Understanding VPN


You have seen SSH in action, providing a secure, encrypted connection over an insecure, visible network. You can also take the next step and ensure that the entire network connection is secure and encrypted, thus allowing any type of access to be safe, even insecure protocols such as Telnet and standard FTP.

This process is known as creating a virtual private network (VPN). A VPN can consist of a single host connecting to a private network, or an entire remote site connecting into a private network, in both cases using VPN security protocols over an insecure network (such as the Internet). The following figure shows a VPN connection from a client computer to an internal corporate network using NAT for IP addressing (shown at the bottom). The client machine has both a public IP address 17.187.175.4 (provided by an ISP, either at home, or at a hotel, or at a remote site) and a private VPN address 10.1.1.100 on the internal network (provided by the VPN server after authentication). Note that transactions to the internal network go through the VPN pipe, but non-VPN connections get blocked at the VPN/firewall server and are not allowed internal access.

An attacker can snoop the non-VPN network transactions but will see only encrypted gibberish while observing the VPN connection. You will see later that when you create a VPN connection, you have full control over which packets get sent over the VPN and which get sent over the public network.

VPN comes in a variety of flavors and textures, featuring various authentication schemes and transport protocols.

VPN Transport Protocols

Mac OS X and Mac OS X Server support two transport protocols:

  • Layer 2 Tunneling Protocol (L2TP)

  • Point-to-Point Tunneling Protocol (PPTP)

A Mac OS X system may have multiple connection profiles to different VPN servers (which may or may not be running Mac OS X Server), each using one or the other of these transport protocols for connectivity.

Mac OS X Server can provide VPN services using one or both of these protocols.

Before you learn how to implement VPN connectivity in Mac OS X and Mac OS X Server, let's take a look at each transport protocol in detail.

L2TP

L2TP is the more secure of the two protocols. The default configuration is L2TP/IPSec, which supports a shared secret mechanism. You can also use certificates instead of shared secrets, which you will find out how to do later in this lesson.

PPTP

PPTP, which was developed by Microsoft, provides more compatibility with older Windows clients. It supports both 40-bit and 128-bit encryption, but unless you need to support older Windows clients, it is best to stick with 128-bit, because 40-bit is very susceptible to security breaches.

Note

Regardless of the protocol used to connect to the VPN server, you should enable all traffic to go over the VPN. In the Internet Connect application, choose Connect > Options and select the "Send all traffic over the VPN connection" checkbox.


Authentication Methods

Because different organizations require different levels of authentication security, VPN supports several authentication schemes. On Mac OS X Server, the default authentication protocol is MS-CHAPv2.

MS-CHAPv2

MS-CHAPv2 is a fairly simple user name/password authentication model using a password hash.

Kerberos

Beginning with Mac OS X 10.4, Kerberos VPN authentication is supported with L2TP.

Two-Factor

A two-factor authentication protocol utilizes a user name, but instead of a fixed password, a token (which can change) is combined with a password. The most common example is the RSA SecurID system, where the user carries a device that generates tokens dynamically. This SecurID device is either a key-fob or a credit-card-sized device (for easy placement in a wallet or planner). Each SecurID device is usually specifically coordinated to a user; in other words, one SecurID device cannot be used by another person, even if he or she is in the same system.

Providing VPN Service With Mac OS X Server

Mac OS X Server provides a graphical interface for VPN configuration using the Server Admin program. Most popular VPN configuration options are easily configured through the GUI, but other configuration options are configurable only via the command line.

Mac OS X Server can provide both L2TP and PPTP VPN service concurrently, or you can enable just one of the types.

VPN configuration information for OS X Server is stored in /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist.

L2TP Configuration

After enabling L2TP, which you will do in the next exercise, you must first select a block of IP addresses that the VPN system will vend to clients as they attach, similar to what a DHCP server does. Speaking of DHCP servers, it is very important that the IP address range you select is not already assigned statically or allocated to a DHCP server.

Next, you must select PPP authentication type. Mac OS X Server defaults to MS-CHAPv2 authentication, but you can also choose to use Kerberos authentication instead (from the pop-up menu, new to Mac OS X Server v10.4). To enable two-factor protocols such as RSA SecurID, a trip to the command line is necessary.

Also new to the Mac OS X Server v10.4 Server Admin GUI is the ability to use a certificate instead of a shared secret for client-server host authentication. You must already have generated a certificate. You could do this from the command line in previous versions of Mac OS X Server, but it is now a welcome addition to the GUI.

Here, you will configure L2TP over IPSec to use MS-CHAPv2 PPP authentication and use a client/server host shared secret:

1. On Mac OS X Server, launch Server Admin and authenticate.

2. From the Computers & Services list, select VPN.

3. Click the Settings button.

4. Click the L2TP tab.

5. Select the "Enable L2TP over IPSec" checkbox.

6. Select Starting IP address and Ending IP address blocks.

7. Make sure the PPP Authentication pop-up menu is set to MS-CHAPv2.

8. Make sure the Shared Secret radio button is selected.

9. Enter a shared secret; this should be an extremely-difficult-to-guess password. (It will be entered only once on the client side, as shown in a later exercise.)

10. Click Save.

You are not done setting up VPN yet, but if this is the only configuration you want, skip ahead to the exercise on setting up client information.

In this exercise, you will configure L2TP over IPSec to instead use Kerberos for PPP authentication and use a certificate for IPSec authentication:

1. Execute steps 1 through 6 from the previous exercise.

2. For PPP Authentication, choose Kerberos.

3. For IPSec Authentication, select the Certification radio button.

4. Choose a pre-existing certificate from the pop-up menu.

5. Click Save.

PPTP Configuration

PPTP configuration is straightforward in Mac OS X Server, because Server Admin offers only a few simple configuration options. As with L2TP, you must first select a block of IP addresses that the VPN system will vend to clients as they attach, similar to what a DHCP server does. Again, it is very important that the IP address range you select is not already assigned statically or allocated to a DHCP, VPN, or other type of server elsewhere.

1. On Mac OS X Server, launch Server Admin and authenticate.

2. From the Computers & Services list, select VPN.

3. Click the Settings button.

4. Click the PPTP tab.

5. Select Enable PPTP.

6. Enter a Starting IP address and Ending IP address block.

   Again, these addresses must not already be allocated elsewhere.

7. Optionally, select the checkbox allowing for 40-bit encryption keys.

   This weakens the connection's security (as noted earlier, 40-bit encryption is very susceptible to attack), but it may be required for older VPN clients.

8. Click Save.
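Both the L2TP and PPTP exercises warn that the vended address range must not collide with a DHCP scope or a statically assigned host. The following script is an added example, not part of the book or of Mac OS X Server; it checks a proposed pool against constructed sample values (the VPN pool, DHCP scope and static hosts below are assumptions for illustration) before you type the range into Server Admin.

```python
import ipaddress

# Constructed sample values (not from the book): the range the VPN service will vend,
# the DHCP scope already in use on the same LAN, and a few statically assigned hosts.
VPN_POOL = ("10.1.1.100", "10.1.1.150")
DHCP_SCOPE = ("10.1.1.120", "10.1.1.200")
STATIC_HOSTS = ["10.1.1.1", "10.1.1.11"]


def to_range(start, end):
    """Validate a start/end pair and return it as IPv4Address objects."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"starting address {first} is after ending address {last}")
    return first, last


def overlap(range_a, range_b):
    """Return the (first, last) addresses both ranges share, or None if they are disjoint."""
    a_first, a_last = to_range(*range_a)
    b_first, b_last = to_range(*range_b)
    low = max(a_first, b_first)
    high = min(a_last, b_last)
    if low <= high:
        return str(low), str(high)
    return None


def check_vpn_pool(vpn_pool, dhcp_scopes, static_hosts):
    """List every collision between the VPN pool and existing DHCP scopes or static hosts.

    An empty list means the pool is safe to enter in Server Admin.
    """
    problems = []
    for scope in dhcp_scopes:
        shared = overlap(vpn_pool, scope)
        if shared:
            problems.append(
                f"VPN pool {vpn_pool[0]}-{vpn_pool[1]} overlaps DHCP scope "
                f"{scope[0]}-{scope[1]} on {shared[0]}-{shared[1]}"
            )
    first, last = to_range(*vpn_pool)
    for host in static_hosts:
        if first <= ipaddress.IPv4Address(host) <= last:
            problems.append(f"static host {host} lies inside the VPN pool")
    return problems


if __name__ == "__main__":
    for line in check_vpn_pool(VPN_POOL, [DHCP_SCOPE], STATIC_HOSTS) or ["no collisions"]:
        print(line)
```

Run it with the real DHCP scopes and static assignments from your own network; the sample pool above deliberately overlaps the sample DHCP scope on 10.1.1.120 through 10.1.1.150, so the script reports one problem.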

Configuration for Two-Factor Authentication

As mentioned earlier, you can configure VPN on OS X Server to support two-factor authentication.

In this exercise, you will add support for SecurID:

1. Launch a command-line shell on Mac OS X Server.

2. Create the folder /var/ace:

sudo mkdir /var/ace

3. Copy the SecurID configuration file sdconf.rec from your SecurID server to the /var/ace folder.

4. Enable EAP-SecurID authentication by typing the following two commands, one at a time, each on a single line:

serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"

serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

5. Exit your command-line shell.
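The two serveradmin commands above are colon-separated paths into the settings that Mac OS X Server stores in com.apple.RemoteAccessServers.plist, with ":_array_index:N" selecting element N of an array. The script below is an added example, not Apple's code and not part of the book: it parses those two command lines, applies them to an empty settings dictionary using that path convention (the mapping of the serveradmin path onto the nested plist structure is this example's assumption), and then checks whether the result has EAP-SecurID enabled. It can be used offline to confirm what a command will change, or against a copy of the plist exported from a server.

```python
import plistlib

# The two command lines from the exercise, exactly as typed on the server.
COMMANDS = [
    'serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"',
    'serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"',
]
EAP_PROTOCOL_PATH = "Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0"


def parse_setting_line(line):
    """Split 'serveradmin settings <service>:<path> = <value>' into (service, path, value)."""
    prefix = "serveradmin settings "
    if not line.startswith(prefix):
        raise ValueError("not a serveradmin settings assignment")
    lhs, sep, rhs = line[len(prefix):].partition(" = ")
    if not sep:
        raise ValueError("missing ' = ' in assignment")
    service, _, path = lhs.strip().partition(":")
    value = rhs.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # strip the quotes around string values
    return service, path, value


def _steps(path):
    """Turn 'a:b:_array_index:0:c' into [('key','a'),('key','b'),('index',0),('key','c')]."""
    parts = path.split(":")
    steps, i = [], 0
    while i < len(parts):
        if parts[i] == "_array_index":
            steps.append(("index", int(parts[i + 1])))
            i += 2
        else:
            steps.append(("key", parts[i]))
            i += 1
    return steps


def _child(node, kind, sel):
    if kind == "key":
        return node.get(sel)
    return node[sel] if sel < len(node) else None


def _assign(node, kind, sel, value):
    if kind == "key":
        node[sel] = value
    else:
        while len(node) <= sel:  # grow the array up to the requested index
            node.append(None)
        node[sel] = value


def apply_setting(settings, path, value):
    """Apply one assignment to a nested dict, creating dicts/lists along the path as needed.

    Assumption of this example: each serveradmin path component is a dict key and
    ':_array_index:N' is a list index, mirroring the nested plist layout.
    """
    steps = _steps(path)
    node = settings
    for (kind, sel), (next_kind, _) in zip(steps, steps[1:]):
        child = _child(node, kind, sel)
        if child is None:
            child = {} if next_kind == "key" else []
            _assign(node, kind, sel, child)
        node = child
    kind, sel = steps[-1]
    _assign(node, kind, sel, value)
    return settings


def securid_enabled(settings):
    """True when the L2TP PPP authenticator is EAP with the EAP-RSA (SecurID) plugin loaded."""
    ppp = settings.get("Servers", {}).get("com.apple.ppp.l2tp", {}).get("PPP", {})
    return ("EAP" in ppp.get("AuthenticatorProtocol", [])
            and "EAP-RSA" in ppp.get("AuthenticatorEAPPlugins", []))


def configure_securid(settings, lines):
    """Apply the exercise's command lines to a settings dict and return it."""
    for line in lines:
        service, path, value = parse_setting_line(line)
        if service != "vpn":
            raise ValueError(f"unexpected service {service!r}")
        apply_setting(settings, path, value)
    return settings


def to_plist(settings):
    """Serialize to XML plist bytes (round-trip check that the structure is a valid plist)."""
    return plistlib.dumps(settings)


def from_plist(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    print(to_plist(configure_securid({}, COMMANDS)).decode())
```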

Client Information: "DHCP"-like

With Server Admin, you can configure your clients to receive not only an IP address, but also default DNS server and search domain info. If this sounds like the type of information a DHCP server would provide for non-VPN clients, you are correct.

To configure VPN to provide a default DNS server of 10.1.1.1 and a default search domain of pretendco.com, perform these steps:

1. On Mac OS X Server, launch Server Admin and authenticate.

2. From the Computers & Services list, select VPN.

3. Click the Settings button.

4. Click the Client Information tab.

5. In the "DNS servers" text box, enter PretendCo's default VPN DNS server of 10.1.1.1.

6. In the "Search domains" text box, enter pretendco.com.

7. Click Save.

This information will be provided to all clients who connect via VPN, whether through L2TP or PPTP.

Client Information: Public/Private Network Routing

With Server Admin, you can also configure public and private routing for VPN users. This ensures that public IP address routing, which does not require a VPN tunnel, does not waste VPN resources, and also that private network traffic is required to be on the private VPN network.

When packets are sent through a VPN tunnel, this results in a load on the VPN server for encrypting/decrypting packets. For connections to internal hosts, as shown in the connection from the client machine to the internal host 10.1.1.11, this is the exact behavior you want. However, if the client machine wants to contact a public Web server at 17.112.152.32, is it necessary to burden the VPN server with this request? If you don't think so, you may configure public and private network routing within your VPN client information to control this behavior.

In this exercise, you will configure the network so that packets destined for 10.1.1/24 go through the VPN server, and packets destined for 17/8 do not:

1. On Mac OS X Server, launch Server Admin and authenticate.

2. From the Computers & Services list, select VPN.

3. Click the Settings button.

4. Click the Client Information tab.

5. Click the plus sign under the Network Routing Definitions table.

6. In the sheet that appears, enter 10.1.1.0 for the address and 255.255.255.0 for the subnet mask; then choose Private from the Type pop-up menu.

7. Click OK.

8. Again, click the plus sign under the Network Routing Definitions table.

9. In the sheet that appears, enter 17.254.0.0 for the address and 255.255.0.0 for the subnet mask; then choose Public from the Type pop-up menu.

10. Click OK.

11. Click Save and start the VPN service.
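To see what the two routing definitions above actually do to a client's packets, here is an added example (not code from the book or from Mac OS X) that models the client-side decision: the most specific matching definition decides whether a destination goes through the tunnel or out the client's own interface, and anything no definition covers follows the default route, which is the tunnel only when the earlier note's "Send all traffic over the VPN connection" option is on. That default-route behaviour, and the table itself, are this example's assumptions. It also shows why the mask matters: the book's public Web server 17.112.152.32 is not inside 17.254.0.0/255.255.0.0, so with send-all enabled it would still be carried over the VPN.

```python
import ipaddress

# Constructed table mirroring the exercise's two Network Routing Definitions
# (address, subnet mask, Type).
ROUTING_DEFINITIONS = [
    ("10.1.1.0", "255.255.255.0", "Private"),
    ("17.254.0.0", "255.255.0.0", "Public"),
]


def build_table(definitions):
    """Validate the (address, mask, type) rows and order them longest prefix first."""
    table = []
    for address, mask, kind in definitions:
        if kind not in ("Private", "Public"):
            raise ValueError(f"type must be Private or Public, got {kind!r}")
        # strict=True rejects an address with host bits set under the mask,
        # which Server Admin would otherwise silently accept as a typo.
        network = ipaddress.IPv4Network(f"{address}/{mask}", strict=True)
        table.append((network, kind))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def route_for(destination, table, send_all_over_vpn=False):
    """Return 'vpn' or 'public' for one destination address.

    Assumption of this example: the most specific matching definition wins, and a
    destination matching nothing follows the client's default route, i.e. the tunnel
    when "Send all traffic over the VPN connection" is on, else the public interface.
    """
    ip = ipaddress.IPv4Address(destination)
    for network, kind in table:
        if ip in network:
            return "vpn" if kind == "Private" else "public"
    return "vpn" if send_all_over_vpn else "public"


def unmatched_hosts(hosts, table):
    """Hosts no definition covers; their path depends entirely on the send-all setting."""
    return [h for h in hosts
            if not any(ipaddress.IPv4Address(h) in network for network, _ in table)]


if __name__ == "__main__":
    table = build_table(ROUTING_DEFINITIONS)
    for host in ("10.1.1.11", "17.254.1.1", "17.112.152.32"):
        print(host, route_for(host, table), route_for(host, table, send_all_over_vpn=True))
    print("not covered by any definition:", unmatched_hosts(["17.112.152.32"], table))
```

Feed unmatched_hosts the public servers your users actually reach; any host it lists will ride the tunnel once send-all is on, so either widen the Public definition's mask or add another row before saving.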

Connecting to VPN Service

Mac OS X and Mac OS X Server users connect to VPN servers using the Internet Connect program located in /Applications.

In this exercise, you will connect to a VPN server:

1. Launch Internet Connect (located in /Applications).

2. Click the VPN icon.

3. In the sheet that appears, select "L2TP over IPSec" and click Continue.

4. In the sheet that appears, choose Edit Configurations from the Configuration pop-up menu.

5. In the sheet that appears, enter a new description, something like L2TP host.pretendco.com.

6. Enter the following:

   Server Address: host.pretendco.com

   Account Name: scott

   User Authentication: Password <scott's password>

   Machine Authentication: Shared Secret: <your shared secret>

7. Click OK.

8. Click Connect.




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
