Saturday, February 27, 2010

IPSec + L2TP on Ubuntu

The requirement was to find a way to make a secure VPN tunnel to the workplace, and since dial-up VPN is not that secure, we opted for IPsec with L2TP, the VPN client built into Windows – including my new Windows Mobile 6.1 device, which I actually tested and which works great with the VPN.
Basically, we’ll start with a fresh, clean installation of Ubuntu Server, in my case the latest one, 9.04. You start by apt-getting everything you need:
apt-get update
apt-get install openswan xl2tpd
PPP is already installed, so you won’t have any problems with it. This scenario is a “road warrior” setup, because we want to be able to connect to the company’s network from every kind of internet connection – home internet, a 3G modem connected to the laptop, a GPRS connection on the mobile phone, whatever.
Ok, so you’ll need to configure some files first. Let’s start with IPsec:

ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    left=99.99.99.99          # your external IP address, the one clients enter in their VPN wizard
    leftnexthop=99.99.99.1    # your gateway
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
This is the default ipsec.conf configuration file that is installed together with openswan. Note that the parameter lines under each conn must be indented, otherwise openswan will not parse the file. Next, you’ll have to configure a secret for IPsec, which you do in the /etc/ipsec.secrets file:
99.99.99.99 %any : PSK "yourfavouritepresharedkey"
That should be all for IPsec to work. You just have to make it start at boot with:
update-rc.d ipsec defaults
Ok, next, you’ll have to configure xl2tpd. For that, edit the file /etc/xl2tpd/xl2tpd.conf:
[global]                                ; Global parameters:
ipsec saref = yes
listen-addr = 99.99.99.99
port = 1701                             ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are
rand source = dev                       ; Source for entropy for random
[lns default]                           ; Our fallthrough LNS definition
exclusive = no                          ; * Only permit one tunnel per host
ip range = 88.88.88.50-88.88.88.150     ; * Allocate from this IP range
local ip = 88.88.88.1                   ; * Our local IP to use
length bit = yes                        ; * Use length bit in payload?
refuse pap = yes                        ; * Refuse PAP authentication
refuse chap = yes                       ; * Refuse CHAP authentication
require authentication = yes            ; * Require peer to authenticate
name = vpn-srv                          ; * Report this as our hostname
ppp debug = yes                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file
I guess this is almost self-explanatory, but if you need some help with it, just leave a comment. Two files to go. The first is the pppoptfile, /etc/ppp/options.l2tpd:

/etc/ppp/options.l2tpd
asyncmap 0
auth
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
After configuring ppp to work with xl2tpd, there is one more step before things work: authentication. You accomplish that by editing the auth file /etc/ppp/chap-secrets:

/etc/ppp/chap-secrets
user1      l2tpd     user1password    88.88.88.5
# specify an IP from the range or outside it; whenever user1 logs in, it will get the same IP
user2      l2tpd     user2password    *
# user2 will always get an IP from the range specified in xl2tpd.conf
That’s about it. When I feel like taking screenshots, I’ll show you how to add the VPN connection in Windows XP, but I guess you can already find that out with a Google search.
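Because chap-secrets is a plain whitespace-separated file, a typo in the server column or a static address that collides with the xl2tpd pool only shows up as a failed login. The following is an added example, not code from the post: it parses a constructed chap-secrets sample and the `ip range` from a constructed xl2tpd.conf sample, and reports entries whose server field does not match the `name l2tpd` line from options.l2tpd, empty or short secrets (the 12-character minimum is an assumed local policy, not something pppd enforces), invalid addresses, and static addresses that fall inside the pool (the post allows that, so the finding is there for you to confirm it is intentional).

```python
"""Added example: validate /etc/ppp/chap-secrets against the xl2tpd.conf address pool.

The two file contents below are constructed samples modelled on the post's files,
not the files from the server in the post.
"""
import configparser
import ipaddress
import shlex

XL2TPD_CONF = """\
[global]
ipsec saref = yes
listen-addr = 99.99.99.99
port = 1701                             ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are
[lns default]
ip range = 88.88.88.50-88.88.88.150     ; * Allocate from this IP range
local ip = 88.88.88.1                   ; * Our local IP to use
require authentication = yes            ; * Require peer to authenticate
name = vpn-srv                          ; * Report this as our hostname
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file
"""

# Constructed sample: user3 and user4 are deliberately broken entries.
CHAP_SECRETS = """\
# client   server    secret            IP addresses
user1      l2tpd     user1password     88.88.88.5
user2      l2tpd     user2password     *
user3      wrongsrv  user3password     88.88.88.60
user4      l2tpd     ""                *
"""

PPP_NAME = "l2tpd"        # the 'name' line in /etc/ppp/options.l2tpd
MIN_SECRET_LEN = 12       # assumed local policy, not something pppd enforces


def pool_from_xl2tpd(text):
    """Return (first, last) addresses of the 'ip range' in [lns default]."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(text)
    first, last = cp["lns default"]["ip range"].split("-")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())


def parse_chap_secrets(text):
    """Yield (client, server, secret, [addresses]) per entry; comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)   # handles quoted secrets and # comments
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"chap-secrets line {lineno}: expected 4 fields, got {len(fields)}")
        yield fields[0], fields[1], fields[2], fields[3:]


def check_chap_secrets(secrets_text, xl2tpd_text, ppp_name=PPP_NAME):
    """Return a list of findings (strings); an empty list means the file looks consistent."""
    first, last = pool_from_xl2tpd(xl2tpd_text)
    findings, owner = [], {}
    for client, server, secret, addrs in parse_chap_secrets(secrets_text):
        # pppd only matches entries whose server field equals its 'name' option (or '*')
        if server not in (ppp_name, "*"):
            findings.append(f"{client}: server field {server!r} does not match ppp name {ppp_name!r}")
        if not secret:
            findings.append(f"{client}: empty secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{client}: secret shorter than {MIN_SECRET_LEN} characters")
        for addr in addrs:
            if addr == "*":
                continue            # address will be assigned from the xl2tpd pool
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"{client}: {addr!r} is not a valid IP address")
                continue
            if first <= ip <= last:
                findings.append(f"{client}: static IP {ip} lies inside the xl2tpd pool "
                                f"{first}-{last} (allowed, but confirm it is intentional)")
            if ip in owner:
                findings.append(f"{client}: static IP {ip} is already given to {owner[ip]}")
            owner[ip] = client
    return findings


if __name__ == "__main__":
    for finding in check_chap_secrets(CHAP_SECRETS, XL2TPD_CONF):
        print(finding)
```

Run it against the real files by reading /etc/ppp/chap-secrets and /etc/xl2tpd/xl2tpd.conf into the two strings; the sample as written reports only the two deliberately broken entries (user3 twice, user4 once) and nothing for user1 and user2.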

[update]: I tried the configuration I posted on my blog, but a Vista client behind NAT didn’t work at all. There are two things you should do:

1. Registry modification on Windows XP/Vista:
For Windows XP: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec create a DWORD called AssumeUDPEncapsulationContextOnSendRule and assign it the hex value 2. This should allow both client and server to be behind NAT.
For Windows Vista: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent create a 32-bit DWORD called AssumeUDPEncapsulationContextOnSendRule and assign it the same value of 2, for the same reasons.

2. You should define the private networks in ipsec.conf by adding this line to the config setup section:
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
It should work after all this.

[update2]: here is the latest configuration that worked, with computers behind NAT or not, with Vista or XP. It works with all combinations – of course, with the registry key inserted where it has to be.
conn ROADW-NAT
    rightsubnet=vhost:%priv
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=80.80.80.80
    leftnexthop=80.80.80.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=60
    dpdaction=clear
    type=transport
    auto=add
conn ROADW
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=80.80.80.80
    leftnexthop=80.80.80.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=60
    dpdaction=clear
    type=transport
    auto=add
And of course, insert this line in the config setup section of ipsec.conf:
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
This should work for every type of road warrior. Have fun!! The rest of the configuration files are exactly the ones from above.
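The two ipsec.conf versions in this post (the default one with its `also=` include, and the update2 version) share the same handful of settings that make the road-warrior case work: a PSK via `authby=secret`, `leftprotoport=17/1701`, a `17/...` rightprotoport, and, for clients behind NAT, `rightsubnet=vhost:%priv` backed by the `virtual_private` line. The following is an added example, not code from the post or from openswan: a small parser for the ipsec.conf layout (flush-left `config`/`conn` headers, indented `key=value` lines, `also=` inheritance) followed by a check for exactly those settings. The configuration text inside it is a constructed sample that combines the update2 conns with an `also=` include and the `virtual_private` line from the update.

```python
"""Added example: parse openswan's ipsec.conf layout and check the road-warrior L2TP settings.

The config text below is a constructed sample combining the post's update2 conns
(using also= as in the post's first ipsec.conf) with the config setup line from the update.
"""
import re

SAMPLE_IPSEC_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn ROADW-NAT
    rightsubnet=vhost:%priv
    also=ROADW

conn ROADW
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=80.80.80.80          # the server's external address (sample value)
    leftnexthop=80.80.80.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=60
    dpdaction=clear
    type=transport
    auto=add
"""

_SECTION = re.compile(r"^(config|conn)\s+(\S+)\s*$")
RFC1918 = ("%v4:10.0.0.0/8", "%v4:172.16.0.0/12", "%v4:192.168.0.0/16")


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}}.

    Section headers start in column 0; every parameter line must be indented,
    which is what openswan requires (a flush-left key=value is a parse error).
    """
    setup, conns, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is None or not line[0].isspace():
            raise ValueError(f"ipsec.conf line {lineno}: unindented or stray parameter: {raw.strip()!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"ipsec.conf line {lineno}: expected key=value")
        current[key.strip()] = value.strip()
    return {"setup": setup, "conns": conns}


def resolve_conn(conns, name, _chain=()):
    """Expand also= references; the conn's own parameters override the included ones."""
    if name in _chain:
        raise ValueError(f"also= loop through {name}")
    own = dict(conns[name])
    base_name = own.pop("also", None)
    if base_name is None:
        return own
    merged = resolve_conn(conns, base_name, _chain + (name,))
    merged.update(own)
    return merged


def check_roadwarrior(cfg):
    """Return findings for the settings the post relies on; an empty list means none."""
    findings = []
    listed = set(cfg["setup"].get("virtual_private", "").split(","))
    missing = [net for net in RFC1918 if net not in listed]
    if missing:
        findings.append("config setup: virtual_private is missing " + ", ".join(missing))
    for name in cfg["conns"]:
        c = resolve_conn(cfg["conns"], name)
        if c.get("authby") != "secret":
            findings.append(f"{name}: authby=secret is needed for the PSK in ipsec.secrets")
        if c.get("leftprotoport") != "17/1701":
            findings.append(f"{name}: leftprotoport must be 17/1701 (L2TP is UDP port 1701)")
        if not c.get("rightprotoport", "").startswith("17/"):
            findings.append(f"{name}: rightprotoport should be 17/0 or 17/%any")
        if c.get("rightsubnet") == "vhost:%priv" and missing:
            findings.append(f"{name}: vhost:%priv only covers NAT clients whose private range is in virtual_private")
    return findings


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print(resolve_conn(cfg["conns"], "ROADW-NAT"))
    print(check_roadwarrior(cfg) or "no findings")
```

Feed it the real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())`; the parser deliberately rejects flush-left parameters, since a pasted conn that lost its indentation is the most common reason the openswan sample above silently fails to load, and the virtual_private check reproduces the NAT problem from the first update.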
