Bug 746170 - Security Guide: no configuration example provided about VPNs
Summary: Security Guide: no configuration example provided about VPNs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Security_Guide
Version: 6.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 6.6
Assignee: Stephen Wadeley
QA Contact: Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks: 962365
 
Reported: 2011-10-14 08:19 UTC by Răzvan Sandu
Modified: 2015-04-21 12:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 962365 (view as bug list)
Environment:
Last Closed: 2015-04-21 12:19:43 UTC
Target Upstream Version:



Description Răzvan Sandu 2011-10-14 08:19:32 UTC
Description of problem:

Please provide a configuration example for setting up a VPN between two private LANs (say 192.168.1.0/24 and 192.168.2.0/24) via Internet, when their NAT routers/default gateways/firewalls are Red Hat Enterprise Linux 6.x boxes.

Please see Chapter 2.4 in the Security Guide.

Version-Release number of selected component (if applicable):
Security Guide for Red Hat Enterprise Linux 6.2 Beta (as of October 14th, 2011)

Best regards,
Răzvan

Comment 6 Stephen Wadeley 2013-10-01 14:13:08 UTC
Hello Răzvan

Just to let you know we decided to use this bug to track the work in documenting Openswan to implement your, and other, examples.

Thank you for raising the bug.

Regards
Stephen

Comment 7 Răzvan Sandu 2013-10-02 12:10:36 UTC
Hello, Stephen,

... and thanks for your interest in the matter!  :)

IMHO, since many people use Red Hat-based machines as routers and gateways, the VPN part tends to become a guide of its own (please see an external example http://docs.fortinet.com/fgt/handbook/50/fortigate-ipsec-50.pdf)


Here's a rough schema (draft), in order to treat things in an organised manner:


1. Overview on VPN networks (definition, generalities)
2. Types of VPNs
   2a. PPTP tunnels (dial-up)
   2b. GRE tunnels
   2c. IPSec tunnels
     2c.1 tunnel mode
     2c.2 transport mode
   2d. SSL tunnels (OpenVPN type)
   2e. Recommendations on types of VPNs, depending on actual application (supported, unsupported by Red Hat, typical bandwidth performance, reliability)
3. VPN's interaction with firewalls
   3a. standard ports to be opened (for each VPN type)
   3b. interaction with Red Hat's default firewall system
   3c. interaction with other popular firewall systems (such as Shorewall)
4. VPN's interaction with Red Hat's network subsystem
   4a. the „network” service (manual editing of files under /etc/sysconfig)
   4b. the „NetworkManager” service (Network Manager plugins and various RPM packages for them)
   4c. starting tunnels automatically (at boot)
5. Configuring PPTP tunnels
   5a. Needed RPM packages for PPTP tunnels
   5b. Red Hat acting as PPTP server in site-to-site
   5c. Red Hat acting as PPTP client in site-to-site
   5d. Red Hat acting as PPTP server to GNU/Linux roadwarrior
   5e. Red Hat acting as PPTP server to Windows roadwarrior
   5f. PPTP tunnels traversing gateways (NAT+firewall)
   5g. Testing and troubleshooting PPTP tunnels
6. Configuring GRE tunnels
   6a. Needed RPM packages for GRE tunnels
   6b. site-to-site GRE tunnels
   6c. GRE tunnels traversing gateways (NAT+firewall)
   6d. Testing and troubleshooting GRE tunnels
7. Configuring IPSec tunnels
   7a. Necessary packages from Red Hat repos: ipsec-tools, Openswan, Strongswan
   7b. IKEv1 scenario (when the remote party imposes IKEv1, such as Windows XP)
   7c. IKEv2 scenario
   7d. Red Hat as IPSec server to GNU/Linux roadwarriors
   7e. Red Hat as IPSec server to Windows roadwarriors (Windows XP - IKEv1, Windows Vista or newer – IKEv2)
   7f. Testing and troubleshooting IPSec tunnels
8. Configuring SSL tunnels
   8a. Needed RPM packages for SSL tunnels
   8b. Red Hat gateways, site-to-site, using OpenVPN
   8c. roadwarrior-to-site using OpenVPN on Red Hat as server
     8c.1 GNU/Linux clients
     8c.2 Windows clients
   8d. roadwarrior-to-site using OpenVPN on Red Hat as client and other platform as server (Windows, Cisco, FortiGate, Vyatta, etc.)
   8e. SSL tunnels traversing gateways (NAT+firewall)
   8f. Testing and troubleshooting SSL tunnels
9. Routing through tunnels (various types)
   9a. using static routes on gateways
   9b. using Quagga on gateways
10. Practical, real-world examples of VPNs (including routing, firewalls, etc.)
   10.1 site-to-site with both Red Hat gateways
   10.2 roadwarrior-to-site using Red Hat as server
   10.3 roadwarrior-to-site using Red Hat as client
   10.4 hub-and-spokes corporate VPN
   10.5 site-to-site with Red Hat and other platform gateway (such as Cisco, Vyatta or FortiGate)


Best regards,
Răzvan

Comment 8 Paul Wouters 2013-10-02 14:19:09 UTC
Please remove PPTP from the list of VPN software. It has been completely and utterly broken, and the recent PRISM revelations have shown the NSA simply decrypts all PPTP traffic. PPTP should _only_ be used when needed for connecting to an ISP. It should never _ever_ be used for encryption/VPN.

Comment 11 Răzvan Sandu 2013-10-03 07:47:41 UTC
Hello,


@Paul Wouters:

While I TOTALLY agree with you regarding privacy matters, the lack of documentation won't stop people from using PPTP. The lack of proper documentation only creates obscurity, uncertainty and bad days for admins.

While undesirable, PPTP *is* required in some situations. For example, a few governmental sites and banks in my country still use PPTP tunnels (mainly designed and supported for Windows XP clients) that remotely access some private facility of the site. These are client-initiated tunnels, passing through the corporate firewall to the bank's website. It's likely that this state of facts won't change very soon, so having good support for PPTP will allow a Red Hat client to compete (i.e. be usable) in such a conservative corporate environment.

Another scenario involves Windows XP laptops (roadwarriors) that wish to access the corporate HQ. While the use of a good IPSec client would be highly advisable, some roadwarrior laptops are not previously prepared by the sysadmin (and the end users are totally unable to install an IPSec client themselves). So the only possible way is to use the PPTP client integrated in Windows XP.

BTW, including in the guide a few recommendations for good VPN clients for roadwarriors using other platforms (such as Windows XP, Windows 7&8, MacOS, Android, iOS, Blackberry, etc.) would be highly advisable.


@Stephen Wadeley

Thanks :)  Should the final users use Strongswan or Openswan on RHEL 6.x? It's mainly IKEv1 vs. IKEv2...


Best regards,
Răzvan

Comment 12 Stephen Wadeley 2013-10-03 08:09:33 UTC
Hello Răzvan

For Red Hat Enterprise Linux 6.5, you should use Openswan for IPsec VPN.


As per #c6 this bug is about documenting Openswan. We decided that because you had raised another bug about documenting OpenVPN. That bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=746173

Thank you
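The site-to-site case from the description (192.168.1.0/24 and 192.168.2.0/24, each behind a RHEL 6 gateway), written up with Openswan as comment 12 recommends. This is an added example, not configuration from the Security Guide, from the Openswan project, or from anyone in this bug. The public gateway addresses 203.0.113.1 and 198.51.100.1 are assumed placeholders from the RFC 5737 documentation ranges, the connection name lan1-to-lan2 is arbitrary, and the script assumes the stock RHEL 6 /etc/ipsec.conf and /etc/ipsec.secrets, which include /etc/ipsec.d/*.conf and /etc/ipsec.d/*.secrets.

```shell
#!/bin/bash
# Added example (not from the Security Guide, Openswan or this bug): Openswan
# site-to-site IPsec tunnel between two RHEL 6 gateways.  The public addresses
# are constructed RFC 5737 documentation values; replace them with the real
# gateway IPs before use.
set -eu

LEFT_PUBLIC="203.0.113.1"     # assumed public IP of the 192.168.1.0/24 gateway
LEFT_LAN="192.168.1.0/24"
RIGHT_PUBLIC="198.51.100.1"   # assumed public IP of the 192.168.2.0/24 gateway
RIGHT_LAN="192.168.2.0/24"
CONN_NAME="lan1-to-lan2"      # arbitrary connection name

# Connection stanza for /etc/ipsec.d/$CONN_NAME.conf (Openswan syntax).
# The same stanza is installed unchanged on both gateways: Openswan decides
# which side is "left" and which is "right" from the local interface addresses.
ipsec_conn_stanza() {
    cat <<EOF
conn $CONN_NAME
    type=tunnel
    authby=secret
    left=$LEFT_PUBLIC
    leftsubnet=$LEFT_LAN
    right=$RIGHT_PUBLIC
    rightsubnet=$RIGHT_LAN
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    pfs=yes
    auto=start
EOF
}

# Pre-shared-key line for /etc/ipsec.d/$CONN_NAME.secrets.  $1 is the PSK:
# generate it once (e.g. openssl rand -base64 48) and copy the same value to
# the other gateway over a channel that is already trusted.
ipsec_secret_line() {
    printf '%s %s : PSK "%s"\n' "$LEFT_PUBLIC" "$RIGHT_PUBLIC" "$1"
}

# iptables rules for one gateway ($1 is "left" or "right"): accept IKE
# (udp/500), NAT-T (udp/4500) and ESP from the peer only, and exempt
# LAN-to-LAN traffic from masquerading so it enters the tunnel unchanged.
firewall_rules() {
    local peer local_lan remote_lan
    case "$1" in
        left)  peer=$RIGHT_PUBLIC; local_lan=$LEFT_LAN;  remote_lan=$RIGHT_LAN ;;
        right) peer=$LEFT_PUBLIC;  local_lan=$RIGHT_LAN; remote_lan=$LEFT_LAN ;;
        *) echo "usage: firewall_rules left|right" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -I INPUT -p udp -s $peer --dport 500 -j ACCEPT
iptables -I INPUT -p udp -s $peer --dport 4500 -j ACCEPT
iptables -I INPUT -p esp -s $peer -j ACCEPT
iptables -t nat -I POSTROUTING -s $local_lan -d $remote_lan -j ACCEPT
EOF
}

# Write both files under IPSEC_DIR (default /etc/ipsec.d).  The secrets file
# is created with mode 0600: whoever can read the PSK can impersonate either
# gateway.  $1 is the PSK.  Run as root on each gateway.
install_config() {
    local dir="${IPSEC_DIR:-/etc/ipsec.d}"
    ipsec_conn_stanza > "$dir/$CONN_NAME.conf"
    (umask 077; ipsec_secret_line "$1" > "$dir/$CONN_NAME.secrets")
}

# Preview mode: print what would be installed without touching any file.
#   bash openswan-site2site.sh preview left
if [ "${1:-}" = "preview" ]; then
    ipsec_conn_stanza
    ipsec_secret_line "REPLACE-WITH-GENERATED-PSK"
    firewall_rules "${2:-left}"
fi
```

On each gateway, run `install_config "$PSK"` as root, apply the printed iptables rules, then `service ipsec start` and `chkconfig ipsec on`; `ipsec verify` reports kernel settings Openswan wants changed (IP forwarding, rp_filter, ICMP redirects) and `ipsec auto --status` shows whether the lan1-to-lan2 SA came up. `net.ipv4.ip_forward = 1` in /etc/sysctl.conf is required for hosts on one LAN to reach the other through the tunnel.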

Comment 21 Stephen Wadeley 2014-08-06 07:36:31 UTC
Hello Răzvan

As per comment 6, this bug is just to track the work in documenting the use of Openswan to set up a VPN.

See: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Virtual_Private_Networks_VPNs.html

This was released previously, but because of Paul's comment 8 about pptp, and your response to it in comment 11, this bug was not closed. I decided to investigate to see if and where pptp was documented. I found that the use of pptp was not previously documented in the RHEL6 guides and so it is not easy to figure out how to warn users not to use pptp.

I then issued this command: man pptp
It said :
SEE ALSO
       pppd(8)

       Documentation in /usr/share/doc/pptp

I looked in /usr/share/doc/pptp-1.7.2

{note path is incorrect, or incomplete, in man page.}

I saw a file PROTOCOL-SECURITY

that file describes that pptp is insecure.

I found a Red Hat Knowledgebase solution about pptp and have updated that now to say users should, among other things, read the discussion in /usr/share/doc/pptp-<version>/PROTOCOL-SECURITY before using pptp.

See: https://access.redhat.com/solutions/27969

I have also added a warning to the RHEL6 Security Guide, on the VPN section, to only use IPsec for VPNs in RHEL6.



I will now close this bug as we have met the original goals of this BZ and warned users not to use other methods without considering the risks.



Thank you

