Table of Contents
- Preface
- Chapter 1: Introduction
- Chapter 2: Practical Overview of the IPsec Protocol
- Chapter 3: Building and Installing Openswan
- Chapter 4: Configuring IPsec
- Chapter 5: X.509 Certificates
- Chapter 6: Opportunistic Encryption
- Chapter 7: Dealing with Firewalls
- Chapter 8: Interoperating with Microsoft Windows and Apple Mac OS X
- Chapter 9: Interoperating with Other Vendors
- Chapter 10: Encrypting the Local Network
- Chapter 11: Enterprise Implementation
- Chapter 12: Debugging and Troubleshooting
- Appendix A: Unresolved and Upcoming Issues
- Appendix B: Networking 101
- Appendix C: Openswan Resources on the Internet
- Appendix D: IPsec-Related Requests For Comments (RFCs)
- Index
- Chapter 1: Introduction
- The Need for Cryptography
- A History of the Internet
- Holding the Internet Together
- The Creation of ICANN
- ICANN Bypassed
- The Root Name Servers
- Running the Top-Level Domains
- History of Internet Engineering
- The Internet Engineering Task Force (IETF)
- RFCs—Requests For Comments
- IETF and Crypto
- The War on Crypto
- Dual Use
- Public Cryptography
- The Escrowed Encryption Standard
- Export Laws
- The Summer of '97
- The EFF DES Cracker
- Echelon
- The End of the Export Restrictions
- Free Software
- The GPL
- Free as in Verifiable
- The Open Source Movement
- The History of Openswan
- IETF Troubles over DNS
- Super FreeS/WAN
- The Arrival of Openswan
- NETKEY
- Further Reading
- Using Openswan
- Copyright and License Conditions
- Writing and Contributing Code
- Legality of Using Openswan
- International Agreements
- International Law and Hosting Openswan
- Unrecognized International Claims
- Patent Law
- Expired and Bogus Patents
- Chapter 2: Practical Overview of the IPsec Protocol
- A Very Brief Overview of Cryptography
- Valid Packet Rewriting
- Ciphers
- Algorithms
- Uniqueness
- Public-Key Algorithms
- Exchanging Public Keys
- Digital Signatures
- Diffie-Hellman Key Exchange
- Avoiding the Man in the Middle
- Session Keys
- Crypto Requirements for IPsec
- IPsec: A Suite of Protocols
- Kernel Mode: Packet Handling
- Authentication Header (AH)
- Encapsulated Security Payload (ESP)
- Transport and Tunnel Mode
- Choosing the IPsec Mode and Type
- The Kernel State
- Encryption Details
- Manual Keying
- Final Note on Protocols and Ports
- Usermode: Handling the Trust Relationships
- The IKE Protocol
- Phase 1: Creating the ISAKMP SA
- Phase 2: Quick Mode
- The NAT Problem
- Chapter 3: Building and Installing Openswan
- Linux Distributions
- Red Hat
- Debian
- SuSE
- Slackware
- Gentoo
- Linux 'Router' Distributions
- Deciding on the Userland
- Pluto
- Racoon
- Isakmpd
- More Reasons to Pick Pluto
- Choosing the Kernel IPsec Stack
- KLIPS, the Openswan Stack
- ipsecX Interfaces
- First Packet Caching
- Path MTU Discovery
- KLIPS' Downside
- NETKEY, the 2.6 IPsec Stack
- The USAGI / SuSE IPsec Stack
- Making the Choice
- GPL Compliance and KLIPS
- Binary Installation of the Openswan Userland
- Checking for Old Versions
- Installing the Binary Package for Openswan
- Building from Source
- Using RPM-based Distributions
- Rebuilding the Openswan Userland
- Building src.rpm from Scratch
- Openswan Options
- Building the Openswan Userland from Source
- Downloading the Source Code
- Configuring the Userland Tools
- Optional Features
- Compile Flags
- File Path Options
- Obscure Pluto Options
- Binary Installation of KLIPS
- Building KLIPS from Source
- Kernel Prerequisites
- Identifying your Kernel's Abilities
- Using Both KLIPS and NETKEY
- The Kernel Build Options
- Required Kernel Options
- Desired Options
- NETKEY Stack Options
- KLIPS Stack Options
- L2TP Options
- Patching the Kernel
- NAT-Traversal Patch
- KLIPS Compile Shortcut
- Activating KLIPS
- Determining the Stack in Use
- Building KLIPS into the Linux Kernel Source Tree
- Building a Standard Kernel
- NAT Traversal
- Patching KLIPS into the Linux Kernel
- Verifying the Installation
- Summary
- Chapter 4: Configuring IPsec
- Manual versus Automatic
- PSK versus RSA
- Pitfalls of Debugging IPsec
- Pre-Flight Check
- The ipsec verify Command
- NAT and Masquerading
- Checking External Commands
- Opportunistic Encryption
- The ipsec livetest Command
- Configuration of Openswan
- Host-to-Host Tunnel
- Left and Right
- The type Options
- The auto Option
- The rsasigkey Options
- Bringing Up the IPsec Tunnels
- Listing IPsec Connections
- Testing the IPsec Tunnel
- Connecting Subnets Through an IPsec Connection
- Testing Subnet Connections
- Testing Properly
- Encrypting the Host and the Network Behind It
- Employing Advanced Routing
- Creating More Tunnels
- KLIPS and the ipsecX Interfaces
- Pre-Shared Keys (PSKs)
- Dynamic IP Addresses
- Hostnames
- Roadwarriors
- Multiple Roadwarrior Connections
- Dynamic IP and PSKs
- PSK and NAT
- Mixing PSK and RSA
- Connection Management
- Subnet Extrusion
- NAT Traversal
- Deprecated Syntax
- Confirming a Functional NAT-T
- Dead Peer Detection
- DPD Works Both Ways
- Configuring DPD
- Buggy Cisco Routers
- Ciphers and Algorithms
- Using ike= to Specify Phase 1 Parameters
- Using esp= to Specify Phase 2 Parameters
- Defaults and Strictness
- Unsupported Ciphers and Algorithms
- Aggressive Mode
- XAUTH
- XAUTH Gateway (Server Side)
- XAUTH Client (Supplicant Side)
- Fine Tuning
- Perfect Forward Secrecy
- Rekeying
- Key Rollover
- Chapter 5: X.509 Certificates
- X.509 Certificates Explained
- X.509 Objects
- X.509 Packing
- Types of Certificates
- Passphrases, PIN Codes, and Interactivity
- IKE and Certificates
- Using the Certificate DN as ID for Openswan
- Generating Certificates with OpenSSL
- Setting the Time
- Configuring OpenSSL
- Be Consistent with All Certificates
- OpenSSL Commands for Common Certificate Actions
- Configuring Apache for IPsec X.509 Files
- Creating X.509-based Connections
- Using a Certificate Authority
- Using Multiple CAs
- Sending and Receiving Certificate Information
- Creating your own CA using OpenSSL
- Creating Host Certificates with Your Own CA
- Host Certificates for Microsoft Windows (PKCS#12)
- Certificate Revocation
- Dynamic CRL Fetching
- Configuring CRL
- Online Certificate Status Protocol (OCSP)
- Chapter 6: Opportunistic Encryption
- History of Opportunistic Encryption
- Trusting Third Parties
- DNS Key Records
- Forward and Reverse Zones
- The OE DNS Records
- Different Types of OE
- Policy Groups
- Internal States
- Configuring OE
- Configuring Policies
- Full OE or Initiate-Only
- Generating Correct DNS Records
- Name Server Updates
- Verifying Your OE Setup
- Testing Your OE Setup
- The trap eroute
- The pass eroute
- The hold eroute
- Manipulating OE Connections Manually
- Advanced OE Setups
- Caveats
- Summary
- Chapter 7: Dealing with Firewalls
- Where to Firewall?
- Allowing IPsec Traffic
- NAT and IPsec Passthrough
- Configuring the Firewall on the Openswan Host
- Firewalling and KLIPS
- Firewalling and NETKEY
- Packet Size
- Chapter 8: Interoperating with Microsoft Windows and Apple Mac OS X
- Layer 2 Tunneling Protocol (L2TP)
- Assigning an IP for VPN Access
- L2TP Properties
- Pure IPsec versus L2TP/IPsec
- L2TP: PSK or X.509
- Client and Server Configurations for L2TP/IPsec
- The L2TP Openswan Server
- Configuring Openswan for L2TP/IPsec
- Linux Kernel Runtime Parameters for L2TP/IPsec
- Protecting the L2TP Daemon with IPsec using iptables
- Choosing an L2TP Daemon
- Configuring L2TPD
- Configuring User Authentication for pppd
- Microsoft Windows XP L2TP Configuration
- Microsoft Windows 2000 L2TP Configuration
- Apple Mac OS X L2TP Configuration
- Server Configuration for X.509 IPsec without L2TP
- Openswan Configuration for X.509 without L2TP
- Client Configuration for X.509 IPsec without L2TP
- Microsoft's IKE Daemon
- Microsoft's Certificate Store
- Clients using Microsoft Native IPsec Implementation
- The ipsec.exe Wrapper
- The Linsys IPsec Tool (lsipsectool)
- Securepoint IPsec Client
- TauVPN (iVPN)
- The WaveSEC Client
- Third-Party Replacement Clients for Windows
- The GreenBow VPN Client
- Astaro Secure Client
- Mac OS X IPSecuritas
- VPNtracker
- Manual Racoon Configuration
- Importing X.509 Certificates into Windows
- Importing X.509 Certificates on Mac OS X (Tiger)
- Summary
- Chapter 9: Interoperating with Other Vendors
- Openswan as a Client to an Appliance
- Preparing the Interop
- The Human Factor
- Terminology
- Preparation
- IPsec Passthrough
- Tunnel Limitations
- Anticipate Known Problems
- Update the Firmware
- GUI Issues
- Keepalives
- ISP Filtering
- Frequently used VPN Gateways
- Webmin with Openswan
- Cisco VPN 3000
- Cisco PIX Concentrator
- Nortel Contivity
- Checkpoint
- WatchGuard Firebox
- Symantec
- Frequently used VPN Client Appliances
- ZyXEL
- DrayTek Vigor
- The Vigor Web Interface
- Windows Logon Issues
- Other Vigorisms
- Unresolved Issues
- SonicWALL
- BinTec
- LANCOM
- Linksys
- Lucent Brick
- NETGEAR
- KAME/Racoon
- Chapter 10: Encrypting the Local Network
- Methods of Encryption
- Host-to-Host Mesh
- Host-to-Gateway Setup
- Single IP Extrusion or L2TP
- Opportunistic Encryption in the LAN
- Non-OE-Capable Machines
- Designing a Solution for Encrypting the LAN
- Design Goals
- Separation of WiFi and Crypto
- Link Layer Protection
- The Logical Choice: IPsec
- Hotspot
- WaveSEC
- Full WaveSEC
- Catch 22 Traffic
- Building a WaveSEC Server
- DHCP Server Setup
- DNS Server Setup
- Openswan Server Setup
- Catch 22 Traffic Setup
- Building a WaveSEC Client
- DH Client Setup
- Openswan Setup
- Testing the WaveSEC
- Starting the WaveSEC Connection
- Known Issues with WaveSEC
- WaveSEC for Windows
- Design Limitations
- Building a WaveSEC for Windows Server
- Obtaining the Certificate and Client Software
- Our Prototype Experiences
- Openswan Issues
- Windows Kernel Issues
- Chapter 11: Enterprise Implementation
- Cipher Performance
- Handling Thousands of Tunnels
- Managing Large Configuration Files
- Standard Naming Convention
- The also= Parameter
- The include Parameter
- Openswan Startup Time
- Limitations of the Random Device
- Other Performance-Enhancing Factors
- Logging to Disk
- Disable Dead Peer Detection
- Reducing the Number of Tunnels
- High Availability
- Heartbeat
- Xen Migration
- Chapter 12: Debugging and Troubleshooting
- Network Issues
- Firewalls
- MTU and Fragmentation Issues
- Debugging IPsec on Apple Mac OS X
- Debugging IPsec on Microsoft Windows
- Oakley Debugging
- Debugging ipsec.exe
- Microsoft L2TP Errors
- You Suddenly Cannot Log in Anymore over the VPN
- Software Bugs
- Userland Issues: Assertion Failed or Segmentation Faults
- Kernel Issues: Crashes and Oopses
- Memory Issues
- Common IKE Error Messages
- Common Kernel-Related Error Messages
- Common Errors when Upgrading
- Using tcpdump to Debug IPsec
- Situation A: No Communication on Port 500
- Situation B: Failure at Third Exchange
- Situation C: QUICK Mode Initiates, but Never Completes
- Situation D: All IKE Messages Occur, but no Traffic Flows
- A Final tcpdump Example
- User Mode Linux Testing
- Preparing the Openswan for the UML Build Process
- Running the UMLs
- Writing a UML Test Case
- Debugging the Kernel with GDB
- Asking the Openswan Community for Help
- Internet Relay Chat (IRC)
- The Openswan Mailing Lists
- Posting to the Lists
- Research First, Ask Later
- Free, as in Beer
- Do not Anonymize
- Appendix A: Unresolved and Upcoming Issues
- Linux Kernel Developments
- Kernel API Changes between 2.6.12 and 2.6.14
- Red Hat Kernel Developments
- Fedora Kernel Source/Headers Packaging Change
- MD5 Insecurities
- Discontinuation of Openswan 1 by the End of 2005
- Update on UML Testing Suite Installation
- Openswan GIT Repositories
- Openswan on Windows and Mac OS X Updates
- Known Outstanding Bugs
- Vulnerability Fixes in Openswan 2.4.4
- Appendix B: Networking 101
- The OSI Model and the IP Model
- No Layers, Just Packets
- The Protocol
- IP Network Overview
- IP Address Management
- The Old IP Classes
- Classless IP Networks
- The Definition of a Subnet
- Calculating with Subnets: The Subnet Mask
- The Rest of the Network
- Linux Networking Commands
- Routing
- Routing Decisions
- Peering
- Network Address Translation
- Port Forwarding
- Appendix D: IPsec-Related Requests For Comments (RFCs)
- Overview RFCs
- Basic Protocols
- Key Management
- Procedural and Operational RFCs
- Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- Dead Peer Detection RFCs
- NAT-Traversal and UDP Encapsulation RFCs
- RFCs for Secure DNS Service, which IPSEC May Use
- RFCs Related to L2TP, Often Used in Combination with IPsec
- RFCs on IPsec in Relation to Other Protocols
- RFCs Not in Use or Implemented across Multiple Vendors