test

System Administration Guide, Volume 3

How to Set Up a Virtual Private Network

This procedure shows you how to set up a VPN using the Internet to connect two networks within an organization, and secure the traffic between the networks with IPsec. This procedure assumes that the networks' le1 interfaces are inside the VPN, and the le0 interfaces are outside the VPN on the two systems that implement the VPN link.

The procedure also uses ESP with DES and MD5. The algorithms used affect the key lengths, 64 bits (56 bits+ 8 bits parity) for DES and 128 bits for MD5. You must do the following procedure on the two systems that act as the gateway through the Internet. For a descripton of VPNs, see "Enabling Virtual Private Networks".

  1. Become superuser on the system console.

    Note -

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

  2. Turn off IP forwarding by typing the following command:


    # ndd -set /dev/ip ip_forwarding 0

    Turning off IP forwarding prevents packets from being forwarded from one network to another through this system.

  3. Turn on IP strict destination multihoming by typing the following command:


    # ndd -set /dev/ip ip_strict_dst_multihoming 0

    Turning on IP strict destination multihoming ensures that packets for one of the system's destination addresses arrives on the interface to which that address is assigned.

    When you use the ndd(1M) command to turn off IP forwarding and turn on IP strict destination, multihoming shuts down the flow of packets except to the system itself, and then only if the packets arrive on the interface that corresponds to the destination IP address.

  4. Disable most (if not all) network services on the Solaris system by doing the following substeps, as needed:

    Note -

    The VPN router should allow very few incoming requests. You need to disable all processes that accept incoming traffic (for example, comment out lines in the inetd.conf file, kill SNMP, and so on), or use techniques similar to the "How to Secure a Web Server Using IPsec Policy".

    1. If inetd.conf has been edited to remove all but essential services, type the following command:


      # pkill -HUP inetd

    2. If inetd.conf has not been edited to remove all but essential services, type the following command on a command line:


      # pkill inetd

    3. Disable other Internet services, such as SNMP, NFS, and so on, by typing one or more commands like the following examples, as needed:


      # /etc/init.d/nfs.server stop
# /etc/init.d/sendmail stop

      Disabling network services keeps IP packets from doing any harm to the system. For example, an SNMP daemon, telnet, or rlogin could be exploited.

  5. On each system, add a pair of security associations between the two systems by doing the following substeps:

    1. Type the following command:


      # ipseckey

      This enables the ipseckey command mode.

    2. At the ipseckey command mode prompt, type the following command:


      > add esp spi random-number src system1_addr dst system2_addr \
auth_alg md5 encr_alg des \
authkey very-random-hex-string-of-32-characters \
encrkey very-random-hex-string-of-16-characters

    3. Press the Return key.

      This executes the command and redisplays the ipseckey command mode prompt.

    4. At the ipseckey command mode prompt, type the following command:


      > add esp spi random-number src system2_addr dst system1_addr \
auth_alg md5 encr_alg des \
authkey very-random-hex-string-of-32-characters \
encrkey very-random-hex-string-of-16-characters
      Note -

      The keys and SPI can and should be different for each security association.

    5. At the ipseckey command mode prompt, type Ctrl-D or Exit to exit this mode.

  6. Configure a secure tunnel, ip.tun0, by doing the following substeps:

    1. On System 1 type the following commands:


      # ifconfig ip.tun0 plumb

# ifconfig ip.tun0 system1-taddr system2-taddr \
tsrc system1-addr tdst system2-addr encr_algs des encr_auth_algs md5

# ifconfig ip.tun0 up

    2. On System 2 type the following commands:


      # ifconfig ip.tun0 plumb

# ifconfig ip.tun0 system2-taddr system1-taddr \
tsrc system2-addr tdst system1-addr encr_algs des encr_auth_algs md5

# ifconfig ip.tun0 up

    This sets up the secure tunnel and adds another physical interface from the IP perspective.

  7. On each system, turn on (in this example) le1:ip_forwarding and ip.tun0:ip_forwarding by typing the following commands:


    # ndd -set /dev/ip le1:ip_forwarding 1

# ndd -set /dev/ip ip.tun0:ip_forwarding 1

    ip_forwarding means that packets arriving off an interface can be forwarded, and packets leaving this interface might have originated on another interface. To successfully forward a packet, both the receiving and transmitting interfaces must have their ip_forwarding turned on.

    Since le1 is inside the Intranet, and ip.tun0 connects the two systems through the Internet, ip_forwarding must be turned on for these two interfaces.

    The le0 interface still has its ip_forwarding turned off. This prevents someone on the outside (that is, the Internet) from injecting packets into the protected Intranet.

  8. On each system, ensure that routing protocols do not advertise the default route within the Intranet by typing the following command:


    # ifconfig le0 private

    While le0 has ip_forwarding turned off, any routing protocol implementation (for example, in.routed) might still advertise that le0 is a valid interface for forwarding packets to its peers inside the Intranet. Setting the interface's private flag helps reduce these advertisements.

  9. On each system, manually add a default route over le0 by typing the following commands:


    # pkill in.rdisc

# route add default router-on-le0-subnet

    Even though le0 is not part of the Intranet, it does need to reach across the Internet to its peer machine. To do this, Internet routing information is needed. The VPN system looks like a host (as opposed to a router) to the rest of the Internet, so either using a default route or running router discovery is sufficient.

  10. Prevent in.rdisc from restarting when the system is rebooted by doing the following substeps:

    1. Put the IP address of the default router on the le0 subnet in the file /etc/defaultrouter.

      This stops in.rdisc from being started at reboot.

    2. Type the following command.


      # touch /etc/notrouter

      This keeps the vulnerability down by preventing routing to occur early in the boot sequence.

    3. Edit the /etc/hostname.ip.tun0 file and add the following lines.


      system1-taddr system2-taddr tsrc system1-addr \
     tdst system2-addr encr_algs des encr_auth_algs md5

    4. Edit the /etc/rc3.d/S99ipsec_setup file and add the following lines in the if/then statement at the end.


      ndd -set /dev/ip le1:ip_forwarding 1
ndd -set /dev/ip ip.tun0:ip_forwarding 1
ifconfig le0 private
in.routed

      The file should look like:


      if [ -f /etc/inet/ipseckeys -a -f /etc/inet/ipsecinit.conf ]; then
     /usr/sbin/ipseckey -f /etc/inet/ipseckeys
     ndd -set /dev/ip le1:ip_forwarding 1
     ndd -set /dev/ip ip.tun0:ip_forwarding 1
     ifconfig le0 private
     in.routed
fi

  11. On each system, run a routing protocol by typing the following command:


    # in.routed

To prevent an adversary from having too much time to break your cryptosystem, you need to replace periodically the security associations that you invoked in step 2 with new ones. Use the following procedure to replace your current security associations.