Monthly Archives: March 2013

Debian IPsec L2TP

Install packages:

aptitude install xl2tpd openswan

Configure IPsec, file /etc/ipsec.conf (parameter lines must be indented under their section, as shown)

# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        listen=xxx.xxx.xxx.xxx          # put external IP address here
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=xxx.xxx.xxx.xxx            # put external IP here
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701

conn passthrough-for-non-l2tp
        type=passthrough
        left=xxx.xxx.xxx.xxx            # put external IP here
        leftnexthop=0.0.0.0
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

Configure L2TP, file /etc/xl2tpd/xl2tpd.conf

[Global] ; Global parameters:
; ipsec saref = yes
; listen-addr = 178.33.41.88
port = 1701 ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are
access control = no ; * Refuse connections without IP match
rand source = dev ; Source for entropy for random

; debug options
;debug avp
;debug network
;debug packet
;debug state
;debug tunnel

[lns default] ; Our fallthrough LNS definition
exclusive = no ; * Only permit one tunnel per host
ip range = yyy.yyy.yyy.180 - yyy.yyy.yyy.190 ; IP range clients here
local ip = zzz.zzz.zzz.zzz ; address of the L2TP end of the tunnel

; refuse authentication = yes ; * Refuse authentication altogether
require authentication = yes
; unix authentication = yes ; means user will ALSO be authenticated with PAM
refuse pap = yes ; * Refuse PAP authentication
; refuse chap = yes
require chap = yes

ppp debug = no ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file

PPP configuration, file /etc/ppp/options.l2tpd

# Do not support BSD compression.
nobsdcomp
passive
lock

# Local name pppd uses during authentication; it must match the server
# column of /etc/ppp/chap-secrets.
# name *
name L2TPserver
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# "noauth" would leave authentication to IPsec alone; here the PPP client
# must authenticate as well. The refuse-* options only stop pppd from
# authenticating itself to the client, they do not relax what is required
# from the client.
# noauth
auth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns zzz.zzz.zzz.zzz # put your own DNS here
# ms-dns 8.8.8.8

mtu 1280
mru 1280

Create the pre-shared key file /var/lib/openswan/ipsec.secrets.inc (it is included from /etc/ipsec.secrets). The secret "mysupersecret" is the value to enter in the VPN client; the entry needs the PSK keyword after the colon:

xxx.xxx.xxx.xxx %any: PSK "mysupersecret"

Edit /etc/ppp/chap-secrets: the first column is the user name, the second the server name defined by "name" in /etc/ppp/options.l2tpd, then the password and the IP address the client may use ("*" for any):

# Secrets for authentication using CHAP
# client server secret IP addresses
jdoe L2TPserver mypass *
alice L2TPserver bigpass *

Restart the services to bring the IPsec/L2TP VPN up:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Add the following kernel settings to /etc/sysctl.conf and run sysctl -p to apply them (forwarding is needed for the clients' traffic; ICMP redirects are disabled so the VPN host neither sends nor accepts them):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

Check that the IPsec side is installed and running correctly:

ipsec verify

Output as returned on Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.39-2 x86_64 GNU/Linux:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
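ipsec verify only covers the IPsec daemon. The script below is an added example, not part of the original post, that checks the configuration files above for the mistakes that most often leave the tunnel or the authentication broken: secrets readable by other users, a PSK entry without the PSK keyword, noauth left active in options.l2tpd, PAP not refused in xl2tpd.conf, and a chap-secrets server column that does not match the name set in options.l2tpd. It assumes the file paths used in this post and a stat that supports -c (GNU or busybox).

```shell
#!/bin/sh
# Added example, not part of the original post: consistency checks for the files
# configured above. Needs "stat -c" (GNU/busybox). Run with: sh l2tp-check.sh --run
# Drop ';' and '#' comments, trailing blanks and empty lines (a secret containing
# '#' or ';' gets truncated, which does not affect these checks).
strip_comments() {
    sed -e 's/[;#].*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Secrets files must carry no group/other permission bits (0600, 0400, ...).
check_secret_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $((mode % 100)) -eq 0 ]
}

# The PSK entry must be written as 'index ... : PSK "secret"'.
check_psk_line() {
    strip_comments "$1" | grep -Eq ':[[:space:]]*PSK[[:space:]]+"[^"]+"'
}

# options.l2tpd must keep 'auth' active and 'noauth' commented out.
check_ppp_auth() {
    strip_comments "$1" | grep -qx 'auth' && ! strip_comments "$1" | grep -qx 'noauth'
}

# xl2tpd.conf must refuse PAP (cleartext password) and require CHAP.
check_xl2tpd_auth() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*refuse[[:space:]]+pap[[:space:]]*=[[:space:]]*yes' &&
    strip_comments "$1" | grep -Eq '^[[:space:]]*require[[:space:]]+chap[[:space:]]*=[[:space:]]*yes'
}

# Each chap-secrets row must use the server name set by 'name' in options.l2tpd
# (or '*'); otherwise pppd never finds the secret. $1=options.l2tpd $2=chap-secrets
check_chap_server_name() {
    srv=$(strip_comments "$1" | awk '$1 == "name" { print $2; exit }')
    [ -n "$srv" ] || return 1
    strip_comments "$2" | awk -v s="$srv" 'NF >= 3 && $2 != s && $2 != "*" { bad = 1 } END { exit bad }'
}

# Run every check against the paths used in this post; exit status is non-zero if any fails.
run_checks() {
    rc=0
    check_secret_mode /var/lib/openswan/ipsec.secrets.inc || { echo "ipsec.secrets.inc: readable by others"; rc=1; }
    check_psk_line /var/lib/openswan/ipsec.secrets.inc || { echo "ipsec.secrets.inc: no PSK line"; rc=1; }
    check_secret_mode /etc/ppp/chap-secrets || { echo "chap-secrets: readable by others"; rc=1; }
    check_ppp_auth /etc/ppp/options.l2tpd || { echo "options.l2tpd: auth not enforced"; rc=1; }
    check_xl2tpd_auth /etc/xl2tpd/xl2tpd.conf || { echo "xl2tpd.conf: PAP allowed or CHAP not required"; rc=1; }
    check_chap_server_name /etc/ppp/options.l2tpd /etc/ppp/chap-secrets || { echo "chap-secrets: server name mismatch"; rc=1; }
    return $rc
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root after editing the files and before restarting the services; each failing check prints one line naming the file and the problem.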