Bug 240891 - [DOCUMENTATION] Unclear settings in Deployment Guide about VPNs (chapter 42.7)
[DOCUMENTATION] Unclear settings in Deployment Guide about VPNs (chapter 42.7)
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Security_Guide (Show other bugs)
6.0
All Linux
medium Severity medium
: rc
: ---
Assigned To: Scott Radvan
ecs-bugs
https://bugzilla.redhat.com/bugzilla/...
: Documentation, Reopened
Depends On:
Blocks: 237606 547583
  Show dependency treegraph
 
Reported: 2007-05-22 13:42 EDT by Răzvan Sandu
Modified: 2015-04-06 23:19 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-12 07:49:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Network diagram (71.06 KB, image/png)
2008-10-16 02:58 EDT, Răzvan Sandu
no flags Details

  None (edit)
Description Răzvan Sandu 2007-05-22 13:42:42 EDT
Description of problem:

Hello,


IMHO, there are some unclear facts in the Deployment Guide about setting an
IPsec VPN.


1. Please refer to "Figure 42.11. A network-to-network IPsec tunneled connection".
It is not clear what machines ipsec0 and ipsec1 really are. The drawing should
present the simpler case where machines gateway0 and gateway1, the default
gateways for their respective LANs, are also used for setting a tunnel between
the two networks.


2. Please refer to "Figure 42.13. Local Network Information"
It is not clear what "Local Network Gateway" field must contain if only machines
gateway0 and gateway1 do exist in the network setup.

Correspondance between the fields in the graphical tool and parameters in the
coresponding configuration file should be clearly documented.


3. It is not clear how an Internet firewall should be set up on the default
gateways if only machines gateway0 and gateway1 do exist in the network setup
(what are the requirements for this firewall, open ports, etc.). Maybe 2-3
examples are necessary: a) setup with system-config-security b) setup with
shorewall c) setup directly in iptables, from scratch.


4. Despite Nate Carlson's writings about the subject, there is no step-by-step
procedure (detailed and Red Hat supported) about setting up a road-warrior
configuration: from a Linux box (default gateway for a LAN), fixed IP address,
to some dynamic (or fixed) IP address laptop running Windows.


5. There is no mention about other type of tunnels (for example, how to
establish a GRE tunnel).


Thanks a lot,
Răzvan


Version-Release number of selected component (if applicable):
Deployment Guide for Red Hat Linux 5.


How reproducible:
Always.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
The chapter about VPNs is unclear and incomplete under some aspects.

Expected results:
Please revise chapter 42.7 and clarify the aspects mentioned above.


Additional info:
Comment 1 Don Domingo 2007-05-22 18:25:20 EDT
hi Răzvan,

can you provide the chapters and section number for each unclear point, please?
that way i can reassign this bug to the appropriate content author for processing. 

thanks!
Comment 2 Răzvan Sandu 2007-05-23 01:19:11 EDT
Hello and thanks a lot,

Of course, here they are:

Point 1 and 2 above are in section 42.7.7 of the Deployment Guide;
Point 3, 4 and 5 above refers to chapter 42.7 as a whole (the required
information must be added to the guide);
Point 4 above refers to "ipsec-tools" as well as the "openswan" packages in
distro and are also related to Nate Carlson's documentation at
http://wiki.openswan.org/index.php/Openswan/Win2K

Regards,
Răzvan
Comment 3 Răzvan Sandu 2007-05-23 02:01:10 EDT
Hello,


IMHO, here's another point of interest to underline about VPNs:


In most simple setups, network administrators usually put a single Linux box in
their LAN as a gateway. This gateway plays four roles simultaneously:


- default gateway, with NAT, to connect all LAN workstations to the Internet;

- firewall, to protect the LAN from attacks (usually with iptables & shorewall);

- tunnel final point for fixed tunnels (i.e. tunnels between company's branch
offices, which all have this type of gateway with fixed public IP addreses). The
setup is usually done using IPsec tunnels, GRE tunnels. The other gateway may be
a Linux machine, a Windows one or some other form of compatible device (Cisco
router ?)

- tunnel final point for road-warrior tunnels (i.e tunnels that connect this
(fixed) gateway from company's headquarters to various laptops that are "on the
road", allowing them to have access "inside" the LAN). These moving laptops
usually have dynamic IP addreses (in hotels, airports, Net-caffes and other
insecure places) and may run Windows or some form of Linux;

In the last situation ("road-warrior" laptops), despite security risks, users
often don't use digital certificates (mainly because the forget to purchase them
on time ;-) ) and prefer the IPsec solution with preshared key.


In the present Red Hat distro, "fixed tunnels" are usually done using the
"ipsec-tools" package, while "road-warrior tunnels" are usually handled via
"openswan". Documentation should keep in mind that these two packages must
coexist on the same gateway, without disturbing each other, also together with a
reasonably secure firewall.


I think the whole VPN chapter (42.7) in the Deployment Guide should focus on
describing this type of setup, to provide users a detailed, Red Hat supported
"recipe" about how to correctly integrate all components (NAT, firewall, fixed
and dynamic tunnels, etc.)


Regards,
Răzvan
Comment 4 Don Domingo 2007-05-23 20:57:32 EDT
thanks for your help, Răzvan.

queueing this bug for the next update.

CC'ing davido@redhat.com
Comment 5 Don Domingo 2007-05-23 20:58:03 EDT
sorry, i meant David O'Brien
Comment 6 Michael Hideo 2007-10-22 22:44:35 EDT
Removing automation notification
Comment 7 Răzvan Sandu 2008-03-02 07:15:53 EST
Hello,

In Deployment Guide, at:

https://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/s1-ipsec-net2net.html

in the picture entitled "A network-to-network IPsec tunneled connection"

it is still not clear what machines ipsec0 and ipsec1 are and how they are
connected.

IMHO, only gateway0 and gateway1 must be present. For example, gateway0 should have:

- a physical Ethernet interface (eth1) to 192.168.1.0/24
- a physical Ethernet interface (eth0) to Internet
- a virtual interface (ipsec0) dirrectly connected to the other machine
(gateway1), via a tunnel.

Please take into consideration that:

- gateway0 must run a firewall (iptables, iptables+shorewall ?) in order to
protect from Internet. How should this firewall be configured in order to allow
unrestricted traffic from LAN to the tunnel and vice-versa?

- gateway0 is SELinux-enabled. Are there any restrictions ?


Regards,
Răzvan
Comment 8 Răzvan Sandu 2008-05-16 18:08:22 EDT
Hello,

As of May 16, 2008, figure 43.11 in the Deployment Guide still presents two
supplemental machines, ipsec0 and ipsec1, the role of which is unclear.

Please see:

http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/images/n-t-n-ipsec-diagram.png

and the details in comment #7 above.

Any news about this, please ?

Regards,
Răzvan


Comment 9 Răzvan Sandu 2008-09-12 08:56:50 EDT
Hello,

IMHO, this is a longstanding documentation "bug", which leads to chapter 43.7 from the Deployment Guide being "unusable".

Please refer to Figure 43.11 from paragraph 43.7.7, here:
https://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-ipsec-net2net.html

IMHO, it is not very clear, neither, what machines ipsec0 and ipsec1 really are, nor how IP addreses (public & private) are assigned to various interfaces.

Please provide a detailed piece of documentation about the *recommended* way of establishing IPSEC tunnels in a corporate VPN.

Many thanks,
Răzvan
Comment 10 Răzvan Sandu 2008-10-16 02:58:53 EDT
Created attachment 320519 [details]
Network diagram

Please consider the situation presented in the attached network diagram (which is a simpler situation than the one in the guide) and explain how to set up an IPSec tunnel between the two LANs, including:

- how to set up the tunnel using graphical utilities;
- how to set up the tunnel by directly editing configuration files (command-line);
- how to set up firewalls (maybe shorewall ?) on the Red Hat gateways.
Comment 11 Răzvan Sandu 2009-02-17 11:52:21 EST
Hello,


Please, is this bug taken into consideration anymore ? Is is veeeery old... ;-)

After Red Hat Enterprise Linux's 5.3 announcement, the new version of the Deployment Guide was published, but the documentation problem is still unsolved.

Namely, in chapter 43.7.7 there are two pictures - IMHO, it is still unclear:

- what hosts ipsec0 and ipsec1 really are (along with the two NAT gateways);

- how such a scheme may be implemented using only two machines (gateway1 and gateway2), not four - since a very little number of networks will allow using two (physical) gateways instead of one;

- how firewalls are set up (to allow both Internet access for the workstations in the two LANs and secure private traffic through the tunnel).

Thank a lot,
Răzvan
Comment 13 RHEL Product and Program Management 2009-07-28 13:49:22 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 14 Răzvan Sandu 2009-07-30 03:06:02 EDT
Hello,

Maybe a higher-level architectural decision is to be taken here.

Maybe we should consider OpenVPN as the „standard”, *officially supported* way of setting up a tunnel in Red Hat Enterprise Linux/Fedora/CentOS (instead of IPSec). Or both.

If so, the chapter about VPNs must contain a brief manual for the new tool (which is much simpler, BTW).

As a matter of fact, OpenVPN seems unavoidable when one has to set up a „road-warrior” configuration - a dynamic IP address laptop connecting to the headquarter's gateway/LAN...

Regards,
Răzvan
Comment 15 Scott Radvan 2010-06-15 18:15:42 EDT
Hi

Yes, this is a very old bug, and updated content is now in the Security Guide. (Section 2.7). You can find it on redhat.com/docs for el6, so please review that. However, if I've understood your issue correctly...

* The ipsec0 and ipsec1 elements in the diagram *are* clearly described as IPsec routers underneath. The full details of these hosts and the gateway setup is largely implementation-specific and covering all scenarios is not possible in the scope of this document. 

* The VPN section assumes that infrastructure is already in place and the section is provided as a conceptual assistance to administrators which can be adapted to specific configurations. Unfortunately, not all situations can be fully described, however, a host-to-host connection (using only 2 machines) is already described in 2.7.6.

* From your suggestion, I have now added sections which remind the administrator that the firewall should be configured to allow required VPN data. The following section goes into further detail on how to run, change and apply firewall rules with system-config-firewall.


Thoughts?
Comment 17 Răzvan Sandu 2010-06-21 05:46:15 EDT
Hello and thanks,

IMHO, the picture at:

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Security_Guide/sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration.html

(Figure 2.11, 2.12)

it's unclear by itself.


What I've meant by "using only 2 machines" is that too few administrators will configure *two* machines in each network (i.e. gateway0 and ipsec0 for LAN1, gateway1 and ipsec1 for LAN2).

IMHO, the guide should answer to the following questions:

1. It is possible to establish an IPSEC VPN between LAN1 and LAN2 using just *one* gateway per LAN (that will concentrate the functions of gatewayX and ipsecX in each LAN) ?


2. If the answer is yes, how we will configure that (IP addreses, where to put them)? How do we relate to Figure 2.13 in that situation


3. Are other types of VPNs officially supported (such as OpenVPN) ? How to configure them ?


4. Is it possible to use IPSec for road-warrior VPNs (such as a laptop with dynamic IP adddress connectint to the company's headquarter, fixed IP address) ?


5. Are these IPSEC VPNs interoperable with other manufacturer equipments, such as Cisco, or we will end up in needing two identical Red Hat Enterprise routers at each end of the VPN ? This would be a serious limitation...


Thanks a lot,
Razvan
Comment 18 Scott Radvan 2010-06-21 17:12:54 EDT
Thanks for the update. I'm setting this bug to NEEDINFO as I can't answer these questions for you myself.
Comment 19 Tomas Mraz 2010-06-23 15:43:01 EDT
Re 1. It is definitely possible. For the detailed setup Avesh should give you answers as he is the maintainer of the OpenSWAN IPSEC package which is the only supported VPN technology currently in RHEL-6.

Re 2. and 3. - see above.

4. It is possible too, although the OpenSWAN is still quite hard to configure in this use-case - this should get better with the NetworkManager-openswan plugin.

5. It should be possible too, it depends on the actual settings of the Ciscos. I am also not sure whether the latest developments in the Cisco - OpenSWAN interoperability are already in the RHEL-6 package. Avesh should give you the details.
Comment 20 Avesh Agarwal 2010-06-23 16:07:35 EDT
(In reply to comment #17)
> Hello and thanks,
> 
> IMHO, the picture at:
> 
> http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Security_Guide/sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration.html
> 
> (Figure 2.11, 2.12)
> 
> it's unclear by itself.
> 
> 
> What I've meant by "using only 2 machines" is that too few administrators will
> configure *two* machines in each network (i.e. gateway0 and ipsec0 for LAN1,
> gateway1 and ipsec1 for LAN2).
> 
> IMHO, the guide should answer to the following questions:
> 
> 1. It is possible to establish an IPSEC VPN between LAN1 and LAN2 using just
> *one* gateway per LAN (that will concentrate the functions of gatewayX and
> ipsecX in each LAN) ?
> 
> 
It is possible with Openswan (IPsec). For gateway-gateway (or net-to-net) connections, you just need one gateway per LAN.

> 2. If the answer is yes, how we will configure that (IP addreses, where to put
> them)? How do we relate to Figure 2.13 in that situation
> 
> 
Assume that the scenario is as follows:
LAN1---gw1-----internet---gw2---LAN2

An example IP address scheme is as follows:
LAN1(10.1.0.x/24)---(10.1.0.1)gw1(11.0.0.1)-----internet---(21.0.0.1)gw2(10.2.0.1)-(10.2.0.x/24)LAN2

On gw1, one needs to configure /etc/ipsec.d/ipsec.conf:

conn gw1-gw2
  left=11.0.0.1
  leftsubnet=10.1.0.0/24
  right=21.0.0.1
  rightsubnet=10.2.0.0/24 
  authby=secret  (assuming PSK is used)
  ike=aes-sha1   (assuming aes-sha1 is used with IKE)
  esp=aes-sha1   (assuming aes-sha1 is used with IPsec's quick mode)

on gw1, one needs to configure /etc/ipsec.d/ipsec.secrets:
11.0.0.1 21.0.0.1 : PSK "testsecret"

On gw2, these same files needs to be configured in a similar way.

For details, please "man ipsec.conf".

> 3. Are other types of VPNs officially supported (such as OpenVPN) ? How to
> configure them ?
> 
OpenVPN is not supported in RHEL6, Openswan is the only VPN solution in RHEL6.

> 
> 4. Is it possible to use IPSec for road-warrior VPNs (such as a laptop with
> dynamic IP adddress connectint to the company's headquarter, fixed IP address)
> ?
> 
Yes that is possible. I have tested this with Cisco VPN servers.

> 
> 5. Are these IPSEC VPNs interoperable with other manufacturer equipments, such
> as Cisco, or we will end up in needing two identical Red Hat Enterprise routers
> at each end of the VPN ? This would be a serious limitation...
> 

As far as I know, if the other manufacturer's equipment is following standard IPsec, then it is always possible to interoperate with Openswan. I have seen it working with Cisco, and Windows, not sure about others.

> 
> Thanks a lot,
> Razvan    

Thanks and Regards
Avesh
Comment 21 Răzvan Sandu 2010-06-24 07:49:03 EDT
Thanks A LOT !


1. Since this scenario - linking two networks via a VPN, with just ONE gateway/network - is by far the most common case, could you please include Avesh's explanation in the official Security Guide, in the corresponding chapter about VPNs ?


2. Could you please add more details about setting a road-warrior configuration ?
Typical case here would be a *Windows* machine (say a laptop with dynamic IP address) connecting to fixed-IP Red Hat corporate gateway (to all computers behind that gateway).


Thanks again,
Răzvan
Comment 23 Scott Radvan 2010-07-06 20:04:17 EDT
* This section from the Security Guide explains that the functions can be on a single host:

"The IPsec router and the gateway for the subnet can be a single system with two network devices: one with a public IP address that acts as the IPsec router; and one with a private IP address that acts as the gateway for the private subnet. This allows for a single gateway for each LAN, and each IPsec router can use the gateway for its private network or a public gateway to send the packets to the other IPsec router."

* I have added Avesh's VPN example:

"Suppose LAN A and LAN B connect to each other through an IPsec tunnel. The network address range for LAN A is 10.1.0.x/24 and its gateway (gw1) has an internal address of 10.1.0.1 and an external address of 11.0.0.1. LAN B uses 10.2.0.x/24 for its network address range. The gateway for LAN B (gw2) has an internal address of 10.2.0.1 and an external address of 21.0.0.1.
On gw1, one needs to configure /etc/ipsec.d/ipsec.conf as follows:

conn gw1-gw2
  left=11.0.0.1
  leftsubnet=10.1.0.0/24
  right=21.0.0.1
  rightsubnet=10.2.0.0/24 
  authby=secret  (assuming PSK is used)
  ike=aes-sha1   (assuming aes-sha1 is used with IKE)
  esp=aes-sha1   (assuming aes-sha1 is used with IPsec's quick mode)

Also on gw1, configure /etc/ipsec.d/ipsec.secrets with the following:

11.0.0.1 21.0.0.1 : PSK "testsecret"

On gw2, these same files should also be configured in a similar way to mirror the connection. For more details, please see the ipsec.conf manual page.""

--

These changes will appear on the next publish.

Răzvan, for further details, you will find VPN configuration for a "road-warrior" connecting through NetworkManager from GNOME, to a RHEL system, in the Deployment Guide, which is still under development.

We are unable to provide documentation for Windows systems, even as a client to a RHEL system.

Please review this content. I hope it resolves your requests?
Comment 24 Răzvan Sandu 2010-07-12 04:39:20 EDT
Thanks, it is OK for me. :) I hope other people will provide future ideas.

I'll close this bug for now, if Bugzilla would let me to (permissions). :-)
Comment 25 Scott Radvan 2010-07-12 07:49:33 EDT
closing bug

Note You need to log in before you can comment on or make changes to this bug.