
Evaluation of SUSE Linux 9.3 as IPsec VPN-client
SUSE 9.3 is a current Linux distribution from the SuSE/Novell company. An image of the boxed professional version is shown in the next figure.

Figure 1: Image of the box of SuSE9.3 pro-edition.
SUSE Linux 9.3 is available from Novell SUSE Limited. The distribution is based on Linux kernel version 2.6.11.4. The professional version (for Intel-x86 related processors) is available as a set of 5 CD-ROMs as well as on a DVD-ROM.
The SUSE 9.3 distribution was selected for testing as a VPN client in a setup with multiple IPsec (WAN) gateways. The two most popular variants of IPsec on Linux are 'openswan' (http://www.openswan.org) and 'strongswan' (http://www.strongswan.org). Both grew from the IPsec/freeSWAN project, which by reports has effectively ceased. The variant of the IPsec program used in our tests was strongswan version 2.5.0, which is available from the strongswan.org website. The IPsec program supports the IKE (Internet Key Exchange) protocol; thus SSL/TLS certificate/key pair usage is an integral part of modern IPsec/WAN usage. (At the time of writing, version 2.5.5 of strongswan is available, supporting USB and serial dongles/smart cards, SSL and gnupg (2048-bit) private key/certificate pairs, NAT traversal and tunneling of the more common network protocols.)
Installation:
Linux: SUSE9.3 Linux was installed on a machine supplied by our main sponsor Basis Volume Limited. The machine had the following features:
- Main-board: based on ATI RS300 Radeon 9100
- Processor: Celeron2600
- Memory: 1 GByte (PC3200 DDR RAM)
- Disk-drives: 30 Gbyte Hard disk and DVD re-writer
IPsec/WAN-program: SUSE Linux does not yet carry the strongswan program. For our tests it was downloaded from the strongswan website. Installation of the program was very straightforward. Provided the gcc compiler, make and flex are installed, the program can be installed with the following steps:
- un-tar the downloaded tar-ball with tar xzvf strongswan-2.5.x.tar.gz
- cd strongswan-2.5.x
- make
- make install (as su)
The program installs as:
- the executable in /usr/local/sbin/ipsec
- the starting script in /etc/init.d
- the configuration files and directories in /etc/ipsec.d.
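The following script is an added example, not part of the original page or of the strongswan project. It checks for the build tools named above before the build and, after make install, confirms the install locations listed above and that they are not writable or readable by other users. The ROOT argument (so the checks can run against a staging tree) and the /etc/ipsec.d/private key directory are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example: pre-build and post-install checks for a source install
# of strongswan-2.5.x. Function names and ROOT are illustrative.

# Print the build tools (named on the page) that are not on PATH.
missing_build_tools() {
    for tool in gcc make flex; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Octal permission bits of a path (GNU stat, as shipped on Linux).
mode_of() { stat -c '%a' "$1"; }

# Verify the install locations under ROOT (empty string means /).
# Prints one line per problem and returns non-zero if any was found.
verify_install() {
    root=${1:-}
    bin="$root/usr/local/sbin/ipsec"
    conf="$root/etc/ipsec.d"
    priv="$conf/private"   # assumption: private keys are kept here
    rc=0

    if [ ! -x "$bin" ]; then
        echo "missing or not executable: $bin"; rc=1
    else
        # A root-installed binary must not be writable by group or other.
        case $(mode_of "$bin") in
            *[2367]?|*[2367]) echo "group/world-writable: $bin"; rc=1 ;;
        esac
    fi
    [ -d "$root/etc/init.d" ] || { echo "missing: $root/etc/init.d"; rc=1; }
    if [ ! -d "$conf" ]; then
        echo "missing: $conf"; rc=1
    elif [ -d "$priv" ]; then
        # Key material: no permission bits for group or other.
        case $(mode_of "$priv") in
            *00|0) ;;
            *) echo "private key directory open to group/other: $priv"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    missing=$(missing_build_tools)
    [ -z "$missing" ] || echo "build tools missing:" $missing
    verify_install ""
fi
```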
Excellent guidance is available from the documentation on the strongswan website on how to insert certificate/keys in strongswan and how to edit the needed configuration files. Thus these will not be covered here.
The test setup:
Our test setup consisted of two WAN-routing-machines provided by Basis Volume Limited and a samba server-machine also provided by Basis Volume Limited. A diagram of the setup is shown in the next figure:

Figure 2: An example of the test-rig used.
Our IPsec client was the machine with SUSE9.3 and strongswan2.5.0 installed. The machine had a certificate and key pair (for IKE usage). Smart-card usage was enabled though none were used. The setup also had an external web-server that housed the certificate revocation list.
Results
Figure 3 shows preliminary tests using ping (from the SuSE9.3 machine) on the machines on the test rig.

Figure 3: Use of ping (from the suse9.3-IPsec-client machine) to identify IPsec-gateway interfaces.
The next figure shows the start of the WAN program and the establishing of an encrypted IPsec tunnel.

Figure 4: An instance of starting IPsec on the SuSE9.3 machine and the establishing of an IPsec tunnel to the IPsec gateway
The next figure shows attempts to contact a remote samba server through the IPsec tunnel.

Figure 5: An instance of starting IPsec on the SuSE9.3 machine and the establishing of an IPsec tunnel to the IPsec gateway
The next figure shows attempts to mount samba over an IPsec tunnel.

Figure 6: An example of mounting/un-mounting a share from a remote samba-server on SuSE9.3 IPsec-client (through the encrypted tunnel)
The next figure shows the effect of the tunnel on access to the samba server.

Figure 7: A further example of mounting/un-mounting a share from a remote samba-server on SuSE9.3 IPsec-client (through the encrypted tunnel). The latter part of the figure illustrates the importance of the tunnel.
The foregoing illustrates that SuSE9.3 Linux has proved an excellent IPsec client using strongswan2.5.0. A command-line interface was used for the IPsec tests and the mounting of samba. For samba, Konqueror (or an equivalent smb-GUI browser) could be used. For the IPsec 'dial-up', a number of GUI VPN dialers are in development for Linux-based computers. The notable ones include:
- kde vpn dialer, and
- gnome-vpn dialer
Conclusion:
As internet usage expands, VPN usage is expected to grow. Tests with IPsec/strongswan on SuSE9.3 Linux have provided encouraging results. The most modern releases of strongswan/openswan use the IPsec implemented in the Linux 2.6 kernel. The open and collaborative mode of development ensures that the best ideas are incorporated in the Linux/IPsec project. The method also leads to rapid development. Thus native IPsec in the Linux kernel is improving with each release of the kernel. The same is true of the IPsec/strongswan and openswan projects. Other programs such as gnupg are also under rapid development as a replacement for the SSL-based certificate/key pairs commonly used in the IKE protocol. It is hoped that GUI-based VPN clients will soon be commonly available in standard Linux distributions.
Many areas, such as the transfer of medical records and of architectural and engineering data, money transfer, improved electronic mail and even computing access for schools, are expected to be affected by 'secure' VPN usage in the coming years. VPN devices based on IPsec/Linux are well placed to play a major role in this area.
Contacts
SUSE Linux is available in Britain from Novell SUSE. Information about pricing of SuSE Linux can be obtained from SuSE.
At the time of writing SUSE-10.0 is released. The results reported herein are expected to be reproducible on SUSE10. Improvements would also be expected with the newer kernel and a newer version of strongswan/IPsec.
Basis Volume Limited supplies high quality VPN/WAN routing-machines and integrated firewalls based on IPsec (strongswan or openswan) and ssl or gnupg key-certificates. The firm also supplies 'safer'-WAN-enabled file-servers (samba and NFS) for use with IPsec gateways. Please browse the company's web-site for details (including how to contact us). Our training/consultancy group provides Linux consultancy and training courses, some of which cover VPN-design and firewall-design and are bundled with SUSE Linux. For information on courses, dates and pricing please browse the site or email us.
1999/2005
by © b-linuxusergroup