Server to Server setup

Installing IPSEC (Openswan)

Download and install "openswan-2.4.7-1.i686.rpm" as follows:

    rpm -i openswan-2.4.7-1.i686.rpm

Check the installation with the "ipsec verify" command. The output should look something like the following:

------------------------------------------------------------
[root@localhost /]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.4.4/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel                          [OK]
Checking for RSA private key (/etc/ipsec.secrets)             [OK]
Checking that pluto is running                                [OK]
Two or more interfaces found, checking IP forwarding          [OK]
Checking NAT and MASQUERADEing                                [N/A]
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Checking for 'setkey' command for NETKEY IPsec stack support  [OK]
Opportunistic Encryption Support                              [DISABLED]
[root@localhost /]#
------------------------------------------------------------

Every check should come back [OK], [N/A] or [DISABLED]; a check that reports [FAILED] must be fixed before you continue. If the "IP forwarding" check fails, enable IP forwarding by editing /etc/sysctl.conf so that it contains the line

    net.ipv4.ip_forward = 1

and then run "sysctl -p" to apply it. This makes IP forwarding permanent across reboots. Bear in mind that the server now routes between all of its interfaces, not only into the tunnel, so restrict forwarded traffic with iptables to the subnets you actually intend to connect.

TIP: If you only want IP forwarding to work until the next reboot, run "echo 1 > /proc/sys/net/ipv4/ip_forward" at the command prompt instead.

Starting IPSEC

Set ipsec to start at boot with "chkconfig ipsec on", then start the service with "service ipsec start".

Server to server diagram

Create a diagram of your server to server physical setup similar to the following:
This diagram will help you when setting up the ipsec.conf files on each server. You will actually need two such diagrams, one for each server, as "left" is local and "right" is remote from the point of view of each server.

Configuring ipsec.conf

Based on the two diagrams of the server to server setup you will need to edit the "/etc/ipsec.conf" file on each server. Bear in mind that each server is "left" in relation to the other server, which is "right". The following table explains the parameters of the "/etc/ipsec.conf" file:

left            Internet IP address of the left-hand side VPN device.
leftsubnet      The network protected by the left-hand side VPN device.
leftid          Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an "@" sign. If DNS is not set up for the IP addresses, remove this entry, because names that do not resolve correctly cause the VPN initialization to fail. Note that an ID beginning with "@" is compared as a literal string and is never looked up, which is why the examples below simply use "@" followed by the IP address itself.
leftrsasigkey   The entire RSA public key of the left-hand side VPN device, as printed by "ipsec showhostkey --left" on that device.
leftnexthop     The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated value %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
right           Internet IP address of the right-hand side VPN device.
rightsubnet     The network protected by the right-hand side VPN device.
rightid         Fully qualified domain name in DNS of the right-hand side VPN device, preceded by an "@" sign. If DNS is not set up for the IP addresses, remove this entry, because names that do not resolve correctly cause the VPN initialization to fail.
rightrsasigkey  The entire RSA public key of the right-hand side VPN device, obtained by going to the other server and running "ipsec showhostkey --right" there (--left and --right print the same key; only the parameter name in front of it differs). Copy the key over a channel you trust, such as ssh, and compare it with what the peer displays: a key substituted in transit would let an attacker impersonate the peer.
rightnexthop    The next hop router from the right-hand side VPN device when trying to reach the left-hand side VPN device. You may use the auto-generated value %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
auto            auto=start loads the connection and brings the tunnel up automatically when the ipsec service starts; auto=add only loads it, so the tunnel then has to be started by hand (or by the peer).

For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html

If two servers were configured as follows:
The two ipsec.conf files, with a simple configuration, would look something like the following examples. Each rsasigkey is one long line in the real file; do not wrap it.

Server A ipsec.conf
------------------------------------------------------------
conn net-to-net
	auto=start
	left=196.36.13.202
	leftid=@196.36.13.202
	leftrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
	leftsubnet=192.168.20.0/24
	leftnexthop=%defaultroute
	right=196.36.13.204
	rightid=@196.36.13.204
	rightsubnet=10.0.0.0/24
	rightnexthop=%defaultroute
	rightrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
------------------------------------------------------------

Server B ipsec.conf
------------------------------------------------------------
conn net-to-net
	auto=start
	left=196.36.13.204
	leftid=@196.36.13.204
	leftrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
	leftsubnet=10.0.0.0/24
	leftnexthop=%defaultroute
	right=196.36.13.202
	rightid=@196.36.13.202
	rightsubnet=192.168.20.0/24
	rightnexthop=%defaultroute
	rightrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
------------------------------------------------------------

Note that Server B's file is Server A's with every "left" and "right" value swapped: A's leftrsasigkey is B's rightrsasigkey and vice versa. Pasting the same key on the same side of both files is the most common mistake, and the tunnel will then fail to authenticate.

You need to make sure that there are no blank lines inside a "conn" section (a blank line ends the section) and that every parameter line is indented as in the example. If you do not do this there will be errors when you try to start the VPN tunnel. Once you have made changes to /etc/ipsec.conf you will need to reload ipsec ("service ipsec restart").

Initializing the VPN tunnel and checking VPN status

To initialize the VPN tunnel, type "ipsec auto --up net-to-net" at the command prompt. If you are returned to the prompt without an error you have probably configured the tunnel correctly. To make sure, check the status with "ipsec auto --status": the connection should show an "IPsec SA established" state, and traffic between the two subnets should now leave the outside interface encrypted (ESP) rather than in clear text.

Other concerns

Make sure that the routing on both servers has been set up correctly. You will need this if you want to pass traffic between the two networks: the hosts on each protected subnet must send traffic for the other subnet to their VPN server (if the VPN server is not already their default gateway). If the VPN server also masquerades its LAN, traffic for the remote subnet must be exempted from NAT, otherwise it no longer matches leftsubnet and is sent outside the tunnel; this is what the "NAT and MASQUERADEing" check of ipsec verify is about.

Client to server setup

Server setup

When setting up the server there are essentially three things that need to be set up:

ipsec  (provides the encrypted tunnel)
l2tp   (manages the connection)
ppp    (provides the PPP connection and user authentication)

Once these have been set up you will need to restart all the relevant services. You will need to edit the /etc/ipsec.conf and /etc/ipsec.secrets files.
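Before moving on to the client setup, here is a way to avoid the two mistakes the server-to-server section above warns about: a key or subnet pasted on the wrong side of one file, and a blank line or unindented parameter inside the conn block. The shell script below is an added example and is not part of the original course notes; it generates both mirrored "conn net-to-net" sections from one set of six values and then cross-checks them. The helper names (emit_conn, get_param, check_mirror, check_layout) and the placeholder key strings in the demo at the bottom are assumptions of this example; substitute the real "ipsec showhostkey" output.

```shell
#!/bin/sh
# Added example: generate and cross-check mirrored Openswan net-to-net
# sections. Not part of the original course notes; helper names and the
# placeholder keys used in the demo are assumptions of this example.
set -eu

# Print one server's "conn net-to-net" section. Arguments, in order:
#   local_ip local_subnet local_rsasigkey remote_ip remote_subnet remote_rsasigkey
# Calling it again with the two triples swapped yields the peer's section,
# because "left" is always the local side and "right" the remote side.
emit_conn() {
    printf 'conn net-to-net\n'
    printf '\tauto=start\n'
    printf '\tleft=%s\n\tleftid=@%s\n' "$1" "$1"
    printf '\tleftsubnet=%s\n\tleftnexthop=%%defaultroute\n' "$2"
    printf '\tleftrsasigkey=%s\n' "$3"
    printf '\tright=%s\n\trightid=@%s\n' "$4" "$4"
    printf '\trightsubnet=%s\n\trightnexthop=%%defaultroute\n' "$5"
    printf '\trightrsasigkey=%s\n' "$6"
}

# get_param FILE NAME: read one parameter value from a conn section.
get_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_mirror FILE_A FILE_B: every left* value in FILE_A must equal the
# right* value in FILE_B and vice versa. Fails on the first mismatch,
# e.g. the same RSA key pasted as leftrsasigkey on both servers.
check_mirror() {
    for k in "" id subnet nexthop rsasigkey; do
        a=$(get_param "$1" "left$k"); b=$(get_param "$2" "right$k")
        [ "$a" = "$b" ] || { echo "left$k in $1 != right$k in $2" >&2; return 1; }
        a=$(get_param "$1" "right$k"); b=$(get_param "$2" "left$k")
        [ "$a" = "$b" ] || { echo "right$k in $1 != left$k in $2" >&2; return 1; }
    done
}

# check_layout FILE: catch the layout errors the notes warn about. In
# ipsec.conf a blank line ends a section, so an indented parameter after a
# blank line is orphaned, and an unindented line that is not a section
# header is a parse error.
check_layout() {
    awk '
        /^[[:space:]]*#/                { next }
        /^(version|include)[[:space:]]/ { next }
        /^(conn|config)[[:space:]]/     { insect = 1; next }
        /^[[:space:]]*$/                { insect = 0; next }
        /^[[:space:]]/ && !insect       { print FILENAME ": parameter after a blank line: " $0; bad = 1; exit 1 }
        /^[^[:space:]]/                 { print FILENAME ": unindented line: " $0; bad = 1; exit 1 }
        END                             { exit bad }
    ' "$1"
}

# Demo with the addresses from the notes and placeholder keys (assumed):
#   sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    KEY_A=0sAQPrX0wPLACEHOLDERA   # real value: ipsec showhostkey --left on server A
    KEY_B=0sAQOnq7yPLACEHOLDERB   # real value: ipsec showhostkey --right on server B
    emit_conn 196.36.13.202 192.168.20.0/24 "$KEY_A" 196.36.13.204 10.0.0.0/24 "$KEY_B" > serverA.conf
    emit_conn 196.36.13.204 10.0.0.0/24 "$KEY_B" 196.36.13.202 192.168.20.0/24 "$KEY_A" > serverB.conf
    check_layout serverA.conf && check_layout serverB.conf \
        && check_mirror serverA.conf serverB.conf \
        && echo "serverA.conf and serverB.conf are consistent"
fi
```

Run check_layout and check_mirror against the real files on both servers after pasting the keys; a non-zero exit tells you which parameter disagrees before you spend time reading pluto logs.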
ipsec.conf

Edit /etc/ipsec.conf to include the following:

------------------------------------------------------------
conn L2TP-PSK
	authby=secret
	pfs=no
	rekey=no
	keyingtries=3
	left=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	auto=add
------------------------------------------------------------

In the above example you have specified the following:

conn            The name of the connection, in this case L2TP-PSK.
authby          Tells IPSEC which authentication to use for the tunnel itself. "secret" means a pre-shared key from /etc/ipsec.secrets; the users are authenticated later, inside the tunnel, by PPP.
left            The server's own Internet address. %defaultroute takes the address of the interface that carries the default route; otherwise specify the IP address.
leftprotoport   Defines the protocol and port. 17/1701 means protocol 17 (UDP) and port 1701 (L2TP).
pfs             Whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier); acceptable values are yes (the default) and no.
rekey           Whether a connection should be renegotiated when it is about to expire; acceptable values are yes (the default) and no.
keyingtries     How many attempts (a whole number or %forever) should be made to negotiate a connection, or a replacement for one, before giving up (default %forever, meaning never give up).
right           %any accepts the incoming connection from any IP address, i.e. a road warrior whose address is not known in advance.
rightprotoport  17/%any: UDP from any source port, which is what clients behind NAT present.
auto            add loads the connection at startup and waits for the client to initiate it; the server cannot initiate towards %any.

pfs=no, rekey=no and keyingtries=3 are the settings commonly used for interoperability with the Windows built-in L2TP/IPsec client. With right=%any every client uses the same pre-shared key, because the server has no way to tell clients apart before the key is used, so anyone holding the key can stand up a fake server in front of the real one. Treat the PSK as a group credential: make it long and random, and change it when a client device is lost.

For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html

ipsec.secrets

You will need to add a PSK to the end of the file. The following represents the last few lines of the /etc/ipsec.secrets file, after the generated RSA key block, where the line : PSK "HPGWthisisakey" has been added ("HPGWthisisakey" is only a course placeholder; use a long random string in practice):

------------------------------------------------------------
	dca39469c5dd31ad50f9a58d147b178b99f24139a9bd359ede3adf832a2b562b87220d2a2e031
	}
# do not change the indenting of that "}"
: PSK "HPGWthisisakey"
------------------------------------------------------------

L2TP

Next you will need to download and install L2TP. For the course we will use "xl2tpd-1.1.06-4.i386.rpm", which installs XL2TPD. Once you have installed this you will need to edit the /etc/xl2tpd/xl2tpd.conf file. The settings below go in the "[lns default]" section of that file, so the section header must be present:

------------------------------------------------------------
[lns default]
ip range = 10.0.0.10-10.0.0.20
local ip = 10.0.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
------------------------------------------------------------

The parameters you need to check are as follows:

ip range                The pool of IP addresses handed out to incoming connections.
local ip                The IP address of the server end of the PPP links.
require chap            "yes" tells the server to authenticate clients with CHAP, using /etc/ppp/chap-secrets; this is what the Microsoft clients use.
refuse pap              "yes" tells the server not to accept PAP, which would carry the password in clear text inside the tunnel.
require authentication  Tells the server to require authentication from every client.
pppoptfile              Make sure that this path points at the options.xl2tpd file, which is usually found in the /etc/ppp/ directory.
PPP

There are two files in the /etc/ppp directory that you need for PPP to work properly with L2TP:

chap-secrets or pap-secrets  (depending on your authentication method)
options.xl2tpd               (there is usually no need to edit this file)

To edit the chap-secrets file, browse to /etc/ppp/chap-secrets and add the VPN users as required. The following is an example of the format:

------------------------------------------------------------
# Secrets for authentication using CHAP
# client        server  secret          IP addresses
peter           *       password        *
------------------------------------------------------------

In the above example the user name is "peter" and the password is "password" (a placeholder; pick a real one). The "*" in the server column accepts any server name, and the "*" in the last column lets the client take any address from the xl2tpd pool. The secrets are stored in clear text, so the file must be readable by root only ("chmod 600 /etc/ppp/chap-secrets").

There is usually no need to edit options.xl2tpd, but should you need to, you will find it in /etc/ppp/. The file needs to be there even if you do not edit it. By default the file looks like the following:

------------------------------------------------------------
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
------------------------------------------------------------

The ms-dns and ms-wins lines are the DNS and WINS servers pushed to Windows clients and should be changed to your own. "auth" makes pppd insist that the client authenticates, "proxyarp" lets the server answer ARP for the client's pool address on the LAN so the client is reachable from there, and "nodefaultroute" stops pppd from installing a default route through a client's link on the server.
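The ipsec.secrets and chap-secrets examples above use placeholder secrets. The shell script below is an added example, not part of the original course notes, covering the two things to do before putting this server in front of real clients: generate a random group PSK (every road warrior shares it, because with right=%any the server cannot tell clients apart before the key is used) and add PPP users without duplicate or malformed entries, leaving both files readable by root only. The function names (gen_psk, write_psk, add_chap_user) and the paths handed to them are assumptions of this example; the demo writes into the current directory so it can be tried safely.

```shell
#!/bin/sh
# Added example: generate a random L2TP/IPsec group PSK and manage
# chap-secrets entries safely. Not part of the original course notes;
# function names and the file paths passed in are assumptions.
set -eu

# 32 random bytes from /dev/urandom, hex-encoded -> 64-character PSK.
# Hex keeps the value free of quotes and whitespace, which would otherwise
# need escaping inside the quoted PSK string in ipsec.secrets.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_psk FILE PSK: append the road-warrior group secret as a
# ': PSK "..."' line (no host selector, so it applies to any peer) and
# restrict the file to root. Refuses short, guessable keys such as the
# course placeholder.
write_psk() {
    file=$1; psk=$2
    [ ${#psk} -ge 32 ] || { echo "PSK too short (${#psk} chars), want >= 32" >&2; return 1; }
    printf ': PSK "%s"\n' "$psk" >> "$file"
    chmod 600 "$file"
}

# add_chap_user FILE USER SECRET: append a "user * secret *" line for
# pppd's CHAP lookup. Rejects secrets containing whitespace or quotes
# (they would be split into extra fields) and refuses a user that is
# already present, so two lines never compete for the same login.
add_chap_user() {
    file=$1; user=$2; secret=$3
    case "$secret" in
        *[[:space:]]*|*\"*) echo "secret for $user contains whitespace or quotes" >&2; return 1 ;;
    esac
    if [ -f "$file" ] && awk -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$user" "$secret" >> "$file"
    chmod 600 "$file"
}

# Demo (assumed usage): writes ./ipsec.secrets and ./chap-secrets here;
# on the real server point the paths at /etc/ipsec.secrets and
# /etc/ppp/chap-secrets instead.
#   sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    psk=$(gen_psk)
    write_psk ./ipsec.secrets "$psk"
    add_chap_user ./chap-secrets peter "$(gen_psk | cut -c1-20)"
    echo "group PSK (give this to the clients): $psk"
fi
```

After changing either file, restart ipsec and xl2tpd; pluto reads ipsec.secrets at start (or on "ipsec secrets"), and the new PSK must be configured on every client at the same time, since they all share it.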