by Georgi Ivanov (22-06-2004)



This article is intended for people who run a Linux 2.6.x kernel and want to build a VPN server with something more than the bare IPsec module shipped in the 2.6.x kernels. Because the new FreeS/WAN 2.06 has removed transport as a connection type and therefore cannot carry L2TP (and the earlier FreeS/WAN releases do not support 2.6.x kernels), the tool I settled on is Openswan.

The tools you need are:
Openswan 2.1.2
OpenSSL 0.9.7
l2tpd 0.69

The tools were tested on Debian 3.0r2 unstable with kernel 2.6.7.

Note: it is assumed that you have worked with Linux before and can compile and install a kernel!

The scenario is the following:

You work as a system administrator at a private company whose network consists of 40-50 computers and, say, one server that acts as gateway and firewall, and your boss wants the employees to be able to reach the company's internal network somehow outside working hours, no matter where they are.

1. Kernel configuration:
The kernel must be compiled with support for IPsec (ESP, AH, PF_KEY) and PPP. The native 2.6 IPsec stack also needs the ciphers and hashes the clients will negotiate (CONFIG_CRYPTO_DES, CONFIG_CRYPTO_MD5, CONFIG_CRYPTO_SHA1, CONFIG_CRYPTO_HMAC) built in or as modules; without them the kernel cannot install the ESP SAs that Pluto negotiates.

CONFIG_NET_KEY=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_XFRM_USER=y
CONFIG_PPP=y
CONFIG_PPP_MULTILINK=y
CONFIG_PPP_FILTER=y
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPP_BSDCOMP=y

Install openswan and openswan-modules-source:

apt-get install openswan openswan-modules-source

(Debian only), then go to the directory /usr/src/kernel-patches/all/openswan and apply Openswan's patch to the kernel source:

make kpatch

then compile and install the kernel.

2. Generating X.509 certificates.
First, why I use certificates rather than pre-shared keys: the clients that will use the VPN server are expected to run Windows, and Windows 2000 does not support pre-shared keys. Pre-shared keys have a further drawback, at least in the scenario I described: you must also specify the IP address the client will connect from, which contradicts the requirement "use the server no matter where they are".

Installing OpenSSL on Debian:

apt-get install openssl libssl0.9.7 libssl-dev

The CA.pl and CA.sh scripts used to generate the certificates live in /usr/lib/ssl/misc.

OpenSSL configuration.
For this particular case only one thing needs to be set in the OpenSSL configuration file, in its [ ca ] section, so that a user whose certificate has been revoked can later be issued a new one with the same subject:

unique_subject = no

Next, generate the CA certificate and the CA private key:

cd /usr/lib/ssl/misc
./CA.sh -newca


You will be prompted for a passphrase for the private key and for the CA's identity (the subject fields). The command above creates the directory demoCA (unless you changed it explicitly in openssl.cnf). The private key is cakey.pem by default and sits in /usr/lib/ssl/misc/demoCA/private/cakey.pem; the CA certificate sits by default in /usr/lib/ssl/misc/demoCA/cacert.pem. Guard cakey.pem: anyone holding it together with its passphrase can issue a certificate the VPN will trust.

Next, generate the private key and certificate request for Openswan:

/usr/lib/ssl/misc/CA.sh -newreq

which creates the file newreq.pem (the encrypted private key together with the request). Then have the CA sign it:

/usr/lib/ssl/misc/CA.sh -sign

You will be asked whether to sign the certificate; answer "y". The signed certificate is written to newcert.pem.
Note: for every signature you will be prompted for the passphrase of the CA private key, i.e. the cakey.pem we generated.

The certificate for the client itself is created the same way as the one for Openswan (do the renaming described below first, because CA.sh overwrites newreq.pem and newcert.pem on every run).

We also create a CRL (Certificate Revocation List):
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out crl.pem
Copy the CRL file you created to /etc/ipsec.d/crls.
To revoke a certificate (the output below shows a CA kept in asCA rather than demoCA):
openssl ca -revoke /etc/ipsec.d/client-cert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /usr/lib/ssl/misc/asCA/private/CAkey.pem:
DEBUG[load_index]: unique_subject = "no"
Revoking Certificate 02.
Data Base Updated

Revoking only marks the certificate in the CA database: run the -gencrl command again afterwards, copy the new crl.pem to /etc/ipsec.d/crls and make Pluto reload it (ipsec auto --rereadcrls); until then the revoked client can still connect.

Before generating the client certificate, rename newreq.pem and newcert.pem to something meaningful to you, because CA.sh overwrites both files on its next run, for example:

mv newcert.pem openswan-cert.pem
mv newreq.pem openswan-priv.pem


Important: newreq.pem holds the private key (and the request), newcert.pem is the signed certificate.

After renaming the Openswan pair, generate the client's pair the same way and rename it too:

mv newreq.pem client-priv.pem
mv newcert.pem client-cert.pem


Then copy the certificates to their places (/etc/ipsec.d/private must be readable by root only, and the client's private key need not stay on the gateway once the PKCS#12 file described below has been made):

cp demoCA/cacert.pem /etc/ipsec.d/cacerts/
cp openswan-priv.pem /etc/ipsec.d/private/
cp client-priv.pem /etc/ipsec.d/private/
cp openswan-cert.pem /etc/ipsec.d/
cp client-cert.pem /etc/ipsec.d/


Since PKCS#12 is the most widely used format for storing user certificates, we generate one here to hand to the user of the VPN server; it bundles the client certificate, its private key and the CA certificate in a single file that Windows imports directly.

Generirane na PKCS12.

openssl pkcs12 -export -in /etc/ipsec.d/client-cert.pem \
-inkey /etc/ipsec.d/private/client-priv.pem \
-certfile /usr/lib/ssl/misc/demoCA/cacert.pem -out /etc/ipsec.d/client.p12


Give the client the certificate in this format together with the password that locks client.p12 itself, preferably over a different channel from the file.
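The certificate steps above (CA, gateway and client certificates, CRL and revocation, PKCS#12 export) done non-interactively. This is an added example, not code from the original article or from Openswan; it uses plain openssl(1) calls in place of CA.sh, and the directory layout, the subject names (Example Ltd, vpn.example.com, alice) and the pass:... passphrases are assumptions made for the demo:

```shell
#!/bin/sh
# Added example, not from the original article: the certificate steps above
# done non-interactively with plain openssl(1) instead of CA.sh. Directory
# layout, subject names and the pass:... passphrases are demo assumptions;
# on a real CA let openssl prompt instead of passing passphrases on the
# command line, where other users can read them with ps(1).
set -eu

# Minimal openssl.cnf for the CA. unique_subject = no is the one setting the
# article insists on: without it the CA refuses to issue a client a fresh
# certificate with the same DN after the old one has been revoked.
write_ca_config() {
  base=$1
  cat > "$base/ca.cnf" <<EOF
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
dir              = $base/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = vpn_policy
unique_subject   = no
x509_extensions  = usr_cert
[ vpn_policy ]
organizationName = match
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = overridden-by-subj
EOF
}

# CA.sh -newreq followed by CA.sh -sign: passphrase-protected key plus CSR,
# then a certificate signed by the CA. Output names match the article's
# $name-priv.pem / $name-cert.pem. stderr is silenced for brevity; drop the
# 2>/dev/null to see why a step fails.
issue_cert() {
  base=$1 name=$2 cn=$3 keypw=$4
  openssl req -config "$base/ca.cnf" -new -newkey rsa:2048 \
    -keyout "$base/$name-priv.pem" -passout "pass:$keypw" \
    -out "$base/$name-req.pem" -subj "/O=Example Ltd/CN=$cn" 2>/dev/null
  openssl ca -config "$base/ca.cnf" -batch -notext -passin pass:capw \
    -in "$base/$name-req.pem" -out "$base/$name-cert.pem" 2>/dev/null
}

# openssl ca -gencrl; must be rerun after every revocation or the CRL that
# Pluto loads from /etc/ipsec.d/crls never learns about it.
make_crl() {
  openssl ca -config "$1/ca.cnf" -gencrl -passin pass:capw -out "$1/crl.pem" 2>/dev/null
}

# openssl ca -revoke, then refresh the CRL.
revoke_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2-cert.pem" -passin pass:capw 2>/dev/null
  make_crl "$1"
}

# 0 if the certificate chains to the CA and is not listed in crl.pem,
# which is the check Pluto performs on the peer's certificate.
cert_valid() {
  openssl verify -CAfile "$1/demoCA/cacert.pem" -crl_check -CRLfile "$1/crl.pem" \
    "$1/$2-cert.pem" >/dev/null 2>&1
}

# PKCS#12 bundle for the Windows client: its certificate, its key and the
# CA certificate, locked with the export password handed to the user.
export_p12() {
  openssl pkcs12 -export -in "$1/client-cert.pem" -inkey "$1/client-priv.pem" \
    -passin pass:clientpw -certfile "$1/demoCA/cacert.pem" \
    -out "$1/client.p12" -passout pass:exportpw 2>/dev/null
}

# CA.sh -newca, then the gateway and one client certificate, CRL and .p12.
make_pki() {
  base=$1
  mkdir -p "$base/demoCA/private" "$base/demoCA/newcerts"
  chmod 700 "$base/demoCA/private"
  : > "$base/demoCA/index.txt"
  echo 01 > "$base/demoCA/serial"
  echo 01 > "$base/demoCA/crlnumber"
  write_ca_config "$base"
  openssl req -config "$base/ca.cnf" -new -x509 -extensions v3_ca -days 3650 \
    -newkey rsa:2048 -keyout "$base/demoCA/private/cakey.pem" -passout pass:capw \
    -out "$base/demoCA/cacert.pem" -subj "/O=Example Ltd/CN=VPN CA" 2>/dev/null
  issue_cert "$base" openswan vpn.example.com serverpw
  issue_cert "$base" client alice clientpw
  make_crl "$base"
  export_p12 "$base"
}

# sh pki.sh demo: build everything in a scratch directory, then revoke alice.
if [ "${1-}" = demo ]; then
  work=$(mktemp -d)
  make_pki "$work"
  cert_valid "$work" client && echo "alice: valid"
  revoke_cert "$work" client
  cert_valid "$work" client || echo "alice: revoked, CRL in $work/crl.pem"
fi
```

Pluto performs the same chain-plus-CRL check as cert_valid against the files in /etc/ipsec.d/cacerts and /etc/ipsec.d/crls, which is why the CRL has to be regenerated and copied after every revocation. One compatibility note: current OpenSSL writes private keys in PKCS#8 form; if an old Pluto rejects such a key, openssl rsa -traditional rewrites it in the older "BEGIN RSA PRIVATE KEY" encoding.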

3. Configuring Openswan
The configuration file is /etc/ipsec.conf. Two things to watch in the file below: leftcert must name the certificate copied to /etc/ipsec.d above, and the klipsdebug line only affects the KLIPS stack, which a native-2.6 build does not use; both debug lines can be removed once the tunnel works.

Konfiguratsiia:

version 2.0
config setup
interfaces=%defaultroute
klipsdebug=all
plutodebug=dns
uniqueids=no

conn %default
keyingtries=1
compress=yes
disablearrivalcheck=yes
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=/etc/ipsec.d/openswan-cert.pem
left=%defaultroute

conn l2tp
type=transport
pfs=no
leftprotoport=udp/0
rightprotoport=udp/1701
right=%any
auto=add

conn block
auto=ignore
conn clear
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn packetdefault
auto=ignore

include /etc/ipsec.d/examples/no_oe.conf

Add the following line to /etc/ipsec.secrets, where password is the passphrase of the key (the file stores it in clear, so it must be readable by root only):

: RSA openswan-priv.pem "password"

4. Configuring l2tpd on Debian
Install l2tpd with

apt-get install l2tpd

and edit the file /etc/l2tpd/l2tpd.conf. Comments are kept on their own lines because l2tpd takes everything after the = as the value. Note that l2tpd knows nothing about IPsec and will accept plain UDP/1701 from anyone, so the gateway's firewall must let UDP/1701 in only when it arrived inside ESP:

[global]
# port the daemon itself listens on
port = 1701
# address of the gateway itself
listen-addr = x.z.y.u

[lns default]
# range of addresses that will be assigned to the clients
ip range = 192.168.7.2 - 192.168.7.245
# local address of l2tpd
local ip = 192.168.7.1
# CHAP authentication is mandatory, PAP is refused
require chap = yes
refuse pap = yes
require authentication = yes
# host name of the server
hostname = some.example.com
ppp debug = yes
# file with pppd options
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


Then create the file /etc/ppp/options.l2tpd. The auth option makes pppd check every user against /etc/ppp/chap-secrets, so each VPN user needs an entry there:

# accept the peer's idea of both addresses of the link
ipcp-accept-local
ipcp-accept-remote
# DNS and WINS servers handed to the Windows clients
ms-dns 192.168.1.12
ms-wins 192.168.1.15
# require the peer to authenticate (CHAP, per l2tpd.conf)
auth
crtscts
# drop the link after 30 minutes without traffic
idle 1800
# keep the L2TP/IPsec-encapsulated frames under the path MTU
mtu 1400
mru 1400
nodefaultroute
nodetach
debug
lock
connect-delay 5000
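Two checks worth running before starting the daemons, as an added example that is not part of the original article: a helper that adds a user to /etc/ppp/chap-secrets in pppd's client/server/secret/address format, a check that ipsec.secrets and chap-secrets are not group- or world-readable, and a check that every leftcert= in ipsec.conf names a file that exists. File paths are parameters so the functions can be tried against a scratch directory first; the user names, secrets and scratch directory are demo assumptions:

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight helpers for the
# L2TP/IPsec gateway. Paths are parameters; names and secrets are demo values.
set -eu

# pppd's chap-secrets format is: client  server  secret  IP-addresses
# "*" for server accepts whatever name pppd was started with; "*" for the
# address lets the "ip range" in l2tpd.conf pick one. Fields are quoted so
# that secrets containing spaces survive. Refuses to add a duplicate user.
add_chap_user() {
  secrets=$1 user=$2 secret=$3
  if awk -v u="\"$user\"" '$1 == u { found = 1 } END { exit !found }' "$secrets" 2>/dev/null; then
    echo "add_chap_user: $user already present in $secrets" >&2
    return 1
  fi
  printf '"%s"\t*\t"%s"\t*\n' "$user" "$secret" >> "$secrets"
}

# Returns 0 only if every listed file exists and has no group/other bits.
# ipsec.secrets holds the RSA key passphrase and chap-secrets holds every
# user's CHAP secret, so both must be mode 0600 (and root-owned on a real
# gateway; ownership is not checked here so the check can run unprivileged).
check_secret_perms() {
  rc=0
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2
      rc=1
      continue
    fi
    mode=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
    if [ "$mode" != "------" ]; then
      echo "too permissive ($mode): $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Every leftcert= in ipsec.conf must name an existing file; a typo there
# (freeswan-cert.pem instead of openswan-cert.pem, say) leaves Pluto without
# a certificate to offer. Relative names are resolved under /etc/ipsec.d
# unless a second argument overrides that directory.
check_leftcert() {
  conf=$1 ipsecd=${2:-/etc/ipsec.d} rc=0
  for c in $(sed -n 's/^[[:space:]]*leftcert=//p' "$conf"); do
    case $c in
      /*) path=$c ;;
      *)  path=$ipsecd/$c ;;
    esac
    [ -f "$path" ] || { echo "leftcert not found: $path" >&2; rc=1; }
  done
  return $rc
}

# sh preflight.sh demo: exercise the helpers in a scratch directory.
if [ "${1-}" = demo ]; then
  work=$(mktemp -d)
  add_chap_user "$work/chap-secrets" alice 'S3cret pass'
  printf ': RSA openswan-priv.pem "password"\n' > "$work/ipsec.secrets"
  check_secret_perms "$work/chap-secrets" "$work/ipsec.secrets" \
    || echo "fix with: chmod 600 $work/chap-secrets $work/ipsec.secrets"
  printf 'conn l2tp\n\tleftcert=/etc/ipsec.d/openswan-cert.pem\n' > "$work/ipsec.conf"
  check_leftcert "$work/ipsec.conf" || echo "copy the certificate first"
fi
```

On the gateway the real calls are check_secret_perms /etc/ipsec.secrets /etc/ppp/chap-secrets and check_leftcert /etc/ipsec.conf; a failed permission check is fixed with chmod 600 on the file named in the message.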


The server is ready for use.
For the client side, SSH Sentinel is recommended on Windows 2000; on Windows XP the SSH Sentinel version must be 1.3 or higher.

