Thursday, August 30, 2007

Setup a L2TP over IPSec VPN Server on Linux

Test Environment:

L2TP Client ---------- L2TP Server

L2TP Client: Windows XP SP2
L2TP Server: CentOS 5.0

IP address of L2TP Client: 10.5.30.200
IP address of L2TP Server: 10.5.30.3

必要套件:
xl2tpd-1.1.09-1.fc5.src.rpm
openswan-2.4.9-31.el5.i386.rpm
ipsec-tools* (預設已安裝)
ppp* (預設已安裝)

Setup Procedure:

1.Install RPM:
# rpm –ivh openswan*
# rpm –ivh xl2tpd* (That’s source rpm you must rebuild it)

2.Configure L2TP Server:
2.1 設定帳號與密碼:
# vi /etc/ppp/chap-secrets
lawrence * “redhat” *

2.2 設定xl2tpd設定檔:
[global]
; listen-addr = 192.168.1.98
;
;requires openswan-3.1
;ipsec saref = yes
;
;debug tunnel = yes
auth file = /etc/ppp/chap-secrets
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

2.3 設定/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
#mtu 1410
#mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log

2.4 啟動L2TP Server
# service xl2tpd start; chkconfig xl2tpd on

3. 設定IPSec
3.1 PSK setting:
# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.5.30.3 %any : PSK "1234567890"

10.5.30.3 -> Server IP address
%any -> allow all machines
格式要一模一樣,不然會出錯

3.2 設定l2tp-psk.conf
套用範例即可:
# cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/
# chmod 755 l2tp-psk.conf

3.3 啟動IPSec
# service ipsec start; chkconfig ipsec on

3.4 Check IPSec status
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-8.1.8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

這麼一來L2TP over IPSec就成功架設起來了,如果有問題的話可查看以下的log file
/var/log/message
/var/log/secure
/var/log/xl2tpd.log

4. L2TP Client setting:
4.1新增連線
1. 開始->設定->網路連線->新增連線精靈
2. 選擇連線到公司網路(使用指定撥號或是vpn)
3. 選擇虛擬私人網路連線
4. 輸入名稱(可以隨意選)
5. 輸入VPN server IP (10.5.30.3)

4.2 修改設定

1.在安全性的分頁中->選擇進階->只勾選CHAP->可省加密

2. 點選"ipsec 設定"選項,輸入PSK(pre-shared key)

22 comments:

Anonymous said...

瘋狂帽客兄,您好

想跟您請教一些問題
如果這個 VPN 要應用於 Internet 上
是否要在 VPN Server 上 bind 一個 public ip
然後使用者新增一個 vpn 連線時的 server ip 輸入該 public ip
請問是這樣嗎??

另外,192.168.1.x 那個網段是公司既有的 LAN Subnet 嗎??
還是只是一段虛擬的通道??

問題很多,還請見諒...^^"

瘋狂帽客 said...

Dear linux child,
是的,您說的沒錯,要在VPN Server上設定Public IP address,而L2TP Client在設定VPN連線時就是輸入這組IP address。
建議您default firewall policy對於INPUT都是Drop只allow TCP/UDP 1701(L2TP) 與 TCP/UDP 500(IPSec)會比較安全。

至於是不是應該跟公司內網同個subnet,可以是,也可以不是,當user撥接成功後會多出一個pppx的interface。

Anonymous said...

您好~拜讀您的文章後已經安裝好VPN了(萬分感謝),有問題想請要一下,我家環境是IP分享器連CENTOS 5(跑DNS、MAIL SERVER),想利用公司網路連回家裡,問題是:
1.那vi /etc/ipsec.secret裡的IP是要設定真實IP還是虛擬IP?
2.xl2tpd設定檔裡面的local ip是設定虛擬IP OR?
3.xl2tpd設定檔裡面的IP RANG是要和家裡的網段一樣才可以存取分享的資源嗎?
4.#ipsec verify出現了錯誤訊息:
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Two or more interfaces found, checking IP forwarding [FAILED]
可否幫忙指點一下

Anonymous said...

#ipsec verify
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Two or more interfaces found, checking IP forwarding [FAILED]

我也是這樣ㄝ 找了好久不知該如何解決

瘋狂帽客 said...

Hi Tony & Sineed,
解決這個問題的方法就是修改kernel的參數,至於是那些參數需要修改呢?Openswan有提供範例如下:

# cat /etc/ipsec.d/examples/sysctl.conf

# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

把這些參數加入到/etc/sysctl.conf並執行sysctl -p,這樣就可以了。

瘋狂帽客 said...

Hi Tony:
關於您所提問的問題,以下是我的回答希望對您有幫助:
1.那vi /etc/ipsec.secret裡的IP是要設定真實IP還是虛擬IP?
-> Public IP address

2.xl2tpd設定檔裡面的local ip是設定虛擬IP OR?
-> Private IP address

3.xl2tpd設定檔裡面的IP RANG是要和家裡的網段一樣才可以存取分享的資源嗎?
-> 就算不一樣也可以,端看你iptables rule怎麼設計,其中也包含了些routing的觀念。

Anonymous said...

NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

已解決
執行以下指令
[root@shtm ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-53.1.4.el5xen (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:

Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 254.200.9.192.in-addr.arpa. [MISSING]

想請教 l2tp-psk.conf 裡的意思
可否請瘋狂帽客兄講解一下
l2tp-psk.conf跟dns有何關聯

麻煩你了 謝謝

瘋狂帽客 said...

關於l2tp-psk.conf裡詳細的參數,請參考以下連結:
http://wiki.openswan.org/index.php/Openswan/ConfFiles
這是Openswan的wiki。

l2tp-psk.conf與DNS有什麼關係?就我的理解是沒有任何的直接關係,l2tp-psk.conf是用來設定L2TP over IPSec的設定檔。

Anonymous said...

我使用l2tp-psk.conf這個範例檔出現
Opportunistic Encryption DNS checks:

Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 254.200.9.192.in-addr.arpa. [MISSING]

我也想不出跟DNS有什麼關係
真傷腦筋 沒加密的VPN很恐怖吧??
我執行
/etc/init.d/ipsec start
SMB就馬上掛掉
然後就趕快執行
/etc/init.d/ipsec stop
SMB就好了
不知哪的原因

Anonymous said...

帽客兄你好,假如l2tp server 是在NAT裡面的話,那請問在ipsec.conf 或l2tp-psk.cong 該怎麼設定呢?

Mark said...

請問帽客兄,您好:
如果我要架設 lan to lan 的 vpn ,是不是只要看 ipsec 的設定部份就好了?

瘋狂帽客 said...

LAN to LAN IPSec設定請參考:
http://go-linux.blogspot.com/2007/09/setup-ipsec-host-to-host-tunnel.html
稍為修改一下就可以了.

或是參考:
http://wiki.openswan.org/index.php/Openswan/Configure
更為詳細

DAN said...

請問一下 Xl2tpd 如果無法啟動是哪一種問題 因為只要start 就直接失敗 想請問一下怎們解決

瘋狂帽客 said...

Dear Dan,
Please check xl2tpd logs first.

DAN said...

你好 我連log檔都還沒建立 因為rpm 安裝完成 service xl2tpd start 就失敗了
log檔還沒建立在/var 裡面

ken said...

請問 瘋狂帽客兄
您有試過 l2tpv3 嗎?
有研究過 l2tpv3 的 server/client 的設定嗎?

Unknown said...

請問一下
我用fedora 9安裝l2tp over ipsec vpn時,都無法架設成功,請問大大是否有用fedora9架設成功過

streitleak said...

l2tp-psk.conf沒找到中。
OS: FC9
xl2tpd-1.1.12-2.fc9.i386.rpm
openswan-2.6.09-2.fc9.i386.rpm

用find /|grep conf都沒有看到該檔案。
是要去哪裡找這個檔案呢?雖說有找到一個日本網站上有寫,但似乎也不能用阿。

Anonymous said...

您好~
想跟您請教一些問題~

我的配置如下
A----eth0 router eth1----B

A:192.168.1.100
eth0:192.168.1.1
eth1:192.168.2.1
B192.168.2.100


ipsec.conf:
config setup
nat_traversal=yes
plutowait=yes
nhelpers=0

conn %default

conn test
authby=secret
auto=add
keyingtries=3
left=192.168.2.1
pfs=no
rekey=no
right=192.168.2.100

include /etc/ipsec.d/examples/no_oe.conf


ipsec.secrets:

: PSK "1234567890"


A是win xp 用mmc 開ipsec的功能 B是裝openswan的linux

目前沒辦法連上(動作是 A ping B)

用wireshark 看
在exchange key 之後
A會送一個 identification 的 payload給 B
可是 B會回送一個 hash的 payload 給A
查看/var/log/message
有這一段

Oct 8 18:37:27 haha pluto[6387]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.100'
Oct 8 18:37:27 haha pluto[6387]: "test" #1: no suitable connection for peer '192.168.1.100'
Oct 8 18:37:27 haha pluto[6387]: "test" #1: sending encrypted notification IN
VALID_ID_INFORMATION to 192.168.2.1:


(太長了@_@...)

請問是我的conf有什麼地方寫錯嗎??~

Anonymous said...

瘋狂帽客兄,您好

大底跟著你所寫的程序並不能起動L2TP over IPSEC. 還有不完善的地方i.e.設定l2tp-psk.conf不能套用預設的文件於起動xl2tpd(希望你會教授l2tp-psk.conf配置). 在xl2tpd 1.2.4並沒有/example 的文件,只能在old version抽取.在connect時更有error789,應該是ipsec timeout. 還有甚麼不對?

Unknown said...
This comment has been removed by the author.
Anonymous said...

瘋狂帽客兄,您好

我依照以上步驟設定,ipsec verify正常,打ps指令也看的到xl2tpd有跑起來,但是從Client卻無法連線,從封包上來分析Server完全沒有反應

在/var/log中也沒產生xl2tpd.log這檔案,請問是否還需要做些什麼設定?如何在做進一部的檢查?