The first article in this series, which appeared in the December 2011 issue of LFY, discussed the basic installation and configuration of IPCOP 1.4.21. Subsequent articles in the January, February and March 2012 issues of LFY covered six important add-ons: Advance
Imagine a company with two offices at different locations, connected via the Internet. Here, organisational traffic travels over an ‘open’ channel, risking confidentiality (unauthorised snooping of data) and integrity (unauthorised tampering with data). One of the best ways to overcome these risks is to encrypt traffic over the Internet, which is what a VPN does. Refer to Diagram 1. The two private networks, Office1 and Office2, are connected using inexpensive Internet bandwidth. For data security, VPN Gateway1 and VPN Gateway2 establish a tunnel—all traffic flowing through it is encrypted, to ensure confidentiality and integrity.
To prevent the firewall at either end from blocking this encrypted traffic as malicious, VPN functionality is incorporated into the firewall itself (or a separate VPN gateway is used, and the firewall is bypassed for VPN traffic). IPCOP readily supports IPsec site-to-site (also called net-to-net) VPNs.
The actual transfer involves the following steps. Gateway1 and Gateway2 establish a VPN tunnel. When a host in Office1 sends data to a host in Office2, VPN Gateway1 encrypts the data, encapsulates the encrypted data in an IP packet, and sends this packet to VPN Gateway2. VPN Gateway2 de-encapsulates the packet, decrypts the data, and delivers it to the desired host in Office2. This mechanism ensures confidentiality of data travelling over the Internet. Also note that the internal IP addresses of Office1 and Office2 are not disclosed to the Internet.

The IPCOP green addresses are 192.168.20.254 and 192.168.51.1. The set-up is carried out from Office1. To identify the IPCOP boxes easily, Office1 = the left side, and Office2 = the right side.

Configure the boxes as follows: in the IPCOP GUI, go to the VPNS > VPNS menu, configure Public IP or FQDN or red interface, and select the Enabled check-box (see Figure 1). Select ADD under Connection status and control. Select Net-to-net Virtual Private Network, and fill in the following parameters:
Scroll down, then click on Save to complete both configurations. On successful completion, the tunnels open immediately, as seen in Figures 2 and 3. Now, hosts in either office can reach hosts in the other office by their IP address.
The security of PSK-based VPNs depends on the strength and confidentiality of the key, which must also be distributed securely to the remote gateway location(s). If the PSK is compromised, the whole network may be under threat. To overcome this problem, certificate-based VPNs can be employed, using the in-built certificate generator provided with the IPCOP distro, as follows:
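As an added example (not from the article or the IPCOP project), the following Python script models the two mirrored net-to-net entries described in the configuration steps above and checks them for the mistakes that most often keep such a tunnel from coming up, together with the PSK strength point just made. The dict layout, the /24 green subnets, the red addresses 203.0.113.1 and 198.51.100.1 and the 20-character minimum key length are assumptions; only the green gateway addresses come from the article.

```python
import ipaddress
import secrets

# Constructed sample values: green networks and gateway addresses follow the
# article (the /24 masks are assumed); red addresses are documentation ranges.
OFFICE1 = {"name": "Office1", "green": "192.168.20.0/24",
           "gateway": "192.168.20.254", "red": "203.0.113.1"}
OFFICE2 = {"name": "Office2", "green": "192.168.51.0/24",
           "gateway": "192.168.51.1", "red": "198.51.100.1"}


def make_psk(nbytes=32):
    """Generate a random pre-shared key; 32 random bytes is 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def net_to_net_config(local, remote, psk):
    """Net-to-net entry as entered on one IPCOP box. Hypothetical dict layout,
    not IPCOP's own file format: 'left' is the local side, 'right' the peer."""
    return {
        "enabled": True,
        "left": local["red"], "left_subnet": local["green"],
        "right": remote["red"], "right_subnet": remote["green"],
        "psk": psk,
    }


def check_pair(cfg1, cfg2, min_psk_len=20):
    """Compare the entries made on the two gateways; return a list of problems."""
    problems = []
    if not (cfg1["enabled"] and cfg2["enabled"]):
        problems.append("both sides must be enabled")
    # Each side's local subnet must be the peer's remote subnet, and vice versa.
    if (cfg1["left_subnet"] != cfg2["right_subnet"]
            or cfg1["right_subnet"] != cfg2["left_subnet"]):
        problems.append("subnets do not mirror each other")
    if cfg1["left"] != cfg2["right"] or cfg1["right"] != cfg2["left"]:
        problems.append("public addresses do not mirror each other")
    # Overlapping private ranges cannot be routed through a single tunnel.
    local_net = ipaddress.ip_network(cfg1["left_subnet"])
    remote_net = ipaddress.ip_network(cfg1["right_subnet"])
    if local_net.overlaps(remote_net):
        problems.append("local and remote subnets overlap")
    # The PSK must be identical on both ends and long enough to resist guessing.
    if cfg1["psk"] != cfg2["psk"]:
        problems.append("PSK differs between the two gateways")
    if len(cfg1["psk"]) < min_psk_len:
        problems.append("PSK is too short")
    return problems
```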
Generate a Root/host certificate on both the IPCOP boxes—scroll to the bottom of VPNS > VPNS, give a CA