Bug 240891

hi Răzvan,

can you provide the chapters and section number for each unclear point, please?
that way i can reassign this bug to the appropriate content author for processing. 

thanks!

Hello and thanks a lot,

Of course, here they are:

Point 1 and 2 above are in section 42.7.7 of the Deployment Guide;
Point 3, 4 and 5 above refers to chapter 42.7 as a whole (the required
information must be added to the guide);
Point 4 above refers to "ipsec-tools" as well as the "openswan" packages in
distro and are also related to Nate Carlson's documentation at
http://wiki.openswan.org/index.php/Openswan/Win2K

Regards,
Răzvan

Hello,


IMHO, here's another point of interest to underline about VPNs:


In most simple setups, network administrators usually put a single Linux box in
their LAN as a gateway. This gateway plays four roles simultaneously:


- default gateway, with NAT, to connect all LAN workstations to the Internet;

- firewall, to protect the LAN from attacks (usually with iptables & shorewall);

- tunnel final point for fixed tunnels (i.e. tunnels between company's branch
offices, which all have this type of gateway with fixed public IP addreses). The
setup is usually done using IPsec tunnels, GRE tunnels. The other gateway may be
a Linux machine, a Windows one or some other form of compatible device (Cisco
router ?)

- tunnel final point for road-warrior tunnels (i.e tunnels that connect this
(fixed) gateway from company's headquarters to various laptops that are "on the
road", allowing them to have access "inside" the LAN). These moving laptops
usually have dynamic IP addreses (in hotels, airports, Net-caffes and other
insecure places) and may run Windows or some form of Linux;

In the last situation ("road-warrior" laptops), despite security risks, users
often don't use digital certificates (mainly because the forget to purchase them
on time ;-) ) and prefer the IPsec solution with preshared key.


In the present Red Hat distro, "fixed tunnels" are usually done using the
"ipsec-tools" package, while "road-warrior tunnels" are usually handled via
"openswan". Documentation should keep in mind that these two packages must
coexist on the same gateway, without disturbing each other, also together with a
reasonably secure firewall.


I think the whole VPN chapter (42.7) in the Deployment Guide should focus on
describing this type of setup, to provide users a detailed, Red Hat supported
"recipe" about how to correctly integrate all components (NAT, firewall, fixed
and dynamic tunnels, etc.)


Regards,
Răzvan

thanks for your help, Răzvan.

queueing this bug for the next update.

CC'ing davido

sorry, i meant David O'Brien

Removing automation notification

Hello,

In Deployment Guide, at:

https://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/s1-ipsec-net2net.html

in the picture entitled "A network-to-network IPsec tunneled connection"

it is still not clear what machines ipsec0 and ipsec1 are and how they are
connected.

IMHO, only gateway0 and gateway1 must be present. For example, gateway0 should have:

- a physical Ethernet interface (eth1) to 192.168.1.0/24
- a physical Ethernet interface (eth0) to Internet
- a virtual interface (ipsec0) dirrectly connected to the other machine
(gateway1), via a tunnel.

Please take into consideration that:

- gateway0 must run a firewall (iptables, iptables+shorewall ?) in order to
protect from Internet. How should this firewall be configured in order to allow
unrestricted traffic from LAN to the tunnel and vice-versa?

- gateway0 is SELinux-enabled. Are there any restrictions ?


Regards,
Răzvan

Hello,

As of May 16, 2008, figure 43.11 in the Deployment Guide still presents two
supplemental machines, ipsec0 and ipsec1, the role of which is unclear.

Please see:

http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/images/n-t-n-ipsec-diagram.png

and the details in comment #7 above.

Any news about this, please ?

Regards,
Răzvan

Hello,

IMHO, this is a longstanding documentation "bug", which leads to chapter 43.7 from the Deployment Guide being "unusable".

Please refer to Figure 43.11 from paragraph 43.7.7, here:
https://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-ipsec-net2net.html

IMHO, it is not very clear, neither, what machines ipsec0 and ipsec1 really are, nor how IP addreses (public & private) are assigned to various interfaces.

Please provide a detailed piece of documentation about the *recommended* way of establishing IPSEC tunnels in a corporate VPN.

Many thanks,
Răzvan

Created attachment 320519 [details]
Network diagram

Please consider the situation presented in the attached network diagram (which is a simpler situation than the one in the guide) and explain how to set up an IPSec tunnel between the two LANs, including:

- how to set up the tunnel using graphical utilities;
- how to set up the tunnel by directly editing configuration files (command-line);
- how to set up firewalls (maybe shorewall ?) on the Red Hat gateways.

Hello,


Please, is this bug taken into consideration anymore ? Is is veeeery old... ;-)

After Red Hat Enterprise Linux's 5.3 announcement, the new version of the Deployment Guide was published, but the documentation problem is still unsolved.

Namely, in chapter 43.7.7 there are two pictures - IMHO, it is still unclear:

- what hosts ipsec0 and ipsec1 really are (along with the two NAT gateways);

- how such a scheme may be implemented using only two machines (gateway1 and gateway2), not four - since a very little number of networks will allow using two (physical) gateways instead of one;

- how firewalls are set up (to allow both Internet access for the workstations in the two LANs and secure private traffic through the tunnel).

Thank a lot,
Răzvan

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Hello,

Maybe a higher-level architectural decision is to be taken here.

Maybe we should consider OpenVPN as the „standard”, *officially supported* way of setting up a tunnel in Red Hat Enterprise Linux/Fedora/CentOS (instead of IPSec). Or both.

If so, the chapter about VPNs must contain a brief manual for the new tool (which is much simpler, BTW).

As a matter of fact, OpenVPN seems unavoidable when one has to set up a „road-warrior” configuration - a dynamic IP address laptop connecting to the headquarter's gateway/LAN...

Regards,
Răzvan

Hi

Yes, this is a very old bug, and updated content is now in the Security Guide. (Section 2.7). You can find it on redhat.com/docs for el6, so please review that. However, if I've understood your issue correctly...

* The ipsec0 and ipsec1 elements in the diagram *are* clearly described as IPsec routers underneath. The full details of these hosts and the gateway setup is largely implementation-specific and covering all scenarios is not possible in the scope of this document. 

* The VPN section assumes that infrastructure is already in place and the section is provided as a conceptual assistance to administrators which can be adapted to specific configurations. Unfortunately, not all situations can be fully described, however, a host-to-host connection (using only 2 machines) is already described in 2.7.6.

* From your suggestion, I have now added sections which remind the administrator that the firewall should be configured to allow required VPN data. The following section goes into further detail on how to run, change and apply firewall rules with system-config-firewall.


Thoughts?

Hello and thanks,

IMHO, the picture at:

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Security_Guide/sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration.html

(Figure 2.11, 2.12)

it's unclear by itself.


What I've meant by "using only 2 machines" is that too few administrators will configure *two* machines in each network (i.e. gateway0 and ipsec0 for LAN1, gateway1 and ipsec1 for LAN2).

IMHO, the guide should answer to the following questions:

1. It is possible to establish an IPSEC VPN between LAN1 and LAN2 using just *one* gateway per LAN (that will concentrate the functions of gatewayX and ipsecX in each LAN) ?


2. If the answer is yes, how we will configure that (IP addreses, where to put them)? How do we relate to Figure 2.13 in that situation


3. Are other types of VPNs officially supported (such as OpenVPN) ? How to configure them ?


4. Is it possible to use IPSec for road-warrior VPNs (such as a laptop with dynamic IP adddress connectint to the company's headquarter, fixed IP address) ?


5. Are these IPSEC VPNs interoperable with other manufacturer equipments, such as Cisco, or we will end up in needing two identical Red Hat Enterprise routers at each end of the VPN ? This would be a serious limitation...


Thanks a lot,
Razvan

Thanks for the update. I'm setting this bug to NEEDINFO as I can't answer these questions for you myself.

Re 1. It is definitely possible. For the detailed setup Avesh should give you answers as he is the maintainer of the OpenSWAN IPSEC package which is the only supported VPN technology currently in RHEL-6.

Re 2. and 3. - see above.

4. It is possible too, although the OpenSWAN is still quite hard to configure in this use-case - this should get better with the NetworkManager-openswan plugin.

5. It should be possible too, it depends on the actual settings of the Ciscos. I am also not sure whether the latest developments in the Cisco - OpenSWAN interoperability are already in the RHEL-6 package. Avesh should give you the details.

(In reply to comment #17)
> Hello and thanks,
> 
> IMHO, the picture at:
> 
> http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Security_Guide/sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration.html
> 
> (Figure 2.11, 2.12)
> 
> it's unclear by itself.
> 
> 
> What I've meant by "using only 2 machines" is that too few administrators will
> configure *two* machines in each network (i.e. gateway0 and ipsec0 for LAN1,
> gateway1 and ipsec1 for LAN2).
> 
> IMHO, the guide should answer to the following questions:
> 
> 1. It is possible to establish an IPSEC VPN between LAN1 and LAN2 using just
> *one* gateway per LAN (that will concentrate the functions of gatewayX and
> ipsecX in each LAN) ?
> 
> 
It is possible with Openswan (IPsec). For gateway-gateway (or net-to-net) connections, you just need one gateway per LAN.

> 2. If the answer is yes, how we will configure that (IP addreses, where to put
> them)? How do we relate to Figure 2.13 in that situation
> 
> 
Assume that the scenario is as follows:
LAN1---gw1-----internet---gw2---LAN2

An example IP address scheme is as follows:
LAN1(10.1.0.x/24)---(10.1.0.1)gw1(11.0.0.1)-----internet---(21.0.0.1)gw2(10.2.0.1)-(10.2.0.x/24)LAN2

On gw1, one needs to configure /etc/ipsec.d/ipsec.conf:

conn gw1-gw2
  left=11.0.0.1
  leftsubnet=10.1.0.0/24
  right=21.0.0.1
  rightsubnet=10.2.0.0/24 
  authby=secret  (assuming PSK is used)
  ike=aes-sha1   (assuming aes-sha1 is used with IKE)
  esp=aes-sha1   (assuming aes-sha1 is used with IPsec's quick mode)

on gw1, one needs to configure /etc/ipsec.d/ipsec.secrets:
11.0.0.1 21.0.0.1 : PSK "testsecret"

On gw2, these same files needs to be configured in a similar way.

For details, please "man ipsec.conf".

> 3. Are other types of VPNs officially supported (such as OpenVPN) ? How to
> configure them ?
> 
OpenVPN is not supported in RHEL6, Openswan is the only VPN solution in RHEL6.

> 
> 4. Is it possible to use IPSec for road-warrior VPNs (such as a laptop with
> dynamic IP adddress connectint to the company's headquarter, fixed IP address)
> ?
> 
Yes that is possible. I have tested this with Cisco VPN servers.

> 
> 5. Are these IPSEC VPNs interoperable with other manufacturer equipments, such
> as Cisco, or we will end up in needing two identical Red Hat Enterprise routers
> at each end of the VPN ? This would be a serious limitation...
> 

As far as I know, if the other manufacturer's equipment is following standard IPsec, then it is always possible to interoperate with Openswan. I have seen it working with Cisco, and Windows, not sure about others.

> 
> Thanks a lot,
> Razvan    

Thanks and Regards
Avesh

Thanks A LOT !


1. Since this scenario - linking two networks via a VPN, with just ONE gateway/network - is by far the most common case, could you please include Avesh's explanation in the official Security Guide, in the corresponding chapter about VPNs ?


2. Could you please add more details about setting a road-warrior configuration ?
Typical case here would be a *Windows* machine (say a laptop with dynamic IP address) connecting to fixed-IP Red Hat corporate gateway (to all computers behind that gateway).


Thanks again,
Răzvan

* This section from the Security Guide explains that the functions can be on a single host:

"The IPsec router and the gateway for the subnet can be a single system with two network devices: one with a public IP address that acts as the IPsec router; and one with a private IP address that acts as the gateway for the private subnet. This allows for a single gateway for each LAN, and each IPsec router can use the gateway for its private network or a public gateway to send the packets to the other IPsec router."

* I have added Avesh's VPN example:

"Suppose LAN A and LAN B connect to each other through an IPsec tunnel. The network address range for LAN A is 10.1.0.x/24 and its gateway (gw1) has an internal address of 10.1.0.1 and an external address of 11.0.0.1. LAN B uses 10.2.0.x/24 for its network address range. The gateway for LAN B (gw2) has an internal address of 10.2.0.1 and an external address of 21.0.0.1.
On gw1, one needs to configure /etc/ipsec.d/ipsec.conf as follows:

conn gw1-gw2
  left=11.0.0.1
  leftsubnet=10.1.0.0/24
  right=21.0.0.1
  rightsubnet=10.2.0.0/24 
  authby=secret  (assuming PSK is used)
  ike=aes-sha1   (assuming aes-sha1 is used with IKE)
  esp=aes-sha1   (assuming aes-sha1 is used with IPsec's quick mode)

Also on gw1, configure /etc/ipsec.d/ipsec.secrets with the following:

11.0.0.1 21.0.0.1 : PSK "testsecret"

On gw2, these same files should also be configured in a similar way to mirror the connection. For more details, please see the ipsec.conf manual page.""

--

These changes will appear on the next publish.

Răzvan, for further details, you will find VPN configuration for a "road-warrior" connecting through NetworkManager from GNOME, to a RHEL system, in the Deployment Guide, which is still under development.

We are unable to provide documentation for Windows systems, even as a client to a RHEL system.

Please review this content. I hope it resolves your requests?

Thanks, it is OK for me. :) I hope other people will provide future ideas.

I'll close this bug for now, if Bugzilla would let me to (permissions). :-)

closing bug