IPSec

From Wikichris

This guide is still under construction


Goal

  • My computers and servers will exchange IPsec-encrypted data only
  • My devices (Mac, iOS, Windows) will connect to the VPN over L2TP/IPsec with their built-in clients

Server installation

OS

  • Linux Debian 6 - Squeeze
  • The kernel already includes NETKEY; we'll use ipsec-tools for the userspace part.
  • The IKE daemon is Racoon
  • Openswan is preferred to strongSwan, since it is better documented by other users.
  • xl2tpd and l2tpns are both shipped by Debian. The first is the easiest, but doesn't support IPv6

Openswan

apt-get install openswan ipsec-tools

We won't use certificates for now; keep the following command for later

dpkg-reconfigure openswan

Add at the end of /etc/ipsec.conf

conn L2TP-PSK
       #
       authby=secret
       #Perfect Forward Secrecy is not available by default on Win and Mac
       #But this option is still available if the client requests it
       pfs=no
       rekey=no
       keyingtries=3
       #
       # ----------------------------------------------------------
       # The VPN server.
       #
       # Allow incoming connections on the external network interface.
       # If you want to use a different interface or if there is no
       # defaultroute, you can use:   left=your.ip.addr.ess
       #
       left=%defaultroute
       #
       leftprotoport=17/1701
       # If you insist on supporting non-updated Windows clients,
       # you can use:    leftprotoport=17/%any
       #
       # ----------------------------------------------------------
       # The remote user(s).
       #
       # Allow incoming connections only from this IP address.
       #right=234.234.234.234
       # If you want to allow multiple connections from any IP address,
       # you can use:    right=%any
       right=%any
       #
       #rightprotoport=17/%any
       rightprotoport=17/0
       #
       # ----------------------------------------------------------
       # Change 'ignore' to 'add' to enable this configuration.
       #
       auto=add

Still in /etc/ipsec.conf change this line

       #protostack=auto
       protostack=netkey

Add your keys in /etc/ipsec.secrets

# Preshared Keys for two clients with fixed IP addresses:
#234.234.234.234 111.222.111.221: PSK "keyforoneclient"
#234.234.234.234 111.222.111.222: PSK "keyforanotherclient"

# Preshared Key for clients connecting from any IP address:
234.234.234.234 %any: PSK "keysharedbyallclients"
2001:db8:1:5fb2::1 %any: PSK "keysharedbyallclients"

Restart the daemon

/etc/init.d/ipsec restart
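Two things worth checking once the PSK is in place: the key itself should be long and random rather than a dictionary word like the placeholders above, and /etc/ipsec.secrets must not be readable by other users, since anyone who reads it can authenticate as a client. The script below is an added example, not code from the page or from Openswan; it assumes POSIX sh with GNU coreutils (`stat -c`, `base64`) and the `ADDR %any: PSK "..."` line form used above.

```shell
#!/bin/sh
# Helpers for the PSK entries of /etc/ipsec.secrets (added example).
# Assumes POSIX sh and GNU coreutils (head, base64, tr, stat, wc) plus sed/awk.

# Generate a random 32-byte PSK, base64 encoded (44 characters, no newline).
new_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the ipsec.secrets line for one server address: ADDR %any: PSK "..."
# (the same form the page uses for the IPv4 and IPv6 server addresses).
psk_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# Minimum PSK length this audit accepts (a heuristic chosen for the example).
MIN_PSK_LEN=20

# Audit a secrets file: the mode must be 600 (or stricter) so only root can
# read it, and every PSK must be at least MIN_PSK_LEN characters long.
# Prints one FAIL line per finding; returns 0 only if there are none.
audit_secrets() {
    file=$1
    rc=0
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        [4-7]00) ;;   # owner-only, e.g. 600 or 400
        *) echo "FAIL: $file has mode $mode, expected 600"; rc=1 ;;
    esac
    # Extract the quoted PSK values from non-comment lines and count short ones.
    short=$(grep -v '^#' "$file" | sed -n 's/.*PSK "\([^"]*\)".*/\1/p' \
            | awk -v min="$MIN_PSK_LEN" 'length($0) < min { n++ } END { print n + 0 }')
    [ "$short" -eq 0 ] || { echo "FAIL: $short PSK(s) shorter than $MIN_PSK_LEN chars"; rc=1; }
    return $rc
}
```

Typical use is `psk=$(new_psk); psk_line 234.234.234.234 "$psk" >> /etc/ipsec.secrets` followed by `audit_secrets /etc/ipsec.secrets` before restarting the daemon.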

L2TP

I'm testing xl2tpd and l2tpns to make a choice. This part is still under construction.

Choice 1: XL2TPD

For a serious deployment with a considerable number of clients, you will probably want to use l2tpns (it supports external authentication such as RADIUS).

But to start with, xl2tpd is simpler to set up and doesn't need an additional DHCP server.

If you don't want any IPv6 support:

apt-get install xl2tpd

If you want IPv6 support, there is a patch developed for a previous version. I installed it, but Windows and Mac OS X don't accept an IPv6 server anyway: http://www.indarkness.net/blog/2010/04/23/vpnl2tp-over-ipv6-in-linux/

apt-get install libpcap0.8-dev build-essential fakeroot dpkg-dev devscripts ipsec-tools ppp
mkdir ~/xl2tpd
cd ~/xl2tpd
apt-get source xl2tpd
cd xl2tpd-1.2.7+dfsg/
wget http://blog.lifetoy.org/wp-content/uploads/2009/09/xl2tpd-ipv6.diff
patch < xl2tpd-ipv6.diff
ls *.rej
[edit each .rej file and apply the rejected hunks by hand]
vi control.c
vi linux/include/linux/if_pppol2tp.h
vi contrib/pppol2tp-linux-2.4.27.patch
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../xl2tpd_1.2.7+dfsg-1_amd64.deb

/etc/xl2tpd/xl2tpd.conf

[global]
#debug network = yes
#debug tunnel = yes
[lns default]
ip range = 192.168.79.101-192.168.79.109
local ip = 192.168.79.254
require chap = yes
refuse pap = yes
require authentication = yes
name = gonzofamily.com
#ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/chap-secrets

login1    *    password1    *
login2    *    password2    *

/etc/ppp/options.xl2tpd:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.79.254  # the DNS server goes here (apt-get install dnsmasq)
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

NB: It's up to you to decide whether your DNS server should be the router itself or another IP address given in "ms-dns"; dnsmasq can forward DNS requests transparently.

apt-get install dnsmasq

CHAP is enabled and PAP is disabled because otherwise the Microsoft clients will complain that the password is not encrypted (which is of course nonsense because the connection is already encrypted by IPsec). 'length bit' is set to yes; the connection was unstable without this parameter.

Finally, restart the daemon

/etc/init.d/xl2tpd restart

Choice 2: l2tpns

l2tpns sends a Hello message to the client; Mac OS X doesn't like it and drops the connection. To avoid that, we must download the sources and comment out the HELLO part:

apt-get install l2tpns libcli-dev
mkdir ~/l2tpns
cd ~/l2tpns
apt-get source l2tpns
cd l2tpns-2.1.21
vi l2tpns.c

Around line 2837 of l2tpns.c, comment out the block that sends HELLO:

                // Send hello
                /*if (tunnel[t].state == TUNNELOPEN && !tunnel[t].controlc && (time_now - tunnel[t].lastrec) > 60)
                {
                        controlt *c = controlnew(6); // sending HELLO
                        controladd(c, 0, t); // send the message
                        LOG(3, 0, t, "Sending HELLO message\n");
                        t_actions++;
                } */

Then build and install the package:

dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../l2tpns_2.1.21-1.1_amd64.deb



Change some lines in the default /etc/l2tpns/startup-config

set l2tp_secret "secret"
set primary_dns 192.168.79.254
set secondary_dns 213.186.33.99

Change the content of /etc/l2tpns/ip_pool

192.168.79.0/24


Change the content of /etc/l2tpns/users

# List username:password combinations here for cli users
chris:MyAwesomePassword

Network

Forward

Your server must act as a router from now on. In /etc/sysctl.conf, uncomment

net.ipv4.ip_forward=1

Load the new settings made in /etc/sysctl.conf

sysctl -p

Firewall

Add to your iptables rules:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.79.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
[...]
# IPsec
## L2TP, only inside IPsec (the policy match rejects plain UDP 1701)
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
## IKE
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
## NAT-T
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
-A FORWARD -o ppp0 -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -o ppp1 -j ACCEPT
-A INPUT -i ppp2 -j ACCEPT
-A FORWARD -i ppp2 -j ACCEPT
-A FORWARD -o ppp2 -j ACCEPT
[...]

I must find a different way of allowing forwarding; pppX is not convenient.
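The one rule in the set above that really matters for security is the `-m policy --pol ipsec` match on UDP 1701: without it, L2TP and the PPP/CHAP exchange inside it would be accepted in the clear. The script below is an added example (not from the page) that audits an iptables-save dump for that property and for the IKE, NAT-T and ESP rules, and prints the per-interface rules using the `ppp+` wildcard that iptables accepts in `-i`/`-o`, which covers ppp0, ppp1, ... with one rule set. It assumes POSIX sh with grep, sed and wc.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the L2TP/IPsec rules above.
# Assumes POSIX sh, grep, wc, tr; rules are read from stdin in iptables-save form.

# Print INPUT/FORWARD rules for every ppp interface at once. iptables treats
# a trailing "+" in an interface name as a wildcard, so "ppp+" matches ppp0,
# ppp1, ... and replaces the three rules repeated per pppX above.
ppp_rules() {
    printf '%s\n' \
        '-A INPUT -i ppp+ -j ACCEPT' \
        '-A FORWARD -i ppp+ -j ACCEPT' \
        '-A FORWARD -o ppp+ -j ACCEPT'
}

# Audit rules from stdin. Returns 0 if every rule that accepts UDP 1701 also
# requires an IPsec policy, and IKE (500), NAT-T (4500) and ESP are accepted;
# otherwise prints one FAIL line per finding and returns 1.
audit_rules() {
    rules=$(cat)
    rc=0
    # L2TP accepted without "-m policy --pol ipsec" exposes the PPP session
    # (including the CHAP exchange) to the Internet unencrypted.
    bad=$(printf '%s\n' "$rules" | grep -- '--dport 1701' | grep -- '-j ACCEPT' \
          | grep -v -- '--pol ipsec' | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad rule(s) accept UDP 1701 outside IPsec"; rc=1; }
    # The three things the IPsec side needs: IKE, NAT-T and ESP itself.
    for want in '--dport 500' '--dport 4500' '-p esp'; do
        printf '%s\n' "$rules" | grep -q -- "$want .*-j ACCEPT" \
            || { echo "FAIL: no ACCEPT rule matching '$want'"; rc=1; }
    done
    return $rc
}
```

Run it against the live ruleset with `iptables-save | audit_rules` after sourcing the file; `ppp_rules` prints the replacement for the ppp0/ppp1/ppp2 block.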

Clients

Tested with Windows 7, Mac OS X 10.6, iOS 4.4 (iPhone, iPad, iPod)

You must add a new VPN of the following type:

IPSec/L2TP

The pre-shared key must be entered manually; it's the one given in

/etc/ipsec.secrets

The credentials (login / password) are the ones in:

/etc/ppp/chap-secrets

I always choose to redirect all the traffic via VPN on Mac, but on Windows it's by default.

Issues

Perfect Forward Secrecy

PFS is disabled because Apple's and Microsoft's L2TP/IPsec clients do not enable it.

Fortunately, even if you set pfs=no in your Openswan configuration, Openswan will still use PFS if the client supports PFS. So with pfs=no you support clients with and without PFS.

References