| Authors: | Giulio Bottazzi |
|---|---|
| Contact: | <bottazzi@sssup.it> |
| Date: | 29 October 2009 |
| Revision: | 0.4 |
| Copyright: | GPL |
This document describes how to configure your Linux computer to access the Scuola Sant'Anna VPN. At present, the access point is a Sonicwall network appliance. In order to establish a VPN connection you need a shared encrypted key, which you can obtain from the School's help desk, and a personal account which allows you to access the School's IT services. In what follows the possession of both is assumed.
Several VPN solutions are available under Linux. I will consider only one of them, namely openswan. The choice is dictated by the good interoperability of this software with the proprietary solution adopted by the School.
The first step is installing the needed software on your machine. openswan is based on the IPsec protocol, so apart from the client itself you need the extra tools provided by the ipsec-tools package. Moreover, you also need iptables, which is a NAT and firewall utility. In Gentoo you can install all the necessary software with the command:
```
# emerge --deep -vu iptables openswan bind-tools ipsec-tools
```
In Debian, or Debian-based systems like Ubuntu, you can do the same by using the Synaptic interface or the dpkg command.
First of all, you should use a kernel of the 2.6 generation. It is very likely that the kernel you use already contains all the necessary modules and options. If not, please refer to the openswan documentation.
In case you have IPsec support compiled into the kernel, in order for the openswan program to work you need to switch off ICMP redirects. Simply do the following:
```
# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
```
At the same time IP forwarding should be activated:
```
# echo 1 > /proc/sys/net/ipv4/ip_forward
```
Once openswan is installed, you have to start the ipsec service:
```
# /etc/init.d/ipsec start
```
then you can check if everything is working using:
```
# ipsec verify
```
If you intend to use openswan from behind a firewall or in a NAT environment, then you have to forward UDP ports 500 and 4500 to the computer on which the VPN connection is started. This is the case, for instance, if you use your home machine with a private IP. Further instructions are available here.
If you managed to install the software and the check above reported that everything is working, then it's time to configure the access to Sant'Anna VPN.
The openswan configuration is composed of two files, /etc/ipsec/ipsec.conf and /etc/ipsec/ipsec.secrets. The first contains the general configuration settings while the second lists the cryptographic keys used by the program. Both files should be present on your system after installation. Add the following stanza to the first file:
File: /etc/ipsec/ipsec.conf
```
conn sonicwall
    type=tunnel
    pfs=no
    aggrmode=yes
    auto=add
    auth=esp
    authby=secret
    #-- left --
    left=%defaultroute
    leftid=<machine name>
    leftxauthclient=yes
    #-- right --
    right=193.206.136.46
    rightsubnet=192.168.0.0/16
    rightxauthserver=yes
    rightid=@0006B12025C6
    #-- crypto --
    keyingtries=0
    ike=3des-sha1-modp1024
    esp=3des-sha1
```
where <machine name> is a name identifying your local machine. Notice that the indentation is not accidental: the conn line is not indented and defines the connection name, while the following indented lines are the settings for that connection.
Then add the following entry to the second file:
File: /etc/ipsec/ipsec.secrets
```
#Shared key for School connection
@0006B12025C6 <machine name> : PSK "<shared key>"
```
where <shared key> is the shared encryption key you obtained from the School IT staff. Remember to add an empty line after the key, or Openswan will complain. Now restart the service:
```
# /etc/init.d/ipsec restart
```
and start the connection by hand using the following command:
```
# ipsec whack --name sonicwall --initiate
```
You should see various output messages and at some point you will be asked to provide a username and password. Use the ones you normally use to access the Sant'Anna intranet. If everything goes well, you should be rewarded with a message containing `IPsec SA established`. The connection is now up.
To reach personal machines inside the School you can specify a different value for rightsubnet:
File: /etc/ipsec/ipsec.conf
To access the machines of the School by name (instead of by IP address) you need to use appropriate DNS servers. You can manually configure the way names are resolved by modifying the file /etc/resolv.conf to read:
File: /etc/resolv.conf
```
nameserver 192.168.64.12
nameserver 192.168.64.11
```
A better approach, however, is to configure a local DNS server which can intelligently forward DNS queries. Using dnsmasq is straightforward. In Gentoo install it with:
```
# emerge dnsmasq
```
Then modify the configuration file /etc/dnsmasq.conf adding:
File: /etc/dnsmasq.conf
```
server=/168.192.in-addr.arpa/192.168.64.12
server=/168.192.in-addr.arpa/192.168.64.11
server=/sssup.it/192.168.64.12
server=/sssup.it/192.168.64.11
server=/sss/192.168.64.12
server=/sss/192.168.64.11
```
Then add the local host as the first name server in the resolver configuration file:
File: /etc/resolv.conf
```
nameserver 127.0.0.1
```
and start the local DNS service:
```
# /etc/init.d/dnsmasq start
```
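As an added illustration (not from the original document or from dnsmasq itself), a Python model of how dnsmasq routes queries under the server= lines above: names under sss and sssup.it, and reverse lookups for the whole 192.168.0.0/16 subnet carried by the tunnel, go to the School's resolvers, while every other name falls through to the default resolver. The matching rule modelled is dnsmasq's "most specific domain wins".

```python
# Constructed copy of the dnsmasq 'server=' lines shown on this page.
DNSMASQ_LINES = [
    "server=/168.192.in-addr.arpa/192.168.64.12",
    "server=/168.192.in-addr.arpa/192.168.64.11",
    "server=/sssup.it/192.168.64.12",
    "server=/sssup.it/192.168.64.11",
    "server=/sss/192.168.64.12",
    "server=/sss/192.168.64.11",
]

def parse_server_lines(lines):
    """Return [(domain, upstream_ip)] from dnsmasq 'server=/domain/ip' lines."""
    rules = []
    for line in lines:
        line = line.strip()
        if line.startswith("server=/"):
            _, domain, ip = line.split("/", 2)
            rules.append((domain.lower().rstrip("."), ip))
    return rules

def ptr_name(ipv4):
    """Reverse-lookup name for an IPv4 address: 192.168.64.12 -> 12.64.168.192.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def upstreams_for(qname, rules):
    """Upstreams dnsmasq would forward qname to: the servers of the most specific
    (longest) domain equal to qname or a parent of it. [] means 'default resolver'."""
    q = qname.lower().rstrip(".")
    best_len, chosen = -1, []
    for domain, ip in rules:
        if q == domain or q.endswith("." + domain):
            if len(domain) > best_len:
                best_len, chosen = len(domain), [ip]
            elif len(domain) == best_len:
                chosen.append(ip)
    return chosen
```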
With the connection up and with properly configured DNS servers you can now access the Sant'Anna intranet at www.sss. In order to browse the web as if you were at the School, you need a proxy server. To configure Firefox select Edit->Preferences, go to the tab Advanced->Network and, in the Connection part, select the Settings... button. Choose Manual proxy configuration and set:
```
HTTP proxy: proxy.sss
Port: 3128
```
Also check the Use this proxy server for all protocols flag.
In recent versions of Firefox you can use the FoxyProxy add-on. To install it go to Tools->Add-ons and search for it in the Get Add-ons tab. This extension allows for easy switching between connection settings and makes it possible to select the connection based on the page being accessed.
Openswan does not provide any graphical (GUI) login utility. In principle, a connection which uses the XAUTH authentication method, that is a username/password pair, must be started from a terminal. An alternative automatic startup can be obtained by starting the ipsec service early during the boot process:
```
# rc-update add ipsec default
```
and adding a line that explicitly starts the connection to /etc/conf.d/local.start:
File: /etc/conf.d/local.start
```
ipsec whack --name sonicwall --xauthname <usrname> --xauthpass <passwd> --initiate
```
where <usrname> and <passwd> are the username and password used above. If necessary, add the echo commands that disable ICMP redirects:
File: /etc/conf.d/local.start
```
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
ipsec whack --name sonicwall --xauthname <usrname> --xauthpass <passwd> --initiate
```
This approach has the drawback of leaving your username and password as clear text in the system.
A safer solution is to use the script vpnsssup. This simple script can be used to start and stop the VPN connection. Download it and open it with a text editor to modify a few system-specific variables. The defaults should be fine for a Gentoo installation, but other Linux flavors could require minimal tuning. Notice that the script should be run as root, better still through the sudo command. To start the connection do:
```
# sudo ./vpnsssup start sonicwall username password
```
The first parameter is the name of the connection as defined in /etc/ipsec/ipsec.conf. If the presence of a username and password on the command line sounds dangerous, you can store the username and password pair in an encrypted file using gpg and decrypt it on the fly, like:
```
# sudo ./vpnsssup start sonicwall `gpg -d vpn_secret.gpg`
```
Remember to switch the connection off at log out:
```
# sudo ./vpnsssup stop
```
The present document has been put together thanks to the help of the Sant'Anna School IT staff. Further documentation (on which the present document is partly based) is made available at ftp://ftp-scuola2000.sss/Ftp_Telnet_Ssh/VPN. Any mistakes are, however, to be considered an original contribution of the author.