[ale] VPN Howto?
Greg Freemyer
greg.freemyer at gmail.com
Wed Jun 25 16:00:04 EDT 2008
The D-Link router we use is a low cost DI-808HV and is a few years old.
It seems to offer real VPN end-point support, not merely allowing
ports to be opened to pass through VPN tunnels.
We would likely only have a couple remote users at any one time, but
we might have 10 of us that have client software configured on our
machines. (both linux and windows).
As to access control, a simple none / full access is fine. ie. If you
are authorized to connect remotely, you are fully authorized to access
our machines at least from the VPNs perspective.
Looks to me like it supports IPsec, L2TP, and PPTP. (Maybe others).
Based on what people have said, maybe I should look at OpenSWAN / IPsec?
==========>
==========> From here to the end of the email, I am just quoting the
d-link help:
VPN Settings
VPN Settings are settings that are used to create virtual private
tunnels to remote VPN gateways. The tunnel technology supports data
confidentiality, data origin authentication and data integrity of
network information by utilizing encapsulation protocols, encryption
algorithms, and hashing algorithms.
VPN enable item:VPN protects network information from ill
network inspectors. But it greatly degrades network throughput. Enable
it when you really need a security tunnel. It is disabled for default.
VPN enable item:Computers running Microsoft Windows can
communicate with one another using NetBIOS. Users can access remote
network resources by browsing the Window Network Neighborhood.
Max. number of tunnels item:Since VPN greatly degrades network
throughput, the allowable maximum number of tunnels is limited. Be
careful to set the value for allowing the number of tunnels can be
created simultaneously. Its value ranges from 1 to 40.
Tunnel name:Indicate which tunnel that is focused now.
Method:IPSec VPN supports two kinds of key-obtained methods:
manual key and automatic key exchange. Manual key approach indicates
that two end VPN gateways setup authenticator and encryption key by
system managers manually. However, IKE approach will perform automatic
Internet key exchange. System managers of both end gateways only need
set the same pre-shared key.
Dynamic VPN settings:VPN gateway allows users to build VPN
tunnel from remote mobile host. Click this button to finish detailer
configuration.
More...:To setup detailer configuration for manual key or IKE
approaches by clicking the "More" button.
View VPN Status:Click this button and you will get more detailed
information about IPSec tunnel of VPN gateway. You can also terminate
certain IPSec tunnel manually by pressing drop button.
Dynamic VPN Settings
VPN gateway can ignore IP information of client when using Dynamic
VPN, so it is suitable for users to build VPN tunnel with VPN gateway
from remote mobile host.
Dynamic VPN enable item : Enable it when you need remote mobile
hosts build security tunnel with DI-808HV. It is disabled for default.
Local subnet :The subnet of LAN site of local VPN gateway. It
can be a host, a partial subnet, and the whole subnet of LAN site of
local gateway.
Local netmask :Local netmask combined with local subnet to form
a subnet domain. Pre-shared key :The first key that supports IKE
mechanism of both VPN gateway and VPN client host for negotiating
further security keys. The pre-shared key must be same for both VPN
gateways and clients.
Select IKE proposal :Click the button to setup a set of
frequent-used IKE proposals and select from the set of IKE proposals
for the dedicated tunnel.
Select IPSec proposal :Click the button to setup a set of
frequent-used IPSec proposals and select from the set of IKE proposals
for the dedicated tunnel.
L2TP Server Setting
The VPN gateway can behave as a L2TP server, and allows remote hosts
to access LAN servers after establishing L2TP connection with it. The
device can support three authentication methods: PAP, CHAP, and
MSCHAP(v1). Users can also enable MPPE encryption when using MSCHAP.
L2TP Server : Check this checkbox to enable function of L2TP server.
Virtual IP of L2TP Server :The IP address of L2TP server. This
IP address should be different from IP address of PPTP server and LAN
subnet of VPN gateway.
Authentication Protocol :Users can choose authentication
protocol as PAP, CHAP, or MSCHAP(v1).
MPPE Encryption Mode :Check this checkbox to enable MPPE
encryption. Please note that MPPE needs to work with MSCHAP
authentication method.
Tunnel Setting
Users can input five different user accounts for L2TP server.
Tunnel Name :Input the name for tunnel.
User Name :Input a user name that is allowed to establish L2TP
connection with VPN gateway.
Password :Input the password for the user.
PPTP Server Setting
The VPN gateway can behave as a PPTP server, and allows remote hosts
to access LAN servers after establishing PPTP connection with it. The
device can support three authentication methods: PAP, CHAP, and
MSCHAP(v1). Users can also enable MPPE encryption when using MSCHAP.
PPTP Server : Check this checkbox to enable function of PPTP server.
Virtual IP of PPTP Server :The IP address of PPTP server. This
IP address should be different from IP address of PPTP server and LAN
subnet of VPN gateway.
Authentication Protocol :Users can choose authentication
protocol as PAP, CHAP, or MSCHAP(v1).
MPPE Encryption Mode :Check this checkbox to enable MPPE
encryption. Please note that MPPE needs to work with MSCHAP
authentication method.
Tunnel Setting
Users can input five different user accounts for PPTP server.
Tunnel Name :Input the name for tunnel.
User Name :Input a user name that is allowed to establish PPTP
connection with VPN gateway.
Password :Input the password for the user.
VPN Settings - IKE
There are three parts that are necessary to setup the configuration of
IKE for the dedicated tunnel: basic setup, IKE proposal setup, and
IPSec proposal setup. Basic setup includes the setting of following
items: local subnet, local netmask, remote subnet, remote netmask,
remote gateway, and pre-shared key. The tunnel name is derived from
previous page of VPN setting. IKE proposal setup includes the setting
of a set of frequent-used IKE proposals and the selecting from the set
of IKE proposals. Similarly, IPSec proposal setup includes the setting
of a set of frequent-used IPSec proposals and the selecting from the
set of IPSec proposals.
Basic setup :
Aggressive Mode : Enabling this mode will accelerate
establishing tunnel, but the devicewill suffer from less security in
the meanwhile. Hosts in both ends of the tunnel must support this mode
so as to establish the tunnelproperly.
Local subnet : The subnet of LAN site of local VPN gateway. It
can be a host, a partial subnet, and the whole subnet of LAN site of
local gateway.
Local netmask : Local netmask combined with local subnet to form
a subnet domain.
Remote subnet :The subnet of LAN site of remote VPN gateway, it
can be a host, a partial subnet, and the whole subnet of LAN site of
remote gateway.
Remote netmask :Remote netmask combined with remote subnet to
form a subnet domain of remote end.
Remote gateway :The IP address of remote VPN gateway.
IKE Keep Alive(Ping IP Address) :Input the IP address of remote
host that exist in the opposite side of the VPN tunnel (Ex. You can
input the LAN IP address of remote VPN gateway). The device will start
to Ping remote host when there is no traffic within the VPN tunnel. If
the device can't get ICMP response from remote host anymore, then it
will terminate the VPN tunnel automatically.
Pre-shared key :The first key that supports IKE mechanism of
both VPN gateways for negotiating further security keys. The
pre-shared key must be same for both end gateways.
Extended Authentication (xAuth) :With xAuth feature, the VPN
client (or initiator) needs to provide additional user information to
remote VPN server (or VPN gateway) for extended authentication. The
VPN server would reject the connect request from VPN clients because
of the unknown user, even though the pre-shared key is correct. This
function is suitable to remote mobile VPN clients. You can not only
configure a VPN rule with a pre-shared key for all remote users using,
but you can also designate only someone is permitted to establish VPN
connection with VPN server.
Enable : Check this checkbox to enable extended authentication
with this rule.
Server mode : Check this checkbox if the device behaves as a VPN
server, and will verify the legality of user information from VPN
client. The user information that is provided by VPN client needs to
match to user information that is in local user database of VPN
server. You can press "Set local user" button to edit local user
database. Please note that only VPN clients with xAuth can establish
VPN connection with the device if you have checked this checkbox.
Client mode : Check this checkbox if the device behaves as a VPN
server, and will send user information to remote VPN server for
extended authentication. You need to input correct user name and
password to pass authentication. Please note that remote VPN server
which is without xAuth will reject your connect request if you have
checked this checkbox.
User Name : Input user name that is provided by remote VPN
server. This field is for xAUTH client mode use only.
Password : Input password that is corresponded to the user name
above. This field is for xAUTH client mode use only.
Select IKE proposal... : Click the button to setup a set of
frequent-used IKE proposals and select from the set of IKE proposals
for the dedicated tunnel.
Select IPSec proposal... : Click the button to setup a set of
frequent-used IPSec proposals and select from the set of IKE proposals
for the dedicated tunnel..
VPN Settings - xAuth - Set Local User
You can edit user information with this configuration page. These user
information is for xAuth server mode use only.
VPN Settings - Manual key
Tunnel name :Indicate which tunnel that is focused now.
Local subnet :The subnet of LAN site of local VPN gateway. It
can be a host, a partial subnet, or the whole subnet of LAN site of
local gateway.
Local netmask :Local netmask combined with local subnet to form
a subnet domain.
Remote subnet :The subnet of LAN site of remote VPN gateway, it
can be a host, a partial subnet, or the whole subnet of LAN site of
remote gateway.
Remote netmask :Remote netmask combined with remote subnet to
form a subnet domain of remote end.
Remote gateway :The IP address of remote VPN gateway.
Local SPI :SPI is an important parameter during hashing. Local
SPI will be included in the outbound packet transmitted from WAN site
of local gateway. The value of local SPI should be set in hex
formatted.
Remote SPI :Remote SPI will be included in the inbound packet
transmitted from WAN site of remote gateway. It will be used to
de-hash the coming packet and check its integrity. The value of remote
SPI should be set in hex formatted.
Encapsulation protocol : There are two protocols can be
selected: ESP and AH.
Encryption algorithm : There are two algorithms can be selected:
3DES and DES. But when the encapsulation protocol is AH, encryption
algorithm is unnecessarily set.
Encryption key :Encryption key is used by the encryption
algorithm. Its length is 8 bytes if encryption algorithm is DES or 24
bytes if 3DES. The key value should be set in hex formatted.
Authentication algorithm : There are two algorithms can be
selected: SHA1 and MD5. But none also can be selected here for no
hashing operation.
Authentication key : Authentication key is used by the
authentication algorithm. Its length is 16 bytes if authentication
algorithm is MD5 or 20 bytes if SHA1. Certainly, its length will be 0
if no authentication algorithm is chosen. The key value should be set
in hex formatted.
Life time : The unit of life time is based on the value of Life
Time Unit. If the value of unit is second, the value of life time
represents the life time of dedicated VPN tunnel between both end
gateways. Its value ranges from 300 seconds to 172,800 seconds. If the
value of unit is KB, the value of life time represents the maximum
allowable amount of transmitted packets through the dedicated VPN
tunnel between both end gateways. Its value ranges from 20,480 KBs to
2,147,483,647 KBs.
Life time unit :There are two units can be selected: second and KB.
VPN Settings - Set IKE Proposal
IKE Proposal index :A list of selected proposal indexes from the
IKE proposal pool listed below. The selecting activity is performed by
selecting a proposal ID and clicking "add to" button in the bottom of
the page. There are only four indexes can be chosen from the proposal
pool for the dedicated tunnel. Remove button beside the index list can
remove selected proposal index before.
Proposal name :It indicates which IKE proposal to be focused.
First char of the name with 0x00 value stands for the IKE proposal is
not available.
DH group :There are three groups can be selected: group 1
(MODP768), group 2 (MODP1024), group 5 (MODP1536).
Encryption algorithm :There are two algorithms can be selected:
3DES and DES.
Authentication algorithm :There are two algorithms can be
selected: SHA1 and MD5.
Life time :The unit of life time is based on the value of Life
Time Unit. If the value of unit is second, the value of life time
represents the life time of dedicated VPN tunnel between both end
gateways. Its value ranges from 300 seconds to 172,800 seconds. If the
value of unit is KB, the value of life time represents the maximum
allowable amount of transmitted packets through the dedicated VPN
tunnel between both end gateways. Its value ranges from 20,480 KBs to
2,147,483,647 KBs.
Life time unit :There are two units can be selected: second and KB.
Proposal ID :The identifier of IKE proposal can be chosen for
adding corresponding proposal to the dedicated tunnel. There are total
ten proposals can be set in the proposal pool. At most only four
proposals from the pool can be applied to the dedicated tunnel as
shown in the proposal index list.
Add to button : Click it to add the chosen proposal indicated by
proposal ID to IKE Proposal index list. The proposals in the index
list will be used in phase 1 of IKE negotiation for getting the IKSAMP
SA of dedicated tunnel.
VPN Settings - Set IPSec Proposal
IPSec Proposal index :A list of selected proposal indexes from
the IPSec proposal pool listed below. The selecting activity is
performed by selecting a proposal ID and clicking "add to" button in
the bottom of the page. There are only four indexes can be chosen for
the dedicated tunnel. Remove button beside the index list can remove
selected proposal index before.
Proposal name :It indicates which IPSec proposal to be focused.
First char of the name with 0x00 value stands for the proposal is not
available.
DH group :There are three groups can be selected: group 1
(MODP768), group 2 (MODP1024), group 5 (MODP1536). But none also can
be selected here for IPSec proposal.
Encapsulation protocol :There are two protocols can be selected:
ESP and AH.
Encryption algorithm :There are two algorithms can be selected:
3DES and DES. But when the encapsulation protocol is AH, encryption
algorithm is unnecessarily set.
Authentication algorithm :There are two algorithms can be
selected: SHA1 and MD5. But none also can be selected here for IPSec
proposal.
Life time :The unit of life time is based on the value of Life
Time Unit. If the value of unit is second, the value of life time
represents the life time of dedicated VPN tunnel between both end
gateways. Its value ranges from 300 seconds to 172,800 seconds. If the
value of unit is KB, the value of life time represents the maximum
allowable amount of transmitted packets through the dedicated VPN
tunnel between both end gateways for. Its value ranges from 20,480 KBs
to 2,147,483,647 KBs.
Life time unit :There are two units can be selected: second and KB.
Proposal ID :The identifier of IPSec proposal can be chosen for
adding the proposal to the dedicated tunnel. There are total ten
proposals can be set in the proposal pool. At most only four proposals
from the pool can be applied to the dedicated tunnel as shown in the
proposal index list.
Add to button : Click it to add the chosen proposal indicated by
proposal ID to IPSec Proposal index list. The proposals in the index
list will be used in phase 2 of IKE negotiation for getting the IPSec
SA of dedicated tunnel.
2008/6/25 Jerry Yu <jjj863 at gmail.com>:
> can you list what types of VPN servers the D-link router can serve as ?
> Other factors may affect the choice of VPN type as well,
>
> size of the user pool
> granularity of user access control
>
> On Wed, Jun 25, 2008 at 1:21 PM, Greg Freemyer <greg.freemyer at gmail.com>
> wrote:
>>
>> All,
>>
>> Is there a good VPN overview site that discusses current
>> implementations and helps decide which one is right for our needs?
>>
>> ===> background
>>
>> We have various remote users running Linux and Windows. Some from
>> permanent locations like their houses, but we also would like to
>> support people connecting in from random remote spots.
>>
>> I'm trying to research what my VPN options are. I have a basic
>> understanding of the technology, but I'm not current on the various
>> implementations.
>>
>> I'd like to come up with a solution that leverages the D-Link router
>> we have. It supports various VPN technologies, but I don't know
>> enough to know if I can get clients for any of them, or if I have to
>> have another D-Link router at the other end to establish the VPN.
>>
>> Thanks
>> Greg
>> --
>> Greg Freemyer
>> Litigation Triage Solutions Specialist
>> http://www.linkedin.com/in/gregfreemyer
>> First 99 Days Litigation White Paper -
>> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>>
>> The Norcross Group
>> The Intersection of Evidence & Technology
>> http://www.norcrossgroup.com
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
More information about the Ale
mailing list