(IPv4) IPSec + GRE + Routing

This document describes how to build a scalable VPN using (IPv4) IPSec tunnels, GRE tunnels and dynamic routing protocols such as OSPF and BGP. Not only does this document provide a guideline for (new) members seeking to connect to the Undernet #ipsec VPN, it also tries to provide configuration examples and a little design philosophy for those seeking to implement a similar VPN of their own.


Table of Contents
1. Preface
1.1. Who should read this
1.2. Background
1.3. Acknowledgements
1.4. Document layout
1.5. Conventions
1.6. Disclaimer
2. How it all fits together
2.1. Network layout
2.2. Point-to-point links
3. Prerequisites
3.1. Generic prerequisites
3.2. Linux
3.3. BSD
3.4. Windows
4. X.509 certificate
5. Connecting things
5.1. Linux
5.1.1. Linux 2.4 with FreeS/Wan
5.1.2. Linux 2.6
5.1.3. Adding GRE
5.1.4. Obtaining routing information
5.1.5. Automating
5.2. BSD
5.3. Windows
6. Troubleshooting
7. References
8. Further reading
9. Glossary

1. Preface

1.1. Who should read this

This document is intended for people who are interested in joining the VLAN project, or in general people who are interested in building a similar VPN. Knowledge of basic Unix system administration (including compiling custom kernels for your preferred flavour of Unix-like operating system), routing and routing protocols and VPN technology is assumed, together with some experience in setting up a basic IPSec tunnel in your OS of choice.

1.2. Background

The experiences and configurations used in this document are currently (at the time of writing) in use in a wide area VPN, spanning from New Zealand to Canada to Europe. The goal of this WAVPN (we call it “VLAN”, and that's the term which will be used when referring to this functional implementation) is to function as a testbed for its members to try out new (to us) technology, and to teach ourselves the art of designing, building, configuring, managing and troubleshooting a larger scale network than would be possible by more conventional means.

1.3. Acknowledgements

Everything described in this document has come to be as a group effort. Without most of the people in the Undernet #ipsec IRC channel, various people in the Undernet #linux IRC channel, various people in the Undernet #linuxhelp IRC channel, people on various mailing lists and of course the numerous people who have been writing documentation on the web or in books, none of this would have been possible. Credit where credit is due: without the entire FLOSS community, which provides such a massive amount of software, documentation and support for free, mere mortals would be unable to undertake projects like these. Special mention goes to the people behind the Linux Advanced Routing & Traffic Control Howto (generally known as LARTC, see references). Without the work you guys put into this invaluable resource

1.4. Document layout

After this preface, the document continues with a short explanation of how the VLAN is put together. It is short, and leaves out most details so as to get to the more interesting technical details as quickly as possible. These start with a list of prerequisites (“stuff you need”), followed by a description of how to connect your favourite IPSec implementation to the VLAN, configuration examples and all. Not assuming everything will work in one stroke, a section on troubleshooting your connection(s) is provided, which brings you to the obligatory document endings: a list of references, further reading and a glossary.

1.5. Conventions

Configuration snippets are formatted as follows:

    configuration snippet

Furthermore, it is assumed that your local IP address is w.x.y.z, and that the IP address of the IPSec peer you are connecting to is a.b.c.d, with e.f.g.h as its next hop.