Linux VPN Configuration
As a company network grows, it needs secure data links with business partners, customers, sellers and vendors while giving them access to servers behind the Internet firewall. This can be done with a virtual private network (VPN), which provides an encrypted data stream between the company firewall and the customer's or vendor's network.
A VPN is a convenient and secure way to reach remote servers, not only by their public (translated) IP addresses but by their real IP addresses, which avoids some of the problems inherent in reaching servers through a many-to-one NAT relationship.
Here you will read how to set up a permanent one-to-one VPN link, or tunnel, using Openswan, one of the best-known VPN packages for Linux.
Before Starting SOHO Linux VPN
Here are some points to consider before configuring a simple SOHO Linux VPN.
- Disable NAT on the firewall for packets that will traverse the VPN, because IPsec, the protocol on which the VPN is based, does not tolerate packets that NAT has altered.
- Configure and test the firewall first, then configure the VPN, so that the Linux VPN box also performs as the firewall.
- The IP address ranges at the two ends of the network must not overlap; renumber one side if they do.
The VPN is permanent and site-to-site, with static IP addresses (or static DHCP leases) at both ends.
The figure below shows the VPN topology between two SOHO network environments in this scenario.
- Both sites need the VPN to communicate with each other without danger of eavesdropping.
- Site 1 uses the private address range 172.168.1.0/24, with the Linux VPN/firewall as its default gateway; the firewall's external IP address is 97.158.253.25.
- Site 2 uses the private address range 10.0.0.0/24, with its VPN/firewall device as the default gateway; its external IP address is 6.25.232.1.
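The two pre-flight conditions above (non-overlapping LAN ranges, and VPN-bound traffic exempted from NAT) can be checked and turned into firewall rules mechanically. The script below is an added example, not code from the original page or from the Openswan project; it uses the page's two sites, and the WAN interface name eth0 in the MASQUERADE rule is an assumption. Standard library only.

```python
"""Pre-flight checks for a site-to-site IPsec link.

Added example, not code from the original page or from Openswan. It checks
that the two LAN ranges do not overlap and that each public endpoint lies
outside its own LAN, then emits the iptables rules that exempt LAN-to-LAN
traffic from MASQUERADE. The interface name eth0 is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: str        # private subnet behind the VPN/firewall box
    public_ip: str  # external address of the VPN/firewall box


# The two sites from the page's topology.
SITE1 = Site("site1", "172.168.1.0/24", "97.158.253.25")
SITE2 = Site("site2", "10.0.0.0/24", "6.25.232.1")


def check_topology(local: Site, remote: Site) -> list:
    """Return the list of problems found; an empty list means the pair is usable."""
    problems = []
    lan_a = ipaddress.ip_network(local.lan, strict=True)
    lan_b = ipaddress.ip_network(remote.lan, strict=True)
    # Overlapping ranges cannot be routed through one tunnel: renumber one side.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN ranges overlap: {lan_a} and {lan_b}")
    # Each public endpoint must sit outside its own LAN, and the two endpoints
    # must differ, otherwise the tunnel has no distinct far end to reach.
    for site, lan in ((local, lan_a), (remote, lan_b)):
        if ipaddress.ip_address(site.public_ip) in lan:
            problems.append(f"{site.name}: public address {site.public_ip} is inside its LAN {lan}")
    if local.public_ip == remote.public_ip:
        problems.append("both sites use the same public address")
    return problems


def nat_rules(local: Site, remote: Site, wan_if: str = "eth0") -> list:
    """Ordered iptables commands for the local firewall's nat table.

    The ACCEPT rule for LAN-to-remote-LAN traffic comes first so those packets
    leave the POSTROUTING chain untouched; everything else going out the WAN
    interface is masqueraded as usual. Order matters: if MASQUERADE matched
    first, the rewritten source address would no longer match the tunnel's
    selector for the two LANs, so the packet would be dropped or sent outside
    the tunnel.
    """
    return [
        f"iptables -t nat -A POSTROUTING -s {local.lan} -d {remote.lan} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
    ]


if __name__ == "__main__":
    issues = check_topology(SITE1, SITE2)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(nat_rules(SITE1, SITE2)))
```

Run it on the site 1 firewall to print the two rules in the order they must be loaded; swap the arguments for the site 2 box. The overlap check uses strict network parsing, so a LAN given with host bits set (for example 10.0.0.5/24) is rejected as a typo rather than silently normalised.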
Figure: Openswan VPN topology (Example 1)
Downloading and Installing the Openswan Package:
Download the Openswan RPM package from www.openswan.org, where you will also find guidelines on installing it on Fedora, Red Hat and other Linux distributions. Before installing Openswan, you must have the ipsec-tools RPM package installed on the machine.
Getting Started with Openswan:
Configure Openswan to start at boot using the chkconfig command:
[root@linux-server tmp]# chkconfig ipsec on
Start, stop and restart Openswan using the ipsec service initialization script:
[root@linux-server tmp]# service ipsec start
[root@linux-server tmp]# service ipsec stop
[root@linux-server tmp]# service ipsec restart
Remember to restart the ipsec process whenever you change the ipsec.conf file, so that the changes take effect.
Checking the Status of the Openswan Installation:
After installing Openswan, check its status with the ipsec verify command. It should show an [OK] status.
[root@vpn3 tmp]# ipsec verify
Checking your system to see if IPsec got installed and started properly
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.8-1.522 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Three or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
[root@vpn3 tmp]#
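The verify output has a regular shape (a description followed by a bracketed status), which makes it easy to check automatically after each restart. The parser below is an added example, not code from the original page or from Openswan; it relies only on that line shape, treats OK and N/A as passing, and uses a constructed sample modelled on the output above with pluto deliberately shown as not running so the failure path is exercised.

```python
"""Parse the output of `ipsec verify` and report checks that did not pass.

Added example, not code from the original page or from Openswan. The parser
relies only on the line shape seen in the page's output: a description
followed by a bracketed status. OK and N/A count as passing; anything else
is reported. SAMPLE_OUTPUT is constructed for the example.
"""
import re
import subprocess

STATUS_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[A-Z/]+)\]$")
PASSING = {"OK", "N/A"}

# Constructed sample, modelled on the output shown on the page, with one
# check failing so the reporting path is exercised.
SAMPLE_OUTPUT = """\
Checking your system to see if IPsec got installed and started properly
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.8-1.522 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
Three or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
"""


def parse_verify(output: str) -> dict:
    """Map each check description to its bracketed status; other lines are ignored."""
    results = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            results[m.group("check")] = m.group("status")
    return results


def failed_checks(results: dict) -> list:
    """Checks whose status is neither OK nor N/A, in output order."""
    return [check for check, status in results.items() if status not in PASSING]


def run_ipsec_verify() -> str:
    """Run the real command on this host and return its stdout (needs root and Openswan)."""
    proc = subprocess.run(["ipsec", "verify"], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    failures = failed_checks(parse_verify(SAMPLE_OUTPUT))
    print("all checks passed" if not failures else "failed: " + ", ".join(failures))
```

To check a live box, replace SAMPLE_OUTPUT with run_ipsec_verify() in the main block; a non-empty failure list after `service ipsec restart` is the signal to look at ipsec.conf or the service state before going further.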