

Appendix



A. Instructions for replaying IPSec and OpenVPN Examples

All examples in the book, together with their running environments, are packed into VMware images. All you have to do is install VMware Player on your own system. Once the images are deployed, you can start replaying the examples directly, or test variations by modifying the default config files to your own needs. If an example is damaged unexpectedly, you can simply reload its image in VMware Player to recover the initial working state.

A.1 Hardware and OS Requirements


The requirements for the VMware Player environment for replaying the example images are as follows:
Hardware
  Quantity of PCs: 1
    all the images are designed to run under one host.
  Memory: at least 4G
  Hard Disk: 20G or more
  CPU: a multiprocessor or a more powerful CPU is preferable

OS
Though the examples were fully tested only on Windows 2003, they should work under VMware Player on any operating system.

VMware player
  Download and install VMware player
  http://www.vmware.com/products/player/

A.2 Where to find the images


The catalogue of the examples in VMware images:
Chapter 5: IPSec
1. IPSec (three images)
  SSL-IPSec/
    gateway/vpn-gateway.vmx      (for IPSec gateway)
    server/intranet-server.vmx   (for server behind the gateway)
    roadwarrior/roadwarrior.vmx  (for IPSec remote client)
2. IPSec NAT-T (four images)
  OpenVPN-IPSecNAT/
    gateway/vpn-gateway-nat.vmx    (for NAT based IPSec gateway)
    server/intranet-server-nat.vmx (for server behind the gateway)
    nat-device/nat-device.vmx      (for NAT device based on iptables)
    client/vpn-client-nat.vmx      (for IPSec remote client)

Chapter 6: OpenVPN
The OpenVPN example shares the same VMware images as the IPSec NAT-T example.
  OpenVPN-IPSecNAT/
    gateway/vpn-gateway-nat.vmx    (for OpenVPN server)
    server/intranet-server-nat.vmx (for server behind the OpenVPN server)
    nat-device/nat-device.vmx      (for NAT device based on iptables)
    client/vpn-client-nat.vmx      (for remote OpenVPN client)

Notes:
There are several images: in the IPSec example, three represent the client, the gateway, and the server behind the gateway; the IPSec NAT-T and OpenVPN examples add a fourth image representing the NAT device. While replaying or testing an example, all the images belonging to that example must be loaded into VMware Player and run simultaneously.

A.3 Credentials for the examples and the operating systems

1. Authentication in the examples
PKI-based certificates are used as the primary authentication mode in both IPSec and OpenVPN. All the certificates, which are stored under the config directory, were generated with OpenSSL and are dedicated to the examples. In addition to certificates, some other auth modes are used: PSK (preshared key), and Xauth in conjunction with RSA or PSK. The following table lists the secrets used in the IPSec examples. As you would expect, these secrets are also stored in the config file ipsec.secrets on the IPSec gateway side.
  Auth mode    Username/password
  PSK          ipsec
  Xauth        vpn/ipsec

2. Credentials of the operating systems
  Operating System    Username/password
  Windows             administrator/ipsec
  Fedora              root/ipsec

A.4 Configurations and commands

A.4.1 Examples for IPSec and IPSec NAT-T
For the daemon at the gateway side
Working paths:
  Root directory:
    /usr/local/strongswan/
  Config files:
    etc/ipsec.conf                //  default config file //
    etc/ipsec.secrets             //  private key file //
  Certificate directory and files:
    etc/ipsec.d/                  //  certificate search path //
      cacerts/cacert.pem          //  root CA certificate //
      certs/fugaCert.pem          //  IPSec gateway certificate //
      private/cakey.pem           //  root CA private key //
      private/fugaKey.pem         //  IPSec gateway private key //
  Exec program:
    sbin/ipsec                    //  ipsec daemon (start/stop) program //
Running the daemon:
There are already sample config files for the other auth modes under the config
directory, as follows:
  Auth mode                 config file
    PSK:                 etc/ipsec.conf.psk
    RSA:                 etc/ipsec.conf.cert
    Xauth+PSK:           etc/ipsec.conf.xauthpsk
    Xauth+RSA:           etc/ipsec.conf.xauthrsasig
To switch to another auth mode, the corresponding sample config file must be
renamed to “ipsec.conf”, and the daemon must then be started or restarted as
shown below.
  # ipsec start                 // start daemon //
  # ipsec stop                  // stop daemon //
  # ipsec restart               // restart daemon //
Notes:
If a “command not found” error appears while executing these commands, add the
following path prefix before the command name.

  # /usr/local/strongswan/sbin/

All of the above commands can be executed either on the local Linux host or from the
remote Windows client. Using the SSH login terminal “PuTTY” on the Windows client to
access the remote Linux gateway saves you from switching back and forth between the
multiple VMware images.
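The auth-mode switch described above, written out as a small shell script. This is an added example, not a script from the book or its VMware images; it assumes the book's directory layout under /usr/local/strongswan (the root is overridable through a hypothetical STRONGSWAN_ROOT variable so the copy logic can be exercised in a scratch directory) and that the sbin/ipsec control program exists on the gateway. It keeps a backup of the previous ipsec.conf, refuses unknown modes or missing sample files, and calls the daemon by its full path so the "command not found" note does not apply.

```shell
#!/bin/sh
# Added example (not from the book): switch the strongSwan gateway to one of the
# book's sample auth modes by copying the sample config over etc/ipsec.conf,
# then restart the daemon. STRONGSWAN_ROOT is an assumed variable; it defaults
# to the book's install path.
STRONGSWAN_ROOT="${STRONGSWAN_ROOT:-/usr/local/strongswan}"

# Map the book's auth-mode names to its sample config files (table in A.4.1).
sample_for_mode() {
    case "$1" in
        psk)       echo "ipsec.conf.psk" ;;
        rsa)       echo "ipsec.conf.cert" ;;
        xauthpsk)  echo "ipsec.conf.xauthpsk" ;;
        xauthrsa)  echo "ipsec.conf.xauthrsasig" ;;
        *)         return 1 ;;
    esac
}

# Install the chosen sample as etc/ipsec.conf, keeping a backup of the previous
# one. Returns 0 on success, 1 for an unknown mode or a missing sample file.
# ipsec.secrets (PSK and private keys) is deliberately left untouched: the
# sample configs only change how the daemon authenticates, not the secrets.
select_auth_mode() {
    mode="$1"
    etc="$STRONGSWAN_ROOT/etc"
    sample=$(sample_for_mode "$mode") || {
        echo "unknown auth mode: $mode (use psk, rsa, xauthpsk or xauthrsa)" >&2
        return 1
    }
    [ -f "$etc/$sample" ] || {
        echo "sample config not found: $etc/$sample" >&2
        return 1
    }
    [ -f "$etc/ipsec.conf" ] && cp "$etc/ipsec.conf" "$etc/ipsec.conf.bak"
    cp "$etc/$sample" "$etc/ipsec.conf"
    echo "installed $sample as $etc/ipsec.conf (previous saved as ipsec.conf.bak)"
}

# Restart the daemon through its full path. Returns 2 when the control program
# is not present (e.g. when run outside the gateway image).
restart_ipsec() {
    bin="$STRONGSWAN_ROOT/sbin/ipsec"
    if [ -x "$bin" ]; then
        "$bin" restart
    else
        echo "$bin is not executable; skipping restart" >&2
        return 2
    fi
}

# Usage on the gateway:  ./switch-auth.sh xauthpsk
if [ -n "$1" ]; then
    select_auth_mode "$1" && restart_ipsec
fi
```

Run it on the gateway image as root with the mode name as the only argument; the backup lets you return to the previous configuration with a single copy if the new mode fails to negotiate.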

For the roadwarrior demos at the client side
The Shrew Soft IPSec VPN client is installed under the default directory:
  C:\Program Files\ShrewSoft\VPN Client\
There is a key subdirectory “debug” that stores all the dumped files, giving insight into the IPsec internals.
  debug/
    dump-ike-decrypt.cap:
      a binary packet dump of the decrypted IKE conversation
    dump-ike-encrypt.cap:
      a binary packet dump of the encrypted IKE conversation
    dump-ipsec-pub.cap:
      a binary packet dump of IPsec conversation
    dump-ipsec-prv.cap:
      a binary packet dump of the traffic before outbound or after inbound IPsec processing.
You can find the Shrew Soft IPSec program “Access Manager” and its trace tool “Trace Utility”
either in the Windows program groups or on the desktop. In the “Access Manager”, select the
config entry paired with the one on the gateway side to start your testing.
A.4.2 For the OpenVPN example

For the gateway side
The OpenVPN files are compiled under the directory:
  /usr/local/openvpn
The file “openvpn” is the exec program and “server.ovpn” is the config file. Run the OpenVPN
daemon in the following way:
  # cd /usr/local/openvpn/
  # ./openvpn ./server.ovpn
All of the above commands can also be executed either on the local Linux host or from a remote
Windows client by using the SSH login terminal “PuTTY”.

For the client side
OpenVPN is installed under the directory:
  c:\Program Files\OpenVPN
The config file “client.ovpn” and the authentication certificates are stored under the
subdirectory “config”. Because OpenVPN provides a GUI for Windows users, it is convenient to
switch OpenVPN on and off with a mouse click.


B. Instructions for replaying OpenSSL Example

Configuration file
The following file was used when generating the certificates used in the examples.

