L2TP/IPsec VPN client setup on Debian family systems


INTRODUCTION

L2TP/IPsec is a secure Virtual Private Network solution that is well supported on many different platforms.

This article describes, in a HOWTO-like fashion, how to configure and use an L2TP/IPsec client on Debian family Linux. It covers the installation and setup of several software packages. One of the packages is only available as a DEB, so knowledge of how to build and install DEB packages on your system is required.

This guide is primarily for clients connecting to a Windows Server machine. It uses some settings that are specific to the Microsoft implementation of L2TP/IPsec.

INSTALLATION

Install xl2tpd, lsof and openswan from the DEB repositories with apt-get.

e.g. $ sudo apt-get install xl2tpd lsof openswan <cr>

CONFIGURATION

Example: Server IP Address: 192.168.16.1, Client IP Address: 192.168.16.45

OpenSwan

Edit /etc/ipsec.conf: It should contain the following lines:

version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=8h
    type=transport
    left=192.168.16.45      <--- Your Client IP Address
    leftprotoport=17/1701
    right=192.168.16.1      <--- Your Server IP Address
    rightprotoport=17/1701

This file contains the basic information needed to establish a secure IPsec tunnel to the VPN server. It enables NAT Traversal in case your machine is behind a NAT'ing router (most people are), and sets various other options that are necessary to connect correctly to the remote IPsec server. The next file contains your pre-shared key (PSK) for the server.

Create the file /etc/ipsec.secrets: It should contain the following line:

CLIENT_IP SERVER_IP: PSK "YOUR_PSK"

example 1: 192.168.16.45 192.168.16.1: PSK "vpn"
example 2: %any 192.168.16.1: PSK "vpn"

Kernel Configuration

Log in as root and run the following script in a shell:

# Disable accepting and sending ICMP redirects on every interface;
# Openswan's NETKEY stack expects these off and ipsec verify tests them.
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

Verify IPSec Status

Log in as root, type the command # ipsec verify and press the <cr> key. The program prints the following information:

root@Norckon-Pi:/# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.12.35+ (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

xl2tpd (L2TP Client)

Edit /etc/xl2tpd/xl2tpd.conf: It should resemble the following:

[global]
ipsec saref=yes

; Example Network
[lac example]
lns=192.168.16.1                            <--- Your Server IP Address
ppp debug=yes
pppoptfile=/etc/ppp/options.example.client  <--- PPP Profile Storage Path
length bit=yes
require authentication = yes
refuse pap = yes
refuse chap = yes

!IMPORTANT! The last line must be a blank line!

This file configures xl2tpd with the connection name, the server IP address (which, again, you must change to your server's address) and various options that will be passed to pppd once the tunnel is set up.

Now modify /etc/ppp/options.example.client (the path set by pppoptfile in xl2tpd.conf):

require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
lock
connect-delay 5000
name YOUR_USERNAME        <--- Your L2TP Username
password YOUR_PASSWORD    <--- Your L2TP Password

!IMPORTANT! The last line must be a blank line!

Place your assigned username and password for the VPN server in this file. A lot of these options are for interoperability with Windows Server L2TP servers. If your VPN server uses PAP authentication, replace require-mschap-v2 with require-pap.

PREPARING FOR DIALUP

Create the control file for xl2tpd:

$ mkdir -p /var/run/xl2tpd
$ touch /var/run/xl2tpd/l2tp-control

This concludes the configuration of the software needed to connect to an L2TP/IPsec server. To prepare the connection, start the daemons and bring up the IPsec connection:

$ sudo service ipsec start
$ sudo service xl2tpd start
$ sudo ipsec auto --up L2TP-PSK

START / STOP THE CONNECTION

Connect:

# echo "c example" > /var/run/xl2tpd/l2tp-control

Disconnect:

# echo "d example" > /var/run/xl2tpd/l2tp-control

!IMPORTANT! These commands must be run as root!
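As an added example (not part of the original post), a small POSIX sh helper that checks the files configured above before dialling and wraps the control-file commands. It assumes the post's default paths and the lac name "example", all overridable through environment variables, and adds one check the post does not state: ipsec.secrets and the pppd options file hold the PSK and password in clear text, so they should be owner-only readable (mode 600).

```shell
# Pre-dial checks and a connect/disconnect wrapper for the L2TP/IPsec
# client configured above (added example, not from the original post).
# Paths default to the ones the post uses; override via environment.
: "${IPSEC_SECRETS:=/etc/ipsec.secrets}"
: "${XL2TPD_CONF:=/etc/xl2tpd/xl2tpd.conf}"
: "${PPP_OPTS:=/etc/ppp/options.example.client}"
: "${L2TP_CONTROL:=/var/run/xl2tpd/l2tp-control}"

# xl2tpd.conf and the pppd options file must end with a blank line,
# i.e. the last two bytes of the file are both newlines.
ends_with_blank_line() {
    [ "$(tail -c 2 "$1" | tr '\n' 'N')" = "NN" ]
}

# ipsec.secrets holds the PSK and the options file holds the PPP
# password in clear text: only the owner (root) may read them (GNU stat).
secret_file_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Fail if the post's placeholder credentials were never replaced.
placeholders_replaced() {
    ! grep -q -e YOUR_PSK -e YOUR_USERNAME -e YOUR_PASSWORD "$1"
}

# Run all checks against the configured files; 0 only if every check passes.
precheck() {
    rc=0
    for f in "$XL2TPD_CONF" "$PPP_OPTS"; do
        ends_with_blank_line "$f" || { echo "no trailing blank line: $f"; rc=1; }
    done
    for f in "$IPSEC_SECRETS" "$PPP_OPTS"; do
        secret_file_mode_ok "$f" || { echo "group/world readable, chmod 600: $f"; rc=1; }
        placeholders_replaced "$f" || { echo "placeholder credentials left in: $f"; rc=1; }
    done
    return $rc
}

# Write "c NAME" (connect) or "d NAME" (disconnect) to xl2tpd's control
# file. Straight double quotes matter: curly quotes would be written literally.
l2tp_cmd() {
    echo "$1 ${2:-example}" > "$L2TP_CONTROL"
}
```

Source the file as root (`. ./l2tp-helper.sh`), run `precheck` before starting the daemons, and then `l2tp_cmd c` and `l2tp_cmd d` replace the two echo commands above.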

AUTHOR

Pekaikon Norckon
Apr, 12th, 2015 (Sun)
