VPN client-to-site over IPSec

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

VPN client-to-site over IPSec

João Salvatti
Hi Misc,

Is it possible to implement a client-to-site VPN over IPSec? I have
searched on the web, but only found site-to-site models.

Thanks in advance.

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Toni Mueller-10
Hi,

On Fri, 03.04.2009 at 12:43:33 -0300, JoC#o Salvatti <[hidden email]> wrote:
> Is it possible to implement a client-to-site VPN over IPSec? I have
> searched on the web, but only found site-to-site models.

what exactly do you mean by "client to site"?

You can distinguish between transport mode, where you use the IP that
you actually use, as an endpoint, and tunnel mode, where you assign an
IP of your chosing for use inside the tunnel, and then use that IP for
all of your connections.

Usually, "site-to-site" is associated with tunnel mode, and I currently
see no reason, and much less any advantage, in using transport mode.


Kind regards,
--Toni++

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Marcello Cruz-2
Toni,

Do you mean a VPN where only a HOST will access an entire NETWORK? If so,
then the answer is YES.

For instance, I have some OpenBSD servers acting as VPN Server and they
allow me to connect from home to the networks behind those OpenBSD servers.

PC ------ Internet ------ OpenBSD -------- LAN
PC ------------ IPSec Tunnel -------------- LAN

I also have other situations where I need an entire LAN communicate with
other LAN, like:

LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
LAN ----------------------- IPSec Tunnel --------------------------- LAN

What do you need?

----- Original Message -----
From: "Toni Mueller" <[hidden email]>
To: <[hidden email]>
Sent: Friday, April 03, 2009 5:43 PM
Subject: Re: VPN client-to-site over IPSec


> Hi,
>
> On Fri, 03.04.2009 at 12:43:33 -0300, JoC#o Salvatti <[hidden email]>
> wrote:
>> Is it possible to implement a client-to-site VPN over IPSec? I have
>> searched on the web, but only found site-to-site models.
>
> what exactly do you mean by "client to site"?
>
> You can distinguish between transport mode, where you use the IP that
> you actually use, as an endpoint, and tunnel mode, where you assign an
> IP of your chosing for use inside the tunnel, and then use that IP for
> all of your connections.
>
> Usually, "site-to-site" is associated with tunnel mode, and I currently
> see no reason, and much less any advantage, in using transport mode.
>
>
> Kind regards,
> --Toni++

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

João Salvatti
Hi folks,

google "ipsec road warrior openbsd", solve my problem!

Thanks for all.


On Fri, Apr 3, 2009 at 6:26 PM, Marcello Cruz <[hidden email]>
wrote:

> Toni,
>
> Do you mean a VPN where only a HOST will access an entire NETWORK? If so,
> then the answer is YES.
>
> For instance, I have some OpenBSD servers acting as VPN Server and they
> allow me to connect from home to the networks behind those OpenBSD servers.
>
> PC ------ Internet ------ OpenBSD -------- LAN
> PC ------------ IPSec Tunnel -------------- LAN
>
> I also have other situations where I need an entire LAN communicate with
> other LAN, like:
>
> LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
> LAN ----------------------- IPSec Tunnel --------------------------- LAN
>
> What do you need?
>
> ----- Original Message ----- From: "Toni Mueller" <[hidden email]>
> To: <[hidden email]>
> Sent: Friday, April 03, 2009 5:43 PM
> Subject: Re: VPN client-to-site over IPSec
>
>
>> Hi,
>>
>> On Fri, 03.04.2009 at 12:43:33 -0300, JoC#o Salvatti <[hidden email]>
>> wrote:
>>>
>>> Is it possible to implement a client-to-site VPN over IPSec? I have
>>> searched on the web, but only found site-to-site models.
>>
>> what exactly do you mean by "client to site"?
>>
>> You can distinguish between transport mode, where you use the IP that
>> you actually use, as an endpoint, and tunnel mode, where you assign an
>> IP of your chosing for use inside the tunnel, and then use that IP for
>> all of your connections.
>>
>> Usually, "site-to-site" is associated with tunnel mode, and I currently
>> see no reason, and much less any advantage, in using transport mode.
>>
>>
>> Kind regards,
>> --Toni++
>
>



--
"Se Debugar i a arte de remover bugs, programar i a arte de inserm-los".

Donald E. Knuth.

--
Joco Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Toni Mueller-10
In reply to this post by Marcello Cruz-2
Hi,

On Fri, 03.04.2009 at 18:26:45 -0300, Marcello Cruz <[hidden email]> wrote:
> Do you mean a VPN where only a HOST will access an entire NETWORK? If so,
> then the answer is YES.

I don't "need" anything specifically right now which would fit into
this thread, but asked questions to better understand what the original
poster wanted to achieve.

> For instance, I have some OpenBSD servers acting as VPN Server and they  
> allow me to connect from home to the networks behind those OpenBSD
> servers.

Me too.

> PC ------ Internet ------ OpenBSD -------- LAN
> PC ------------ IPSec Tunnel -------------- LAN
>
> I also have other situations where I need an entire LAN communicate with  
> other LAN, like:
>
> LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
> LAN ----------------------- IPSec Tunnel --------------------------- LAN

I just wanted to say that, network-wise, configuring the first
scenario, assuming that you mean transport mode, almost never makes
sense, or at least not to me, and that the the second scenario should
be the default configuration, even if "LAN" and "OpenBSD/Other" might
collapse into only one computer.


Kind regards,
--Toni++

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Janne Johansson
In reply to this post by João Salvatti
Joco Salvatti wrote:
> Hi Misc,
>
> Is it possible to implement a client-to-site VPN over IPSec? I have
> searched on the web, but only found site-to-site models.

http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Marcos Laufer - Ipv4networks.com
In reply to this post by Marcello Cruz-2
Marcello ,

If you don't mind, i'd like to know more info or what to read to
acomplish your first scenario:

PC ------ Internet ------ OpenBSD -------- LAN
PC ------------ IPSec Tunnel -------------- LAN

Thanks!
Marcos Laufer

Marcello Cruz escribiC3:

> Toni,
>
> Do you mean a VPN where only a HOST will access an entire NETWORK? If
> so, then the answer is YES.
>
> For instance, I have some OpenBSD servers acting as VPN Server and
> they allow me to connect from home to the networks behind those
> OpenBSD servers.
>
> PC ------ Internet ------ OpenBSD -------- LAN
> PC ------------ IPSec Tunnel -------------- LAN
>
> I also have other situations where I need an entire LAN communicate
> with other LAN, like:
>
> LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
> LAN ----------------------- IPSec Tunnel --------------------------- LAN
>
> What do you need?
>
> ----- Original Message ----- From: "Toni Mueller" <[hidden email]>
> To: <[hidden email]>
> Sent: Friday, April 03, 2009 5:43 PM
> Subject: Re: VPN client-to-site over IPSec
>
>
>> Hi,
>>
>> On Fri, 03.04.2009 at 12:43:33 -0300, JoC#o Salvatti
>> <[hidden email]> wrote:
>>> Is it possible to implement a client-to-site VPN over IPSec? I have
>>> searched on the web, but only found site-to-site models.
>>
>> what exactly do you mean by "client to site"?
>>
>> You can distinguish between transport mode, where you use the IP that
>> you actually use, as an endpoint, and tunnel mode, where you assign an
>> IP of your chosing for use inside the tunnel, and then use that IP for
>> all of your connections.
>>
>> Usually, "site-to-site" is associated with tunnel mode, and I currently
>> see no reason, and much less any advantage, in using transport mode.
>>
>>
>> Kind regards,
>> --Toni++

Reply | Threaded
Open this post in threaded view
|

Re: VPN client-to-site over IPSec

Marcello Cruz-2
Marcos,

Basically I use the ISAKMPD (daemon) started up from rc.conf.local. The daemon
reads the configurarion from isakmpd.conf and isakmpd.policy. Also, my pf.conf
has rules to block any attempt to access the VPN from unauthorized hosts. This
kind of VPN is perfect for a Windows PC and you can use the ipsecmd or netsh
or ipsecpol scripts or the GUI interface to establish the tunnel to the
network you just created the tunnel. You can use any OS PC to access the VPN,
but this is the scenario my clients ask for.

Below is a sample for the files needed. Please, see that you can add the lines
or modify an existing file to reflect the excerpt.

Pay attention to some modifications you MUST do. In the isakmpd.conf you must
change the settings in bold to reflect your system. For example:
* 212.212.212 is the IP address of your external interface (Internet). It can
be an IP address or an interface, like xl0.
* 222.222.222.222 represents the IP address of the gateway that establishes
the tunnel LAN-LAN.
* your-pre-shared-key-string1 and your-pre-shared-key-string2 must reflect the
pass-phrase used to authenticate your networks and PCs. Basically, it is your
"poor" security mechanism. A better aproach will be the use of certificates.
The can be the same, or not.
* 192.168.0.0 and 255.255.255.0 must identify your network and network mask,
respectively
* 10.0.0.0 and 255.0.0.0 must identify the remote network and network mask,
respectively

As I said before, the use of certificates for a PC-LAN tunnel is more secure
and better manageable as various users can use this VPN. This iskampd.policy
file is very simple, you can do more than that, if you need so.

The flag "-L" creates the file /var/run/isakmpd.pcap that helps to identify
problems to establish the VPN. You can use a command like tcpdump -avs 1440
/var/run/isakmpd.pcap to follow the negotiation between the hosts involved.
After the diagnosis, you can remove the flag "-L" from your configuration -
this file can grow fast depending on the use of the VPN. Also, you can use the
tcpdump to see if UDP/500 traffic has been blocked by your firewall.

The isakmpd.conf below supports the two types of VPN I commented before.

The pf.conf is a joint of various firewalls, so it is a little confusing and
some rules may be not necessary. As you can see, I have a file with the hosts
that can connect to the vpn (despite the pass-phrase). The IP address pointed
by the macro netX_fw could be in the files vpn-cli.txt. With the netX-lan is
slightly different because the tunnel has two blocking points: the gateways
involved and the hosts/lans involved. As you can see, you can block the
traffic inside the tunnel. In the kind of VPN you asked for, the gateway is
the same as the endpoint.

Finally, here are two ways to connect a Windows PC with the tunnel: ipseccmd
and netsh. The ipsecpol is old (Windows 2000) and the GUI way have a KB
article from Microsoft (http://support.microsoft.com/kb/816514/en-us). There
is a problem with the W2K8 and Vista with IPSec. You call any of the scripts
providing your IP address as a parameter, like:
* c:\mytunnel_ipseccmd.cmd <mi_direccion_ip>
* c:\mytunnel_netsh.cmd <mi_direccion_ip>


Just for the sake of curiosity: where are you from? IB4m from Brazil.

Best Regards,
Marcello

c:\mytunnel_ipseccmd.cmd
ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.0.0/255.255.255.0 -n ESP[3DES,SHA] -t
212.212.212.212 -a PRESHARE:"your-pre-shared-key-string2" -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.0.0/255.255.255.0=0 -n ESP[3DES,SHA] -t %1 -a
PRESHARE:"your-pre-shared-key-string2" -1s 3DES-SHA-2

c:\mytunnel_netsh.cmd
netsh ipsec dynamic add mmpolicy name=Remoto-MM mmsecmethods=3DES-SHA1-2
netsh ipsec dynamic add qmpolicy name=Remoto-QM soft=no pfsgroup=NOPFS
qmsecmethods=ESP[3DES,SHA1]

netsh ipsec dynamic add rule srcaddr=0.0.0.0 dstaddr=192.168.0.0
mmpolicy=Remoto-MM qmpolicy=Remoto-QM mirrored=no srcmask=32 dstmask=24
tunneldstaddres=212.212.212.212 psk=your-pre-shared-key-string2

netsh ipsec dynamic add rule srcaddr=192.168.0.0 dstaddr=0.0.0.0
mmpolicy=Remoto-MM qmpolicy=Remoto-QM mirrored=no srcmask=24 dstmask=32
tunneldstaddres=%1 psk=your-pre-shared-key-string2

/etc/pf.conf
table <vpn_cli> persist file "/etc/folder/vpn-cli.txt"
netX_fw = "222.222.222.222"
netX_lan = "10.0.0.0/24"

# Rules to permit LAN-LAN IPSec traffic
#######################################
pass in  quick on $ext_if inet proto esp from { $netX_fw } to $ext_if
pass out quick on $ext_if inet proto esp from $ext_if to { $netX_fw }
pass in  quick on $ext_if inet proto udp from { $netX_fw } to $ext_if port
isakmp keep state
pass out quick on $ext_if inet proto udp from $ext_if to { $netX_fw } port
isakmp keep state

# Rules to permit PC-LAN IPSec Traffic
######################################
pass in  quick on $ext_if inet proto esp from <vpn_cli> to $ext_if
pass in  quick on $ext_if inet proto esp from $ext_if to <vpn_cli>
pass in  quick on $ext_if inet proto udp from <vpn_cli> to $ext_if port isakmp
keep state
pass out quick on $ext_if inet proto udp from $ext_if to <vpn_cli> port isakmp
keep state

# Rules to encapsulate/decapsulate IP Traffic
#############################################
pass in  quick on enc0 proto ipencap all
pass out quick on enc0 all

# VPN rules between endpoints of the tunnel
###########################################
pass  in  quick log on enc0 inet proto tcp from <vpn_cli> port 1433 to {
192.168.0.1, 192.168.0.254 } keep state
block out quick log on enc0 inet proto tcp from ! 192.168.0.100 to <cpn_cli>
port { 1433, 22, 80, 443 }
block in  quick log on enc0 inet proto tcp from <vpn_cli> port { 1433, 22, 80,
443 } to ! 192.168.0.100
pass  in  quick log on enc0 inet from $netX_lan to $int_net keep state
pass  out quick log on enc0 inet from $int_net to $netX_lan keep state

/etc/folder/vpn-cli.txt
200.200.200.200
192.168.99.1

/etc/rc.conf.local
isakmpd_flags="-L"

/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"

/etc/isakmpd/isakmpd.conf
[General]
Listen-on=                      212.212.212.212
Default-phase-1-lifetime=       1200,60:86400
Default-phase-2-lifetime=       3600,60:86400

[Phase 1]
222.222.222.222=        FW-NetworkX
Default=                RemoteClient

[Phase 2]
Connections=            IPSec-NetworkX
Passive-Connections=    IPSec-Remote

# ISAKMP Phase 1 peer sections
##############################

[FW-NetworkX]
Phase=                  1
Address=                222.222.222.222
Configuration=          Default-main-mode
Authentication=         your-pre-shared-key-string1

[RemoteClient]
Phase=                  1
Configuration=          Remote-main-mode
Authentication=         your-pre-shared-key-string2

# IPSec Phase 2 sections
########################

[IPSec-NetworkX]
Phase=                  2
ISAKMP-peer=            FW-NetworkX
Configuration=          Default-quick-mode
Local-ID=               Local-NET
Remote-ID=              NetworkX-NET

[IPSec-Remote]
Phase=                  2
ISAKMP-peer=            RemoteClient
Configuration=          Remote-quick-mode
Local-ID=               Local-NET
Remote-ID=              Remote-HOST

# Client ID sections
####################

[Local-NET]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.0.0
Netmask=                255.255.255.0

[NetworkX-NET]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.0.0.0

[Remote-HOST]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

# Main mode descriptions
########################

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             DES-MD5

[Remote-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Microsoft-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

# Quick mode descriptions
#########################

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-DES-MD5-SUITE

[Remote-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

[Microsoft-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE



----- Original Message -----
From: "Marcos Laufer" <[hidden email]>
To: "Marcello Cruz" <[hidden email]>
Cc: <[hidden email]>
Sent: Wednesday, April 08, 2009 11:37 AM
Subject: Re: VPN client-to-site over IPSec


> Marcello ,
>
> If you don't mind, i'd like to know more info or what to read to
> acomplish your first scenario:
>
> PC ------ Internet ------ OpenBSD -------- LAN
> PC ------------ IPSec Tunnel -------------- LAN
>
> Thanks!
> Marcos Laufer
>
> Marcello Cruz escribiC3:
>> Toni,
>>
>> Do you mean a VPN where only a HOST will access an entire NETWORK? If
>> so, then the answer is YES.
>>
>> For instance, I have some OpenBSD servers acting as VPN Server and
>> they allow me to connect from home to the networks behind those
>> OpenBSD servers.
>>
>> PC ------ Internet ------ OpenBSD -------- LAN
>> PC ------------ IPSec Tunnel -------------- LAN
>>
>> I also have other situations where I need an entire LAN communicate
>> with other LAN, like:
>>
>> LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
>> LAN ----------------------- IPSec Tunnel --------------------------- LAN
>>
>> What do you need?
>>
>> ----- Original Message ----- From: "Toni Mueller" <[hidden email]>
>> To: <[hidden email]>
>> Sent: Friday, April 03, 2009 5:43 PM
>> Subject: Re: VPN client-to-site over IPSec
>>
>>
>>> Hi,
>>>
>>> On Fri, 03.04.2009 at 12:43:33 -0300, JoC#o Salvatti
>>> <[hidden email]> wrote:
>>>> Is it possible to implement a client-to-site VPN over IPSec? I have
>>>> searched on the web, but only found site-to-site models.
>>>
>>> what exactly do you mean by "client to site"?
>>>
>>> You can distinguish between transport mode, where you use the IP that
>>> you actually use, as an endpoint, and tunnel mode, where you assign an
>>> IP of your chosing for use inside the tunnel, and then use that IP for
>>> all of your connections.
>>>
>>> Usually, "site-to-site" is associated with tunnel mode, and I currently
>>> see no reason, and much less any advantage, in using transport mode.
>>>
>>>
>>> Kind regards,
>>> --Toni++