Virtual Private Networks: Difference between revisions


Revision as of 13:39, 14 September 2005

Preface

This page is also available in German.

Definition

A regular, physically existing network of cables, routers, switches and so on is simply called a network. You run the familiar Internet protocols of layers 1-4 on it. You can also use those protocols to emulate a virtual network on top of it. If you additionally secure that tunnel with encryption, the tunneled data may be called a virtual private network. This is used in various scenarios, mostly for tunneling sensitive information over an inherently insecure infrastructure, for example to connect two corporate LANs over the Internet.

Theory

Virtualization in most environments is done in layer 2 (IP). You tunnel the data of the virtual network encapsulated in IP packets, for example.

Implementation

OpenVPN

PPTP (Microsoft)

Preface

How does it work?

Authentication

Encryption

Servers

Implementation Windows

Implementation Linux

The implementation basically consists of three parts: first, the PPTP daemon that is needed to handle the PPTP connections; second, a PPP daemon that is needed to dial into the network from the remote site; and last but not least, you might want to encrypt your PPTP data tunnel. This is accomplished at the PPP level with MPPE. Since MPPE isn't secure and has been announced obsolete by Microsoft, there is no strong will to implement support in the Linux kernel itself, so you have to patch your kernel to get the module.

Poptop - The PPTP Server for Linux

I used Debian Sarge as a base system. Your mileage may vary on other platforms; the setup on a Debian machine is pretty straightforward. This howto explains everything step by step:

Debian-poptop-Howto

For the MPPE patch you might want to use this howto:

Debian-MPPE-Howto

I can confirm this to be working perfectly on the current Sarge kernel (2.6.8-2). You might want to run make menuconfig or make oldconfig to ensure that MPPE support is being built.

Just configure

/etc/modules.conf
/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets

to your needs. You can find some help here:

poptop Documentation: http://poptop.sourceforge.net/dox/

modules.conf and chap-secrets don't need to be explained here, and options.pptpd only needs a few adjustments for your personal setup. Check that the name of the service is correctly referenced in both options.pptpd and chap-secrets. The most interesting file is pptpd.conf. The options you should have a closer look at are

bcrelay <if>
localip/remoteip

Check that your router is correctly routing VPN clients between ppp0 and eth0.
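As an added example (not part of the wiki page or of the poptop project), a small POSIX shell script that makes the checks above explicit: it writes constructed sample copies of the three files to a temporary directory and verifies that the pppd "name" in options.pptpd matches the server field of every chap-secrets entry, that weak authentication is refused and MPPE-128 is required, and that localip and remoteip are set in pptpd.conf. The user names, secrets and addresses in the samples are invented placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check a poptop setup.
# Constructed copies of pptpd.conf, options.pptpd and chap-secrets are
# written to a temp dir; the real ones live under /etc and /etc/ppp.
set -u
WORK="${TMPDIR:-/tmp}/pptp-check.$$"; mkdir -p "$WORK"
cat > "$WORK/pptpd.conf" <<'EOF'
option /etc/ppp/options.pptpd
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
bcrelay eth0
EOF
cat > "$WORK/options.pptpd" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
EOF
cat > "$WORK/chap-secrets" <<'EOF'
# client   server  secret            IP addresses
alice      pptpd   "Example-Only-1"  *
bob        pptpd   "Example-Only-2"  192.168.0.245
EOF
# service_name FILE: the "name" pppd announces; chap-secrets keys on it
service_name() { awk '$1 == "name" { print $2; exit }' "$1"; }

# secrets_match OPTIONS SECRETS: 0 if every chap-secrets server field
# equals that name (a mismatch makes the CHAP secret lookup fail)
secrets_match() {
  n=$(service_name "$1"); [ -n "$n" ] || return 1
  awk -v n="$n" '!/^[ \t]*#/ && NF >= 3 && $2 != n { bad = 1 }
                 END { exit bad ? 1 : 0 }' "$2"
}

# mppe_required OPTIONS: 0 if weak auth is refused and MPPE-128 is required
mppe_required() {
  for o in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128
  do grep -qx "$o" "$1" || return 1; done
}
# addresses_set PPTPD_CONF: 0 if both localip and remoteip are configured
addresses_set() { grep -q '^localip ' "$1" && grep -q '^remoteip ' "$1"; }

# run_checks: all checks on the sample files; 0 means the setup is consistent
run_checks() {
  secrets_match "$WORK/options.pptpd" "$WORK/chap-secrets" &&
  mppe_required "$WORK/options.pptpd" && addresses_set "$WORK/pptpd.conf"
}
```

Point the three functions at /etc/pptpd.conf, /etc/ppp/options.pptpd and /etc/ppp/chap-secrets to check a real installation.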

Clients

Windows

Linux

pptclient

MacOS

Mac OS X supports VPN connections out of the box since 10.3. Included are clients for PPTP and L2TP over IPsec. Unfortunately, not all of the major open source clients seem to have been ported to this platform. But the 10.3+ clients are well integrated into the OS and provide a basic level of functionality that should be sufficient. The built-in clients are available via "Internet Connect.app", where you can set up new VPN connections.

IPSec

isakmpd (originally OpenBSD)

Freeswan

Openswan

L2TP/IPSec