
Openswan: Building and Integrating Virtual Private Networks

Ken Bantoft, Paul Wouters

Learn from the developers of Openswan how to build industry standard, military grade VPNs and connect them with Windows, MacOSX, and other VPN vendors

Book Details

ISBN-13: 9781904811251
Paperback: 360 pages

About This Book


  • Learn everything you need to know about Openswan from its core developers
  • Build VPNs that interoperate with Windows, MacOS, and other network vendors
  • Build your own secure hotspots

Who This Book Is For

Network administrators and anyone who is interested in building secure VPNs using Openswan. It presumes basic knowledge of Linux, but no knowledge of VPNs is required.

Table of Contents

Chapter 1: Introduction
The Need for Cryptography
A History of the Internet
History of Internet Engineering
The War on Crypto
Free Software
The History of Openswan
Using Openswan
Chapter 2: Practical Overview of the IPsec Protocol
A Very Brief Overview of Cryptography
IPsec: A Suite of Protocols
Kernel Mode: Packet Handling
Usermode: Handling the Trust Relationships
Chapter 3: Building and Installing Openswan
Linux Distributions
Deciding on the Userland
Choosing the Kernel IPsec Stack
Binary Installation of the Openswan Userland
Building from Source
Building the Openswan Userland from Source
Binary Installation of KLIPS
Building KLIPS from Source
Building KLIPS into the Linux Kernel Source Tree
Verifying the Installation
Chapter 4: Configuring IPsec
Manual versus Automatic
PSK versus RSA
Pitfalls of Debugging IPsec
Pre-Flight Check
The ipsec livetest Command
Configuration of Openswan
Host-to-Host Tunnel
Connecting Subnets Through an IPsec Connection
Avoiding Duplication
KLIPS and the ipsecX Interfaces
Pre-Shared Keys (PSKs)
Dynamic IP Addresses
Connection Management
Subnet Extrusion
NAT Traversal
Dead Peer Detection
Ciphers and Algorithms
Aggressive Mode
Fine Tuning
Chapter 5: X.509 Certificates
X.509 Certificates Explained
Generating Certificates with OpenSSL
Creating X.509-based Connections
Using a Certificate Authority
Chapter 6: Opportunistic Encryption
History of Opportunistic Encryption
Trusting Third Parties
OE in a Nutshell
DNS Key Records
Policy Groups
Internal States
Configuring OE
Testing Your OE Setup
Manipulating OE Connections Manually
Advanced OE Setups
Chapter 7: Dealing with Firewalls
Where to Firewall?
Allowing IPsec Traffic
Configuring the Firewall on the Openswan Host
Chapter 8: Interoperating with Microsoft Windows and Apple Mac OS X
Layer 2 Tunneling Protocol (L2TP)
Client and Server Configurations for L2TP/IPsec
Microsoft Windows XP L2TP Configuration
Microsoft Windows 2000 L2TP Configuration
Apple Mac OS X L2TP Configuration
Server Configuration for X.509 IPsec without L2TP
Client Configuration for X.509 IPsec without L2TP
Importing X.509 Certificates into Windows
Importing X.509 Certificates on Mac OS X (Tiger)
Chapter 9: Interoperating with Other Vendors
Openswan as a Client to an Appliance
Preparing the Interop
Frequently used VPN Gateways
Frequently used VPN Client Appliances
Chapter 10: Encrypting the Local Network
Methods of Encryption
Designing a Solution for Encrypting the LAN
WaveSEC for Windows
Chapter 11: Enterprise Implementation
Cipher Performance
Handling Thousands of Tunnels
Managing Large Configuration Files
Openswan Startup Time
Limitations of the Random Device
Other Performance-Enhancing Factors
Using Anycast
Chapter 12: Debugging and Troubleshooting
Do Not Lock Yourself Out!
Narrowing Down the Problem
Configuration Problems
Openswan Error Messages
Network Issues
Debugging IPsec on Apple Mac OS X
Debugging IPsec on Microsoft Windows
Software Bugs
Common IKE Error Messages
Using tcpdump to Debug IPsec
User Mode Linux Testing
Asking the Openswan Community for Help

What You Will Learn

Chapter 1 presents some historical context for IPsec and Openswan, discusses the legal aspects of using and selling cryptographic software such as Openswan, and looks at how encryption, privacy and law enforcement interests are weighed against each other.

Chapter 2 explains in non-mathematical terms how the IPsec protocols work. It is written especially with the system administrator in mind, and should appeal to both experts and beginners in the world of cryptography.

Chapter 3 contains all you need to know to install Openswan on your Linux distribution. It covers installing the available binary packages, as well as how to build Openswan from source. It also guides you through the options your kernel needs to support, and helps you choose between the two IPsec stacks that are currently available: KLIPS and NETKEY.


Chapter 4 is a step-by-step tutorial on how to configure the most common types of VPN connection using Openswan. These include net-to-net, host-to-net, roaming users and head office to branch offices; in other words, all the possible Openswan-to-Openswan connections. It also discusses commonly deployed third-party scenarios, including Cisco implementations using Aggressive Mode and XAUTH with Openswan as the IPsec client.
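As an added illustration of the net-to-net case described above (this is not an excerpt from the book, and the gateway addresses, subnets and secret are assumed placeholders from the documentation ranges), a minimal Openswan configuration for a pre-shared-key tunnel between two gateways looks like this:

```conf
# /etc/ipsec.conf on both gateways (the same file works on either side,
# because Openswan works out which end it is from the left/right addresses).
# Addresses are assumed placeholders: 192.0.2.1 and 198.51.100.1 are the
# public gateway addresses, 192.168.1.0/24 and 192.168.2.0/24 the LANs behind them.
version 2.0

config setup
    interfaces=%defaultroute   # bind to the interface carrying the default route
    klipsdebug=none
    plutodebug=none            # raise only while troubleshooting; logs are verbose

conn hq-to-branch
    left=192.0.2.1             # head office gateway (public address)
    leftsubnet=192.168.1.0/24  # LAN behind the head office gateway
    right=198.51.100.1         # branch office gateway (public address)
    rightsubnet=192.168.2.0/24 # LAN behind the branch office gateway
    authby=secret              # pre-shared key; see /etc/ipsec.secrets
    pfs=yes                    # fresh Diffie-Hellman exchange for each IPsec SA
    dpddelay=30                # Dead Peer Detection keepalive interval (seconds)
    dpdtimeout=120             # declare the peer dead after this long without a reply
    dpdaction=restart          # renegotiate rather than silently leaving a dead tunnel
    auto=start                 # bring the tunnel up when Openswan starts

# /etc/ipsec.secrets on both gateways (mode 0600, owned by root).
# The PSK is indexed by the two gateway addresses; the value below is an assumed
# placeholder and must be replaced by a long random secret shared out of band.
192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

On each gateway, `ipsec verify` runs the pre-flight checks (kernel stack present, rp_filter and ICMP redirect settings, and so on), `ipsec auto --up hq-to-branch` starts the tunnel by hand, and `ipsec auto --status` shows whether the ISAKMP and IPsec SAs are established. A pre-shared key is adequate for a fixed pair of gateways with static addresses, but note the caveat that applies when Aggressive Mode is enabled for interoperability: in Aggressive Mode the PSK-derived hash travels in the clear during the exchange, so the secret must withstand an offline dictionary attack, which is one reason to prefer X.509 certificates (Chapter 5) for roaming users.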

Chapter 5 introduces X.509 certificate based authentication for IPsec. It explains how X.509 certificates work, how to generate them for Linux, Windows and MacOSX clients, and how to run your own Certificate Authority.

Chapter 6 explains the Openswan feature called Opportunistic Encryption ("OE"). This method allows one to automate host-to-host encryption for machines without any specific configuration by the end user. Using OE, anyone can use IPsec protected connections to your servers without even realizing they are using IPsec. The goal of OE is to make IPsec the de facto standard for all communication on the Internet.

Chapter 7 goes right down to the packet level and discusses common problems that you might face on your IPsec gateway. These include special firewalling rules, handling broken IPsec implementations and the various MTU related issues that can come up.

Chapter 8 discusses IPsec from the two most popular end-user operating systems: Microsoft Windows and Apple MacOSX. It helps you decide whether you would prefer X.509 certificate based IPsec, or the less complex L2TP/IPsec. It has a step-by-step guide on how to set up L2TP on your Openswan VPN server. It also explains how to configure X.509 or L2TP on your Microsoft Windows or Apple MacOSX clients, and includes all the screenshots to guide your way. It closes with a description of how to configure commonly used third-party software packages for Openswan.

Chapter 9 deals with getting Openswan to properly interoperate with third party IPsec VPN servers such as Cisco, Checkpoint, Netscreen, Watchguard and various DSL based modem/router appliances commonly used by end-users.

Chapter 10 explores how to use IPsec to encrypt all traffic between local machines. It specifically focuses on 802.11 type wireless connections, but it applies in general to all LAN based computers. It discusses the Xelerance designed IPsec deployment scenario called WaveSEC: the implementation used at IETF, BlackHat and DefCon to encrypt their wireless networks.

Chapter 11 discusses the advanced use of Openswan. It explains how to set up a proper fail-over VPN server with Openswan, discusses the bottlenecks of large enterprise deployments, and covers how to deal with BGP and OSPF over IPsec with Openswan.

Chapter 12 is the culmination of two years of end-user support on the public mailing lists. It discusses the common mistakes and issues that people who are not working with IPsec on a daily basis tend to run into. Unless you are doing something extremely specific to your particular setup, your problem will be shown in this chapter, along with the explanation of what went wrong and how to remedy your situation.

Appendix A is our last minute update to the current events of Openswan. It discusses bleeding edge Linux kernel issues, the latest security vulnerabilities and upcoming features for end-users and developers that did not exist when the authors were writing the bulk of this book. It also discusses known but unsolved bugs existing at the time this book went to the printer.


In Detail

With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDAs and mobile phones, there is a growing desire to encrypt more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3s at home? IPsec is the industry standard for encrypted communication, and Openswan is the de facto implementation of IPsec for Linux.

Whether you are just connecting your home DSL connection with your laptop when you're on the road to access your files at home, or you are building an industry-size, military-strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.

The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway for deploying IPsec. This covers not only Linux clients, but also the more commonly used operating systems such as Microsoft Windows and MacOSX. Furthermore, it discusses common interoperability examples for third-party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.

The authors bring you first-hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in the wide range of successful and not so successful uses of Openswan by people worldwide.


