Setting up the master and slave Linux systems
8.4.2.2 Setting up the PPP daemon
The PPP daemon is also required on both systems. After youve extracted the source hierarchy, look at the README file appropriate to your system. On a Linux system, run the configure program to copy the Makefiles into place. Next, run make kernel, which will install the updated PPP drivers into your kernel source tree. Youll then have to build a new kernel with these drivers, install it, and reboot. If youve never built a new kernel before, carefully read the README file in the kernel source tree—typically usrsrclinux. The book Running Linux by Matt Welsh and Lar Kaufman OReilly Associates also describes in detail how to build a kernel. On Linux, the PPP drivers can also be built as a kernel module. Modules are typically used to keep the kernel trim, as it doesnt have to load driver modules until they are needed. For this example, since weve already got a small kernel that only needs to do a few things, we just compiled PPP in directly. If the reboot was successful, return to the PPP daemon source tree and run make to build pppd, auxiliary programs, and the manpages, then run make install to put them into place. In the version of pppd we used, 2.3.5, there was a bug in the Linux kernel driver updates that caused compilation to fail for 2.0.x kernels. While we expect that the authors will have this fixed in future releases, we thought that we would mention it here. If compilation of ppp.c fails with complaints about too few arguments in dev_kfree_skb, edit line 3079 in ppp.c, make VERSION equal to your version of the kernel e.g., change 2,1,86 to 2,0,33. A good place to go for help on these types of problems is the USENET group comp.os.linux.networking or linux.dev.ppp. Once everything is in place, try running pppd from the command line on both the master and slave. On the slave, put a file called .ppprc in vpn1s home directory containing only the word passive. You should see a bunch of garbage characters start to scroll across your terminal screen. It should time out after thirty seconds or so, or you can escape from it by pressing Enter, then ~, then Control-Z. Then kill the process with kill 1 . If you didnt see garbage, something is probably wrong with the PPP daemon itself. On a Linux system, check the varadmmessages and varadmsyslog files for clues or check etcsyslog.conf to see where your files reside. Typically, the messages file will tell you if the daemon started successfully, and syslog will give you protocol-specific errors. If the daemon doesnt believe that the PPP drivers are compiled into the kernel, it will give you a message stating so right away. Use the dmesg command to see if the PPP drivers were loaded.8.4.2.3 Creating a user account on the slave
Because were going to launch the VPN script on the master from startup it will run as root, so theres no need to create a separate VPN account on that box. On the slave, however, its better to create a separate account for the VPN connection rather than logging in as root. This will 134 also allow you to create several accounts for several different VPNs, if different masters are all logging into the same slave. You might have this situation when there are several branch office masters setting up VPNs with one central office slave. For our purposes, well call the user account vpn1. Give it a password thats hard to crack, and it doesnt need to be easy to remember—were going to be using RSA authentication for the SSH login.8.4.2.4 Setting up SSH authentication
Weve already gone through how to set up SSH on a system. Once you set up the SSH daemon to launch at startup, follow these steps to set up SSH authentication: 1. On the master host, set up a key pair for the root account using the ssh-keygen program. If one already exists, check to make sure no existing services are using it. If not, you might want to go ahead and set one up again in order to make sure the keys are not compromised. This process will create the HOME.sshidentity and HOME.sshidentity.pub files for root. When youre prompted for a passphrase, leave it blank and press Enter. Because the VPN script might start up while the machine is unattended such as after a remote reboot, we dont want it to have to enter the passphrase in order to connect with the SSH client. 2. Log into the slave as vpn1 or su to that user. Run ssh-keygen for that user. In that users home directory, create a .rhosts file with the hostname of the master master- gw and the account that the master is going to be logging in as—in this case its vpn1. 3. Next you want to add the slaves public host key to the roots known_hosts file on the master. The easiest way to do this is to run ssh to connect to the slave, and ssh will automatically ask you if you wish to add the slaves public key to the file, to which you respond yes. To add the masters public host key to vpn1s known_hosts file, you can either try to connect to it using the SSH client, or copy the key from etcssh_host_key.pub. 4. Next, copy roots public key from identity.pub on the master and put it in vpn1s authorized_keys file. At this point, we have .rhosts, RSA host, and RSA user authentication all enabled for this connection, providing maximum security. To further tighten security, we can edit the etcsshd_config file on both hosts and modify or verify the following entries: PermitRootLogin no StrictModes yes RhostsAuthentication no RhostsRSAAuthentication no RSAAuthentication yes PasswordAuthentication no AllowHosts master-gw.ora-vpn.com slave-gw.ora-vpn.com admin.ora-vpn.com The PermitRootLogin setting of no will prevent root from logging in to either system using SSH. A StrictModes of yes means that the SSH daemon will complain if a users home directory is world-writable. The next few entries control the types of authentication permitted: • Setting RhostsAuthentication to no which is the default means that rhosts authentication alone is not enough to allow a user to make an SSH connection.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more