Getting Started with IPsec

A tbird posting to The Shmoo Group about how to begin implementing a standards-based VPN.

On Wed, 6 Mar 2002, Paul Holman wrote:

I've been putting off use of VPNs for having had a terrible time with the clients in the past. In general, I try to do application layer encryption/authentication, but that argument starts to break up when you're just wrapping everything with SSH or SSL.

There are some reasons I'm interested in giving this a shot: Securing NFS & Remote access to internal network resources come to mind.

So I could use some guidance as I jump into this. My plan is to hook up with another novice friend tomorrow night and try playing with some Windows & Linux machines to see if we can get them working. Maybe MacOS X too.

I assume I should be using Free S/WAN on Linux. What about Windows? What the hell is that "Click here for a VPN" shit in Win2K? PPTP? Should I be using that or not? Where do I start?

Greetz all --

The FreeS/WAN implementation has gotten a lot easier to use in the last couple of years, but OpenBSD's built-in IPsec support also has a lot of users. FreeS/WAN has beautifully thorough documentation maintained by Sandy Harris; it's at
http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/index.html

My favorite starting document for OpenBSD is
http://www.secureops.com/vpn/ipsecvpn.html

In either case, here's a brief list (in no particular order) of things to watch out for, general suggestions, and other useful URLs:

  • Most everything I know about troubleshooting is at
    http://vpn.shmoo.com/vpn/ipsec_troubleshooting.pdf
  • Routing is what usually proves to be the most annoying. You don't need to configure a default route for the VPN connection anywhere but in the VPN configuration files. Resist the urge. If your traffic doesn't get from point A to point B, it's usually a problem with the security associations you're setting up. Or, if the box is firewalled, you've forgotten to set up rules allowing the encrypted traffic.
  • Get the IPsec connection up and running using secret keys and no IKE; then add in IKE for session negotiation. [Confession: this definitely used to be good advice, but I haven't set anything up from scratch in a while. It's conceivable that IKE is easier to use now, and it's certainly true that IKE's error messages are fairly indicative of what's wrong.]
  • Windows 2000 has built-in IPsec networking obtained from Cisco. It's a pretty clean implementation. The empire's starting point for documentation is at
    http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
  • Everything in the universe that I know about VPNs is pretty much on
    http://vpn.shmoo.com and the associated mailing list, vpn@lists.shmoo.com

You don't want to use PPTP. The VPN site has Windows IPsec clients listed if you need to support non-2k boxen.

Hope that helps.

cheers -- tbird
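The firewall point in the list above (encrypted traffic dropped because nobody wrote rules for it) is the one most worth a concrete check, so here is an added example, not part of tbird's reply or of FreeS/WAN itself. It assumes a Linux gateway filtering with iptables; the peer address 192.0.2.1 is a constructed placeholder. The function emits the rules that let IKE (UDP port 500) and the ESP/AH packets (IP protocols 50 and 51, which have no ports) through for one peer, so you can review them before applying.

```shell
#!/bin/sh
# Added example: generate (or apply) the iptables rules a firewalled IPsec
# gateway needs so the encrypted traffic itself is not dropped.
# Assumes Linux netfilter; peer addresses are constructed placeholders.

# Print the rules for one peer. $1 = remote gateway address.
ipsec_fw_rules() {
    peer="$1"
    [ -n "$peer" ] || { echo "usage: ipsec_fw_rules PEER" >&2; return 1; }
    # IKE negotiation runs over UDP port 500 in both directions.
    echo "iptables -A INPUT  -p udp -s $peer --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -p udp -d $peer --dport 500 -j ACCEPT"
    # ESP (protocol 50) carries the encrypted packets, AH (protocol 51)
    # the authentication-only ones. Neither has ports, so match on protocol.
    for proto in esp ah; do
        echo "iptables -A INPUT  -p $proto -s $peer -j ACCEPT"
        echo "iptables -A OUTPUT -p $proto -d $peer -j ACCEPT"
    done
}

# Apply the rules: feed the generated commands to a shell (run as root).
ipsec_fw_apply() {
    ipsec_fw_rules "$1" | sh
}

# Dry run with a constructed peer address: ./ipsec_fw.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ipsec_fw_rules 192.0.2.1
fi
```

These rules cover only the encrypted side of the tunnel. With FreeS/WAN's KLIPS the decrypted packets reappear on a virtual ipsec0 interface, so the plaintext traffic between the two private subnets needs its own accept rules there as well; forgetting that second half produces the same "IKE is up but nothing flows" symptom the list above describes.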