Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Building and Installing Openswan

Linux 'Router' Distributions

There are many mini Linux distributions that focus on offering just router and firewall functionality. Examples are Smoothwall, LEAF, IPCOP, vpnX, and Astaro. Others are add-on packages for existing Linux distributions, such as Webmin. Sites such as freshmeat.net list dozens of these firewall add-on packages and mini distributions to choose from.

The free mini distributions tend to lack features and often fail to keep up to date with IPsec (and with other important firewall features in general). Many of them never made the transition from the 2.2 to the 2.4 Linux kernel. Some still use ipchains instead of iptables, and their user interfaces often leave much to be desired.

Commercial Linux firewalls, such as Astaro, have the advantages that come with a support department. If you have the budget, these distributions can be worth it.

If you are going to pick a mini-router distribution, we still recommend that you first experiment with IPsec on a full-blown Linux distribution, so that when you switch to the mini distribution you can tell the difference between IPsec configuration errors and errors caused by the mini distribution's GUI.

Deciding on the Userland

Openswan's IKE daemon, Pluto, is the most versatile and feature-rich IKE daemon available. It was written from the ground up with security in mind. Even though people are easily confused when reading its log messages, those messages are nonetheless extremely precise. Pluto is very pedantic and will refuse to process or accept anything malformed. It has even been used as a reference implementation when testing commercial IKE daemons.

Pluto

Every night, the Openswan project runs a regression test suite on all of the code, including Pluto. If a code change breaks any functionality, it is automatically reported the next day on the nightly mailing list. There are also tests that check whether packets that should have been dropped have actually been dropped. Other tests check for bogus X.509 certificates, insecure CA chains, NAT traversal functionality, Dead Peer Detection, and much more. The test suite is shipped with the source code in the testing subdirectory.

Anyone can run the test suite on their own systems, and it is a very useful tool if you are writing your own patches or extensions for Openswan. See Chapter 12 for more information about the regression test suite.

Pluto features robust restarting in case of unexpected failure. This way, a single bug that would crash Pluto won't bring down your entire VPN.

These are all very critical issues. Having access to a VPN means having access to the innermost sanctum of an organization. Not having access to remote places can be very annoying, especially if someone has to drive for a few hours to repair or restart a VPN server.

Chapter 3

Pluto has an impressive list of features:

Simple yet advanced methods for the configuration of tunnels

Fully RFC-compliant (AH, ESP, transport and tunnel mode)

Full NAT-Traversal support

Opportunistic Encryption (based on public keys in DNS/DNSSEC) with DHCP integration

Advanced roadwarrior support (clients on dynamic IP)

The ability to execute customized scripts on a per-user or per-tunnel basis

Raw RSAsig keys (public keys are specified directly)

Advanced X.509 certificate usage, CAs, and intermediate CA processing

Dynamic Certificate Revocation List (CRL) fetching using FTP, HTTP, or LDAP

Dead Peer Detection

XAUTH server and client support

Aggressive Mode support for compatibility

ModeConfig support

Pluggable Authentication Module (PAM) support

Windows L2TP over IPsec Transport mode support

Interop with many non-standard commercial implementations (hardware and software)

Implementation of all publicly known VENDOR-ID options

Smartcard and other hardware token support (SecureID, eToken, and others)

Support for large scale deployment (thousands of simultaneous tunnels on simple PC hardware)

Very portable source code, ported to many Linux platforms (MIPS, ARM, Sparc, Alpha) ranging from Linux 2.0 to the latest, 2.6, and Windows 2000/XP; ports to BSD and MacOSX planned

Works with multiple IPsec stacks (currently KLIPS and NETKEY)

Racoon

Racoon is much harder to configure than Pluto. For Pluto, you only need to know and specify the high-level information to enable the VPN, such as IP addresses of the endpoints and subnets, and the authentication method used. Pluto will take care of converting those into low-level kernel data structures. You do not even need to know what they are. With Racoon, you will need to configure most of these low level data structures, such as SPDs and SPIs, yourself.

Another major drawback of Racoon is that it needs to be completely restarted if you want to add or remove a tunnel definition, making it unsuitable for large-scale deployment. Imagine adding a tunnel and then restarting a thousand IKE connections when you restart Racoon. This will quite likely overload the VPN server to the point of failure. Racoon seems to be mostly used for simple host-to-host static VPN tunnels.
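To make the contrast between Pluto's high-level configuration and Racoon's low-level configuration concrete, the following is an added example (not from the book or either project) of the same site-to-site tunnel, 10.0.1.0/24 behind gateway 192.0.2.1 to 10.0.2.0/24 behind gateway 198.51.100.1, written for both daemons. The addresses are RFC 5737 documentation ranges, the pre-shared key is a placeholder, and both sides use PSK so that only the configuration style differs:

```conf
# ===== Pluto (Openswan): one "conn" in /etc/ipsec.conf =====
# Only the endpoints, the subnets and the authentication method are given;
# Pluto derives the kernel SPD entries and negotiates SPIs itself.
conn west-east
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start

# /etc/ipsec.secrets (file must be mode 0600, owned by root)
192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"


# ===== Racoon: the kernel SPD is populated by hand with setkey(8) =====
# /etc/ipsec-tools.conf, loaded with "setkey -f /etc/ipsec-tools.conf".
# One policy per direction; the selectors must match the sainfo below
# exactly, or racoon will log "no policy found" and never start phase 2.
flush;
spdflush;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# /etc/racoon/racoon.conf: phase 1 (remote) and phase 2 (sainfo) proposals
path pre_shared_key "/etc/racoon/psk.txt";   # "198.51.100.1 <secret>" per line

remote 198.51.100.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Three files and three syntaxes on the Racoon side against one conn block on the Pluto side. The operational difference the text describes follows from this: with Pluto, a second conn can be appended to ipsec.conf and brought up with ipsec auto --add and ipsec auto --up while the existing tunnels keep running, whereas with Racoon the new spdadd lines and sainfo block only take effect after reloading the SPD and restarting racoon, which renegotiates every existing peer.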
