~ #
Unfortunately, the net mask, above, is in the wrong form. Instead of dotted notation, the netmask must be in “slash notation”. In this case, slash notation would be “/24”. The table below provides a conversion between slash notation and dotted notation netmask.
Table 2.1. Network Masks
|/32||255.255.255.255||0 (single-host netmask)|
Once this information has been gathered for both sides of the VPN, then one can configure the firewall and activate the VPN. A VPN data worksheet is provided as part of this document to help organize the information collection process.
The IPCop VPN is a manually keyed system. This means that you must use a single shared secret for all VPN nodes, which becomes the key for encrypting all traffic. Keys must be changed regularly and hidden from view so that it would be difficult if not impossible for someone to tap the VPN. Future versions will replace manual keying with automatic keying and RSA based authentication.
Manually keyed systems should use relatively long random bit strings. A simple technique for generating keys would be to take the output of ps -aux passed through md5sum. This is still a very weak method of generating a manual key but it's far stronger than usual human generated passwords. Generate the key, record it somewhere safe and don't lose it until you've replaced it.