Quick Installation
- Install Fedora Core 2.
- Send us your IP address and optionally a GPG public key to protect the authentication key in transit.
- Install the configuration files we send back to /etc/racoon/racoon.conf, /etc/racoon/psk.txt, and /etc/ipsec.conf.
- Test racoon with:
  # /sbin/setkey -f /etc/ipsec.conf
  # /usr/sbin/racoon -f /etc/racoon/racoon.conf -4
- Ping the scorebot at 10.0.0.1 from a private team address and enjoy the IPSEC goodness.
- Add the previous commands to /etc/rc.local.
Details
The UCSB CTF VPN machine is tested with the KAME IPSEC implementation as ported to the Linux 2.6 kernel series. These instructions describe the process of setting up a similar system to create an encrypted, authenticated tunnel between your local network and the rest of the UCSB CTF overlay network. The software stack and configuration described below are the only supported setup; other IPSEC implementations and/or configurations may work, but if you want to go down that route, you are on your own.
The required software components for the VPN are:
You will need to install, either from source or the appropriate vendor's packages, each of these components.
NOTE: If you install Fedora Core 2, you can skip over the kernel configuration and package installation to the networking configuration.
Kernel Configuration
If your kernel already has all the IPSEC and firewalling options available, then compiling your own kernel will not be necessary and you can skip to the next section. However, if that is not the case, you can follow the instructions in this section to build a suitable kernel.
Aside from the normal configuration options to the kernel build process, you will need to enable the following:
- Device Drivers/Networking Support/Networking options
  - PF_KEY sockets
  - IP: AH transformation
  - IP: ESP transformation
  - IP: IPComp transformation
  - Network packet filtering
  - Network packet filtering/IP Netfilter/* (for good measure)
  - IPsec user configuration interface
- Cryptographic options/*
You can then build and install the kernel with the usual commands:
# make
# make modules_install
# cp arch/i386/boot/bzImage /boot/<kernel-image-name>
You will also need to modify your LILO or grub configuration to use the new kernel and reboot.
Networking and Firewall Configuration
Aside from the normal networking and firewall configuration for a host providing NAT for the private CTF network, you will want to enable access for the following in your firewall configuration:
- udp port 500 for isakmp on the external interface
  # iptables -A INPUT -i <external-interface> -p udp --dport 500 -j ACCEPT
- esp on the external interface
  # iptables -A INPUT -i <external-interface> -p esp -j ACCEPT
The example rules above allow traffic in; to allow traffic from the private network out, use something like the following:
# iptables -A FORWARD -i <internal-interface> -j ACCEPT
Generation of Configuration Files
For the best possible user experience, we will generate the necessary config files for you. In order to do this we need two things from you: the public IP of your site box, and (optionally) a PGP public key to encrypt the config files when we send them back. If you think it is unlikely that someone from one of the other teams could read your email and steal your config files, then don't send us a PGP key. The config files contain a secret password which could be used to impersonate your team box.
IPSEC Configuration
Now that a compatible kernel, firewall access, and config file generation have been taken care of, you are ready to configure IPSEC.
The configuration is really just a matter of copying the generated configuration files to the right place and restarting racoon (the key exchange daemon). We supply three different config files. racoon.conf is the main config file for the key exchange daemon; this file goes in /etc/racoon/. psk.txt contains the pre-shared keys. This file also goes in /etc/racoon/, but make sure it is readable by root only: it contains secret passwords, and racoon will not start unless the permissions are correct. The third file, ipsec.conf, goes in /etc/. This file contains the security policies, which tell the kernel which packets should be sent over the VPN (essentially a VPN routing table).
At this point, you should be ready to fire up racoon. The commands to do this are:
# /sbin/setkey -f /etc/ipsec.conf
# /usr/sbin/racoon -f /etc/racoon/racoon.conf -4
Once you have verified that your IPSEC flows are correctly created, you should add these two lines to your /etc/rc.local to ensure that IPSEC is initialized across system reboots.
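A small check script for the steps above, added here as an example and not part of the original instructions or the racoon project: it verifies the psk.txt permissions racoon insists on and counts established Security Associations in `setkey -D` output. The team address 203.0.113.10 and the sample `setkey -D` output are constructed; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Pre-flight and post-start checks for the setkey/racoon setup above.
# Added example, not part of the UCSB CTF instructions or the racoon project.
# Assumes GNU stat (Linux) and the setkey -D output format shown in the sample.

# racoon refuses to start unless psk.txt is readable by root only.
# Returns 0 if FILE has no group or other permission bits (e.g. 600 or 400).
mode_is_owner_only() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;   # 600, 400, 700 ...
        *)       return 1 ;;   # 644, 640 ... expose the pre-shared key
    esac
}

# Returns 0 if FILE is owned by uid 0.
owner_is_root() {
    [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]
}

# Counts established SAs in `setkey -D` output read from stdin; every fully
# negotiated SA carries "state=mature". Prints 0 (not an error) when none exist.
count_mature_sas() {
    grep -c 'state=mature' || true
}

# Constructed sample of `setkey -D` output: one ESP SA in each direction
# between the team box (203.0.113.10) and the scorebot, i.e. a working tunnel.
SAMPLE_SETKEY_D='203.0.113.10 10.0.0.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	E: 3des-cbc  0123456789abcdef0123456789abcdef0123456789abcdef
	A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 203.0.113.10
	esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
	E: 3des-cbc  fedcba9876543210fedcba9876543210fedcba9876543210
	A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
	seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Full check against the live system; run as root after starting racoon.
preflight() {
    psk=/etc/racoon/psk.txt
    owner_is_root "$psk" && mode_is_owner_only "$psk" \
        || { echo "$psk must be owned by root with mode 600"; return 1; }
    n=$(/sbin/setkey -D | count_mature_sas)
    [ "$n" -ge 2 ] || { echo "no mature SAs yet; check the racoon log"; return 1; }
    echo "psk.txt permissions ok, $n mature SA(s) installed"
}

if [ "${1:-}" = "check" ]; then preflight; fi
```

Run it as `sh check.sh check` on the VPN box after the two commands above; with no argument it only defines the functions, which is how the sample output can be inspected with `printf '%s\n' "$SAMPLE_SETKEY_D" | count_mature_sas`.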