This article is meant to help people who run a Linux 2.6.x kernel and want to build a VPN server with software other than the standard IPSec module shipped with the 2.6.x kernels. Because the new FreeSwan version 2.06 has removed the transport option as a connection type and therefore cannot support L2TP (the earlier FreeSwan versions are not supported on 2.6.x kernels), the tool I turned to is OpenSwan.
The tools you need are:
Openswan 2.1.2
OpenSSL 0.9.7
l2tpd 0.69
The tools were tested on Debian 3.0r2 unstable with kernel 2.6.7.
Note:
It is assumed that you have worked with Linux before and can compile and install a kernel!
The scenario is as follows:
You work as a system administrator in a private company whose network consists of 40-50 computers and, say, one server that acts as gateway and firewall, and your boss wants the employees to be able to reach the company's internal network outside working hours in some way, regardless of where they are.
1. Kernel configuration:
The kernel must be compiled with support for IPSec, ESP, AH, PF_KEY and PPP:
CONFIG_NET_KEY=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_XFRM_USER=y
CONFIG_PPP=y
CONFIG_PPP_MULTILINK=y
CONFIG_PPP_FILTER=y
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPP_BSDCOMP=y
Install openswan and openswan-modules-source:
apt-get install openswan openswan-modules-source
(this applies only to Debian), then go to the directory /usr/src/kernel-patches/all/openswan and apply the patch to the kernel:
make kpatch
after which you compile and install the kernel.
2. Generating X509 certificates.
First, why I use certificates rather than preshared keys: it is assumed that the clients using the VPN server will run Windows, and Windows 2000 does not support preshared keys. A further drawback, at least in the scenario I described, is that with preshared keys you also have to list the IP address the client will connect from, which contradicts the scenario "use the server regardless of where they are".
Installing OpenSSL on Debian:
apt-get install openssl libssl0.9.7 libssl-dev
The tools CA.pl and CA.sh, with which the certificates will be generated, are in /usr/lib/ssl/misc.
OpenSSL configuration.
For this particular case there is only one thing that has to be set in the OpenSSL configuration file, and that is
unique_subject = no
Next, generate the CA trust certificate and the CA private key:
cd /usr/lib/ssl/misc
./CA.sh -newca
You will then be prompted for a passphrase for the private key and for information about it. The command above creates a demoCA directory (unless you have explicitly changed it in openssl.cnf). The private key is by default cakey.pem and sits in /usr/lib/ssl/misc/demoCA/private/cakey.pem, and the CA trust certificate sits by default in /usr/lib/ssl/misc/demoCA/cacert.pem.
Next, generate a private key for OpenSwan:
/usr/lib/ssl/misc/CA.sh -newreq
which creates a file named newreq.pem.
Next, sign it with the CA:
/usr/lib/ssl/misc/CA.sh -sign
You will be asked whether to sign the certificate; answer "y".
Note:
At every signing you will be prompted for the passphrase of the CA private key, i.e. the cakey.pem we generated.
Next, create the certificate for the client itself, which is done in exactly the same way as for OpenSwan.
We also create a CRL (Certificate Revocation List):
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out crl.pem
Copy the resulting CRL file to /etc/ipsec.d/crls.
To revoke a certificate:
openssl ca -revoke /etc/ipsec.d/client-cert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /usr/lib/ssl/misc/asCA/private/CAkey.pem:
DEBUG[load_index]: unique_subject = "no"
Revoking Certificate 02.
Data Base Updated
Before generating the client certificate, rename newreq.pem and newcert.pem to something meaningful to you, for example:
mv newcert.pem openswan-cert.pem
mv newreq.pem openswan-priv.pem
Important:
newreq.pem is the private key, and newcert.pem is the signed certificate.
Having renamed the OpenSwan certificate, we do the same with the client certificate:
mv newreq.pem client-priv.pem
mv newcert.pem client-cert.pem
And we copy the certificates to their places:
cp demoCA/cacert.pem /etc/ipsec.d/cacerts/
cp openswan-priv.pem /etc/ipsec.d/private/
cp client-priv.pem /etc/ipsec.d/private/
cp openswan-cert.pem /etc/ipsec.d/
cp client-cert.pem /etc/ipsec.d/
Since PKCS12 is the most widely used format for storing user certificates, here we generate such a file, which will be given to the user of the VPN server.
Generating the PKCS12 file:
openssl pkcs12 -export -in /etc/ipsec.d/client-cert.pem \
-inkey /etc/ipsec.d/private/client-priv.pem \
-certfile /usr/lib/ssl/misc/demoCA/cacert.pem \
-out /etc/ipsec.d/client.p12
The certificate is handed to the client in this format, together with the password that locks client.p12 itself.
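The certificate steps above (CA, OpenSwan and client certificates, CRL, revocation and the PKCS12 bundle) as one script, added here as an example and not part of the original article: the same openssl operations that CA.sh runs interactively, driven non-interactively so the outcome can be checked with openssl verify. It assumes openssl in PATH; the CA layout, file names, subject names and the pass:changeit passphrase are constructed for the example and everything is written under a directory passed as an argument, not under /etc/ipsec.d.

```shell
# Assumes openssl(1) in PATH; every file is written under the directory passed as $1.
set -eu
make_vpn_pki() {
    dir="$1"; mkdir -p "$dir/ca/newcerts" "$dir/ca/private"
    : > "$dir/ca/index.txt"; echo 01 > "$dir/ca/serial"
    cat > "$dir/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $dir/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
unique_subject = no   # the one change the article makes to openssl.cnf
x509_extensions = v3_usr
[ vpn_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_usr ]
basicConstraints = CA:FALSE
EOF
    # CA trust certificate and CA private key (the article's CA.sh -newca)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example VPN CA" -keyout "$dir/ca/private/cakey.pem" -out "$dir/ca/cacert.pem" 2>/dev/null
    for name in openswan client; do   # key + request (CA.sh -newreq), then CA signature (CA.sh -sign)
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca/openssl.cnf" -subj "/CN=$name" \
            -keyout "$dir/$name-priv.pem" -out "$dir/$name-req.pem" 2>/dev/null
        openssl ca -batch -notext -config "$dir/ca/openssl.cnf" -in "$dir/$name-req.pem" -out "$dir/$name-cert.pem" 2>/dev/null
    done
    # Revoke the client certificate and publish the CRL (the file that goes to /etc/ipsec.d/crls)
    openssl ca -batch -config "$dir/ca/openssl.cnf" -revoke "$dir/client-cert.pem" 2>/dev/null
    openssl ca -batch -config "$dir/ca/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
    # PKCS#12 bundle for the Windows user; the passphrase is handed over separately
    openssl pkcs12 -export -in "$dir/client-cert.pem" -inkey "$dir/client-priv.pem" \
        -certfile "$dir/ca/cacert.pem" -passout pass:changeit -out "$dir/client.p12"
}
cert_is_valid() {   # 0 if $2 chains to the CA and is not on the CRL, 1 otherwise
    cat "$1/ca/cacert.pem" "$1/crl.pem" > "$1/trust.pem"
    openssl verify -crl_check -CAfile "$1/trust.pem" "$2" >/dev/null 2>&1
}
```

After make_vpn_pki the OpenSwan certificate verifies and the revoked client certificate does not, which is the check worth repeating whenever a new crl.pem is copied to the gateway.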
3. Configuring OpenSwan
The configuration file is in the /etc directory, and the file itself is called ipsec.conf.
Configuration:
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=dns
    uniqueids=no
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=/etc/ipsec.d/openswan-cert.pem
    left=%defaultroute
conn l2tp
    type=transport
    pfs=no
    leftprotoport=udp/0
    rightprotoport=udp/1701
    right=%any
    auto=add
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
Add the following line to /etc/ipsec.secrets
: RSA openswan-priv.pem "password"
where password is the passphrase of the key.
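A preflight check for the two files just described, added here as an example and not part of the original article: it flags unindented parameter lines in ipsec.conf, any leftcert= or ": RSA" file that does not exist (relative names are resolved under certs/ and private/ of the ipsec.d directory, as Openswan does), and an ipsec.secrets that is readable by anyone but root. The function name and its three arguments (ipsec.conf, ipsec.secrets, the ipsec.d directory) are assumptions made for the example.

```shell
# Added example: sanity-check ipsec.conf and ipsec.secrets before starting pluto.
# Arguments: path to ipsec.conf, path to ipsec.secrets, path to the ipsec.d directory.
check_ipsec_files() {
    conf="$1"; secrets="$2"; ipsecdir="$3"; rc=0
    # Parameter lines inside config/conn sections must be indented, or the file is rejected
    awk '/^(conn|config)[[:space:]]/ {next}
         /^[^[:space:]#]/ && /=/ {print "unindented parameter: " $0; bad=1}
         END {exit bad+0}' "$conf" || rc=1
    # Every leftcert= must name a readable certificate (relative names live in certs/)
    for f in $(sed -n 's/^[[:space:]]*leftcert=//p' "$conf"); do
        case "$f" in /*) ;; *) f="$ipsecdir/certs/$f" ;; esac
        [ -r "$f" ] || { echo "missing certificate: $f"; rc=1; }
    done
    # Every ': RSA file' line must name a readable key (relative names live in private/)
    for k in $(sed -n 's/^:[[:space:]]*RSA[[:space:]]*\([^[:space:]"]*\).*/\1/p' "$secrets"); do
        case "$k" in /*) ;; *) k="$ipsecdir/private/$k" ;; esac
        [ -r "$k" ] || { echo "missing private key: $k"; rc=1; }
    done
    # ipsec.secrets carries the key passphrase in clear text: only root may read it
    [ "$(ls -l "$secrets" | cut -c1-10)" = "-rw-------" ] || { echo "ipsec.secrets must be mode 0600"; rc=1; }
    return "$rc"
}
```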
4. Configuring l2tpd on Debian
Install l2tpd with
apt-get install l2tpd
and edit the file /etc/l2tpd/l2tpd.conf
[global]
port = 1701 # port the daemon itself listens on
listen-addr = x.z.y.u # address of the gateway itself
[lns default]
ip range = 192.168.7.2 - 192.168.7.245 # range of addresses that will be assigned to clients
local ip = 192.168.7.1 # local address of l2tpd
require chap = yes # CHAP authentication is mandatory
refuse pap = yes # reject PAP
require authentication = yes # authentication is mandatory
hostname = some.example.com # host name of the server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd # file with pppd options
length bit = yes
Then create the file /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.12
ms-wins 192.168.1.15
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
nodetach
debug
lock
connect-delay 5000
The server is ready for use.
For the client side it is recommended to use SSHSentinel for Windows 2000; on Windows XP the SSHSentinel version must be 1.3 or higher.