Wednesday, January 5, 2005

IPsec VPN

I've been given the task of joining two separate companies through the internet over an IPsec VPN. I have been working with PPTP VPNs and have been very impressed with IPsec. Luckily, I don't have to work with the Microsoft standard L2TP. IPsec is difficult and elegant enough without having to see how Microsoft broke with standards.

I've tried working with Debian to get IPsec. I started working under the testing branch (Sarge) because I knew it was close to release. Unfortunately, the Openswan and FreeS/WAN modules are broken. I then tried the new 2.6 kernel IPsec with racoon and racoon-tools, which worked amazingly well. The only problem was that Shorewall couldn't deal with the new pseudo-interfaces (not ipsec0) in the stable version. In order to work with the beta version (again scheduled for release soon), I would need to start installing more beta software into the kernel, which I wasn't comfortable doing.

My next step was to try a distribution that was new to me, called IPCop. The newest stable version installed like a champ, and it seems to have regular updates. I also liked the idea that only the minimum would be installed for a firewall system. Under Debian, there is always a chance I will install something unnecessary and decrease the security by human error. Setting up the VPN tunnel was even easier under this distribution. (Not as easy as other systems; IPsec really takes some new knowledge and thinking.)

Unfortunately, I quickly ran into the limitations of IPCop. I wanted to set up a pretty complex network-to-network connection that only allowed specific traffic between a semi-secure network and the private network. I also wanted to include some static NAT solutions that would allow our other networks access to the new machines. This could be done under Shorewall, but IPCop has a set design built around its Green (private network), Blue (wireless network), Orange (DMZ network), and Red (public internet) networks. I could insert the VPN into the Blue network, but I couldn't communicate from Blue to Green, which is by design. The design does allow Green to communicate with Blue normally, except for VPN connections.
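What the "only specific traffic plus static NAT" design looks like on the Shorewall side, as an added example that is not from the original post and not IPCop or Shorewall project code. It assumes the Shorewall 1.4/2.x column layout with FreeS/WAN's KLIPS ipsec0 interface (the Woody setup the post is moving to), eth0 toward the internet, eth1 toward the private (Green-equivalent) network 192.168.1.0/24, a remote semi-secure network 10.2.0.0/24 behind the other company's gateway 203.0.113.10, and the hosts 192.168.1.10, 10.2.0.20 and the alias 192.168.1.200; every address and port here is made up for illustration.

```conf
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Private network (the IPCop "Green" role)
vpn     VPN       Remote semi-secure network reached over IPsec

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918
loc     eth1        detect
vpn     ipsec0                  # FreeS/WAN KLIPS pseudo-interface (assumed)

# /etc/shorewall/tunnels
# Let IKE (UDP 500) and ESP from the remote gateway reach the firewall itself;
# without this the tunnel never comes up because the net zone is default-deny.
#TYPE   ZONE   GATEWAY          GATEWAY ZONE
ipsec   net    203.0.113.10

# /etc/shorewall/policy
# Default-deny in both directions between the VPN and everything else;
# the rules file opens only the specific flows that are wanted.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
vpn      all    DROP     info
loc      vpn    DROP     info
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
#ACTION  SOURCE              DEST               PROTO  DEST PORT(S)
# Remote semi-secure hosts may reach only the database on one private host.
ACCEPT   vpn:10.2.0.0/24     loc:192.168.1.10   tcp    3306
# Admins on the private network may SSH to the new machine on the remote side.
ACCEPT   loc:192.168.1.0/24  vpn:10.2.0.20      tcp    22
# Echo request both ways keeps the tunnel debuggable with ping.
ACCEPT   loc                 vpn                icmp   8
ACCEPT   vpn                 loc                icmp   8

# /etc/shorewall/nat
# Static (one-to-one) NAT: 192.168.1.200 on eth1 stands in for the remote host
# 10.2.0.20, so hosts on the inside reach the new machine by a local address
# instead of needing a route to 10.2.0.0/24. Needs ADD_IP_ALIASES=Yes in
# shorewall.conf so the firewall answers for the alias. The filter rules above
# still apply after the DNAT, so only port 22 gets through.
#EXTERNAL       INTERFACE   INTERNAL     ALL INTERFACES   LOCAL
192.168.1.200   eth1        10.2.0.20    no               no
```

Two things the firewall files do not decide: which subnets enter the tunnel at all is set by the leftsubnet/rightsubnet of the conn in ipsec.conf, and Shorewall only filters what the IPsec policy has already admitted, so both sides must agree or the packets are silently dropped before any rule is logged. The ipsec0 interface line is exactly what is missing with the 2.6 native stack the post tried first, where decrypted traffic shows up on the real interface instead; later Shorewall releases handle that case through an ipsec option in the hosts file rather than an interface entry.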

Now I am going to save the IPCop settings to floppy and install Debian Woody, since I can trust that if Openswan and FreeS/WAN are in stable, the Debian developers have made sure that all the pieces work together. I will miss using Webmin to set up Shorewall, but I think this is the best solution.