Advanced Features of Linux strongSwan - the OpenSource VPN Solution

by Andreas Steffen (Institute of Internet Technologies and Applications, Hochschule für Technik Rapperswil)

Thursday, 23.06.2005, UG1: Thoma, 16:00-17:00

In 1999 I stumbled upon the recently started FreeS/WAN project, which had the objective of creating an OpenSource IPsec stack for the Linux operating system. Unfortunately, FreeS/WAN's authentication mechanisms were at that time restricted to preshared secrets and raw RSA keys, which made it very difficult to implement low-cost remote access VPN scenarios involving Windows and MacOS clients connecting to a Linux VPN gateway. Therefore, with the help of a succession of diploma students, we started the development of the X.509 patch at the Zurich University of Applied Sciences in Winterthur, with the goal of fully implementing certificate-based authentication. When Ken Bantoft released Super FreeS/WAN in 2002, integrating among others the X.509 patch, his distribution quickly became very popular. After the demise of the FreeS/WAN project in March 2004, the powerful X.509 features lived on both in Openswan, maintained by Ken Bantoft, Michael Richardson and Paul Wouters, and in strongSwan (http://www.strongswan.org/), maintained by the author.

Advanced Features

In my presentation I'm going to talk about some of the advanced features of strongSwan that make it possible to manage hundreds or thousands of VPN connections:

* VPN access to specific subnets and resources can be based on wildcards in the distinguished name of the peer certificate, as proposed by RFC 3586 “IPsec policy information model”. E.g. only users with an “OU=Sales” entry in their certificate will be able to access the Sales subnet.
* In a similar way, IPsec policies can be based on multi-tier certificate hierarchies.
* The most powerful access control tool is X.509 attribute certificates (RFC 3281), which allow the assignment of roles and group memberships to users in a most flexible and dynamic way.
* In large-scale VPN deployments the capability of revoking user certificates is of utmost importance. Two automated mechanisms, based on Certificate Revocation Lists (CRLs) and on the Online Certificate Status Protocol (OCSP, RFC 2560) respectively, will be addressed.
* In remote access setups where roadwarriors using dynamic IP addresses want to connect to their home base, the possibility of assigning a virtual IP address for use within the VPN tunnel is a major requirement. Both static and dynamic virtual IP assignment methods will be discussed (iproute2-based source routing, DHCP-over-IPsec, IKE Mode Config).
* In order to minimize the risk of compromising their IPsec credentials in the case of theft or loss, roadwarrior clients should store their private RSA keys on a smartcard or USB crypto token. strongSwan has an integrated OpenSC (http://www.opensc.org/) smartcard interface.
* Dead Peer Detection (DPD, RFC 3706) is a relatively new feature that can be used to monitor the liveness of an IPsec tunnel. DPD keep-alives in combination with the Linux High-Availability (http://www.linux-ha.org/) mechanisms make it possible to realize a redundant VPN gateway in a remote access environment.

User-Mode-Linux Testing Environment

Michael Richardson brought UML-based regression tests to the FreeS/WAN project when he took over the project management some years ago. Unfortunately, the existing FreeS/WAN scripts are rather cryptic and not user-friendly at all. Therefore Eric Marchionni and Patric Rayo, both recent graduates from the Zurich University of Applied Sciences in Winterthur, started from scratch and created a new UML testing environment for strongSwan that can be used both for software regression tests in automated mode and for exploring and debugging complex network setups in manual mode. Among the more complex scenarios that can be tested in such a virtual environment are single and double NAT-ed roadwarrior connections. My talk will include a short demo of the strongSwan UML testing environment (http://www.strongswan.org/uml/).
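The first feature above, access to a subnet decided by wildcards in the peer certificate's distinguished name, is modelled below as an added example; this is not strongSwan's own code, and the policy table, subnets and DNs are constructed sample values. It shows why the match is done attribute by attribute with equal RDN count: a peer cannot gain the Sales subnet by adding or dropping an RDN around its "OU=Sales" entry.

```python
"""Model of distinguished-name wildcard matching for IPsec policy
selection: a peer certificate's DN is compared RDN by RDN against
policy DN patterns, and each matching pattern grants one subnet.
Added illustration, not strongSwan's code; all values are constructed."""
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=CH, O=ACME, OU=Sales, CN=alice' into ordered (type, value)
    pairs. A comma escaped as '\\,' stays inside the attribute value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            cur.append(dn[i + 1]); i += 2; continue
        if ch == ",":                            # RDN separator
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        t, v = rdn.split("=", 1)
        out.append((t.strip().upper(), v.strip()))
    return out


def dn_matches(policy_dn: str, peer_dn: str) -> bool:
    """True if the peer DN matches the policy DN attribute by attribute.
    A policy value of '*' matches any value of that attribute; attribute
    types, order and count must agree, so extra or missing RDNs fail."""
    pol, peer = parse_dn(policy_dn), parse_dn(peer_dn)
    if len(pol) != len(peer):
        return False
    for (pt, pv), (ct, cv) in zip(pol, peer):
        if pt != ct or (pv != "*" and pv != cv):
            return False
    return True


# constructed policy table: DN pattern -> subnet a matching peer may reach
POLICY: Dict[str, str] = {
    "C=CH, O=ACME, OU=Sales, CN=*": "10.1.0.0/16",
    "C=CH, O=ACME, OU=Research, CN=*": "10.2.0.0/16",
}


def allowed_subnets(peer_dn: str, policy: Dict[str, str] = POLICY) -> List[str]:
    """Return every subnet whose policy DN pattern the peer's DN matches."""
    return [net for pat, net in policy.items() if dn_matches(pat, peer_dn)]
```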
About the author, Andreas Steffen:
Andreas Steffen is currently professor for Security in Communications at the Rapperswil University of Applied Sciences in Switzerland where he is heading the Institute of Internet Technologies and Applications.