OpenSwan, XL2TPD, RADIUS based IPSec VPN configuration
Download and install OpenSwan from its respective site.
IPSEC, OPENSWAN:
You can get the different versions of OpenSwan from the below URL:
http://www.openswan.org/code/
We highly recommend going for version 2.6.33, from the below location:
http://www.openswan.org/download/openswan-2.6.33.tar.gz
Go for the normal mode of source code installation:
-untarring
-cd dir
-make programs install
Before proceeding to install IPsec, please make sure that gcc, make, iproute, flex, bison and libgmp3-dev (libgmp2-dev might also work) are installed.
These are all available in the yum repo (if you are using a RHEL-based server).
On a Debian-based server, you can get them installed by running apt-get install.
After installing IPsec, start the service from init and then run the verify command to check that it is working:
/etc/init.d/ipsec start
ipsec verify
It should give you something of the sort:
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.29/K2.6.18-164.el5xen (netkey)
Checking for IPsec support in kernel [OK]
Testing against enforced SElinux mode [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
The two [FAILED] lines are not cosmetic: follow the advice in the output and disable send_redirects and accept_redirects on every interface before going further.
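A check for the two settings that ipsec verify flags [FAILED] above, as an added example that is not part of the original page. It takes the sysctl directory as a parameter (defaulting to /proc/sys/net/ipv4/conf) so it can be exercised against a constructed tree without root; the fake_proc_tree helper and the sysctl lines it prints are assumptions of this example.

```shell
# check_redirects [CONF_DIR]: report every interface whose send_redirects or
# accept_redirects is still enabled. NETKEY needs both at 0 on all interfaces,
# otherwise the host emits or honours bogus ICMP redirects for tunnel traffic.
# Returns 0 when everything is disabled, otherwise the number of offenders.
check_redirects() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$conf_dir"/*/send_redirects "$conf_dir"/*/accept_redirects; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "enabled: $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Lines to append to /etc/sysctl.conf (then run "sysctl -p") so the fix
# survives a reboot. They are printed, not applied, because that needs root.
redirect_sysctl_lines() {
    printf '%s\n' \
        'net.ipv4.conf.all.send_redirects = 0' \
        'net.ipv4.conf.default.send_redirects = 0' \
        'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.conf.default.accept_redirects = 0'
}

# Constructed fake /proc tree (assumption of this example, not real kernel
# state): send_redirects left on, accept_redirects already off.
fake_proc_tree() {
    d=$(mktemp -d)
    for iface in all default eth0; do
        mkdir -p "$d/$iface"
        echo 1 > "$d/$iface/send_redirects"
        echo 0 > "$d/$iface/accept_redirects"
    done
    echo "$d"
}
```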
In IPsec there are several ways for users connecting from different IP addresses to authenticate to the VPN; we use the below mechanism in our explanation:
* One Preshared Key (PSK) shared by every user
Preshared Key
A Preshared Key is a secret password that is shared by both sides of the IPsec tunnel. All users with dynamic IP addresses will have to share the same PSK (“group secret”). This is of course a significant security risk: if one user leaves the company or loses his laptop, all the other users will have to get a new PSK. The alternative would be to give every user a different PSK, but this is only supported in IPsec if all users have fixed (= static) IP addresses.
After the installation of IPsec on the server, specify the PSK on the server in '/etc/ipsec.secrets' in the following format:
SERVERIP CLIENTIP: PSK "<KEYWORD>"
Then adjust the config file according to your needs: /etc/ipsec.conf
NOTE: Please specify the directive 'pfs=no'. This parameter is required because Apple's and Microsoft's L2TP/IPsec clients do not enable PFS, whereas Openswan enables PFS by default.
Now configure an IPsec/L2TP client at your local end (please check the URL for ways to do it) and try to create and initiate a connection to the server.
Please check /var/log/secure; if you see the below log:
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: responding to Main Mode
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: Peer ID is ID_IPV4_ADDR: '234.234.234.234'
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #8: responding to Quick Mode
Nov 1 14:10:00 xxx Pluto[yyy]: "L2TP-PSK" #8: STATE_QUICK_R2: IPsec SA established
then IPsec is working fine on the server.
The IPsec connection you just configured is used for tunnelling the L2TP protocol.
So basically L2TP (through PPP) authenticates the user and sets up the session, while IPsec provides the encrypted tunnel between the server and the clients that carries it.
l2tpd configuration
Going on to the l2tpd section:
There are many l2tp daemons to work with like:
-l2tpd
-xl2tpd
-rp-l2tp
-openl2tp
For l2tpd and rp-l2tp, development has stalled. openl2tp is an option. In our example we go for xl2tpd, as it is maintained by Xelerance, which has been sponsoring the continued development of Openswan since version 1.0.
Xelerance Corporation currently also maintains a version of the Layer 2 Tunneling Protocol (L2TP) daemon: XL2TPD.
XL2TPD:
You can get the latest version of the xl2tpd from the below location:
http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.2.7.tar.gz
Installation as usual follows the common steps:
==
untar the source code
make
make install
then copy the binary (built in the current directory) to /usr/local/sbin (binary location)
==
The installation is pretty simple and straightforward.
NOTE: make sure to install the latest xl2tpd available at the Xelerance site (http://www.xelerance.com/services/software/xl2tpd/); the current version at the time of writing is xl2tpd 1.2.7.
You can do a dry run to check the xl2tpd installation by running the below command:
xl2tpd -D
It should give you output along the lines of:
]# xl2tpd -D
xl2tpd[26202]: setsockopt recvref[22]: Protocol not available
xl2tpd[26202]: This binary does not support kernel L2TP.
xl2tpd[26202]: xl2tpd version xl2tpd-1.2.6 started on atl01-linvirt01-vpn01.cluster.servaxnet.com PID:26202
xl2tpd[26202]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[26202]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[26202]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[26202]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[26202]: Listening on IP address 63.247.77.156, port 1701
If no errors are reported, stop the above process (with -D it stays in the foreground) and start xl2tpd by running the binary directly, without the -D option.
xl2tpd Configuration
There are multiple config files involved in the configuration. The main config file is l2tpd.conf. The default example config file can be found with the source code (if you are using the source code) in the doc directory: xl2tpd-1.2.7/doc/l2tpd.conf.sample
Edit the config file as needed.
PPP installation and configuration
Once the L2TP connection is up, it hands over control to the PPP daemon.
The authentication details are given in the PPP daemon's secrets file, /etc/ppp/chap-secrets, in the below format:
==
client server secret IP addresses
<username> pptpd <passwd> *
==
The xl2tpd/PPP connection properties are specified in /etc/ppp/options.xl2tpd
LOGGING:
IPsec logs go to /var/log/secure by default.
xl2tpd logs go to /var/log/messages.
Once it is installed, please check the following configuration files.
/etc/ipsec.conf
version 2.0

config setup
    protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

#conn roadwarrior-net
#    leftsubnet=192.168.0.0/16
#    also=roadwarrior

#conn roadwarrior-all
#    leftsubnet=0.0.0.0/0
#    also=roadwarrior

#conn roadwarrior-l2tp
#    leftprotoport=17/0
#    rightprotoport=17/%any
#    also=roadwarrior

#conn roadwarrior-l2tp-updatedwin
#    leftprotoport=17/1701
#    rightprotoport=17/%any
#    also=roadwarrior

conn roadwarrior
    pfs=no
    # The IP address of the VPN server
    left=y.y.y.y
    # The IP address of the gateway of the VPN server
    leftnexthop=j.j.j.j
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    auto=add

# Disable Opportunistic Encryption
# include /etc/ipsec.d/examples/no_oe.conf
vi /etc/ipsec.secrets
Input the below line into that file and then :wq! to save it.
include /etc/ipsec.d/*.secrets
Then create the per-connection secrets file:
cd /etc/ipsec.d/
vi test.secrets
Input the following code to the mentioned file ‘test.secrets’.
y.y.y.y %any: PSK "password_of_VPN"
y.y.y.y -> The IP address of the VPN server.
Eg :
77.88.99.11 %any: PSK "support"
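An added example, not part of the original page, for the PSK format shown above: it generates a long random group PSK instead of a dictionary word, writes the secrets file so that only root can read it (the PSK is only ever read by Pluto, running as root), and validates that a line has the exact IP %any: PSK "..." shape, so a placeholder such as y.y.y.y left in by mistake is caught. The function names, the use of /dev/urandom and the output path are assumptions of this example.

```shell
# new_group_psk: 32 random bytes rendered as 64 hex characters, so the secret
# contains nothing that quoting in ipsec.secrets could trip over.
new_group_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk_secrets SERVER_IP FILE PSK: write one line in the page's format.
# The subshell umask makes the file 0600 at creation, so the PSK is never
# world-readable even for an instant.
write_psk_secrets() {
    server_ip=$1; out=$2; psk=$3
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$out" )
}

# valid_psk_line LINE: accept only  <dotted IPv4> %any: PSK "<non-empty secret>"
# Rejects placeholders like y.y.y.y and lines with a missing or empty secret.
valid_psk_line() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3} %any: PSK "[^"]+"$'
}
```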
——————————————————–
Input the below values into the file /etc/ipsec.d/l2tp-psk.conf (this file is only read if /etc/ipsec.conf contains the line include /etc/ipsec.d/*.conf)
——————————————————–
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=1
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
Install XL2TPD
The next step is to install the xl2tpd. Once the installation is over, open the file /etc/xl2tpd/xl2tpd.conf and input the below values in that file.
[global]
listen-addr = 172.172.172.172

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = CentosBase
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
exclusive = no
;challenge = yes
The next step is to open the file /etc/ppp/options.xl2tpd and input the below values in that file. Add the plug-in radius.so if you are going to use radius.
ms-dns 208.67.222.222
ms-dns 208.67.220.220
ms-wins 208.67.222.222
ms-wins 208.67.220.220
auth
idle 1800
mtu 1410
mru 1410
debug
lock
proxyarp
connect-delay 1000
plugin radius.so
The next step is to open the file /etc/xl2tpd/l2tp-secrets and input the below values into that file, if we are NOT going to use RADIUS-based authentication:
VPN_user_name * "VPN_Password" *
The next step is to open the file /etc/ppp/chap-secrets and input the below values into that file, if we are NOT going to use RADIUS-based authentication. The second column is the server name: it must match the name pppd runs with for this server, or be * to match any name. Fields may be double-quoted.
user_name_of_VPN pptpd Password_of_VPN *
"user_name_of_VPN" * "Password_of_VPN" *
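An added example, not part of the original page, that applies pppd's chap-secrets matching rules (client column, then server column, * matching anything, optional double quotes) to a constructed secrets file in the two formats above. It shows why an entry whose server column says pptpd is not found when pppd runs under another name such as the CentosBase from xl2tpd.conf. The sample file and the function name are assumptions; fields are assumed not to contain spaces.

```shell
# Constructed sample in the page's formats (an assumption of this example,
# not a real secrets file). Columns: client  server  secret  IP addresses
SAMPLE_CHAP_SECRETS='# client        server      secret      IP addresses
alice           pptpd       alice_pw    *
"bob"           *           "bob_pw"    *
carol           CentosBase  carol_pw    192.168.1.130
'

# chap_secret FILE CLIENT SERVER: print the secret of the first entry whose
# client and server columns match (a "*" in either column matches anything),
# mirroring how pppd looks up a peer. Exit status 1 when nothing matches.
chap_secret() {
    awk -v want_user="$2" -v want_server="$3" '
        function unquote(s) { sub(/^"/, "", s); sub(/"$/, "", s); return s }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        NF >= 3 {
            client = unquote($1); server = unquote($2); secret = unquote($3)
            if ((client == "*" || client == want_user) &&
                (server == "*" || server == want_server)) {
                print secret; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}
```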
The final step of configuring the VPN is to add the NAT rule in iptables, so that traffic from VPN clients leaves with the server's address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to y.y.y.y
Or edit /etc/sysconfig/iptables and add the following line in its *nat section:
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source y.y.y.y
y.y.y.y -> The IP address of the VPN server
——————————————————–
RADIUS SERVER SIDE CONFIGURATION
Step :
Add the VPN server to the clients.conf file of the RADIUS server.
client localhost {
    ipaddr = 127.0.0.1
    secret = secret_of_localhost
    require_message_authenticator = no
    nastype = other     # localhost isn't usually a NAS...
}

client y.y.y.y {
    secret = secret_set_in_servers_file_at_VPN_side
    shortname = openswan
    nastype = other
    login = username    # Optional
    password = password # Optional
}
Check sql.conf. Note that, as its own comment says, clients stored in the nas table are only loaded when readclients = yes is uncommented and only at server startup.
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    #port = 3306
    login = "radius_db_user_name"
    password = "radius_database_password"
    radius_db = "radius_db_name"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    # number of sql connections to make to server
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup. For performance
    # and security reasons, finding clients via SQL queries CANNOT
    # be done "live" while the server is running.
    #
    #readclients = yes
    # Table to keep radius client info
    nas_table = "nas"
    $INCLUDE sql/${database}/dialup.conf
}
Step :
We need to add the new client (the OpenSwan VPN server) to the RADIUS server so it can authenticate against it.
Format
——
insert into nas (nasname, shortname, secret) values ("y.y.y.y","short_name_of_VPN_Server","secret_set_in_servers");
y.y.y.y -> The IP address of the VPN server.
short_name_of_VPN_Server -> short name of VPN Server
secret_set_in_servers -> secret set in both the servers.
Eg :
insert into nas (nasname, shortname, secret) values ("y.y.y.y","openswan","secret");
Step :
Verify the client is added properly to the database.
select * from nas;
Eg :
mysql> select * from nas;
+----+-----------+-------------+-------+-------+--------+-----------+---------------+
| id | nasname   | shortname   | type  | ports | secret | community | description   |
+----+-----------+-------------+-------+-------+--------+-----------+---------------+
|  1 | a.a.a.a   | VPNserver1a | other | NULL  | abcd   | NULL      | RADIUS Client |
|  2 | 127.0.0.1 | VPNserver1b | other | NULL  | abcd   | NULL      | RADIUS Client |
|  3 | y.y.y.y   | openswan    | other | NULL  | secret | NULL      | RADIUS Client |
+----+-----------+-------------+-------+-------+--------+-----------+---------------+
3 rows in set (0.00 sec)
Final Step :
Select the RADIUS user from the RADIUS database.
mysql> SELECT * FROM radcheck;
Eg :
+----+----------+---------------+----+----------+
| id | username | attribute     | op | value    |
+----+----------+---------------+----+----------+
|  1 | username | User-Password | := | password |
+----+----------+---------------+----+----------+