by Lisa Phifer, Core Competence
Previous columns in this series have explored remote access VPN clients for tunneling to gateways that support PPTP or L2TP. Although PPTP and L2TP can be used elsewhere, these methods are most often used by Win32 hosts. As discussed last month, PPTP is easier to use but less robust than L2TP. L2TP is only secure when sent over an encrypted channel like an IPsec transport connection. This begs the question: Why not just use IPsec by itself?
In fact, there are many "vanilla" IPsec VPN clients available today, including open source clients, native clients embedded in operating systems, clients sold with VPN gateways, and third-party VPN client software. In this column, I will provide a brief list of IPsec clients that run on many operating systems. I will discuss (in general) what IPsec clients have to offer and what they are often missing. When you reach the end of this column, you should have a good foundation for finding an IPsec client that will meet your own needs.
Making IP secure
IPsec refers to a set of extensions to the IP protocol defined by RFC 1825 and related IETF standards. There are two components -- the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Most IPsec VPNs only use ESP, which protects IP packets from eavesdropping, forgery, or replay.
IPsec can be used in tunnel or transport mode. Transport mode protects IP from host to host. Tunnel mode protects IP between gateways or gateway-to-host. Transport mode is only commonly used to secure L2TP. "Vanilla" IPsec VPNs use tunnel mode between a remote access client and a security gateway at the private network edge.
ESP can be used with several data integrity and encryption algorithms. To interoperate, common algorithms are required at both ends. Today, most IPsec VPNs use 3DES encryption and SHA-1 hashed message authentication. Newer products are beginning to support a stronger alternative: the Advanced Encryption Standard (AES).
So, although there are multiple IPsec protocols, modes, and algorithms to choose from, it is easy to narrow these options down to a small subset. When selecting an IPsec client, make sure that it supports the subset required by your IPsec gateway -- for example, ESP in tunnel mode with 3DES/SHA1. Unless your security needs are unusual, product compatibility and mismatches at this level should not be difficult to identify.
Almost every IPsec VPN client uses the Internet Key Exchange (IKE) standard to automatically establish tunnels. IKE authenticates peers, negotiates algorithms to protect IP packets, and generates keys used by those algorithms. IKE is where you will find the greatest diversity between IPsec clients and gateways.
- Most IPsec clients can be authenticated with shared secrets; some also support digital certificates. If you need certificate authentication, be sure to select an IPsec client that works with your chosen certificate authority.
- IKE authenticates peer systems. For remote access, you may prefer to authenticate the human user. PPTP and L2TP provide user authentication but IKE does not. Therefore, many IPsec clients implement extensions that enable user authentication based on passwords or SecurID tokens. If you need user authentication, make sure your client and gateway support the same extensions (e.g., XAUTH, Hybrid, CRACK).
- Dial-up clients used PPP to obtain IP addresses. PPTP and L2TP clients leverage PPP to obtain virtual IP addresses (VIPs), but IKE does not provide for this. Some IPsec clients let you configure static VIPs. Some implement an Internet Draft called Mode-Config to pass dynamic VIPs during tunnel establishment. Others use DHCP to lease client VIPs over a bootstrap tunnel. For best results, your client and gateway should implement compatible address assignment methods.
- To create session keys that drive symmetric encryption, IKE uses the Diffie-Hellman (DH) secure key exchange algorithm. IPsec clients may support different DH "groups," with or without an option called Perfect Forward Secrecy (PFS). Verify that your client and gateway support a common subset of DH and PFS options.
- As many road warriors have discovered, network and port address translation (NAT/PAT) tend to break IPsec tunnels. Fortunately, many IPsec products now support NAT traversal based on UDP encapsulation. Because this capability is relatively new, support is not yet universal or "plug and play" in multi-vendor VPNs.
- The most challenging aspect of remote access deployment can be configuration and distribution of security policies. Some IPsec clients make the end user configure many cryptic parameters. Others hide parameters in a policy file that can be generated by the gateway or a central policy manager. Policies can be bundled with client software or pushed over a bootstrap tunnel. These enhancements are usually only available when using the IPsec client recommended by your gateway vendor.
The bottom line: carefully examine the IKE options supported by each open source, embedded, vendor-supplied, or third-party IPsec client. Start with the make and model of your company's VPN gateway and defined security policy. Then do your homework to find a good match. There is no "one size fits all" answer. If you don't want to purchase the VPN client sold by your gateway vendor, you may have to sacrifice a few vendor-specific extensions.
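As an added example that is not part of the original column, here is a small Python model of the IKE proposal selection the bullets above describe: the client offers proposals in its preference order, the gateway accepts the first one its own policy permits, and extensions such as XAUTH or Mode-Config are a plain capability check. The attribute labels, option names and the two sample client policies are my own constructed values, not any product's defaults.

```python
# Added example (not code from any product named in the column): a model of how an
# IKE responder picks a proposal, used to check whether a client and gateway share a
# usable subset. Attribute labels and sample policies are constructed for illustration.
PHASE1_ATTRS = ("enc", "hash", "dh", "auth")  # ISAKMP SA: cipher, hash, DH group, peer auth
PHASE2_ATTRS = ("enc", "hash", "pfs")         # IPsec SA: ESP cipher, ESP HMAC, PFS group (0 = off)

def select_proposal(offered, accepted, attrs):
    # Walk the initiator's proposals in the order sent; return the first one the
    # responder's policy also allows (so the client's preference order matters).
    for proposal in offered:
        for policy in accepted:
            if all(proposal.get(a) == policy.get(a) for a in attrs):
                return proposal
    return None

def attribute_gaps(offered, accepted, attrs):
    # Attributes with no value in common at all: the usual root cause of a failed IKE.
    gaps = {}
    for a in attrs:
        mine, theirs = {p.get(a) for p in offered}, {p.get(a) for p in accepted}
        if not mine & theirs:
            gaps[a] = (sorted(mine), sorted(theirs))
    return gaps

def check_pairing(client, gateway):
    # Both negotiation phases plus the extension check; 'ok' only if every step matches.
    result = {"ok": True}
    for phase, attrs in (("phase1", PHASE1_ATTRS), ("phase2", PHASE2_ATTRS)):
        chosen = select_proposal(client[phase], gateway[phase], attrs)
        result[phase] = chosen
        if chosen is None:
            result["ok"] = False
            result[phase + "_gaps"] = attribute_gaps(client[phase], gateway[phase], attrs)
    # Extensions (XAUTH, Mode-Config, NAT-T) are not negotiated like transforms: the
    # gateway either requires them or not, so a plain set difference is the check.
    missing = set(gateway["requires"]) - set(client["extensions"])
    if missing:
        result["ok"] = False
        result["missing_extensions"] = sorted(missing)
    return result

# Constructed sample: gateway policy is 3DES/SHA1, DH group 2, PSK, PFS on, XAUTH + Mode-Config.
GATEWAY = {"phase1": [{"enc": "3des", "hash": "sha1", "dh": 2, "auth": "psk"}],
           "phase2": [{"enc": "3des", "hash": "sha1", "pfs": 2}], "requires": {"xauth", "mode-config"}}
# Client A prefers AES/group 5 but also offers the gateway's subset; client B is MD5-only, no PFS.
CLIENT_A = {"phase1": [{"enc": "aes", "hash": "sha1", "dh": 5, "auth": "psk"},
                       {"enc": "3des", "hash": "sha1", "dh": 2, "auth": "psk"}],
            "phase2": [{"enc": "3des", "hash": "sha1", "pfs": 2}], "extensions": {"xauth", "mode-config", "nat-t"}}
CLIENT_B = {"phase1": [{"enc": "3des", "hash": "md5", "dh": 2, "auth": "psk"}],
            "phase2": [{"enc": "3des", "hash": "md5", "pfs": 0}], "extensions": {"xauth"}}
```

Running `check_pairing(CLIENT_A, GATEWAY)` selects the client's second phase 1 proposal; for client B the result lists the hash and PFS gaps and the missing Mode-Config extension, which is the kind of mismatch to look for before buying a client.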
More than free
Now let's look at a sampling of IPsec VPN clients that are currently available from a variety of sources, for use with a variety of operating systems and VPN gateways.
When you purchase an OS with embedded IPsec, the VPN client is included in the OS license. When you purchase a VPN gateway that includes unlimited software downloads, you have paid for those clients. Many vendors make 30-day trial software freely available for download -- these too are commercial products.
Strictly speaking, these are not "free" VPN clients. But my list includes software in all of these categories. Why? Some people ask about "free" clients because they are concerned about total cost; a gateway/client bundle might fit this bill. Others may be hoping to avoid per-user licensing; a free download might be just the ticket. Still others may want to avoid desktop software installation; this requires an embedded client.
Open source IPsec
Only open source clients are really free of charge. The cost here is typically the elbow grease required to "roll your own" – compiling code or adding binary packages to client systems running open source operating systems. For many end users, open source isn't an option -- they just want to run setup on their Win32 PC. If that describes you, skip to the next section.
For many others, a do-it-yourself solution sounds like a fun way to save some bucks. If that's you, then take a look at FreeS/WAN for Linux. Although FreeS/WAN often plays the VPN gateway role, it can also be used on Linux-based hosts to provide VPN client features. For a good example of FreeS/WAN-to-FreeS/WAN IPsec configuration, visit this how-to page by Jean-Francois Nadeau.
Another open source solution is KAME. KAME runs under BSD/OS, FreeBSD 4.7, NetBSD 1.6, and OpenBSD 3.2. KAME usually plays the VPN gateway role, but if you run BSD on your laptop, you can try using KAME to tunnel to your company's VPN gateway. One nice thing about KAME is that it is used by the VPN Consortium as a conformance test platform. Published test results can help you combine KAME with your favorite VPN gateway. Check the VPNC website for details.
In the early days of IPsec, after-market VPN clients were the norm. Today, many operating systems ship IPsec as part of the native IPv4 (and sometimes IPv6) TCP/IP protocol stack. These clients are "free" in that you may not have to purchase an extra license to use them. However, embedded clients may still be separately installable packages. Verify that IPsec is already installed on your desktop/workstation OS. If not, use the OS CD to add the IPsec feature/package.
Microsoft ships IPsec as part of Windows 2000 and Windows XP operating systems. As discussed last month, Microsoft recommends using L2TP-over-IPsec for remote access. However, you can also use "vanilla" IPsec on Windows 2000/XP hosts if you're willing to configure some detailed policy parameters. When using DHCP, you may have to update your client's IP address in your IPsec policy every time you want to tunnel. Many VPN gateway vendors provide how-to instructions for configuring the native Windows IPsec client. Microsoft also provides plenty of documentation on this subject, including alternatives for enterprise-scale configuration of Windows IPsec policies. A good place to start is Microsoft's IPsec resources page.
Apple now ships Mac OS X with embedded FreeBSD/KAME IPsec, including Racoon (the KAME IPsec daemon). To learn more about using the command line interface to this IPsec client, read "Flying Racoons: Host to host, coast to coast" by Joel Rennich.
Smart phones and PDAs that run Symbian OS Version 7.0 also have embedded IPsec support. In this case, Symbian used the SSH Communications IPSEC Express development environment to add an IPsec plug-in to its native TCP/IP stack.
If you're running *NIX on your workstation, you will find embedded IPsec in native TCP/IP stacks like Sun Solaris 8, HP IPSec/9000 on HP-UX 11.0, and IBM AIX. Open source KAME is also shipped as part of OpenBSD, NetBSD, and FreeBSD. Most *NIX IPsec documentation is focused on gateway-to-gateway (server-to-server) tunneling, but you may still be able to tunnel from remote *NIX workstations using embedded IPsec protocols.
There are many commercial third-party IPsec clients. Some third-party clients glue a remote access-oriented graphical interface over the native IPsec stack. Some add IPsec support to OS platforms that lack embedded IPsec. Some provide a consistent VPN client across several OS platforms so that companies don't have to worry about coverage gaps. Some add IPsec-related features for use with a given VPN gateway.
These are licensed, commercial products that you must purchase. However, several are available as free downloads for trial use. This can be a good way to determine whether an IPsec client meets your needs, or to understand differences between using an embedded IPsec stack and a GUI IPsec client/dialer. I mention a few here to get you started, but please keep in mind this is NOT an exhaustive list:
- SafeNet SoftRemote runs on Win32 platforms. SoftRemotePDA runs on PocketPC 2002 and PalmOS. When last I checked, these were not available for trial download. But many vendors OEM SoftRemote, so you may already have purchased at least one licensed copy with your VPN gateway.
- The SSH Communications Sentinel IPsec client runs on all Win32 platforms and is available for free trial download.
- Certicom's movianVPN is available for PDAs running PalmOS, Windows CE (including Pocket PC 2002), and Symbian OS. You may find a trial copy of movianVPN on the companion CD shipped with your PDA, or download the trial from Certicom.
- Funk Software's AdmitOne VPN Client runs on Pocket PC 2002; a downloadable demo copy is available from Funk's website.
- You can obtain trial copies of Netlock's IPsec VPN Clients for Nortel Contivity (runs on Macintosh, Linux, Solaris, HP-UX and IBM-AIX) and Cisco 3000 (runs on MacOS 8.6 through 9.2.2). These are not general purpose clients; they pair with specific VPN gateways.
- Many Mac users have heard about or used the McAfee VPN Client, formerly PGPvpn. This IPsec client used to be freely available. When the PGP Corporation acquired PGP Desktop from Network Associates earlier this year, NAI held onto the McAfee VPN Client. Meanwhile, the PGP Corporation started shipping PGP Enterprise and Desktop Bundles for Macintosh 7.2 with VPN client support. Frankly, I cannot tell whether PGP Freeware 8.0 (4Q02) will include a free VPN client for Mac, so follow the link to learn more.
- As previously mentioned, Mac OS X now includes an IPsec stack in the form of KAME; it must be configured with a CLI. If you prefer a GUI to configure and launch your IPsec tunnels for Mac OS X, try Equinux, available for download as a 30-day trial.
- Finally, check out the InJoy Dialer 30-day trial for IPsec client support on hosts running the IBM OS/2 operating system.
Vendor-specific IPsec clients
Earlier this year, a reader suggested that I check out Cisco's free VPN client. This got me thinking about what it means to be "free." Customers need a login/password to Cisco's support site, but can download this client as often as they want. Does that really make it free? As mentioned earlier, customers who purchased Cisco VPN hardware actually purchased this unlimited download license. But, having done so, they can now make this client "freely available" to employees and Extranet partners whom they want to connect to their VPN gateway.
So I've decided to list a few vendor-specific IPsec clients here. Some readers will find this information useful, even if these clients are not "free." Bear in mind that these clients are not general purpose. They are intended for use with specific VPN gateways:
- The Cisco VPN Client runs on Win32, Solaris (SPARC), Mac OS X, and Linux. If you follow this link, you will see that Cisco also provides other IPsec clients, including the Cisco Secure VPN Client (CSVPN), VPN 3000 Client, and VPN 5000 Client.
- CheckPoint VPN-1 SecuRemote runs on Win32. VPN-1 SecureClient runs on Win32 and Pocket PC 2002; a version is also available for Mac OS 8.x and 9.x. An unlimited SecuRemote license is included with the purchase of VPN-1 Gateways; according to the posted price list, other clients are licensed based on number of users.
- Nortel's Contivity Extranet Access Client runs on Win32 (unlimited license included with Contivity switches) and IBM-AIX, Solaris, HP-UX, Linux, and Mac (optional licenses available for purchase). A 30-day evaluation copy of the Win32 client can be downloaded from Nortel's website.
- Avaya's VPNremote Client runs on Win32 platforms. A downloadable copy of this IPsec client is included with the purchase of any Avaya VSU VPN Gateway that supports remote access services.
- The Aurorean VPN Client from Enterasys runs on Win32 platforms and is bundled with every Aurorean Virtual Network system.
- Symantec's Enterprise VPN client (formerly AXENT RaptorMobile) runs on Win32 platforms and is available for trial download from Symantec's website.
- V-ONE's SmartPass Client runs on Win32, CE/PocketPC, Solaris, Red Hat Linux, MacOS, and PalmOS devices, for use with V-ONE SmartGate VPN servers.
This is just a sample list, intended to give you a feel for what's out there. If I didn't mention your vendor, they might OEM a third-party VPN client like SoftRemote. Always check your VPN gateway vendor's website to start your search for compatible IPsec clients. You might find an open source or third-party or embedded client that will work, but integration and support is usually easier with the IPsec client recommended by your gateway vendor.
Hopefully, this four-part series has provided a good foundation for answering that popular question: "Where can I find a free IPsec client for [my operating system] or [my VPN gateway]?"
Start by thoroughly understanding and documenting your requirements. Then consider the client alternatives available for the tunneling protocol used by your VPN gateway. This series has included many URLs to help you begin your search, but new products are popping up all the time, and I am certain to have missed plenty of products when giving examples.
Once you have identified possible candidates, look very closely at authentication, encryption, addressing, and policy management options. I highly recommend downloading trial software to see for yourself – a combination that looks like it might work from the spec sheet does not always work in real life. Kick the tires and see what happens.
If nothing else, I hope this series makes it very clear: You have many, many, many VPN client options available to you. Do some research and you're bound to find a client somewhere that will get you connected, somehow, to that VPN gateway you're trying to reach.
This was first published in December 2002