This is a case study of our work with a client to port their proprietary IPSec VPN solution from Linux to Windows. The customer is a US-based business developing and fielding highly secure communication for the U.S. Government. The customer has a set of products providing security solutions that are delivered on an easily accessible public platform by encrypting communications over the public internet. Its security solutions are focused on U.S. Federal Agencies, Law Enforcement and First Responders, SMART Manufacturing Industries, Cybersecurity for IoT, Secure Social Media and Financial Industries.
The customer uses a proprietary IPSec stack for VPN connectivity. The stack is written in the C programming language and runs in user space on the Linux Ubuntu platform. The requirement was to make the IPSec stack work in a Windows environment (Server and Workstation) and run as a Windows Service.
Develop a TUN driver for Windows to create a virtual interface that the IPSec stack can use for secure data communication.
The IPSec stack supports a CLI, which was to be replaced by a Manager interface providing the functionality needed for the Client (a Windows-based application UI) to communicate with the IPSec service.
The entire source was to be made compatible with 32-bit and 64-bit Windows environments, with separate binaries produced to run on 32-bit and 64-bit OS.
The final expected delivery was a Windows-based installer (.msi) that handles the complete installation of the device driver for the virtual interface, the IPSec service and the dependent Visual Studio libraries.
The Business Case Challenge
Linux supports a virtual TUN interface, which the IPSec stack uses, but Windows has no built-in virtual TUN interface.
The IPSec stack needed to run as a Windows Service, and a Manager interface had to be developed to handle all communication between the IPSec service and the Client (i.e. the user interface).
The existing code base was written and tested for Linux only. It needed to be ported to Windows by using Windows system calls (Win32 API) in place of POSIX calls when built for Windows. The entire source should be buildable from a Makefile on both the Linux and Windows platforms.
OdiTek's team did some R&D and found that on Windows a TAP interface could take the place of the TUN interface. A TAP interface is normally used to bridge two Ethernet segments in two different locations: in such a setup, computers on both ends of the VPN can sit in the same IP subnet (e.g. 10.0.0.0/24) and talk to each other directly without any changes to their routing tables, with the VPN acting like an Ethernet switch.
The team chose to use the TAP interface provided by OpenVPN (the open-source VPN). Because a TAP interface receives more packets than a TUN interface (in particular broadcast packets), changes were made in the source code to filter out the unnecessary broadcast packets.
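As an added illustration of the filtering described above (example code, not the client's stack or OdiTek's deliverable), the following C function unwraps a frame read from a TAP adapter into the IP packet a TUN-oriented IPSec stack expects, dropping broadcast, multicast, non-IP and truncated frames before any header is handed to the IP parser. The two sample frames are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* Ethernet II header as delivered by a TAP adapter: dst MAC(6) src MAC(6) type(2). */
#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

enum frame_verdict { FRAME_DROP = 0, FRAME_PASS = 1 };

/* The IP packet a TUN-style stack expects, carved out of the TAP frame buffer. */
struct ip_payload { const uint8_t *data; size_t len; };

/* Returns FRAME_PASS and fills *out for a unicast IPv4/IPv6 frame; returns
 * FRAME_DROP for broadcast, multicast, non-IP (e.g. ARP) and truncated
 * frames. Every length is checked before the corresponding byte is read. */
enum frame_verdict tap_frame_to_ip(const uint8_t *frame, size_t frame_len,
                                   struct ip_payload *out)
{
    if (frame == NULL || out == NULL || frame_len < ETH_HDR_LEN + 1)
        return FRAME_DROP;
    /* Bit 0 of the first destination octet marks a group address; this covers
     * both multicast and the ff:ff:ff:ff:ff:ff broadcast address. */
    if (frame[0] & 0x01)
        return FRAME_DROP;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4 && ethertype != ETHERTYPE_IPV6)
        return FRAME_DROP;
    /* The IP version nibble must agree with the EtherType, so a mislabelled
     * frame never reaches the IPSec stack's IP parser. */
    uint8_t version = frame[ETH_HDR_LEN] >> 4;
    if ((ethertype == ETHERTYPE_IPV4 && version != 4) ||
        (ethertype == ETHERTYPE_IPV6 && version != 6))
        return FRAME_DROP;
    out->data = frame + ETH_HDR_LEN;
    out->len  = frame_len - ETH_HDR_LEN;
    return FRAME_PASS;
}

/* Constructed sample frames (not captured traffic): a unicast IPv4 frame carrying
 * a 20-byte IP header (protocol 50 = ESP), and a broadcast ARP request such as
 * any host on an Ethernet segment sends. */
static const uint8_t sample_ipv4_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x14,0x00,0x00,0x40,0x00,0x40,0x32,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };
static const uint8_t sample_arp_broadcast[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };
```

Calling tap_frame_to_ip on the IPv4 sample yields the 20-byte IP packet, while the ARP broadcast and any frame shorter than 15 bytes are dropped.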
The existing C source code was imported and organised as multiple modules in Visual Studio, and Windows-specific API/library calls were substituted so that the complete code compiled successfully for Windows. A set of Makefiles was created to support a Windows build from the root folder of the source code.
A library (DLL) was developed to act as the Manager interface; it communicates with the IPSec service to perform operations such as creating a new connection, getting all active server associations, getting the details of a server association and removing existing connections. Any client application can use this library to interact with the IPSec service.
The Windows installer was developed using Visual Studio Installer. It produces a single .MSI file that installs the dependent Visual Studio Redistributable package, the OpenSSL libraries, the Windows TAP driver and the custom IPSec service with default configuration files. Uninstallation, shutdown of the TAP interface and complete removal of the TAP driver and installed files were also handled.
The complete solution was tested successfully on the customer's intended test setup, and its functionality was compared and benchmarked against the native Linux source. The source code of the Windows-ported IPSec stack, the Manager interface, the Windows Service, the TAP driver (with custom scripts for install/start/stop/remove) and the Windows installer were delivered to the customer. The customer was very satisfied and integrated these modules into their security solutions.
- OS: Linux (Ubuntu 16.04), Windows 10 (64-bit), Windows 7 (32/64-bit)
- Protocol: IPSec, IKE, UDP/IP
- Language: C, C++
- Compiler: Microsoft Visual Studio 2017, gcc
- Others: Visual Studio Installer
To know more about OdiTek's IPSec-based VPN solutions, please drop an email at firstname.lastname@example.org