LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
#1  waelaltaqi (Member), 10-13-2006, 03:11 PM
Best suggestion for a VPN firewall.


What is the best suggestion for a cool VPN firewall that I can run in my home network? I was looking around and it looks like there are a lot. I would like to hear your suggestions.

Thanks guys.
 
#2  gizza23 (Member), 10-13-2006, 04:30 PM
IPCop is a lot of fun.
 
#3  joshartman (LQ Newbie), 10-17-2006, 12:15 PM
What about OpenWRT? That is fun and small.
 
#4  andrewdodsworth (Member), 10-18-2006, 04:10 PM
I use OpenVPN.
 
#5  waelaltaqi (Original Poster), 10-19-2006, 03:15 PM
Thanks.

Well, I was trying to set up an IPCop box. It was easy to get it to forward traffic. It's doing DHCP, web proxy and dynamic DNS. I was stuck on the VPN part though.

My network would be:

192.168.0.0/24 <<<<< IPCOP >>>>> realip

The VPN rule is set up to allow 0.0.0.0 from the RED interface to the local network 192.168.0.1/24, with PSK as the authentication method. I tried to set up the Windows VPN client to VPN to my real IP, but I'm getting no response from the IPCop box. Can you guys give me some hints? I've never set up a VPN tunnel before, so I'm kind of confused here.
 
#6  sundialsvcs (LQ Guru), 10-19-2006, 03:25 PM
Go buy a router that has VPN installed. And you're set. "Do it in hardware."
 
#7  waelaltaqi (Original Poster), 10-19-2006, 03:43 PM
I can buy a wireless router that can do it for me, but I would like to try it the hard way, let's say. I'm trying to learn the way it works.
 
#8  sundialsvcs (LQ Guru), 10-20-2006, 01:35 PM

Very well then, padawan...

Okay then, fair enough. First, you need to research the big picture. Understand what the various pieces of VPN are doing. There are two basic systems that you might use, ipsec-tools and OpenSWAN. They are, in fact, very similar. But you must first understand, clearly, the context.

Let me give you a very high-level flight over this strange forest... (I happen to use ipsec-tools, most of the time, so my references to tools and commands will be consistent with that.)

(1) An encrypted VPN tunnel is actually implemented, when all the dust settles, by code in the Linux kernel. Study the setkey command. When you set up what is called a Security Policy Definition (SPD), you are actually defining rules as to what TCP/IP traffic needs to be grabbed and stuffed through the tunnel. Traffic that matches the specified "source" and "destination" addresses, and any other criteria, is magically re-routed through the tunnel. (This is separate and distinct, by the way, from "routing!" Don't look for a routing-table entry because you won't find one.)

(2) A security-policy isn't a tunnel. A policy is what causes a particular item of traffic to be snarfed-up and shoved through a tunnel. But a policy isn't a tunnel. "An instance of a tunnel, proper," is what's called a Security Association (SA). Each conversation gets its own unique, and uniquely-negotiated, tunnel (SA). When Linux sees a policy that says that traffic must be encrypted, but there isn't yet an SA that can be used, Linux sends a request, to racoon (ipsec-tools) or pluto (OpenSWAN), to make one. When they have accomplished this, the traffic goes through the tunnel. Once the negotiations succeed, the SA exists and no further negotiations will need to occur until it needs to be renewed.

(3) The purpose of a tunnel is to make a range of IP-addresses "over there" available "over here." The actual traffic is piped between two specific gateway addresses. Although the concept is the same as "routing," once again, VPN uses a separate mechanism.

(4) Security associations are built using clever, automatic negotiations, which actually happen in two phases. In phase-one, the gateways talk to one another and they agree upon how to establish a secure communication channel between themselves... which they can then use to create tunnels. As each tunnel is requested (see (2)), phase-two negotiations occur across that already-encrypted link to establish the actual SA parameters for a particular tunnel. The racoon/pluto (so-called "ISAKMP") daemons do all sorts of clever things to identify themselves, to coin random-used-once encryption keys, and even to renegotiate new keys from time to time. All uber-magic.

(5) The Linux kernel does all the work of encryption and decryption, once the SA is established. Until such time as a link needs to be re-negotiated, racoon/pluto are not further involved. So the process of transferring the packets is very fast.

(6) Negotiations work by means of proposals. In other words, "Hi there! Here's ten different ways that we could protect this conversation, using cipher and message-digest algorithms that I know. Pick one." The other side looks over the proposals, chooses one, or says NO_PROPOSAL_CHOSEN. Usually it picks the "strongest" method that the two of them mutually support. During all of these negotiations, the answering side is programmed not to reveal information because it does not "trust" the party with which it is negotiating. This can make it very hard to debug connections: the party will say "the answer is 'No!'" and will not explain why. This is by design.

(6b) During phase one, the gateways (which could be "your Linux box") are trying to identify themselves and to establish one another's identity. They're also thinking about things like "man in the middle attacks." This happens "once." During phase two, which happens per-conversation (per-SA) both at the beginning and periodically thereafter, they are negotiating the details of a particular conversation (SA). And they're doing it by sending coded messages across the encrypted link established in phase-one... which is basically a secure, separate, control-channel devised expressly for that one purpose.

(7) VPN was designed by committee. Lots of committees. Lots of choices; some esoteric, some not. You could spend many unsuccessful months trying to "understand it all." That's why it is so important to "understand the forest, first." You need to be able to zero in on what you need to know and do, and exclude what you don't.

(*) You betcha...! Why, I simplified the heck out of this high-level explanation! I waved my hands all over the place. I took all sorts of details and stuffed them down a rabbit-hole. They'll all come hopping back up soon, as you get into it.

(!) You will lose hair! But you are not alone! (Show of hands, here? That many? I believe it.) Yeah, so you're among friends here. But when you finally get it working, you get to wear a pointy wizard-hat.

Last edited by sundialsvcs; 10-20-2006 at 01:53 PM.
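The ipsec-tools pieces the post above walks through, as an added example that is not part of the original post and not the ipsec-tools project's own files: a setkey policy file (the SPD, which ipsec-tools documents as the Security Policy Database) and a racoon.conf carrying the phase-1 and phase-2 proposals, for a tunnel between the 192.168.0.0/24 LAN from the thread and a LAN on the far side. Only 192.168.0.0/24 comes from the thread; the two gateway addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the remote LAN, the algorithm choices (which assume ipsec-tools 0.7 or later for SHA-256) and the file locations are assumptions, and the script writes everything to a scratch directory so it can be read before anything touches a live kernel.

```shell
#!/bin/sh
# Added example (not from the thread): the two halves of an ipsec-tools
# site-to-site tunnel, written to a scratch directory for inspection.
#
# Known from the thread: the home LAN is 192.168.0.0/24 behind a gateway with
# a public address. Everything else is an assumption chosen for illustration.
set -u

LOCAL_NET="192.168.0.0/24"                  # from the thread
LOCAL_GW="${LOCAL_GW:-203.0.113.10}"        # assumed: the box's public ("realip") address
REMOTE_GW="${REMOTE_GW:-198.51.100.20}"     # assumed: the far gateway's public address
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"  # assumed: the LAN "over there"
OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Points (1)/(2) above: the SPD says which traffic must be protected and
# between which gateway addresses; it names no keys. When a packet matches an
# "out" policy and no SA exists yet, the kernel sends an ACQUIRE over PF_KEY
# and racoon negotiates one. "require" means the packet is never sent in clear.
gen_setkey_conf() {
    cat > "$OUTDIR/setkey.conf" <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in  ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Points (4)/(6) above: the "remote" block is the phase-1 proposal (how the
# gateways authenticate and build their control channel); "sainfo" is the
# phase-2 proposal (how each per-conversation SA protects traffic). The peer
# must accept one of each or it answers NO_PROPOSAL_CHOSEN and says no more.
gen_racoon_conf() {
    cat > "$OUTDIR/racoon.conf" <<EOF
path pre_shared_key "$OUTDIR/psk.txt";

remote $REMOTE_GW {
    exchange_mode main;       # main mode: peer identities are sent encrypted
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}

sainfo address $LOCAL_NET any address $REMOTE_NET any {
    pfs_group modp2048;       # fresh DH per phase 2: one SA key does not expose the next
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
EOF
    # PSK file: "<peer address> <secret>", one peer per line, readable by root only.
    ( umask 077; printf '%s %s\n' "$REMOTE_GW" "replace-with-a-long-random-secret" > "$OUTDIR/psk.txt" )
}

write_ipsec_tools_configs() {
    gen_setkey_conf
    gen_racoon_conf
}

# Sanity checks worth running before loading: one policy per direction, and a
# PSK file that no other local user can read.
spd_policy_count() { grep -c '^spdadd ' "$OUTDIR/setkey.conf"; }
psk_file_mode()    { ls -l "$OUTDIR/psk.txt" | cut -c1-10; }

write_ipsec_tools_configs
echo "wrote $OUTDIR/setkey.conf, $OUTDIR/racoon.conf and $OUTDIR/psk.txt"
```

Load the policies with `setkey -f setkey.conf`, then run `racoon -F -f racoon.conf` in the foreground (add `-d` for negotiation debugging, since the peer will not tell you why it refused). `setkey -DP` dumps the SPD and `setkey -D` the SAD, so the first ping from the home LAN to the remote LAN should turn an empty SAD into a pair of ESP SAs. The firewall in front of racoon must pass UDP/500 and IP protocol 50 (ESP), plus UDP/4500 if either gateway is behind NAT. One caveat for the situation earlier in the thread: the VPN client built into Windows speaks PPTP or L2TP over IPsec, not a bare net-to-net IPsec tunnel like this one, so a gateway configured this way will not answer it.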
 
#9  andrewdodsworth (Member), 10-22-2006, 04:50 AM
Apart from IPsec and OpenSWAN there is also OpenVPN, which is userspace, i.e. you don't need to modify or recompile your kernel. I'm not an expert in this stuff, but I chose OpenVPN for a number of reasons:

I didn't have to recompile anything, it is cross-platform and it uses a single UDP port (you can use TCP if you want to) so traversing firewalls and NAT is a cinch. You can even run it between ordinary Windows machines if you want.

However, it will undoubtedly be slower than hardware and probably IPSec and OpenSWAN, but it's easy to try out to see what it's like.

Good luck whatever route you follow.
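What the single-port, userspace design described in the post above looks like in practice, as an added example that is not part of the original post and not the OpenVPN project's own sample config: a minimal server.conf for the 192.168.0.0/24 LAN from the thread, together with the one inbound firewall rule it needs. The 192.168.0.0/24 LAN is from the thread; the tunnel subnet, port, certificate paths, interface name and the `nobody`/`nogroup` account (Debian naming) are assumptions, and the directives assume OpenVPN 2.5 or later.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal OpenVPN 2.5+ server config
# for the home LAN above, plus the single firewall rule it needs, written to
# a scratch directory. Everything except 192.168.0.0/24 is an assumption.
set -u

OUTDIR="${OUTDIR:-$(mktemp -d)}"
LAN_NET="192.168.0.0"; LAN_MASK="255.255.255.0"   # from the thread
VPN_PORT="${VPN_PORT:-1194}"                      # assumed: OpenVPN's default port
WAN_IF="${WAN_IF:-eth0}"                          # assumed: the Internet-facing interface

gen_openvpn_server_conf() {
    cat > "$OUTDIR/server.conf" <<EOF
# Everything rides on this one UDP port, which is why NAT/firewall traversal is simple.
port $VPN_PORT
proto udp
dev tun

# Certificates for mutual TLS authentication (paths assumed; generate with easy-rsa).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# Pre-shared key that encrypts and authenticates the control channel itself, so
# packets from anyone without it are dropped before any TLS work is done.
# Create with: openvpn --genkey secret /etc/openvpn/ta.key
tls-crypt /etc/openvpn/ta.key
data-ciphers AES-256-GCM:AES-128-GCM

# Tunnel address pool (assumed) and the route that makes the home LAN reachable.
server 10.8.0.0 255.255.255.0
push "route $LAN_NET $LAN_MASK"

# Runs entirely in userspace, so it can drop root once the tun device is up.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
EOF
}

# The only inbound hole the firewall needs; traffic arriving on the tun
# interface is then filtered like any other internal interface.
firewall_rule() {
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
}

# How many ports the server listens on (should be exactly one).
listening_ports() { grep -c '^port ' "$OUTDIR/server.conf"; }

gen_openvpn_server_conf
echo "wrote $OUTDIR/server.conf; open it with: $(firewall_rule)"
```

Because all traffic is UDP to one port, the rule above is the whole firewall story on the server side; if the client sits behind a NAT that only passes TCP or a corporate proxy, the `proto tcp` fallback the post mentions costs throughput (TCP-over-TCP retransmission stacking) but still works. The `tls-crypt` line is the piece most worth keeping even on a home box: without it, the UDP port answers TLS handshakes from anyone, which is both a fingerprint and an attack surface.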
 
All times are GMT -5.