User guide

2.4.1. How Does a VPN Work?
When a client transmits a packet, it sends it through the VPN router or gateway, which adds an Authentication Header (AH) for routing and authentication. The data is then encrypted and, finally, enclosed in an Encapsulating Security Payload (ESP), which carries the decryption and handling instructions.
The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or another node on the network). Over a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is transparent to a local node.
With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, VPNs are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
2.4.2. Openswan
2.4.2.1. Overview
Overview
Openswan is an open source, kernel-level IPsec implementation available in Red Hat Enterprise Linux. It employs the key establishment protocols IKE (Internet Key Exchange) v1 and v2, implemented as user-level daemons. Manual key establishment is also possible via ip xfrm commands; however, this is not recommended.
Cryptographic Support
Openswan has a built-in cryptographic library, but it also supports the NSS (Network Security Services) library, which is fully supported and required for FIPS security compliance. More information on the FIPS (Federal Information Processing Standard) can be found in Section 7.2, “Federal Information Processing Standard (FIPS)”.
Installation
Run the yum install openswan command to install Openswan.
2.4.2.2. Configuration
Locations
This section lists and explains important directories and files used for configuring Openswan.
/etc/ipsec.d - main directory. Stores Openswan-related files.
/etc/ipsec.conf - master configuration file. Further *.conf configuration files can be created in /etc/ipsec.d for individual configurations.
/etc/ipsec.secrets - master secrets file. Further *.secrets files can be created in /etc/ipsec.d for individual configurations.
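As an added example (not part of this guide or of Openswan itself), a Python check that audits this file layout from the administrator's side: it follows the include lines in the master secrets file, flags any loaded secrets file that is readable beyond its owner or not owned by root, and flags a *.secrets file in the ipsec.d directory that no include line matches and is therefore never read. It assumes Openswan's include directive with absolute glob targets, and it builds a constructed layout in a temporary directory rather than touching /etc.

```python
import glob
import os
import stat
import tempfile

FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other access to a secrets file is a finding


def find_includes(path):
    """Return the targets of 'include' lines in an Openswan config or secrets file."""
    with open(path) as fh:
        parts = [line.split() for line in fh]
    return [p[1] for p in parts if len(p) >= 2 and p[0] == "include"]


def audit_secrets(master, ipsec_d, expected_uid=0):
    """Return sorted (path, problem) tuples for the master secrets file and what it includes."""
    loaded = {os.path.abspath(master)}
    for pattern in find_includes(master):  # assumed absolute, as in the stock file
        loaded.update(os.path.abspath(p) for p in glob.glob(pattern))
    findings = []
    for path in sorted(loaded):
        st = os.stat(path)
        if st.st_mode & FORBIDDEN_BITS:
            findings.append((path, "readable by group/other"))
        if st.st_uid != expected_uid:
            findings.append((path, "not owned by expected uid"))
    # A *.secrets file that no include line matches is never read by the daemon.
    for path in glob.glob(os.path.join(ipsec_d, "*.secrets")):
        if os.path.abspath(path) not in loaded:
            findings.append((path, "present but never included"))
    return sorted(findings)


def build_demo_layout():
    """Constructed layout in a temp dir (not /etc): one clean, one world-readable, one unincluded file."""
    root = tempfile.mkdtemp()
    ipsec_d = os.path.join(root, "ipsec.d")
    os.mkdir(ipsec_d)
    master = os.path.join(root, "ipsec.secrets")
    with open(master, "w") as fh:
        fh.write("include %s/site-*.secrets\n" % ipsec_d)  # pattern misses extra.secrets
    os.chmod(master, 0o600)
    for name, mode in (("site-a", 0o600), ("site-b", 0o644), ("extra", 0o600)):
        path = os.path.join(ipsec_d, name + ".secrets")
        with open(path, "w") as fh:
            fh.write(': PSK "constructed-psk-%s"\n' % name)
        os.chmod(path, mode)  # 0o644 on site-b is the weak setting
    return master, ipsec_d
```

On a real host, call audit_secrets("/etc/ipsec.secrets", "/etc/ipsec.d") as root; an empty list means the secrets layout is clean.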