
AppNote: NBM to Openswan: Site-to-site VPN Made Easy

Novell Cool Solutions: AppNote
By Gaurav Vaidya


Posted: 2 Dec 2004
 

NBM - Openswan: Site to Site VPN in Easy Steps

Gaurav Vaidya, Senior Software Engineer
gvaidya@novell.com

The Novell Border Manager 3.8 VPN service is designed to interoperate with any standard IPsec-based VPN service. If two remote sites (one running NBM 3.8 and the other running Openswan) need to communicate securely over the Internet, the best way is to establish a site-to-site VPN connection between the two. This AppNote describes the procedure for establishing a site-to-site VPN connection between Openswan and Novell Border Manager 3.8 servers.

Introduction

This AppNote details the configuration of a site-to-site IPsec tunnel between Openswan and NBM 3.8 using:

  • Certificate mode
  • PSK mode

Software Requirements

Before you begin the configuration, ensure that the following are installed:

  1. NBM 3.8 with the latest support pack (SP2), installed on a NetWare server (NetWare 6.5 with SP2)
  2. Openswan and other required software packages (IPsec-tools and OpenSSL), installed on a Linux server

If they are not installed, download the available version of the required RPMs and install as follows:

  • rpm -ivh ipsec-tools-version
  • rpm -ivh openswan-version

Note: The Linux package versions referred to in this AppNote are:

  • SLES (SUSE Linux Enterprise Server 9 / Kernel 2.6.5-7.51-default)
  • Openswan: 2.2.0-2.1
  • IPsec tools: 0.3.3-1.2

Conventions

Term        Description
SLES        SUSE Linux Enterprise Server
SA          Security Association: a unidirectional association between two VPN entities
S2S         Site to Site: a VPN connection between two VPN servers which secures two local sites or LANs. Also known as net-to-net VPN.
IKE         Internet Key Exchange protocol
IPsec       Internet Protocol Security
NBM 3.8     Novell Border Manager, Version 3.8: the latest version of Novell Border Manager, which has ICSA certification for both firewall (4.0 Corporate) and IPsec (1.0D)
CA          Certificate Authority
TRC         Trusted Root Container
TRO         Trusted Root Object
Openswan    Open source implementation of IPsec for Linux

Initial Configuration

Ensure that the following configuration is in place (see Figure 1):

Figure 1: Set-up diagram for S2S VPN between NBM and Openswan

NBM 3.8 Server

In the diagram above, an NBM 3.8 server connects the internal LAN 192.168.10.1/24 to the internet. The NBM3.8 server's WAN (Internet) interface has the address 164.99.160.98/23.

  • Server Name : F4E
  • WAN Interface IP Address : 164.99.160.98 / 255.255.252.0
  • LAN Interface IP Address : 192.168.10.1 / 255.255.255.0
  • Default Gateway : 164.99.160.88

Openswan Server

In the previous diagram, an Openswan server connects internal LAN 192.168.199.1/24 to the internet. Openswan server's WAN (Internet) interface has the address 172.32.22.12/16.

  • Server Name : SLES
  • WAN Interface IP Address : 172.32.22.12 / 255.255.0.0
  • LAN Interface IP Address : 192.168.199.1 / 255.255.255.0
  • Default Gateway : 172.32.22.88

Router

In this test scenario, a router connects the WAN networks of NBM 3.8 (164.99.160.98) and the Openswan server (172.32.22.12). The addresses of the two interfaces of the router, connecting to NBM 3.8 and Openswan servers, are 164.99.160.10 and 172.32.22.10.

IPsec Parameters

It is recommended that you use the following IPsec parameters (for the IKE Phase-1 and IKE Phase-2 SA negotiations) for smooth interoperability between Openswan and NBM 3.8.

Note: If any other set of parameters is used for the configuration, ensure that the parameters are similar at both ends.

IKE Phase-1 Parameters

  • IKE mode: Main mode
  • IKE lifetime: 14400 Secs / 240 Mins / 4 hours
  • IKE encryption: Triple DES (3DES)
  • IKE integrity: MD5
  • IKE group: MODP 1024 (group 2)
  • IKE authentication: Certificate OR Pre-Shared Key

IKE Phase-2 Parameters

  • IPsec mode: tunnel (for all VPN connections)
  • IPsec lifetime: 3600 Secs / 60 mins / 1 hour
  • IPsec encryption: Triple DES (3DES)
  • IPsec integrity: MD5
  • PFS: enabled (MODP 1024, group 2)
  • IP compress: disabled
  • Selectors: all protocols between the 192.168.199.0/24 and 192.168.10.0/24 IPv4 subnets

Configuration

VPN is needed to build a secure communication channel (IPsec Tunnel) between two LANs, protected by the Openswan and NBM 3.8 servers. Depending on the type of authentication between the servers, the IPsec Tunnel can be configured in any of the following modes:

  1. X.509 Certificates mode
  2. Pre-Shared Key (PSK) mode

The X.509 Certificate method is recommended. Though more complex to configure, it is more secure and easier to maintain. The PSK mode, though easy to configure, is less secure and less scalable.

Site-to-site Configuration in X.509 Certificate Mode

To configure site-to-site communication in X.509 Certificate mode,

  1. Create the CA and certificate for Openswan.
  2. Install certificates on Openswan.
  3. Configure VPN service on NBM 3.8.
  4. Configure a verification CA on NBM 3.8 and Openswan. Note: Use different CAs for the NBM 3.8 and Openswan servers.
  5. Configure VPN service on Openswan.
  6. Add the Openswan VPN to the NBM 3.8 server.
  7. Verify the tunnel.

Creating the CA and Certificate for Openswan

You can use the CA.sh utility supplied with OpenSSL to create the CA and the certificate.

  1. Create a directory (e.g., Openswan-CA).
  2. From that directory, run the CA.sh commands shown below.
  3. The CA.sh script is normally found under "/usr/share/ssl/misc/".

    The following commands assume that this directory is in your PATH. If it is not, use the full path to CA.sh instead.

    Note: Configure the /etc/openssl.cnf file with the default values of country, company name, etc., for your certificate. These parameters are set in the '[ req_distinguished_name ]' section.

  4. Run "CA.sh -newca" and follow the instructions. The demoCA directory and the key file cakey.pem will be created.
  5. Create a new certificate request using the command "CA.sh -newreq". This request can be signed by any CA, or by the CA just created.
  6. Sign the certificate request with the newly created CA, using the command "CA.sh -sign". There are now three files: newreq.pem, newcert.pem and ./demoCA/cacert.pem.

Installing Certificates for Openswan

After creating the CA and server certificates, install them on the Openswan gateway. Copy the newly created certificate, key and CA certificate into the corresponding /etc/ipsec.d subdirectories as follows (newreq.pem holds the private key created by "CA.sh -newreq"; Openswan reads CA certificates from /etc/ipsec.d/cacerts):

cp newreq.pem /etc/ipsec.d/private
cp newcert.pem /etc/ipsec.d/certs
cp demoCA/cacert.pem /etc/ipsec.d/cacerts

Configuring VPN service on NBM 3.8

  1. Configure the Server Address as 164.99.160.98 / 255.255.252.0.
  2. Configure the Tunnel Address as 112.1.1.1 / 255.0.0.0.
  3. Specify the Key lifetime in minutes (the default value is 480). To match the configuration on Openswan server, the Key lifetime can be 240.
  4. To enable PFS, check the Perfect Forward Secrecy check box.
  5. Check the Site to Site check box.
  6. Click the Master radio button.
  7. Click Details for Site to Site. The Issuer Certificate will be displayed.
  8. Check the Subject Name.
  9. Browse for the server certificate and click it. The certificate subject name will be populated in the text box.
  10. Provide the protected network of the NBM 3.8 server in the Protected Networks list (here it is 192.168.10.0 / 255.255.255.0).
  11. Click OK.

The VPN Server configuration is shown below.



Figure 2: NBM3.8 VPN Server Configuration

For more information on configuring the VPN service on an NBM 3.8 server, refer to the online documentation at: http://www.novell.com/documentation/nbm38/index.html

Configuring Verification CA

For the X.509 Certificate mode of authentication, both VPN servers should be able to verify the authenticity of the peer certificates. To do so, NBM and Openswan should have access to the verification CA.

The information in this section describes the configuration of the verification CA on the NBM 3.8 and Openswan servers.

To export the Trusted Root certificate as F4E-TrustedRoot.der from the NBM 3.8 server to the Openswan server:

  • From iManager, click eDirectory Maintenance > Modify Object.
  • Select the Trusted Root certificate and export it as a .DER certificate.
  • Copy the exported certificate to the Openswan server.
  • Convert the .DER-format trusted root certificate to .PEM format for Openswan, using this command:

    openssl x509 -inform DER -outform PEM -in F4E-TrustedRoot.der -out F4E-TrustedRoot.pem

  • Copy F4E-TrustedRoot.pem to the folder /etc/ipsec.d/cacerts.

To export the CA certificate from Openswan to NBM 3.8:

  • On the Openswan server, convert the cacert.pem file to .DER format using the following command:

    openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der

  • From iManager, use the cacert.der file to create a Trusted Root Object (TRO) in the default TRC of the NBM 3.8 server.
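As an added illustration (not part of the AppNote), the following script performs the CA.sh steps of the previous two sections with plain openssl commands and adds the two checks worth making before bringing the tunnel up: that the peer certificate verifies against the exchanged trusted root, and what the certificate subject is (the value NBM 3.8 asks for in its Subject Name field). The directory, DNs and file names are constructed for the demo, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the AppNote): the CA.sh steps above done with plain
# openssl commands, plus the checks each gateway must be able to make on the
# peer's certificate. Assumes openssl is installed; DNs and file names are
# constructed for the demo.

# make_openswan_certs DIR: CA key+cert, server key+request, signed server cert, CA cert in DER
make_openswan_certs() {
    d="$1"; mkdir -p "$d"
    # CA.sh -newca: self-signed CA certificate (cacert.pem) and its key (cakey.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/O=Example Corp/CN=Openswan-CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    # CA.sh -newreq: server key and request (unencrypted here; CA.sh would ask for
    # the passphrase that later goes into /etc/ipsec.secrets)
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example Corp/CN=sles.example.com" \
        -keyout "$d/newkey.pem" -out "$d/newreq.pem" 2>/dev/null
    # CA.sh -sign: issue newcert.pem from the request with the CA key
    openssl x509 -req -in "$d/newreq.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 365 -out "$d/newcert.pem" 2>/dev/null
    # CA cert in DER form: what iManager imports as a Trusted Root Object on NBM 3.8
    openssl x509 -inform PEM -outform DER -in "$d/cacert.pem" -out "$d/cacert.der"
}

# der_to_pem IN.der OUT.pem: the conversion applied to F4E-TrustedRoot.der from NBM 3.8
der_to_pem() {
    openssl x509 -inform DER -outform PEM -in "$1" -out "$2"
}

# verify_peer_cert CAFILE CERT: succeeds only if CERT chains to the trusted root CAFILE,
# which is what each gateway must do with the peer's certificate in IKE Phase-1
verify_peer_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: subject DN, the value NBM 3.8 asks for in its "Subject Name" field
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# fingerprint CERT [der]: SHA-1 fingerprint, to confirm a conversion changed encoding only
fingerprint() {
    openssl x509 -in "$1" ${2:+-inform DER} -noout -sha1 -fingerprint
}
```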

Configuring IPsec on Openswan

  1. Open the file /etc/ipsec.secrets and add the following line (here "my-passphrase" is the passphrase protecting the private key in newreq.pem):

    : RSA newreq.pem "my-passphrase"

  2. Open the file /etc/ipsec.conf and add the following connection (Openswan reads only indented lines as parameters of a conn section):

conn %default
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    #ikelifetime=20m
    #keylife=1h

conn nbmcert
    # General
    keyingtries=1
    disablearrivalcheck=no
    auto=add
    # IKE (Phase-1) parameters
    authby=rsasig
    # encryption-integrity-group; must match the IKE Phase-1 parameters set on NBM 3.8
    # (the parameter list above gives MD5 as the integrity algorithm)
    ike="3des-sha-modp1024"
    keyexchange=ike
    ikelifetime=240m
    # IPsec (Phase-2) parameters
    type=tunnel
    auth=esp
    esp="3des-md5"
    pfs=yes
    compress=no
    keylife=60m
    # Left security gateway (Openswan), subnet behind it, next hop toward right
    left=172.32.22.12
    leftsubnet=192.168.199.0/24
    leftnexthop=172.32.22.10
    # Right security gateway (NBM 3.8), subnet behind it, next hop toward left
    right=164.99.160.98
    rightsubnet=192.168.10.0/24
    rightnexthop=164.99.160.10
    # Certificate information: own certificate and the NBM 3.8 server certificate
    leftcert="/etc/ipsec.d/certs/newcert.pem"
    rightcert="/etc/ipsec.d/certs/ServerCert-NBM.pem"
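An added check, not from the AppNote: a small shell routine that reads one conn section from ipsec.conf (honouring conn %default) and compares its IKE Phase-1 and Phase-2 parameters against the lists given under IPsec Parameters, which is the mismatch hunting that item 2 of Tips and Tricks asks for. The ipsec.conf fragment is constructed for the demo and deliberately mirrors the nbmcert connection above.

```shell
#!/bin/sh
# Added example (not from the AppNote): a pre-flight check that an Openswan conn
# carries the IKE Phase-1 and Phase-2 parameters agreed with NBM 3.8 (Tips, item 2).
# The ipsec.conf fragment is constructed for the demo; parameter names follow Openswan 2.x.
# conn_param FILE CONN KEY: value of KEY in section CONN, falling back to "conn %default".
# Openswan reads only indented lines as parameters; "#" comments and quotes are stripped.
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/     { cur = $2; next }
        /^[ \t]+[^ \t#]/ {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]*#.*$/, "", line)
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
            if (k == key) { if (cur == conn) val = v; else if (cur == "%default") def = v }
        }
        END { print (val != "" ? val : def) }' "$1"
}

# check_conn FILE CONN: print every parameter that differs from the IPsec Parameters
# lists above (3DES, MD5, group 2, 4 h / 1 h lifetimes, PFS on, compression off).
# Returns the number of mismatches, so 0 means the conn agrees with the NBM 3.8 side.
check_conn() {
    bad=0
    for want in ike=3des-md5-modp1024 esp=3des-md5 ikelifetime=240m keylife=60m \
                pfs=yes type=tunnel compress=no; do
        k=${want%%=*}; want_v=${want#*=}; got=$(conn_param "$1" "$2" "$k")
        [ "$got" = "$want_v" ] ||
            { echo "$2: $k is '$got', NBM 3.8 side expects '$want_v'"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# sample_conf: constructed fragment modelled on the nbmcert connection above
sample_conf() {
    cat <<'EOF'
conn %default
    leftrsasigkey=%cert
    #ikelifetime=20m
conn nbmcert
    authby=rsasig
    ike="3des-sha-modp1024"   # SHA-1 here, the Phase-1 list above says MD5
    ikelifetime=240m
    type=tunnel
    esp="3des-md5"
    pfs=yes
    compress=no
    keylife=60m
EOF
}
```

Running check_conn against the sample reports exactly the ike line, which is the kind of one-sided difference that makes Phase-1 fail with no proposal chosen.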

Adding an Openswan VPN on NBM 3.8

To add Openswan as a slave server to NBM 3.8,

  1. Go to the Member Lists tab and click Add.
  2. Configure the following parameters as shown in Figure 3.


Figure 3: Adding Openswan as 3rd-Party VPN server to NBM3.8

Here are the steps for configuring the parameters:

  1. Configure the IP Address and the subnet mask of the Openswan server.
  2. Configure the tunnel IP Address in the same network as the NBM 3.8 server Tunnel IP (here, it is 112.2.2.2 / 255.0.0.0).
  3. Check the Non-Border Manager check box.
  4. Check certificates as "Authentication Method".
  5. Configure the Openswan CA certificate as the issuer.
  6. Configure the corresponding subject name of the CA certificate.
  7. In the Protected IP Network list, add 192.168.199.0 / 255.255.255.0.
  8. Click Apply and click OK.

To add 3rd-Party Traffic Rules for Openswan on NBM 3.8,

  1. Select the Third Party Traffic Rules tab. To add new Traffic Rule for Openswan, click New (see Figure 4 below).
  2. Specify a name to the rule.
  3. Expand the "3rd Party Server Configuration" as follows:
  4. Select the IP Address for the Openswan Server (e.g., 172.32.22.12) from the "3rd Party Server Gateway Address" dropdown box.
  5. Click the "Only Use IP List" radio button under "Rule Applies To:"
  6. Click Add.
  7. Enter the network IP Address for the Openswan Server (here, it is 192.168.199.0 / 255.255.255.0).
  8. Expand the "NBM Server Protected Network list" as follows:
  9. Select the "Only Use IP List" radio button under "Rule Applies To:"
  10. Click Add.
  11. Enter the network IP Address for the NBM3.8 Server (here, it is 192.168.10.0 / 255.255.255.0).
  12. Expand "Define Action". The default choice for traffic is "encrypt".
  13. In the Encryption "Key lifetime by time," enter the IKE Phase-2 SAs lifetime value.
  14. Change the default value to 60 as per the configuration of Openswan.
  15. As per the setting for Openswan, the Encryption Algorithm should be 3DES, and the Authentication Algorithm should be HMAC-SHA1.
  16. Click Apply and then OK.


Figure 4: Adding 3rd-Party Traffic rule for Openswan

Verifying the tunnel

To establish the VPN tunnel, restart the IPsec service and bring the connection up with the following command (note the double dash):

ipsec auto --up nbmcert

Initiate the connection from any client in the protected (LAN) network of NBM 3.8 server to any client in the protected (LAN) network of Openswan Server, or vice versa. They should be able to communicate with the traffic going encrypted.

Configuring S2S IPSec tunnel using PSK

To configure a site-to-site IPsec tunnel between NBM 3.8 and Openswan using a Pre-Shared Key (PSK), follow these steps:

  1. Configure the VPN service on NBM 3.8.
  2. Configure the VPN service on Openswan.
  3. Add the Openswan VPN to NBM 3.8.
  4. Verify the tunnel.

Configuring VPN service on NBM 3.8

Follow the same steps as in the Configuring VPN service on NBM 3.8 section of the certificate-mode procedure above.

Configuring the Openswan VPN server

  1. Open the /etc/ipsec.secrets file and enter the following line, where the two addresses are the WAN addresses of the Openswan gateway and the NBM 3.8 gateway, and "my-shared-secret" is the pre-shared key for IKE negotiation:

    172.32.22.12 164.99.160.98 : PSK "my-shared-secret"

  2. Open the /etc/ipsec.conf file and add the following connection (parameter lines must be indented):

conn nbmpsk
    # General
    keyingtries=1
    disablearrivalcheck=no
    auto=add
    # IKE (Phase-1) parameters: pre-shared key authentication
    authby=secret
    keyexchange=ike
    ikelifetime=240m
    # IPsec (Phase-2) parameters
    type=tunnel
    auth=esp
    pfs=yes
    compress=no
    keylife=60m
    # Left security gateway (Openswan), subnet behind it, next hop toward right
    left=172.32.22.12
    leftsubnet=192.168.199.0/24
    leftnexthop=172.32.22.10
    # Right security gateway (NBM 3.8), subnet behind it, next hop toward left
    right=164.99.160.98
    rightsubnet=192.168.10.0/24
    rightnexthop=164.99.160.10

Adding Openswan VPN on NBM 3.8

To add the Openswan VPN on NBM 3.8,

  1. Configure the IP Address and the subnet mask of the Openswan server.
  2. Configure the tunnel IP Address in the same network as the NBM 3.8 server Tunnel IP (here, it is 112.2.2.2 / 255.0.0.0).
  3. Check the Non-Border Manager check box.
  4. Check "PSK" as the Authentication Method.
  5. Configure the pre-shared key, just as configured on the Openswan server ("my-shared-secret").
  6. In the Protected IP Network list, add 192.168.199.0 / 255.255.255.0.
  7. Click Apply and then click OK.

The third-party traffic rule configuration is the same as detailed in the second part of the Adding an Openswan VPN on NBM 3.8 section above.

Verifying the Tunnel

To establish the VPN tunnel, restart the IPsec service and bring the connection up with the following command (note the double dash):

ipsec auto --up nbmpsk

Initiate the connection from any client in the protected (LAN) network of NBM 3.8 server to any client in the protected (LAN) network of Openswan Server or vice versa. They should be able to communicate with the traffic going encrypted.

Tips and Tricks

  1. If the tunnel negotiation fails, view the log messages (/var/log/messages file on the Openswan machine, and /ETC/IKE/IKE.LOG file on the NBM3.8 machine). Or, you can look at VPN monitoring on NBM 3.8 for specific log messages.
  2. Make sure that all the IPsec parameters configured on both sides are the same for both Phase-1 and Phase-2 tunnel negotiations.
  3. If the IPsec tunnel is established, and protected network machines cannot communicate, then:
  • Ensure that the firewalls at both NBM 3.8 and Openswan servers are configured to allow corresponding traffic.
  • Ensure that the protected networks are added for both NBM 3.8 and Openswan server in the NBM 3.8 VPN configuration.

Although this AppNote considers a separate CA for Openswan and NBM 3.8, there can be instances where only Openswan or Novell Certificate server is used as the CA for both. This would require corresponding certificate configuration at both ends.

Conclusion

NBM 3.8 can interoperate with Openswan VPN on Linux in both Certificate mode and PSK mode. There is no need for both servers to be issued certificates from the same certificate authority.

Additional Information

For more information on how to configure site-to-site VPN between Openswan and NBM, refer to this Cool Solutions article: Setting up a VPN Tunnel - NBM and Openswan Slaves.



© 2014 Novell