[Top] [Prev] [Next] [Bottom]

Using IP Tunnels With SKIP

This chapter shows how to form different types of VPNs using IP Tunnels and SKIP. It also has examples of how to set up the VPN software in configurations where you are also running Network Address Translation (NAT). It includes the following sections:

Adding IP Tunnels With SKIP and Creating Certificates

Running VPN Between Router and SunScreen SKIP Client

Running VPN Between Two Routers

Adding IP Tunnels With SKIP and Creating Certificates

Each of the examples in this chapter assumes you have already added an IP tunnel with SKIP and created a certificate as described in the next two sections.

Creating an IP Tunnel With SKIP

Add a tunnel interface for the VPN link to the remote client, router, or server, and enable SKIP on the tunnel interface.

Config>ADD INTERFACE IP-TUNNEL
Adding IP Tunnel as interface 4.
Config>ENABLE SKIP 
Interface number [0]? 4

Creating Certificates

Since systems that communicate with the router need the signature of the router's UDH certificate, it is best to create a certificate for the router before configuring the equipment that communicates with the router. To create a certificate,

1. Display the SKIP configuration prompt for the IP Tunnel interface.

Config>NETWORK 
What is the network number [0]? 4
Circuit Configuration
Circuit Config <NET-4> SKIP
SKIP Configuration
SKIP Config <NET-4>

2. Add a certificate that has the same modulus length as the remote systems that connect to the router. Certificates can use 512-, 1024-, or 2048-bit modulus length, depending on the length your software supports. See Exporting Algorithms from the United States.

This example uses a 1024-bit certificate.

SKIP Config <NET-4> ADD CERTIFICATE 1024

New certificate's MD5/UDH signature is 8033-CCC1-87DB-8367-FAAB-52A2-03A2-1BAB

Every remote client, router, or server that connects to the local router needs the signature of this new certificate, 8033-CCC1-87DB-8367-FAAB-52A2-03A2-1BAB. Relay the signature to the administrators of remote SKIP peers. This value is only an example. Signatures are different for every certificate and for every router.

Running VPN Between Router and SunScreen SKIP Client

SunScreen SKIP for Windows 95 and Windows NT is Sun Microsystems software that provides secure communication between a PC and another system. In Figure 1, a remote PC can securely access the protected network using SunScreen SKIP for Windows on the PC and an OpenROUTE Networks router with VPN software.

Figure 1 VPN with SunScreen SKIP for Windows

This configuration is ideal for remote users connecting to a central office using their nearest ISP. The remote user runs SunScreen for Windows to access the protected LAN (at 128.185.0.0) over a tunnel that ends at 38.1.5.4.

IP addressing in this setup works as follows:

38.1.5.4 is the IP address of the router's physical WAN interface that acts as the gateway to the Internet. The router must have a fixed IP address that is configured in SunScreen SKIP for Windows as the Tunnel endpoint address.
The address of the PC can vary as long as the PC always initiates traffic to the central site. The PC can have any IP address because the MD5/UDH name in each SKIP packet identifies the PC. Once the PC sends a packet, the router learns the PC's current IP address and sends traffic back to the PC via that address.
The protected LAN (128.185.0.0) can use any valid, or reserved, IP addresses. (If you enable Network Address Translation (NAT) on the router, the protected LAN can use IP addresses that are not valid on the Internet.)
The PC cannot be on the subnet to which it is tunneling, 128.185.0.0 in this example.
Note: You can also set up the router to dynamically assume the address of the PC. See IP Addressing on Interfaces That Connect to a SunScreen SKIP for Windows Client.

The figure also shows two MD5/UDH values, one for the PC and one for the router. The following section on configuring SunScreen SKIP for Windows covers the use of the MD5/UDH values.

Configuring SunScreen SKIP for Windows

Follow the instructions that Sun Microsystems provides to install and set up SunScreen SKIP for Windows. In particular, make sure you configure the following using the SunScreen SKIP software.

You must use SunScreen SKIP in its Tunnel Mode.

1. Set the password required to enable SKIP on the PC.

2. Create a private key and its associated public certificate.

The software displays the MD5 signature of the certificate. In Figure 1, the example value SunScreen SKIP displays is 0011-2233-4455-6677-8899-AABB-CCDD-EEFF. You enter this number in the router configuration later.

3. In the SKIP Access Manager, do the following:

a. Select the interface (LAN or WAN) that needs SKIP.

b. Enable SKIP on the interface and add the remote network that SKIP accesses. In Figure 1, this network is 128.185.0.0.

c. Select the type Network. This is important. OpenROUTE does not support the Host type. Fill in the following:

-Network accessed via SKIP, 128.185.0.0 in this example
-Security type, SKIP
-Tunnel endpoint address, 38.1.5.4 in this example
-NetMask, 255.255.0.0 in this example

4. Enter the router's MD5/UDH signature as the certificate the Sun SunScreen software requires. (In the example, the router's MD5/UDH signature is 8033-CCC1-87DB-8367-FAAB-52A2-03A2-1BAE.)

5. Select MD5/UDH as the local key type. This is required because the router identifies the PC by the MD5 signature of the PC's certificate.

6. SunScreen SKIP fetches the router's certificate immediately after you are done configuring the client PC, so the PC must have access to the router over the network.

Configuring the Router

Now that you have configured the PC, configure the router. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

1. Display the SKIP configuration prompt for the IP Tunnel interface.

Config>NETWORK 7

Circuit Configuration
Circuit Config <NET-7> SKIP

SKIP Configuration
SKIP Config <NET-7>

2. Add the name of the remote user, jimmy in this example, as a destination in SKIP.

SKIP Config <NET-7> add remote jimmy

3. Enter the signature of jimmy's certificate as the remote name the router uses when sending packets to jimmy. The administrator of the destination jimmy, supplies the signature.

SKIP Config <NET-5> set remote-name jimmy md5/udh
Peer's MD5/UDH Signature? 0011-2233-4455-6677-8899-AABB-CCDD-EEFF

4. Set the local name of the router as the signature of the router's 512-bit UDH certificate. (The router uses the MD5 signature of the certificate as the router's local name.)

SKIP Config <NET-7> set local-name jimmy local/udh 512

You can set up additional remote SKIP clients by repeating the previous three steps.

5. Exit the SKIP configuration and display IP configuration prompt.

SKIP Config <NET-7> exit
Circuit Config <NET-7> exit

Config>protocol ip
Internet protocol user configuration

IP config>

6. Assign an IP address to the SKIP tunnel interface. You assign the address of the remote client so that the router sends packets to that client through the tunnel rather than directly over the Internet.

Since the SKIP client in this example uses a dynamically-assigned IP address, add a dynamic IP address to the SKIP tunnel interface. To do so, use 0.0.0.n, where n is the interface number. Answer Yes to the prompt, "Is this interface a tunnel to a single SKIP PC or workstation." (See IP Addressing on Interfaces That Connect to a SunScreen SKIP for Windows Client.)

IP config>add address
Which net is this address for [0]? 7
New address [0.0.0.0]? 0.0.0.7
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): yes

7. Restart the router to activate the new configuration so that the PC user can connect.

Running VPN Between Two Routers

This section shows how to configure a VPN that attaches two LANs using a SKIP tunnel between two routers. Figure 2 shows a sample topology where a SKIP tunnel connects LANs 128.185.10.0 and 128.185.20.0.

Figure 2 VPN With Two Routers

Each router in Figure 2 has the following interfaces:

Interface 0 is the Ethernet (LAN) interface.
Interface 1 is the physical WAN interface to the Internet. Each router uses a fixed address on this interface (48.10.2.8 and 38.1.5.4).
Interface 2 is a SKIP tunnel interface. Each router treats the SKIP tunnel interface as an unnumbered point-to-point link (shown as IP address 0.0.0.2).

Setting Up the Router Remote

The following steps show how to configure the router Remote in Figure 2. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

1. Display the SKIP configuration prompt for the IP Tunnel interface.

Config>network 2

Circuit Configuration

Circuit Config <NET-2> skip
SKIP Configuration
SKIP Config <NET->

2. Set a destination name for router Central. All SKIP and IP tunnel configurations use this name.

Circuit Config <NET-2> set destination
Assign destination address name [] central

3. At the IP Tunnel prompt, assign an IP address to the destination Central.

Circuit Config <NET-2> iptnl
IP Tunnel Configuration
IP Tunnel <NET-2> set destination-address central
IP Tunnel Destination Address? 48.10.2.8
IP Tunnel <NET-2> exit

Note: You do not have to explicitly add the destination Central at the IP Tunnel prompt because you already set the destination at the Circuit Config> prompt. If you configure the IP Tunnel before you set the destination, you must add the destination at the IP Tunnel prompt using the add remote command.

4. Configure SKIP to use Central's MD5/UDH signature as the remote name included in packets sent to Central. Remote also uses the signature to request Central's UDH certificate.

The MD5/UDH signature you enter in this step is the signature that Central displayed when you created a certificate on that router.

Circuit Config <NET-2> skip
SKIP Configuration

SKIP Config <NET-2> set remote-name central md5/udh
Peer's MD5/UDH Signature? 2233-4455-6677-8899-AABB-CCDD-EEFF

Note: In this case, you do not have to add the destination Central because you already added that destination in the IP Tunnel configuration. If you configure SKIP first, you must add the destination before you can configure it.

5. Add an IP address for the IP tunnel interface at the IP configuration prompt.

Answer No to the prompt "Is this interface a tunnel to a single SKIP PC or workstation" because a router at the far end of the tunnel is providing access for a LAN, not a single PC.

SKIP Config <NET-2> exit
Circuit Config <NET-2> exit
Config> protocol ip
IP config>add address
Which net is this address for [0]? 2
New address [0.0.0.0]? 0.0.0.2
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): no

6. Add a static route to the LAN attached to the other router, Central. Designate the local SKIP interface IP address as the gateway to that LAN.

IP config>add route
IP Destination? 128.185.10.0
Address Mask? 255.255.255.0
Via gateway at? 0.0.0.2

7. Restart the router to activate the new configuration.

Setting Up the Router Central

To configure the router Central in Figure 2, use the same steps as in Setting Up the Router Remote, except substitute the other router name, addresses, and MD5/UDH signature. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

Perimeter Networks

As shown in Figure 3, large networks are sometimes segregated into two segments, a perimeter network of public servers and an interior network of protected hosts.

Figure 3 Perimeter Network

You can place VPN routers at any of three places in this type of network.

Exterior VPN Router

The external router secures the boundary between the organization's network and the Internet. This router should have firewall capabilities to protect the interior network from unwanted and possibly malicious traffic from the Internet. This router can also act as the VPN router as shown in Figure 4.

Figure 4 VPN Router as External Router

You configure the VPN router in Figure 4 the same way you configured the routers in the Running VPN Between Two Routers example.

However, this configuration is not optimal because the VPN router is also the first line of defense for the organization's network. If an external attacker compromises this router, the attacker could see traffic flowing from the VPN router to stations in the perimeter and interior networks. Since this traffic is not encrypted, the attacker can see the traffic without cracking SKIP's encryption.

Interior VPN Router

Figure 5 shows a similar topology, except the interior router is the VPN router. This solution is superior to VPN running on the exterior router because traffic within the perimeter network, which is the network most susceptible to attack, is encrypted. Sensitive data never leaves the interior network without being encrypted. Even if the exterior router is compromised, SKIP encryption and authentication protects data that originates from the interior network.

Figure 5 VPN Router as Interior Router

The topology in Figure 5 also has the advantage of splitting the routing load between two routers.

The exterior router can run routing protocols such as BGP (Border Gateway Protocol) and provide the first line of packet filtering defense.
The interior router can encrypt and authenticate VPN packets.

In this topology, you need to set up the interior VPN router to reach subnets in the Internet over encrypted IP tunnels. You also need to set up the exterior router so that it does not learn of the IP tunnel routes. You can do this in either of two ways:

Configure the exterior router to ignore all routing table updates that arrive from inside the organization. Just configure one static route on the exterior router that directs all traffic to the subnet(s) behind the interior router.
Configure the interior router to not export any IP Tunnel routes to the perimeter network. If you do this, you also need to configure one static route on the exterior router that directs all traffic to the subnet(s) behind the interior router.

Single-Interface VPN Router

The topology in Figure 6 adds a VPN router to an existing network that already has an exterior and interior router. This is a topology that is simple to install, but not as secure as running VPN on the interior router. It is less secure because traffic addressed to networks accessed through the VPN router is not encrypted between the interior router and the VPN router. Like the Exterior VPN Router example, if the exterior router is compromised, data could be captured.

The interior router must learn routes to the subnets over encrypted tunnels so that stations on the internal network can reach the remote VPN subnets. You can add these routes as static routes on the interior router, or the VPN router can use RIP or OSPF to advertise the subnets it can reach. If the VPN router advertises routes, you must configure the exterior router to ignore those advertisements.

Figure 6 Single-Interface VPN Router

Firewall Configuration

If you are using SKIP and you have a firewall that protects your network, you need to allow SKIP traffic through the firewall. See Creating Openings in a Firewall for SKIP Traffic.

[Top] [Prev] [Next] [Bottom]

docs@openroute.com