VPN L2TP

From Wikichris

Install

We need:

  • IPSec: Openswan
  • L2TP: xl2tpd
  • Router/Firewall: Debian configuration (sysctl and iptables)

IPSec / Openswan

apt-get install openswan ipsec-tools

We won't use certificates for now; keep the following command for later:

dpkg-reconfigure openswan

Add at the end of /etc/ipsec.conf:

conn L2TP-PSK
       #
       authby=secret
       # Perfect Forward Secrecy is not available by default on Windows and Mac clients,
       # but this option is still honoured if the client requests it
       pfs=no
       rekey=no
       keyingtries=3
       #
       # ----------------------------------------------------------
       # The VPN server.
       #
       # Allow incoming connections on the external network interface.
       # If you want to use a different interface or if there is no
       # defaultroute, you can use:   left=your.ip.addr.ess
       #
       left=%defaultroute
       #
       leftprotoport=17/1701
       # If you insist on supporting non-updated Windows clients,
       # you can use:    leftprotoport=17/%any
       #
       # ----------------------------------------------------------
       # The remote user(s).
       #
       # Allow incoming connections only from this IP address.
       #right=234.234.234.234
       # If you want to allow multiple connections from any IP address,
       # you can use:    right=%any
       right=%any
       #
       #rightprotoport=17/%any
       rightprotoport=17/0
       #
       # ----------------------------------------------------------
       # Change 'ignore' to 'add' to enable this configuration.
       #
       auto=add

Still in /etc/ipsec.conf, change this line:

       #protostack=auto
       protostack=netkey

Add your pre-shared keys to /etc/ipsec.secrets (replace 234.234.234.234 with your server's IP address):

# Preshared Keys for two clients with fixed IP addresses:
#234.234.234.234 111.222.111.221: PSK "keyforoneclient"
#234.234.234.234 111.222.111.222: PSK "keyforanotherclient"

# Preshared Key for clients connecting from any IP address:
234.234.234.234 %any: PSK "keysharedbyallclients"
2001:db8:1:5fb2::1 %any: PSK "keysharedbyallclients"

Restart the daemon:

/etc/init.d/ipsec restart

L2TP

Next, the L2TP daemon:

apt-get install xl2tpd

Create /etc/xl2tpd/xl2tpd.conf with the following content:

[global]
#debug network = yes
#debug tunnel = yes
[lns default]
ip range = 192.168.79.101-192.168.79.109
local ip = 192.168.79.254
require chap = yes
refuse pap = yes
require authentication = yes
name = gonzofamily.com
#ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


Create /etc/ppp/chap-secrets with one user per line (client, server, password, allowed IP):

login1    *    password1    *
login2    *    password2    *

Create /etc/ppp/options.xl2tpd:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.79.254  # DNS server handed to the clients (apt-get install dnsmasq)
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Finally, restart the daemon:

/etc/init.d/xl2tpd restart
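The secrets in the two files above ("keysharedbyallclients", "password1") are placeholders. The PSK in /etc/ipsec.secrets is the only thing authenticating the IPsec peer, and both that file and /etc/ppp/chap-secrets must be readable by root only. The following script is an added example, not part of this page and not code from the Openswan or xl2tpd projects: it generates a random PSK, writes an ipsec.secrets-style entry with owner-only permissions, and audits ipsec.secrets-style and chap-secrets-style files for weak or world-readable secrets. It assumes GNU coreutils (stat -c, base64) as shipped with Debian, and its demonstration runs on temporary files, so it never touches /etc. All function names and the minimum lengths are my own choices.

```shell
#!/bin/sh
# Added example, not from the original page: secret hygiene for the two credential
# files used by the L2TP/IPsec setup. Assumes GNU coreutils (stat -c, base64).

# Generate a random pre-shared key: 32 bytes from /dev/urandom, base64-encoded
# with the newline and padding removed (43 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Return 0 if the file is mode 0600 (owner-only), otherwise report and return 1.
check_mode_600() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "600" ] && return 0
    echo "$1: mode $mode, expected 600 (owner-only)"
    return 1
}

# Write an ipsec.secrets entry "server %any: PSK ..." to $3. The file is created
# under umask 077 so the key is never world-readable, not even briefly.
write_ipsec_secrets() {
    server="$1"; psk="$2"; out="$3"
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server" "$psk" > "$out" )
    chmod 600 "$out"
}

# Audit an ipsec.secrets-style file: mode 0600 and every PSK at least $2 characters.
# Splitting each line on double quotes puts the key in field 2; comment lines are skipped.
check_ipsec_secrets() {
    f="$1"; min="${2:-20}"; rc=0
    check_mode_600 "$f" || rc=1
    awk -F'"' -v min="$min" '
        /^[ \t]*#/ { next }
        /PSK/ && length($2) < min {
            printf "%s: line %d: PSK is %d chars, minimum %d\n", FILENAME, NR, length($2), min
            bad = 1
        }
        END { exit bad }' "$f" || rc=1
    return $rc
}

# Audit a chap-secrets-style file (client server secret [ip]): mode 0600, at least
# three fields per entry, and a secret of at least $2 characters (quotes stripped).
check_chap_secrets() {
    f="$1"; min="${2:-12}"; rc=0
    check_mode_600 "$f" || rc=1
    awk -v min="$min" '
        /^[ \t]*#/ || NF == 0 { next }
        NF < 3 { printf "%s: line %d: malformed entry\n", FILENAME, NR; bad = 1; next }
        {
            s = $3; gsub(/^"|"$/, "", s)
            if (length(s) < min) {
                printf "%s: line %d: user %s has a %d-char password, minimum %d\n", FILENAME, NR, $1, length(s), min
                bad = 1
            }
        }
        END { exit bad }' "$f" || rc=1
    return $rc
}

# Demonstration on constructed sample files in a temporary directory (not real credentials).
demo() {
    tmp=$(mktemp -d)
    write_ipsec_secrets 234.234.234.234 "$(gen_psk)" "$tmp/ipsec.secrets"
    check_ipsec_secrets "$tmp/ipsec.secrets" 20 && echo "ipsec.secrets: OK"
    # Same shape as the chap-secrets sample above: a 9-character password, world-readable.
    printf 'login1    *    password1    *\n' > "$tmp/chap-secrets"
    chmod 644 "$tmp/chap-secrets"
    check_chap_secrets "$tmp/chap-secrets" 12 || echo "chap-secrets: needs fixing"
    rm -rf "$tmp"
}

demo
```

To audit the live files, run `check_ipsec_secrets /etc/ipsec.secrets` and `check_chap_secrets /etc/ppp/chap-secrets` as root; a non-zero exit status means something was flagged, which makes the checks usable from a cron job or a configuration-management post-run hook.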

Forwarding

In /etc/sysctl.conf, enable IP forwarding:

net.ipv4.ip_forward=1

Load the new settings from /etc/sysctl.conf:

sysctl -p

Firewall

Add to your iptables rules:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.79.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
[...]
# IPSec
## L2TP (UDP 1701), only via IPSec
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
## IKE
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
## NAT-T
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
-A FORWARD -o ppp0 -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -o ppp1 -j ACCEPT
-A INPUT -i ppp2 -j ACCEPT
-A FORWARD -i ppp2 -j ACCEPT
-A FORWARD -o ppp2 -j ACCEPT
[...]

I must find a different way of allowing the forwarding; pppX is not convenient.
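As an added example (not the page's own rule set), here is the same policy written as a shell script that uses the iptables "ppp+" interface wildcard, which matches ppp0, ppp1, ppp2 and so on, so no rule has to be added per client. It also limits the ppp side to the address pool xl2tpd hands out (192.168.79.0/24, from xl2tpd.conf above) and only forwards established or related traffic back towards clients, which is stricter than the open FORWARD rules above; plaintext L2TP on UDP 1701 that did not arrive inside an IPsec SA is dropped. The interface name eth0 and the pool come from the page; the function names and the preview mechanism are my own. Without arguments the script only prints the rules; run it with "apply" as root to load them.

```shell
#!/bin/sh
# Added example, not from the original page: L2TP/IPsec server firewall rules
# using the ppp+ wildcard instead of one rule per pppN interface.
# Without an argument the rules are printed; "apply" runs iptables (as root).

EXT_IF="${EXT_IF:-eth0}"                  # external interface, as on the page
VPN_NET="${VPN_NET:-192.168.79.0/24}"     # pool handed out by xl2tpd, as on the page

# Print an iptables command line instead of running it (used for previews and tests).
ipt_preview() { printf 'iptables %s\n' "$*"; }

# $1 is the command used for each rule: "iptables" to apply, "ipt_preview" to print.
vpn_firewall_rules() {
    ipt="${1:-ipt_preview}"
    # IKE (UDP/500), NAT-Traversal (UDP/4500) and ESP from any address: the IPsec
    # layer authenticates the peer with the PSK before anything else is accepted.
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    "$ipt" -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # L2TP (UDP/1701) only when it arrived inside an IPsec SA; plaintext L2TP is dropped.
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 1701 -j DROP
    # ppp+ matches ppp0, ppp1, ppp2, ... so nothing has to be added per client.
    # The source must be in the VPN pool, so a client cannot inject other addresses
    # through its tunnel.
    "$ipt" -A INPUT -i ppp+ -s "$VPN_NET" -j ACCEPT
    "$ipt" -A FORWARD -i ppp+ -s "$VPN_NET" -o "$EXT_IF" -j ACCEPT
    # Only replies go back to clients; unsolicited inbound traffic is not forwarded.
    "$ipt" -A FORWARD -i "$EXT_IF" -o ppp+ -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade the pool behind the external address, as in the nat table above.
    "$ipt" -t nat -A POSTROUTING -s "$VPN_NET" -o "$EXT_IF" -j MASQUERADE
}

# Number of rules that use the wildcard interface (handy when checking a preview).
count_ppp_wildcard_rules() {
    vpn_firewall_rules ipt_preview | grep -c -- '-[io] ppp+'
}

case "${1:-}" in
    apply) vpn_firewall_rules iptables ;;
    *)     vpn_firewall_rules ipt_preview ;;
esac
```

The preview output can be pasted into a rules file or compared against `iptables-save` after applying; the `-m policy` match requires the xt_policy module, which is present on a Debian kernel with NETKEY.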

Issues

Automatic restart of IPSec

IPSec didn't start automatically when the server restarted. Register its init script in the default runlevels:

cd /etc/init.d/
update-rc.d ipsec defaults

IPv6

It seems xl2tpd was not written with IPv6 support. A patch exists, written by a Chinese developer and documented in Mandarin: http://www.indarkness.net/blog/2010/04/23/vpnl2tp-over-ipv6-in-linux/

I applied this patch to xl2tpd 1.2.7:

apt-get install libpcap0.8-dev build-essential fakeroot dpkg-dev devscripts ipsec-tools ppp
mkdir ~/xl2tpd
cd ~/xl2tpd
apt-get source xl2tpd
cd xl2tpd-1.2.7+dfsg/
wget http://blog.lifetoy.org/wp-content/uploads/2009/09/xl2tpd-ipv6.diff
patch < xl2tpd-ipv6.diff
ls *.rej
[resolve each .rej file by applying the rejected hunks by hand in the files below]
vi control.c
vi linux/include/linux/if_pppol2tp.h
vi contrib/pppol2tp-linux-2.4.27.patch
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../xl2tpd_1.2.7+dfsg-1_amd64.deb

Testing

I kept monitoring the results on the server with:

tcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh

aaa.bbb.ccc.ddd being the public IP address of my clients.

And on the Mac, with the Console showing System.log.

One client per IP?

I'm using this VPN connection from a big university network, and I cannot use it at the same time with 2 devices if they are both in this network. As soon as I switch to different networks I can connect up to 3 different devices (I didn't try more, but up to 9 should be alright).

I tested together:

  • MacBook Pro on Wifi or 3G Vodafone
  • iPad on 3G Telstra or Wifi
  • iPhone on 3G Virgin (Optus) or Wifi

When they share the same network it's a real mess; when the iPad and iPhone use their own 3G connections everything is fine.
