Configure L2TP/IPSec VPN on Debian/Ubuntu

At the moment I need a working VPN for my iPhone and other clients. I used to run PPTP because it is easy to configure, but PPTP is not usable on some mobile networks, and its MS-CHAPv2 authentication is known to be weak. L2TP/IPSec works on those networks, and the IPSec layer gives it real encryption and authentication.

We need several components in order to run L2TP/IPSec:

1. IPSec

Internet Protocol Security (IPsec) is a protocol suite that secures Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a session. In this setup it wraps the L2TP traffic, so nobody between your server and the client can read or forge the data.
Openswan is the IPSec daemon used here; install it on your Debian server. (Newer Debian releases ship Libreswan, a fork of Openswan, or strongSwan instead; the Libreswan package keeps the same file layout and largely the same syntax as below.)

# apt-get install openswan

IPSec peers can authenticate each other in several ways (pre-shared key, certificates). We use a pre-shared key (PSK) because it is the easiest to set up. Note that every client shares the same key, so choose a long random one and treat it like a password. Edit /etc/ipsec.conf like this:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Then edit /etc/ipsec.secrets to:

YOUR.SERVER.IP.ADDRESS   %any:  PSK "YourSharedSecret"

Note: replace YOUR.SERVER.IP.ADDRESS and YourSharedSecret accordingly, and keep the file readable only by root (mode 0600): anyone who learns the key can impersonate your server to the clients.

ipsec verify (below) complains unless ICMP redirects are disabled on every interface. Turn them off with the following loop. This only lasts until the next reboot, so put the same settings (accept_redirects and send_redirects set to 0 for all and default) into /etc/sysctl.conf as well:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

Check if IPSec is correctly setup

# ipsec verify

Do not worry about the disabled Opportunistic Encryption support; just make sure the other checks pass. Then restart openswan by running

# /etc/init.d/ipsec restart

Now add an L2TP/IPSec connection on your client and check that the IPSec half works. Any account and password will do at this point; we are not there yet. The only thing that matters is that the client points at the right server and uses the same shared secret as /etc/ipsec.secrets on your server.

Watch /var/log/auth.log on your server by running:

tail -f /var/log/auth.log

while the client (OS X here) tries to connect via L2TP/IPSec. The connection will eventually fail because L2TP is not configured yet, but if auth.log shows a line such as "IPsec SA established", the IPSec part is working.

OK, IPSec is now configured.
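As an added example (not part of the original post), here is a small POSIX shell script that does the two things above in a less error-prone way: it generates a random pre-shared key and writes /etc/ipsec.secrets so that the file is never world-readable, and it stores the ICMP-redirect settings from the loop above as sysctl keys so they survive a reboot. The server address is passed on the command line (the page's YOUR.SERVER.IP.ADDRESS), and /etc/sysctl.d/60-ipsec.conf is an assumed file name for the keys.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a random PSK, writes
# /etc/ipsec.secrets with root-only permissions, and persists the ICMP-redirect
# sysctls. Assumed: server IP given as $2, sysctl file /etc/sysctl.d/60-ipsec.conf.
set -eu

# 32 bytes from /dev/urandom, base64-encoded: 44 printable characters that
# contain neither spaces nor double quotes, so the value is safe inside the
# quotes that ipsec.secrets expects.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets SERVER_IP PSK FILE
# Same line format as the page (IP  %any:  PSK "secret"), but created under
# umask 077 in a subshell so the secret is never readable by other users,
# not even between creation and chmod.
write_secrets() {
    server_ip="$1"; psk="$2"; file="$3"
    (
        umask 077
        printf '%s  %%any:  PSK "%s"\n' "$server_ip" "$psk" > "$file"
    )
    chmod 600 "$file"
}

# write_sysctl FILE
# The /proc/sys loop from the page as persistent sysctl keys; 'all' and
# 'default' cover the interfaces that exist now and those added later.
write_sysctl() {
    file="$1"
    {
        echo 'net.ipv4.conf.all.accept_redirects = 0'
        echo 'net.ipv4.conf.all.send_redirects = 0'
        echo 'net.ipv4.conf.default.accept_redirects = 0'
        echo 'net.ipv4.conf.default.send_redirects = 0'
    } > "$file"
}

# Usage (as root): sh ipsec-psk.sh apply YOUR.SERVER.IP.ADDRESS
case "${1:-}" in
    apply)
        psk=$(gen_psk)
        write_secrets "$2" "$psk" /etc/ipsec.secrets
        write_sysctl /etc/sysctl.d/60-ipsec.conf
        sysctl -p /etc/sysctl.d/60-ipsec.conf
        echo "Wrote /etc/ipsec.secrets; enter this shared secret on each client: $psk"
        ;;
esac
```

Run it once as root with your public address, then restart openswan as described above. The same umask/chmod treatment applies to /etc/ppp/chap-secrets later on, since that file holds plaintext passwords.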

2. L2TP

L2TP provides the tunnel that carries the data. It offers neither encryption nor authentication of its own, which is why it has to be paired with IPSec. Interestingly, both Apple and Microsoft refer to L2TP as the secure VPN technology and ignore the fact that the security comes from IPSec.

The commonly used L2TP daemon is xl2tpd, from the same people behind openswan. Install it by running:

# apt-get install xl2tpd

Change /etc/xl2tpd/xl2tpd.conf to

[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ip range is the pool of internal IP addresses that will be allocated to connected clients. Make sure it does not overlap with the addresses already in use on your server, and does not conflict with the ones on the client's own network. Since most home routers use the 192.168.X.X and 172.16.X.X ranges, you might want to avoid those. local ip is the internal IP of the L2TP server itself. Make sure it is NOT inside the ip range allocated to clients.

3. PPP

I also run a PPTP service on top of PPP, so I would like the same daemon to handle user management. Install ppp by running

# apt-get install ppp

if you do not have it already. Then create /etc/ppp/options.xl2tpd with the following content:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Note that I am using Google Public DNS in the ms-dns fields. If you want to use other DNS servers, change the IP addresses accordingly.

Add a test user to /etc/ppp/chap-secrets to try out whether L2TP works. The server column must match the name l2tpd set in options.xl2tpd, and * in the ip column lets the user receive any address from the pool. Keep this file readable only by root (mode 0600) as well, since it stores passwords in plaintext.

# user      server      password            ip
test        l2tpd       testpassword        *

Now restart xl2tpd by running

# /etc/init.d/xl2tpd restart

In addition, if you use iptables for firewalling, make sure it forwards and NATs the clients' packets so they can browse the Internet after connecting to the VPN. A bare MASQUERADE rule with no match would NAT every packet the box forwards, so restrict it to the VPN pool and to the Internet-facing interface (eth0 below; substitute yours):

iptables --table nat --append POSTROUTING --source 10.1.2.0/24 --out-interface eth0 --jump MASQUERADE

Edit /etc/sysctl.conf and uncomment following line:

net.ipv4.ip_forward=1

or, to enable it immediately without rebooting, just type:

echo 1 > /proc/sys/net/ipv4/ip_forward
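As an added example (not from the original post), here is a small script with the firewall rules this server needs, including what the single NAT line above leaves out: the IKE and ESP ports have to be open, and UDP 1701 should only be accepted when the packet arrived inside the IPsec tunnel. Otherwise xl2tpd will also answer plain, unprotected L2TP, and the PPP authentication would cross the Internet unencrypted. Assumed values: the client pool is 10.1.2.0/24 (the xl2tpd range on this page) and the Internet-facing interface is eth0; setting DRYRUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for an L2TP/IPsec
# server. Assumed: VPN pool 10.1.2.0/24 (the page's xl2tpd range) and WAN
# interface eth0. DRYRUN=1 prints the commands instead of running them.
set -eu

VPN_NET="${VPN_NET:-10.1.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Run an iptables command, or print it when DRYRUN=1 (useful without root).
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_rules() {
    # IKE (UDP 500), NAT-T (UDP 4500) and ESP must reach the server from anywhere.
    ipt -A INPUT -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -p esp -j ACCEPT
    # L2TP (UDP 1701) is accepted only if the packet was delivered through an
    # IPsec SA; anything else on 1701 is dropped, so no plaintext L2TP session
    # (and no plaintext MS-CHAPv2 exchange) can ever be set up.
    ipt -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    ipt -A INPUT -p udp --dport 1701 -j DROP
    # Forward only the VPN pool, and NAT only what leaves through the WAN
    # interface, instead of masquerading every forwarded packet.
    ipt -A FORWARD -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -d "$VPN_NET" -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh vpn-firewall.sh show   (print rules)
#        sh vpn-firewall.sh apply  (as root, after enabling ip_forward)
case "${1:-}" in
    show)  DRYRUN=1; vpn_rules ;;
    apply) vpn_rules ;;
esac
```

Together with net.ipv4.ip_forward=1 these rules replace the bare MASQUERADE line. The policy match is what ties the two halves of the setup together: xl2tpd itself has no idea whether a packet came through IPsec, so the kernel has to enforce it.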

Almost Done

Update the L2TP/IPSec VPN connection on your OS X machine with the test user account and try to connect. If it connects and authenticates successfully, congratulations! You are done. Now go enjoy the better security.

Reference: http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu/
