T-110.5201 Laboratory Works on Information Security (5 cr)

Lab 5: VPN


IP Security Architecture

This assignment introduces you to the Virtual Private Network (VPN) concept. You will use IPsec to establish a VPN in practice by creating and examining a host-to-net VPN scenario (see the figure below). A roadwarrior host (RW) establishes a secure tunnel to a gateway (GW). Traffic can flow from the roadwarrior through the gateway to a client (C) and back. Hosts on the right-side local link cannot eavesdrop on or modify the traffic flowing inside the tunnel. The goal of this assignment is to test communication between the client and the roadwarrior by successfully pinging and tracerouting each host in both directions. This assignment uses IPsec tunnel mode with the Openswan IPsec implementation. In addition, RSA private keys are used as secrets.

The notation xxx(y) in this document refers to the UNIX manual page relevant to that phase. Use the command man y xxx to read it.

 

Network configuration

Note: the above addresses for eth0 interfaces are not up-to-date - your addresses are actually in the 172.16.0.0/16 network.

Client, Gateway, and Roadwarrior

Install the openswan package if it has not been preinstalled.

Set up the eth1/eth2 interfaces of the client, the gateway, and the roadwarrior hosts. The eth1 interfaces on C and RW must be in different subnets (think of RW's eth1/GW's eth2 subnet as the Internet, through which you want to create the secure tunnel). The eth1 interfaces on C/GW then form a "LAN" subnet, and the RW wants to communicate with that LAN. In this exercise, the eth0 interfaces are only used for SSH remote access. Do not use them for any other traffic. Verify that you can ping the gateway from the other hosts, and that you cannot ping the roadwarrior from the client or vice versa. Write down the network configuration.

ifconfig (8), ping (8)

Examine the Openswan configuration on these hosts. The hosts have Openswan installed, but not yet fully configured. Examine the example ipsec configuration files /etc/ipsec.conf and /etc/ipsec.secrets.

ipsec.conf(5), ipsec.secrets(5)

In case you cannot find existing secrets, you can use the following command on the gateway and on the roadwarrior hosts:
ipsec newhostkey --verbose --bits 256 --output /etc/ipsec.d/gw-rw.secrets
Print the corresponding public key on each host with the command ipsec showhostkey --left

ipsec(8)

The command ipsec barf also gives lots of information about the IPsec subsystems and configuration files.

Update 1:

You can uncomment the line:

# plutodebug="control parsing"

in ipsec.conf to get more debug information.

 

Question set 1:

1.1 What is the purpose of the two files? How do they need to be protected? 1 p
1.2 What do the terms "left" and "right" stand for in the configuration files? 1 p
1.3 Explain the following parameters that can be set in ipsec.d/*.conf or ipsec.conf: leftid, leftrsasigkey, leftsubnet, rightsourceip. 2 p
1.4 What is the problem with the given command to create the secret? 1 p

You have at least two options for establishing a host-to-net VPN. You can set up a new virtual subnet, to which no hosts initially belong, but to which RW will be added by Openswan. Alternatively, you can allocate the RW an address from the "LAN subnet", i.e. the one to which C belongs (this type of configuration is called "extruded subnet"). In our topology, the choice only results in minor differences. We describe how to assign RW an address from the LAN subnet.

Openswan is able to use an identical configuration on both the GW and the RW in favorable situations, such as ours.

Copy the template for /etc/ipsec.d/road.conf shown below and place it on both the GW and RW. Configure Openswan to include this config and fill in the missing values. It is sufficient to have a single-host subnet on the roadwarrior side, i.e. you can use /32 in the RW-side subnet specification.

ipsec.conf(5)

road.conf
conn road
    left=
    leftid=
    leftsourceip=
    leftrsasigkey=
    leftsubnet=
    right=
    rightid=
    rightsourceip=
    rightrsasigkey=
    rightsubnet=
    auto=add

On the gateway, use the commands sysctl -w net.ipv4.ip_forward=1 and sysctl -w net.ipv4.conf.all.rp_filter=0

sysctl(8)

Restart the IPSec subsystems using the command /etc/init.d/ipsec restart on the gateway and on the roadwarrior.
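
A check worth running on both hosts before the restart above, given here as an added example that is not part of the lab hand-out: it verifies that every key of the road.conf template has been given a value and that the main configuration actually includes the file. The function names lint_road_conf and is_included are hypothetical, and the script assumes indented section parameters and ipsec.conf-style include lines.

```shell
#!/bin/sh
# Added example (not part of the lab hand-out): pre-flight checks for road.conf.

# Keys from the road.conf template; each one must carry a value.
REQUIRED_KEYS="left leftid leftsourceip leftrsasigkey leftsubnet
right rightid rightsourceip rightrsasigkey rightsubnet auto"

# lint_road_conf FILE: print one line per problem; succeed only if there are none.
lint_road_conf() {
    conf=$1
    problems=0
    if ! grep -Eq '^conn[[:space:]]+road[[:space:]]*$' "$conf"; then
        echo "no 'conn road' section header"
        problems=$((problems + 1))
    fi
    for key in $REQUIRED_KEYS; do
        # Section parameters are indented; only the first match is inspected.
        line=$(grep -E "^[[:space:]]+${key}[[:space:]]*=" "$conf" | head -n 1)
        value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        if [ -z "$line" ]; then
            echo "$key: not present"
            problems=$((problems + 1))
        elif [ -z "$value" ]; then
            echo "$key: left empty"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# is_included MAIN_CONF PATH: succeed if an uncommented "include" line in
# MAIN_CONF names PATH, either literally or through a glob.
is_included() {
    main_conf=$1
    target=$2
    while read -r pattern; do
        case $target in
            $pattern) return 0 ;;   # unquoted on purpose: treated as a glob
        esac
    done <<EOF
$(sed -n 's/^include[[:space:]][[:space:]]*//p' "$main_conf")
EOF
    return 1
}

# Demo on a constructed, half-filled template (the address is a placeholder).
demo_conf=$(mktemp)
printf 'conn road\n    left=192.0.2.1\n    leftid=\n    auto=add\n' > "$demo_conf"
lint_road_conf "$demo_conf" || echo "road.conf is not ready"
rm -f "$demo_conf"
```

On the lab hosts the calls would be lint_road_conf /etc/ipsec.d/road.conf and is_included /etc/ipsec.conf /etc/ipsec.d/road.conf. The lint only checks that values are present, not that they are correct for your topology.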

Question set 2:

2.1 Describe your network configuration. What IPs did you assign to the interfaces (4 interfaces in all) of each of the three hosts? Explain your settings in road.conf. 2 p
2.2 What network address space did you assign to the "LAN" subnetwork behind the gateway where the client resides? How does this correspond to the left/rightsourceip parameter in the roadwarrior configuration? 1 p

Establish security associations (SA)

You must initiate the IPSec SA handshakes from the roadwarrior. Use command ipsec auto --up road .

ipsec_auto(8)

To stop the connection, use the command ipsec auto --down road .

You can use command ipsec auto --status to check the current connection status and command setkey -D to view the security associations.

Update. You may also print the current IPSec policies by using command ip xfrm policy list.

setkey(8), ip (8)

If the security associations were correctly created, you can try to ping and traceroute the hosts (in both directions). Use tcpdump to view the network traffic on each host.

Question set 3:

3.1 What details can you find about the security associations? How are security associations identified? Include the output from the preceding commands. 2 p
3.2 Give an example of the output of tcpdump when examining traffic over the IPSec tunnel. 1 p
3.3 What is wrong with the current configuration? 1 p

On the gateway, give the command sysctl -w net.ipv4.conf.eth1.proxy_arp=1. You probably had to add extra routes before enabling Proxy ARP to make some communications work - remove them now. Again, use ping and traceroute (in both directions). Use tcpdump to view the network traffic on each host.

arp(7), route(8)

Question set 4:

4.1 How did the previous commands change your configuration? Use arp -an on the client host to view the ARP entries. How does one of the entries correspond to the gateway? 1 p
4.2 Give an example of the output of tcpdump when examining ping traffic on the RW. You should see some unencrypted traffic. Why? 1 p

arp(8)

Question set 5:

5. Once you are satisfied with the VPN configuration, run ipsec barf and show the output. 1 p
6. Extra points for an excellent demo, or in-depth mastery of the topic or software. 3 p