How to Set Up a Virtual Private Network

This procedure shows you how to set up a VPN by using the Internet to connect two networks within an organization. The procedure then shows you how to secure the traffic between the networks with IPsec. This procedure assumes that the networks' le1 interfaces are inside the VPN, and the le0 interfaces are outside the VPN on the two systems that implement the VPN link.

The procedure also uses ESP with DES and MD5. The algorithms that are used affect the key lengths, 64 bits (56 bits + 8 bits parity) for DES and 128 bits for MD5. You must perform the following procedure on the two systems that act as the gateway through the Internet. For a description of VPNs, see Virtual Private Networks.

1. Become superuser on the system console.

   ---

   Note –

   Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

   ---

2. Turn off IP forwarding:

   # ndd -set /dev/ip ip_forwarding 0

   Turning off IP forwarding prevents packets from being forwarded from one network to another through this system.

3. Turn on IP strict destination multihoming:

   # ndd -set /dev/ip ip_strict_dst_multihoming 1

   Turning on IP strict destination multihoming ensures that packets for one of the system's destination addresses arrives on the interface to which that address is assigned.

   When you use the ndd(1M) command to turn off IP forwarding and turn on IP strict destination, multihoming shuts down the flow of packets except to the system itself, and then only if the packets arrive on the interface that corresponds to the destination IP address.

4. Disable most (if not all) network services on the Solaris machine by doing the following substeps, as needed:

   ---

   Note –

   The VPN router should allow very few incoming requests. You need to disable all processes that accept incoming traffic (for example, comment out lines in the inetd.conf file, kill SNMP, and so on). Alternately, you can use techniques similar to those in How to Secure a Web Server.

   ---

   1. If inetd.conf has been edited to remove all but essential services, type the following command:

      # pkill -HUP inetd

   2. If inetd.conf has not been edited to remove all but essential services, type the following command on a command line:

      # pkill inetd

   3. Disable other Internet services, such as SNMP, NFS, and so on, by typing one or more commands such as the following examples, as needed:

      # /etc/init.d/nfs.server stop # /etc/init.d/sendmail stop

      Disabling network services prevents IP packets from doing any harm to the system. For example, an SNMP daemon, telnet, or rlogin could be exploited.

5. On each machine, add a pair of security associations between the two systems.

   If the systems are using IPv4 addresses, the IKE daemon automatically creates the security associations after you have configured IKE to create them. You can use one of the following procedures to set up IKE for the VPN: How to Configure IKE With Pre-Shared Keys, How to Configure IKE With Self-Signed Public Certificates, or How to Configure IKE With Public Keys Signed by a Certificate Authority.

   If the systems are using IPv6 addresses, you must manually create the security associations by doing the following substeps:

   1. Enable the ipseckey command mode:

      # ipseckey >

      The > prompt indicates that you are in ipseckey command mode.

   2. Type the following command:

      > add esp spi random-number src system1_addr dst system2_addr \ auth_alg md5 encr_alg des \ authkey random-hex-string-of-32-characters \ encrkey random-hex-string-of-16-characters

   3. Press the Return key to execute the command.

   4. Type the following command:

      > add esp spi random-number src system2_addr dst system1_addr \ auth_alg md5 encr_alg des \ authkey random-hex-string-of-32-characters \ encrkey random-hex-string-of-16-characters

      ---

      Note –

      The keys and SPI can and should be different for each security association.

      ---

   5. Type Control-D or quit to exit this mode.

6. Configure a secure tunnel, ip.tun0 that adds another physical interface from the IP perspective, by performing the following substeps:

   1. On System 1, type the following commands:

      # ifconfig ip.tun0 plumb # ifconfig ip.tun0 system1-taddr system2-taddr \ tsrc system1-addr tdst system2-addr encr_algs des encr_auth_algs md5 # ifconfig ip.tun0 up

   2. On System 2, type the following commands:

      # ifconfig ip.tun0 plumb # ifconfig ip.tun0 system2-taddr system1-taddr \ tsrc system2-addr tdst system1-addr encr_algs des encr_auth_algs md5 # ifconfig ip.tun0 up

7. On each machine, turn on (in this example) le1:ip_forwarding and ip.tun0:ip_forwarding:

   # ndd -set /dev/ip le1:ip_forwarding 1 # ndd -set /dev/ip ip.tun0:ip_forwarding 1

   ip_forwarding means that packets that arrive off an interface can be forwarded, and packets that leave this interface might have originated on another interface. To successfully forward a packet, both the receiving and transmitting interfaces must have their ip_forwarding turned on.

   Because le1 is inside the Intranet, and ip.tun0 connects the two systems through the Internet, ip_forwarding must be turned on for these two interfaces.

   The le0 interface still has its ip_forwarding turned off. This configuration prevents someone on the outside (that is, the Internet) from injecting packets into the protected Intranet.

8. On each machine, ensure that routing protocols do not advertise the default route within the Intranet:

   # ifconfig le0 private

   While le0 has ip_forwarding turned off, any routing protocol implementation (for example, in.routed) might still advertise that le0 is a valid interface for forwarding packets to its peers inside the Intranet. Setting the interface's private flag helps reduce these advertisements.

9. On each system, manually add a default route over le0:

   # pkill in.rdisc # route add default router-on-le0-subnet

   Even though le0 is not part of the Intranet, it does need to reach across the Internet to its peer machine. To do this, Internet routing information is needed. The VPN system looks like a host (as opposed to a router) to the rest of the Internet, so either using a default route or running router discovery is sufficient.

10. Prevent in.rdisc from restarting when the system is rebooted by performing the following substeps:

    1. Put the IP address of the default router on the le0 subnet in the file /etc/defaultrouter.

       This step prevents in.rdisc from being started at reboot.

    2. Prevent routing from occurring early in the boot sequence, and thus reduce vulnerability:

       # touch /etc/notrouter

    3. Edit the /etc/hostname.ip.tun0 file and add the following lines.

       system1-taddr system2-taddr tsrc system1-addr \ tdst system2-addr encr_algs des encr_auth_algs md5 up

    4. Create an /etc/rc3.d/S99vpn_setup file and type the following lines.

       ndd -set /dev/ip le1:ip_forwarding 1 ndd -set /dev/ip ip.tun0:ip_forwarding 1 ifconfig le0 private in.routed

11. On each machine, run a routing protocol:

    # in.routed

To prevent an adversary from having time to break your cryptosystem, you need to periodically replace the security associations that you created in Step 5 with new ones. Use the following procedure to replace your current security associations. If you are running an IPv4 network, the IKE module manages the replacement of security associations.