IPSec-VPN on Stock Kernel

Attention: Whatever you do, you do it at your own risk.

=Prerequisite=

You need firmware 1.34 already installed and opened for telnet access. If not, you can find a guide here: Open Stock Firmware LS-XHL

For firmware versions before 1.34 this may also work, but it is unknown whether the IPSec and xl2tpd packages are included there.

=What's the aim?=

The aim is to set up a VPN server that uses L2TP over IPSec as the tunneling technology.

Why this, and not PPTP? The problem with PPTP is that it needs MPPE support in the kernel, which is simply not there.

Therefore we use IPSec and L2TP, which are more secure in most scenarios anyway.

=What is needed?=

The good news: everything is already on the box; you don't have to install any external software package at all.

The bad news: the packages are configured for a service called PocketU (only available in Japan). In practice, boxes outside Japan don't use them at all.

As a general guideline, an IPSec/L2TP server needs: an IPSec package (here Openswan with pluto), an IPSec configuration and a tunnel configuration; an L2TP package (here xl2tpd), an xl2tpd configuration and the ppp options for xl2tpd.

=How does it work=

The VPN works as follows:

1) An IPSec tunnel is opened (using a pre-shared key or certificates)

2) Within the tunnel, L2TP is used to authenticate the user and PPP does the IP addressing

=Configuration=

Needed files to be touched / modified:

/etc/init.d/xl2tpd.sh

/etc/ipsec.conf

/etc/ipsec.d/l2tp.conf

/etc/ipsec.d/l2tp.secrets

/etc/xl2tpd/xl2tpd.conf

/etc/ppp/options.xl2tpd

As all these files already exist, make sure you back them up.

Configuring IPSec: modify /etc/ipsec.conf to enable NAT traversal (NAT-T) and to define the private networks:

 # basic configuration
 config setup
     # Debug-logging controls: "none" for (almost) none, "all" for lots.
     # klipsdebug=none
     # plutodebug=all
     protostack=netkey
     nat_traversal=yes
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE.NETWORK.ADDR/24
     oe=off
     # Enable this if you see "failed to find any available worker"
     nhelpers=0
     forwardcontrol=no
 
 # You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
 include /etc/ipsec.d/l2tp.conf

Based on this, we add a file called l2tp.conf in /etc/ipsec.d/ to configure our connection:

 conn L2TP-PSK
     #type=tunnel
     left=YOUR.LS.IP.ADDR        # Put the address of your LinkStation here
     #leftnexthop=               # Put your (NAT) gateway address here
     leftprotoport=udp/l2tp
     right=%any
     rightsubnet=vhost:%no,%priv
     rightprotoport=udp/l2tp
     auto=add
     authby=secret
     ike=3des-sha1-modp2048,3des-sha1-modp1024
     pfs=no
     rekey=no
     keyingtries=3

Now let's define the secret (a pre-shared key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets:

 : PSK "PRESHARED-KEY"   # you can add addresses before the ":" to define for which addresses this key is used

This should be sufficient for IPSec itself. You can try starting it with:

 /etc/init.d/ipsec start

For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf (comments use ";", the file's own comment syntax):

 [global]
 ; Put your LinkStation IP address here
 listen-addr = YOUR.LS.IP.ADDR
 ;
 ; debug tunnel = yes
 ; debug packet = yes
 
 [lns default]
 ; Address range for the clients
 ip range = 192.168.XX.YYY-192.168.XX.ZZZ
 ; Put your LinkStation IP address here
 local ip = YOUR.LS.IP.ADDR
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = YOUR-VPN-SERVER-NAME
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 ppp debug = yes

Now let's tune the options for PPP in /etc/ppp/options.xl2tpd:

 ipcp-accept-local
 ipcp-accept-remote
 #ms-dns YOUR.DNS.SERVER.ADDR
 #refuse-eap
 require-mschap
 noccp
 #nopcomp
 #noaccomp
 #noauth
 auth
 crtscts
 idle 1800
 mtu 1410
 mru 1410
 defaultroute
 debug
 lock
 connect-delay 5000
 #record /root/pppd.log
 #usepeerdns
 proxyarp

You also need to add CHAP secrets for L2TP in /etc/ppp/chap-secrets. You can do this as you like (the file already contains entries you can use as a template).

Now we need to modify the xl2tpd start script, as the existing one is specific to PocketU. So generate a new start script for xl2tpd in /etc/init.d and put this in it:

 #!/bin/sh
 VARRUNDIR=/var/run/xl2tpd
 LOGTAG=xl2tpd.sh
 LOGFACILITY=local0.info
 
 # Create the run directory for xl2tpd if it does not exist yet
 CreateRunDir() {
     if [ -d "${VARRUNDIR}" ] ; then return 0; fi
     mkdir -p "${VARRUNDIR}"
     return $?
 }
 
 Start() {
     CreateRunDir
     xl2tpd
     logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Started!"
     #sysctl -p   # Add this if you want to enable IP forwarding from sysctl.conf
 }
 
 Stop() {
     killall xl2tpd
     logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Stopped!"
 }
 
 case $1 in
     start)
         Start
         ;;
     stop)
         Stop
         ;;
     restart)
         Stop
         sleep 1
         Start
         ;;
     *)
         echo "Usage: $0 {start|stop|restart}"
         exit 1
         ;;
 esac

OK, you're done. To start everything up, run the following:

/etc/init.d/ipsec start

/etc/init.d/xl2tpd.sh start

Make sure that the PocketU start script doesn't get in your way (/etc/rc.d/extensions.d).
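Before connecting a client, it is worth checking that the authentication settings from xl2tpd.conf and options.xl2tpd above actually made it into the files. The following is an added example (not part of the original page or of xl2tpd) that parses both formats and flags settings that would weaken L2TP/PPP authentication; the sample inputs are constructed inline, so it runs without a LinkStation:

```python
import re

# Constructed samples: the first pair mirrors the settings shown above,
# the second pair has the authentication checks deliberately weakened.
GOOD_XL2TPD = """[global]
listen-addr = 192.0.2.10   ; placeholder for YOUR.LS.IP.ADDR
[lns default]
ip range = 192.168.2.100-192.168.2.110
require chap = yes
refuse pap = yes
require authentication = yes
"""
WEAK_XL2TPD = GOOD_XL2TPD.replace("refuse pap = yes", "refuse pap = no")
GOOD_PPP = "ipcp-accept-local\n#noauth\nauth\nrequire-mschap\nmtu 1410\n"
WEAK_PPP = "ipcp-accept-local\nnoauth\nmtu 1410\n"

def parse_xl2tpd(text):  # INI-like xl2tpd.conf -> {section: {key: value}}
    conf, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, 1)[0].strip()  # drop ; and # comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value  # keys may contain spaces ("ip range")
    return conf

def parse_ppp_options(text):  # active pppd options: first word of each line
    opts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            opts.add(line.split()[0])
    return opts

def audit(xl2tpd_text, ppp_text):
    """Return findings that weaken L2TP/PPP authentication; [] means clean."""
    lns = parse_xl2tpd(xl2tpd_text).get("lns default", {})
    ppp = parse_ppp_options(ppp_text)
    findings = []
    for key in ("require chap", "refuse pap", "require authentication"):
        if lns.get(key, "").lower() != "yes":
            findings.append(f"xl2tpd: '{key} = yes' missing")
    if "noauth" in ppp or "auth" not in ppp:
        findings.append("pppd: peer authentication not enforced ('auth' needed, not 'noauth')")
    if not ppp & {"require-mschap", "require-mschap-v2"}:
        findings.append("pppd: no require-mschap / require-mschap-v2 option")
    return findings
```

To run it against the real files, read /etc/xl2tpd/xl2tpd.conf and /etc/ppp/options.xl2tpd and pass their contents to audit().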

=What is left to do for you?=

On the client side you have to enter the pre-shared key from l2tp.secrets and the username/password from /etc/ppp/chap-secrets.

That should do the job.

=Changes=

2010.09.08: Initial version