Improve Network Security with Open Source Monowall: Part 2 - Page 2

By Carla Schroder | Posted July 07, 2011

VPN Between Two Networks

Before you set this up there are two prerequisites. First, you cannot connect overlapping subnets: if your LAN is in the 192.168.1.0/24 range, you cannot set up a VPN tunnel with another 192.168.1.0/24 network, because the two subnets must be unique. Second, there must be a VPN server on the other end of the connection. This can be another Monowall box or some other IPsec server.

In the Monowall webGUI, go to the VPN > IPsec > Tunnels tab. Check Enable IPsec. Then click on the little plus button to add a VPN connection, which opens a screen like Figure 1.

Figure 1: Creating a new site-to-site VPN tunnel.

The Mode is Tunnel, which can't be changed. The Disable option is a handy way to turn the tunnel off for troubleshooting; obviously, do not disable it now! Interface is WAN. Check Enable NAT Traversal. The Dead Peer Detection option automatically closes the tunnel when it is not being used; 60 seconds is a reasonable value. (The IPsec protocol passes "I am here" messages even when there is no user activity.) The Local Subnet defines how much of your LAN you want to be remotely accessible; choosing the LAN subnet exposes your whole LAN, and you don't have to type in the address.

Remote Subnet, which is the network on the other end of the connection, must be exactly the same as the Local Subnet setting on the other end of the connection. The Description field is anything you want, like a nickname for this connection, or notes on its purpose.

Now move on to the Phase 1 proposal section (see Figure 2).

Figure 2: Security settings for your new VPN tunnel.

Set Negotiation Mode to Aggressive. My Identifier can be a number of things; the easiest is your WAN IP address. The Encryption Algorithm must match what the other endpoint uses, and 3DES is pretty much universal. The Hash Algorithm should be SHA1 because it is stronger than MD5, though again this needs to agree with the other endpoint. The same applies to the DH Key Group; group 2 (1024 bits) is a good balance between speed and security.

The Lifetime field controls (in seconds) how long your side of the tunnel will wait for Phase 1 to be completed. The Monowall manual recommends 28800.

The Pre-Shared Key must be exactly the same on both sides of the connection. Make it strong: more than 10 characters, with mixed case, numbers, and punctuation.

Now move on to the "Phase 2 proposal" section (Figure 3).

Figure 3: Configuring the VPN tunnel protocol and encryption types.

For Protocol select ESP. In the Encryption Algorithms section it is safe to select everything, though it is better to select only what you're going to use. Use SHA1 in the Hash Algorithms section if possible, because it is stronger than MD5. Set PFS Key Group to option 2, or 1024 bits.

The Lifetime value, in seconds, controls the lifetime of your negotiated keys. 28800 is eight hours, which should get you through a workday. Don't go over 86400, which is 24 hours.

Click Save and Apply Changes, and your IPsec server is ready to connect to your other endpoint. How the connection is initiated depends on the IPsec server used on the other end; if it's another Monowall server, it will connect when you click Apply Changes, and you should be able to ping back and forth. The most important thing to remember is that all of those settings need to be the same on both ends.
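Because the tunnel only comes up when the two ends agree, it helps to check both configurations side by side before clicking Apply Changes. The script below is an added example, not code from the article or from the m0n0wall project; the field names and the two endpoint dictionaries are constructed for illustration. It enforces the rules stated above: the local subnets must not overlap, each side's Remote Subnet must equal the other side's Local Subnet, the Phase 1 and Phase 2 algorithm choices and the pre-shared key must match, the key must be more than 10 characters with mixed case, digits and punctuation, and the Phase 2 lifetime must not exceed 86400 seconds.

```python
"""Consistency checks for a Monowall site-to-site IPsec tunnel.

Added example (not the article's or the m0n0wall project's own code).
The dictionary keys are assumed names chosen for this illustration; they
model the webGUI fields the article says must agree on both endpoints.
"""
import ipaddress
import string

# Fields the article says must be identical on both endpoints (assumed names).
MUST_MATCH = (
    "encryption_algorithm",  # Phase 1, e.g. 3DES
    "hash_algorithm",        # Phase 1, SHA1 rather than MD5
    "dh_key_group",          # Phase 1, group 2 = 1024 bits
    "protocol",              # Phase 2, ESP
    "pfs_key_group",         # Phase 2, group 2
    "pre_shared_key",
)

MAX_LIFETIME = 86400  # article: do not go over 24 hours


def psk_is_strong(psk):
    """Article's rule: more than 10 characters, mixed case, digits and punctuation."""
    return (
        len(psk) > 10
        and any(c.islower() for c in psk)
        and any(c.isupper() for c in psk)
        and any(c.isdigit() for c in psk)
        and any(c in string.punctuation for c in psk)
    )


def check_tunnel(side_a, side_b):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    try:
        local_a = ipaddress.ip_network(side_a["local_subnet"])
        local_b = ipaddress.ip_network(side_b["local_subnet"])
        remote_a = ipaddress.ip_network(side_a["remote_subnet"])
        remote_b = ipaddress.ip_network(side_b["remote_subnet"])
    except (KeyError, ValueError) as exc:
        return ["bad subnet setting: %r" % (exc,)]

    # Prerequisite: you cannot connect overlapping subnets.
    if local_a.overlaps(local_b):
        problems.append("local subnets %s and %s overlap" % (local_a, local_b))
    # Each side's Remote Subnet must equal the other side's Local Subnet.
    if remote_a != local_b:
        problems.append("side A remote subnet %s != side B local subnet %s" % (remote_a, local_b))
    if remote_b != local_a:
        problems.append("side B remote subnet %s != side A local subnet %s" % (remote_b, local_a))

    # Algorithms, groups and the pre-shared key must be the same on both ends.
    for field in MUST_MATCH:
        if side_a.get(field) != side_b.get(field):
            problems.append("%s differs: %r vs %r" % (field, side_a.get(field), side_b.get(field)))

    if not psk_is_strong(side_a.get("pre_shared_key", "")):
        problems.append("pre-shared key does not meet the strength rule")

    # Phase 2 lifetime: 28800 (eight hours) is typical; never more than 86400.
    for name, side in (("A", side_a), ("B", side_b)):
        if side.get("phase2_lifetime", 0) > MAX_LIFETIME:
            problems.append("side %s phase2 lifetime exceeds %d seconds" % (name, MAX_LIFETIME))
    return problems


# Constructed sample configurations for the two endpoints.
OFFICE = {
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24",
    "encryption_algorithm": "3DES",
    "hash_algorithm": "SHA1",
    "dh_key_group": 2,
    "protocol": "ESP",
    "pfs_key_group": 2,
    "pre_shared_key": "Tunnel-2011!key",   # constructed sample key
    "phase2_lifetime": 28800,
}
BRANCH = dict(OFFICE, local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24")
# A deliberately misconfigured branch: MD5 hash and a lifetime past the stated limit.
BRANCH_BAD = dict(BRANCH, hash_algorithm="MD5", phase2_lifetime=100000)

if __name__ == "__main__":
    for label, other in (("good", BRANCH), ("bad", BRANCH_BAD)):
        print(label, check_tunnel(OFFICE, other) or "OK")
```

Running it reports nothing for the matching pair and two problems for the misconfigured branch (the hash mismatch and the excessive lifetime); pointing both ends at the same 192.168.1.0/24 subnet trips the overlap check.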

Mobile VPN User

First go to the VPN > IPsec > Pre-Shared Keys tab and create a key for your user. Use their email address as the identifier, and create a long key (at least ten characters) using mixed-case, punctuation marks and numbers. Then go to the Mobile clients tab and set it up just like creating a site-to-site tunnel, using the identifier and pre-shared key you created.

The client setup depends on the software on the client machine; again remember to make everything the same where it needs to be. The Monowall handbook has a detailed example using the SafeNet SoftRemoteLT client software.

To learn more, consult the Monowall Handbook and my own Linux Networking Cookbook for detailed tutorials on all kinds of networking tasks.

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, and hundreds of Linux how-tos, and the former managing editor of Linux Planet and Linux Today.
