Tech Tip: Implement an IPSec VPN with OpenBSD


Jonathan Yarden

OpenBSD has a special place in my software toolbox. Although I use quite a few other open source software tools, OpenBSD is my Swiss Army Knife. It was one of the first free operating systems to include IP Security (IPSec).

OpenBSD can make short work of difficult networking problems, such as one I recently encountered. Two hospitals needed a way to connect to each other's networks in a secure, auditable manner--as soon as possible.

Communication problems

The two hospitals needed to exchange specific medical information and, due to the evolving HIPAA regulations, security was a primary concern. Although the hospitals didn't have a direct network circuit between them, they did have Internet access, so it made sense to use a VPN. They bought an application and attempted to implement their solution, but their efforts were unsuccessful. Adding insult to injury, management at both hospitals forbade changes to the firewall to support the application.

Another consultant contacted me about how to support the application and how to securely connect the two locations as quickly and as affordably as possible.

When I began, communication between the main and remote offices was limited to fax, phone, and e-mail. The new application required the use of a Web browser and that the offices be able to share printers over a LAN. Unfortunately, the hospitals didn't know about either of those requirements until after they'd purchased and installed the application.

OpenBSD's IPSec features provided the means to implement a VPN solution across the Internet quickly and affordably. Besides the open source operating system, all I needed were two spare PCs on which to run it.

Implementing the secure VPN

Using OpenBSD for a one-to-one IPSec VPN is quite simple. First, decide on your authentication keys and encryption method. I used manual keying, in which you supply the encryption and authentication keys IPSec uses directly rather than negotiating them. For a point-to-point VPN, this is all you need.

To set up the VPN, I edited the file "/usr/share/ipsec/rc.vpn" to contain the proper network information, created and stored a random encryption key in "/etc/esp-enc-key", wrote a random authentication key in "/etc/esp-auth-key", and executed "/usr/share/ipsec/rc.vpn" as root.

I used OpenBSD 2.9, but the same features are in version 3.3. The Manual Pages for "vpn" and "ipsec" on the OpenBSD Web site are quite informative; I suggest reading them. IPSec has a wealth of other features and components that allow it to interoperate with other IPSec equipment.
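The two key files above are the whole secret of a manually keyed tunnel, so the part worth getting right is how they are generated and checked. The following script is an added example, not the article's or OpenBSD's own code; it assumes 3DES for ESP encryption (24-byte key) and HMAC-SHA1 for authentication (20-byte key), stored as one line of lowercase hex, which is what the rc.vpn script of that era expects.

```sh
#!/bin/sh
# Added example (not from the article): generate and sanity-check the manual
# keying material that /usr/share/ipsec/rc.vpn reads from /etc/esp-enc-key
# and /etc/esp-auth-key. Assumptions: 3DES (24-byte key) for ESP encryption,
# HMAC-SHA1 (20-byte key) for authentication, keys stored as lowercase hex.
set -u

ENC_KEY_BYTES=24    # 3DES: three 8-byte DES keys
AUTH_KEY_BYTES=20   # HMAC-SHA1 key

# Emit N random bytes from /dev/urandom as a single line of lowercase hex.
random_hex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Return 0 if FILE holds exactly N bytes of hex (2N hex digits on one line),
# 1 otherwise. A truncated, padded or non-hex key is far easier to spot
# here than as a tunnel that comes up but passes no traffic.
check_key_file() {
    file=$1; nbytes=$2
    [ -f "$file" ] || return 1
    key=$(tr -d '\n' < "$file")
    [ ${#key} -eq $((nbytes * 2)) ] || return 1
    case $key in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Write a fresh N-byte key to FILE, created mode 0600 from the start
# (umask in a subshell) so the key is never briefly world-readable.
write_key_file() {
    file=$1; nbytes=$2
    ( umask 077; random_hex "$nbytes" > "$file" && printf '\n' >> "$file" ) || return 1
    chmod 600 "$file"
    check_key_file "$file" "$nbytes"
}

# Usage (as root on one gateway, then copy both files to the peer over a
# trusted channel: with manual keying both ends must hold identical keys,
# and since nothing rekeys them, repeat this to rotate them periodically):
#   write_key_file /etc/esp-enc-key  "$ENC_KEY_BYTES"
#   write_key_file /etc/esp-auth-key "$AUTH_KEY_BYTES"
```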

OpenBSD and IPSec

If you browse the Internet for IPSec information, you'll probably find more information than you can process. Basically, IPSec secures data at the IP packet level. Don't confuse IPSec with Secure Sockets Layer (SSL): IPSec implements its security at the network level, whereas SSL is an application-level protocol.

IPSec is typically referred to as "transparent," because anything you can do with regular IP also can be done over IPSec. This makes IPSec ideal as a VPN solution. IPSec can securely connect two remote offices at the network level, providing support for modern Web-based intranet applications. For the hospitals, OpenBSD was functional and good enough to share printers and use the Web-based application that they'd bought.

Space constraints in this article don't allow me to do justice to IPSec in OpenBSD. OpenBSD has a complete IPSec implementation, including a dynamic key management system that allows multiple VPN connections, instead of the simple point-to-point tunnel I used.

Since IPSec is an Internet standard, and OpenBSD's implementation is used as a reference testbed for many other IPSec implementations, you'll find that other IPSec-based VPN systems can interoperate with OpenBSD, using a variety of encryption methods. Sure, some hardware solutions may be better suited for implementing VPNs, but I bet they aren't as affordable.

Final thoughts

With OpenBSD, I was able to set up the hospitals' secure VPN connection and have it operational within a few hours. Although I suggested that this was only a temporary solution, more than six months later, the hospitals are still using the VPN operating on OpenBSD and using PCs that would otherwise have been collecting dust.

A lot of companies spend thousands on IPSec-based VPN gateways. If your company is one of them, you might want to consider OpenBSD as an affordable alternative to expensive commercial software.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.