OpenSwan, XL2TPD, RADIUS based IPSec VPN configuration

Download and install Openswan from its site.

IPSEC, OPENSWAN:

The different versions of Openswan are available from:
http://www.openswan.org/code/
This write-up uses version 2.6.33, available from:
http://www.openswan.org/download/openswan-2.6.33.tar.gz
Install from source in the usual way:
-untar the archive
-cd into the directory
-make programs install

Before building, make sure gcc, make, iproute, flex, bison and the GMP development package (libgmp3-dev; libgmp2-dev might also work) are installed.
These are all available from the yum repositories on RHEL-based servers (where the GMP package is called gmp-devel).

On a Debian-based server, install them with apt-get install.

After installing, start the IPsec service from its init script and run ipsec verify to check the installation:

/etc/init.d/ipsec start
ipsec verify

This should give output like the following (this capture is from an older 2.6.29 build; the version line will differ):

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.29/K2.6.18-164.el5xen (netkey)
Checking for IPsec support in kernel                            [OK]
Testing against enforced SElinux mode                           [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
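The two FAILED lines are the ones to act on. With the NETKEY stack the kernel would otherwise send bogus ICMP redirects for traffic that really belongs in the tunnel, and accept forged ones, which on a VPN gateway can steer traffic around IPsec. The following added example, which is not part of this page or of Openswan, audits and fixes those settings for every interface (as ipsec verify does) plus ip_forward, which the "IP forwarding" check later in the output covers and which the server needs to route for the PPP clients, and prints the sysctl.conf lines that make the change survive a reboot. It assumes the standard /proc/sys/net/ipv4 layout and needs root to write there; the proc_root parameter is there so it can be pointed at a copy of that tree for testing.

```python
import os

# Values ipsec verify wants with the NETKEY stack (per interface under
# /proc/sys/net/ipv4/conf/*/) and IP forwarding, which the server needs
# to route traffic for the PPP clients.
PER_INTERFACE = {"send_redirects": "0", "accept_redirects": "0"}
GLOBAL = {"ip_forward": "1"}


def _read(path):
    with open(path) as f:
        return f.read().strip()


def audit_ipv4_sysctls(proc_root="/proc/sys/net/ipv4"):
    """Return [(path, current, wanted)] for every setting that differs from what we want."""
    wrong = []
    conf_dir = os.path.join(proc_root, "conf")
    # every interface, including the 'all' and 'default' pseudo-interfaces
    for iface in sorted(os.listdir(conf_dir)):
        for key, wanted in PER_INTERFACE.items():
            path = os.path.join(conf_dir, iface, key)
            if os.path.isfile(path) and _read(path) != wanted:
                wrong.append((path, _read(path), wanted))
    for key, wanted in GLOBAL.items():
        path = os.path.join(proc_root, key)
        if os.path.isfile(path) and _read(path) != wanted:
            wrong.append((path, _read(path), wanted))
    return wrong


def fix_ipv4_sysctls(proc_root="/proc/sys/net/ipv4"):
    """Write the wanted values (needs root on a real /proc). Returns the number of files changed."""
    changed = 0
    for path, _current, wanted in audit_ipv4_sysctls(proc_root):
        with open(path, "w") as f:
            f.write(wanted + "\n")
        changed += 1
    return changed


def sysctl_conf_lines():
    """Lines for /etc/sysctl.conf so the fix survives a reboot.

    'all' and 'default' cover existing and future interfaces; run
    `sysctl -p` after editing the file.
    """
    lines = ["net.ipv4.ip_forward = 1"]
    for scope in ("all", "default"):
        for key, wanted in PER_INTERFACE.items():
            lines.append(f"net.ipv4.conf.{scope}.{key} = {wanted}")
    return lines


if __name__ == "__main__":
    for path, current, wanted in audit_ipv4_sysctls():
        print(f"{path}: is {current}, want {wanted}")
    print("\n".join(sysctl_conf_lines()))
```

Run it once to see what is wrong, call fix_ipv4_sysctls() as root to correct the live values, append the printed lines to /etc/sysctl.conf, and re-run ipsec verify; the two checks should then report OK.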

IPsec offers several ways to authenticate clients that connect from changing IP addresses; this write-up uses the following:

* One Preshared Key (PSK) shared by every user

Preshared Key

A Preshared Key is a secret shared by both sides of the IPsec tunnel. All users with dynamic IP addresses have to share the same PSK (a "group secret"). This is a significant security risk: if one user leaves the company or loses a laptop, every other user has to be given a new PSK. The alternative, a different PSK per user, is only possible with IPsec if every user has a fixed (static) IP address: in IKE Main Mode the peer's identity is sent only in the last, already encrypted exchange, so with PSK authentication the responder has nothing but the peer's source address to choose the key by.

After installing IPsec on the server, put the PSK in /etc/ipsec.secrets in the following format (CLIENTIP is %any for road warriors, whose addresses are not known in advance):

SERVERIP CLIENTIP: PSK "<KEYWORD>"

Then adjust /etc/ipsec.conf to your needs.

#NOTE: Specify pfs=no in the L2TP connection. This is required because Apple's and Microsoft's L2TP/IPsec clients do not enable PFS, whereas Openswan insists on it by default. With pfs=no Openswan stops insisting but still accepts PFS when a client proposes it, so nothing is lost for clients that do.

Now configure an IPsec/L2TP client at your end and initiate a connection to the server.
Then check /var/log/secure. If you see log lines like these:

Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: responding to Main Mode
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: Peer ID is ID_IPV4_ADDR: '234.234.234.234'
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #8: responding to Quick Mode
Nov 1 14:10:00 xxx Pluto[yyy]: "L2TP-PSK" #8: STATE_QUICK_R2: IPsec SA established

then IPsec is working on the server: phase 1 (ISAKMP SA) and phase 2 (IPsec SA) both completed for the peer.

The IPsec connection you just configured is used only to carry the L2TP protocol.
The order is: IPsec authenticates the client machine with the PSK and sets up the encrypted tunnel between server and client; inside it, L2TP carries a PPP session, and PPP (CHAP, optionally checked against RADIUS) is what authenticates the user.
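To check this automatically, for example from a monitoring script, the following added example (not from this page or from Openswan) parses Pluto lines in the /var/log/secure format shown above. The sample log is the page's own five lines embedded as a constructed string so the code runs offline; for a live check read /var/log/secure instead. It reports, per connection name, which peers were seen and whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, and flags states that were started but never established.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure format shown above
# (hostname and PID replaced by xxx / yyy, as on the page).
SAMPLE_LOG = """\
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: responding to Main Mode
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: Peer ID is ID_IPV4_ADDR: '234.234.234.234'
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 1 14:09:59 xxx Pluto[yyy]: "L2TP-PSK" #8: responding to Quick Mode
Nov 1 14:10:00 xxx Pluto[yyy]: "L2TP-PSK" #8: STATE_QUICK_R2: IPsec SA established
"""

# Pluto[<pid>]: "<conn>" #<state>: <message>
PLUTO_RE = re.compile(r'Pluto\[[^\]]*\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_RE = re.compile(r"Peer ID is \w+: '(?P<peer>[^']+)'")


def pluto_summary(lines):
    """Summarise Pluto state lines per connection name.

    For each conn: peers seen, whether phase 1 (ISAKMP SA) and phase 2
    (IPsec SA) completed, and which state numbers were started/established.
    """
    conns = defaultdict(lambda: {"peers": set(), "isakmp": False, "ipsec": False,
                                 "started": set(), "established": set()})
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue                      # not a Pluto state line
        c = conns[m["conn"]]
        state, msg = int(m["state"]), m["msg"]
        p = PEER_RE.search(msg)
        if p:
            c["peers"].add(p["peer"])
        if msg.startswith("responding to"):
            c["started"].add(state)       # new Main Mode / Quick Mode exchange as responder
        if "ISAKMP SA established" in msg:
            c["isakmp"] = True
            c["established"].add(state)
        if "IPsec SA established" in msg:
            c["ipsec"] = True
            c["established"].add(state)
    return dict(conns)


def tunnels_up(lines):
    """Conn names for which both phases completed: the 'IPsec is working' condition above."""
    return sorted(name for name, c in pluto_summary(lines).items()
                  if c["isakmp"] and c["ipsec"])


def stalled_states(lines):
    """State numbers that were started but never reached an established SA.

    A Main Mode state that stops before 'ISAKMP SA established' means phase 1
    did not complete; with PSK authentication a key mismatch is the usual cause.
    """
    out = {}
    for name, c in pluto_summary(lines).items():
        stalled = c["started"] - c["established"]
        if stalled:
            out[name] = sorted(stalled)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("up:", tunnels_up(lines))
    print("stalled:", stalled_states(lines))
    for name, c in pluto_summary(lines).items():
        print(name, sorted(c["peers"]), "phase1" if c["isakmp"] else "-", "phase2" if c["ipsec"] else "-")
```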

l2tpd configuration

Going on to the l2tpd section:

There are several L2TP daemons to choose from:

-l2tpd
-xl2tpd
-rp-l2tp
-openl2tp

Development of l2tpd and rp-l2tp has stalled. openl2tp is an option. This write-up uses xl2tpd, the version of the Layer 2 Tunneling Protocol (L2TP) daemon maintained by Xelerance Corporation, which has also sponsored the continued development of Openswan since version 1.0.

XL2TPD:

The latest version of xl2tpd is available from:

http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.2.7.tar.gz

Installation follows the usual steps:
==
untar the source code
make
make install
then copy the binary (built in the current directory) to /usr/local/sbin (the binary location)
==
The installation is simple and straightforward.

#NOTE: make sure to install the latest xl2tpd available from the Xelerance site (http://www.xelerance.com/services/software/xl2tpd/); the current version at the time of writing is xl2tpd 1.2.7.

You can do a dry run to check the xl2tpd installation by running it in the foreground:

xl2tpd -D

This should give output along the following lines (this capture is from a 1.2.6 build; the version line will match whatever you installed):

]# xl2tpd -D
xl2tpd[26202]: setsockopt recvref[22]: Protocol not available
xl2tpd[26202]: This binary does not support kernel L2TP.
xl2tpd[26202]: xl2tpd version xl2tpd-1.2.6 started on atl01-linvirt01-vpn01.cluster.servaxnet.com PID:26202
xl2tpd[26202]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[26202]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[26202]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[26202]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[26202]: Listening on IP address 63.247.77.156, port 1701

The two messages about recvref and kernel L2TP only mean that this build has no kernel L2TP support and handles the L2TP data path in user space; they are harmless. If no real errors are reported, stop the foreground process (Ctrl-C) and start xl2tpd normally by running the binary directly, without -D, so that it daemonises.

xl2tpd Configuration

xl2tpd reads several configuration files. The main one is xl2tpd.conf, read from /etc/xl2tpd/xl2tpd.conf (the file used further down). A sample ships with the source code in the doc directory: xl2tpd-1.2.7/doc/l2tpd.conf.sample
Edit it as needed.

PPP installation and configuration

Once the L2TP session is up, xl2tpd hands the connection over to the PPP daemon (pppd).
pppd reads the user credentials from /etc/ppp/chap-secrets, in the format:
==
# client        server  secret          IP addresses
<username>      pptpd   <passwd>        *
==
The server field must match the name pppd uses for itself (its name option, or the hostname when none is set); pptpd is a leftover from PPTP setups, and * matches any server name.

The PPP connection properties for xl2tpd sessions are set in /etc/ppp/options.xl2tpd (the pppoptfile named in xl2tpd.conf).

LOGGING:

IPsec (pluto) logs through syslog's authpriv facility, which on RHEL-style systems goes to /var/log/secure by default.
xl2tpd and pppd log to /var/log/messages.

Once everything is installed, check the following configuration files. Note that in ipsec.conf the parameter lines of a section must be indented; a parameter at the start of a line is read as a new section and the file fails to parse.

/etc/ipsec.conf

version 2.0
config setup
        protostack=netkey
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
#conn roadwarrior-net
#        leftsubnet=192.168.0.0/16
#        also=roadwarrior
#conn roadwarrior-all
#        leftsubnet=0.0.0.0/0
#        also=roadwarrior
#conn roadwarrior-l2tp
#        leftprotoport=17/0
#        rightprotoport=17/%any
#        also=roadwarrior
#conn roadwarrior-l2tp-updatedwin
#        leftprotoport=17/1701
#        rightprotoport=17/%any
#        also=roadwarrior
conn roadwarrior
        pfs=no
        left=y.y.y.y            # the IP address of the VPN server
        leftnexthop=j.j.j.j     # the gateway of the VPN server (only matters with the KLIPS stack)
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        auto=add

#Disable Opportunistic Encryption
# include /etc/ipsec.d/examples/no_oe.conf

Note that conn roadwarrior inherits type=tunnel from conn %default. The Microsoft and Apple L2TP/IPsec clients negotiate transport mode, which is what the L2TP-PSK conns in /etc/ipsec.d/l2tp-psk.conf further down use; make sure ipsec.conf includes that directory (include /etc/ipsec.d/*.conf), otherwise those conns are never loaded.
Edit /etc/ipsec.secrets:

vi /etc/ipsec.secrets

Put the following line in that file and save it (:wq):

include /etc/ipsec.d/*.secrets

Then create the secrets file it includes:

cd /etc/ipsec.d/
vi test.secrets

Put the following line in test.secrets:

y.y.y.y  %any: PSK "password_of_VPN"

y.y.y.y -> The IP address of the VPN server. %any stands for any client address, which is what makes this a single group PSK shared by every road warrior.

Eg :
77.88.99.11 %any: PSK "support"

("support" is only a placeholder: the real PSK should be long and random, and the file must be readable by root only.)
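Because every road warrior shares this one key and the server can only select it by address, the PSK is a group secret: anyone who has it can complete IKE with the server, and only the PPP/RADIUS authentication inside the tunnel tells users apart. The key should therefore be long and random, and the secrets file readable by root only. The following added example (not the page's or Openswan's code) generates such a key, writes it in the format above with mode 0600, parses the file back and checks permissions and key length. The 24-character minimum and the test.secrets path are assumptions for the example. After writing the file, run ipsec auto --rereadsecrets (or restart the service) so pluto picks up the new key.

```python
import os
import re
import secrets
import stat

# One line of /etc/ipsec.d/*.secrets:   <left-id> <right-id>: PSK "<key>"
SECRET_RE = re.compile(r'^(?P<left>\S+)\s+(?P<right>\S+):\s+PSK\s+"(?P<psk>[^"]*)"\s*$')
MIN_PSK_CHARS = 24   # assumption for this example: anything shorter is reported as weak


def generate_psk(nbytes=32):
    """A random URL-safe token: no quotes or spaces, so it needs no escaping in the file."""
    return secrets.token_urlsafe(nbytes)


def write_psk_secret(path, server_ip, psk, right="%any"):
    """Write one PSK line for road warriors, creating the file with mode 0600 from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f'{server_ip} {right}: PSK "{psk}"\n')
    os.chmod(path, 0o600)   # tighten an existing file that was created more loosely


def read_psk_secrets(path):
    """Parse PSK lines; comments and blank lines are skipped, anything else is an error."""
    entries = []
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = SECRET_RE.match(line)
            if not m:
                raise ValueError(f"{path}:{lineno}: not a PSK line: {line.rstrip()}")
            entries.append(m.groupdict())
    return entries


def check_psk_file(path):
    """Return a list of problems (loose permissions, short keys). An empty list means OK."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is accessible by group/other, want 0600")
    for e in read_psk_secrets(path):
        if len(e["psk"]) < MIN_PSK_CHARS:
            problems.append(f'{path}: PSK for {e["left"]} {e["right"]} is only {len(e["psk"])} chars')
    return problems


if __name__ == "__main__":
    # assumed path from the write-up; y.y.y.y stands for the VPN server address
    target = "/etc/ipsec.d/test.secrets"
    write_psk_secret(target, "y.y.y.y", generate_psk())
    print(read_psk_secrets(target), check_psk_file(target))
```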
——————————————————–

Put the following in /etc/ipsec.d/l2tp-psk.conf. Make sure ipsec.conf includes it (an include /etc/ipsec.d/*.conf line), otherwise the file is never read. Unlike conn roadwarrior above, these conns use type=transport, which is what the Microsoft and Apple L2TP/IPsec clients negotiate, and rightprotoport=17/0 accepts any client source port.
--------------------------------------------------------

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=1
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0

Install XL2TPD

The next step is xl2tpd. Once it is installed, open /etc/xl2tpd/xl2tpd.conf and put in the following. listen-addr is the VPN server's own address (y.y.y.y in the IPsec configuration); ip range is the pool of addresses handed out to clients and local ip is the server's end of the PPP links; require chap and refuse pap make pppd insist on CHAP.

[global]
; the VPN server's own address (y.y.y.y above)
listen-addr = 172.172.172.172

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = CentosBase
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
exclusive = no
;challenge = yes

Next, open /etc/ppp/options.xl2tpd and put in the following. Add plugin radius.so only if you are going to authenticate against RADIUS: the plugin takes the RADIUS server address and shared secret from the radiusclient configuration (radiusclient.conf and the servers file it names), and that secret must match the one configured for this VPN server in clients.conf on the RADIUS side. The ms-wins lines only make sense if you run WINS servers; the addresses below are the OpenDNS resolvers, which are fine for ms-dns but are not WINS servers, so drop the ms-wins lines unless you have real ones.

ms-dns  208.67.222.222
ms-dns  208.67.220.220
ms-wins 208.67.222.222
ms-wins 208.67.220.220
auth
idle 1800
mtu 1410
mru 1410
debug
lock
proxyarp
connect-delay 1000
plugin radius.so

The file /etc/xl2tpd/l2tp-secrets holds secrets for L2TP tunnel authentication (used only when challenge = yes is set in xl2tpd.conf, which is commented out above), not user credentials, so it can be left alone in this setup.

If you are NOT going to use RADIUS authentication, put the user credentials in /etc/ppp/chap-secrets in the following format:

# client            server  secret              IP addresses
user_name_of_VPN    *       Password_of_VPN     *

Quote the fields if they contain spaces or special characters:

"user_name_of_VPN"  *       "Password_of_VPN"   *

Using * for the server field avoids tying the entry to pppd's own name (the pptpd used in the earlier example only matches if pppd's name is pptpd).

The final step of configuring the VPN is the NAT rule in iptables, so that traffic from the PPP address pool (192.168.1.0/24 above) leaves the server with the server's own address. IP forwarding must also be enabled (net.ipv4.ip_forward=1; ipsec verify checks this).

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to y.y.y.y

Or, in the *nat section of /etc/sysconfig/iptables:

vi /etc/sysconfig/iptables
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source y.y.y.y

y.y.y.y -> The IP address of the VPN server
——————————————————–

RADIUS SERVER SIDE CONFIGURATION

Step :

Add the VPN server as a client in clients.conf on the RADIUS server.

client localhost {
        ipaddr = 127.0.0.1
        secret          = secret_of_localhost
        require_message_authenticator = no
        nastype     = other     # localhost isn't usually a NAS...
}

client y.y.y.y {
        secret      = secret_set_in_servers_file_at_VPN_side
        shortname   = openswan
        nastype     = other
        login       = username # Optional
        password    = password # Optional
}

The secret is the only thing that authenticates requests and responses between the VPN server and the RADIUS server, so use a long random value rather than a word. require_message_authenticator = yes makes the server insist on the Message-Authenticator attribute in every Access-Request from that client, which proves the request came from a holder of the secret rather than merely from the client's IP address; set it only if the NAS actually sends that attribute, otherwise its requests are dropped.

Check sql.conf (under /etc/raddb on FreeRADIUS 2.x). radiusd.conf must $INCLUDE it, and sql must be listed in the authorize and accounting sections of the site configuration, otherwise the database is never consulted.

sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
#port = 3306
login = "radius_db_user_name"
password = "radius_database_password"
radius_db = "radius_db_name"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.  For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
#readclients = yes

# Table to keep radius client info
nas_table = "nas"

$INCLUDE sql/${database}/dialup.conf
}

Step :

Add the new client (the Openswan VPN server) to the nas table of the radius database as well. Note that FreeRADIUS only reads this table when readclients = yes is set in sql.conf (it is commented out above), so with the configuration shown clients.conf is what actually matters; keep the two in step.

Format
------

insert into nas (nasname, shortname, secret) values ("y.y.y.y","short_name_of_VPN_Server","secret_set_in_servers");

y.y.y.y -> The IP address of the VPN server.

short_name_of_VPN_Server -> short name of VPN Server

secret_set_in_servers -> secret set in both the servers.

Eg :

insert into nas (nasname, shortname, secret) values ("y.y.y.y","openswan","secret");

Step :

Verify the client is added properly to the database.

select * from nas;

Eg :

mysql> select * from nas;
+----+---------------+-------------+-------+-------+--------+-----------+---------------+
| id | nasname       | shortname   | type  | ports | secret | community | description   |
+----+---------------+-------------+-------+-------+--------+-----------+---------------+
|  1 | a.a.a.a       | VPNserver1a | other |  NULL | abcd   | NULL      | RADIUS Client |
|  2 | 127.0.0.1     | VPNserver1b | other |  NULL | abcd   | NULL      | RADIUS Client |
|  3 | y.y.y.y       | openswan    | other |  NULL | secret | NULL      | RADIUS Client |
+----+---------------+-------------+-------+-------+--------+-----------+---------------+
3 rows in set (0.00 sec)

Final Step :

Select the radius user from the radius database. The stored value is the user's cleartext password, which CHAP needs because the server must recompute the client's response; FreeRADIUS 2.x prefers the attribute name Cleartext-Password for it and warns when User-Password is used in radcheck.

mysql> SELECT * FROM radcheck;

Eg :
+----+----------+---------------+----+----------+
| id | username | attribute     | op | value    |
+----+----------+---------------+----+----------+
|  1 | username | User-Password | := | password |
+----+----------+---------------+----+----------+
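What the shared secret in clients.conf and the cleartext value in radcheck are each used for is easiest to see in the protocol itself. The following added example, which is not FreeRADIUS or pppd code, builds the CHAP Access-Request that pppd's radius plugin sends after its CHAP exchange with the client (CHAP rather than PAP because xl2tpd.conf above has require chap = yes), and then performs the server-side checks: the Message-Authenticator HMAC keyed with the client's secret, followed by the CHAP response recomputed from the cleartext password stored in radcheck. Usernames, passwords, addresses and secrets are the placeholders from this page, and a Python dict stands in for the radcheck table. It shows why radcheck must hold the password in clear (a CHAP response cannot be verified against a hash), and what require_message_authenticator = yes actually enforces.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute numbers used below (RFC 2865, RFC 2869).
ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 3, 4
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80


def _attr(atype, value):
    """One type-length-value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_access_request(username, password, nas_ip, shared_secret, identifier=0, rng=os.urandom):
    """NAS side: what pppd's radius plugin sends after the CHAP exchange with the client.
    The password itself never leaves the NAS; only the CHAP response does."""
    authenticator = rng(16)   # Request Authenticator, fresh per request
    challenge = rng(16)       # the CHAP challenge pppd issued to the client
    ident = 1
    attrs = (
        _attr(USER_NAME, username.encode())
        + _attr(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
        + _attr(CHAP_CHALLENGE, challenge)
        + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, filled in below
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # Message-Authenticator = HMAC-MD5(shared secret, packet with the attribute zeroed)
    mac = hmac.new(shared_secret.encode(), packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attrs(packet):
    """Return ({type: value}, {type: offset}) for the attributes after the 20-byte header."""
    values, offsets, pos = {}, {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        values[atype], offsets[atype] = packet[pos + 2:pos + alen], pos
        pos += alen
    return values, offsets


def verify_access_request(packet, shared_secret, radcheck, require_message_authenticator=True):
    """Server side: the checks done with the clients.conf secret and the cleartext
    password from radcheck (a dict {username: password} here). Returns (accepted, reason)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length"
    try:
        attrs, offsets = parse_attrs(packet)
    except ValueError as e:
        return False, str(e)
    if MESSAGE_AUTHENTICATOR in attrs:
        off = offsets[MESSAGE_AUTHENTICATOR]
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(shared_secret.encode(), zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]):
            return False, "Message-Authenticator mismatch: wrong shared secret or tampered packet"
    elif require_message_authenticator:
        return False, "Message-Authenticator missing"
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = radcheck.get(username)
    if password is None:
        return False, f"unknown user {username!r}"
    chap = attrs.get(CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return False, "no CHAP-Password"
    # RFC 2865 5.40: a 16-byte challenge may be carried in the Request Authenticator instead
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])
    if hmac.compare_digest(chap_response(chap[0], password, challenge), chap[1:]):
        return True, "Access-Accept"
    return False, "Access-Reject"


if __name__ == "__main__":
    radcheck = {"username": "password"}           # the radcheck row shown above
    pkt = build_access_request("username", "password", "77.88.99.11", "secret")
    print(verify_access_request(pkt, "secret", radcheck))
    print(verify_access_request(pkt, "wrong-secret", radcheck))
```

FreeRADIUS's radtest utility drives a comparable request against a running server. With require_message_authenticator = no, as in the clients.conf above, the server skips the HMAC branch and the source address plus the secret-keyed Response Authenticator are all that tie a request to the VPN server.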