Difference between revisions of "IPSec-VPN on Stock Kernel"

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 11:52, 8 September 2010

Attention: whatever you do, you do it at your own risk.

Prerequisite

You need firmware 1.34 already installed and opened for telnet access. If not, you can find a guide here: Open Stock Firmware LS-XHL

For firmware versions before 1.34 this may also work, but it is unknown whether the IPsec and xl2tpd packages are included there.

What's the aim?

The aim is to set up a VPN server that uses L2TP over IPsec as its tunneling technology.


Why this, and not PPTP? The problem with PPTP is that it needs MPPE support in the kernel, which is simply not there.

Therefore we are going to use IPsec and L2TP, which are more secure than PPTP in most scenarios anyway.

What is needed?

The good news is: everything is already on the box; you do not have to install any external software package at all.

The bad news: the packages are configured for a service called PocketU (only available in Japan). Boxes outside Japan do not use them at all.


As a general guideline, an IPsec/L2TP server needs:

an IPsec package (here Openswan with pluto), an IPsec configuration and a tunnel (connection) configuration

an L2TP package (here xl2tpd), an xl2tpd configuration and the ppp options file for xl2tpd

How does it work?

The VPN works as follows:

1) An IPsec tunnel is opened (authenticated with a preshared key or with certificates)

2) Inside that tunnel, L2TP is used to authenticate the user, and PPP inside L2TP assigns the client's IP address

Configuration

Needed files to be touched / modified:

/etc/init.d/xl2tpd.sh

/etc/ipsec.conf

/etc/ipsec.d/l2tp.conf

/etc/ipsec.d/l2tp.secrets

/etc/xl2tpd/xl2tpd.conf

/etc/ppp/options.xl2tpd


As all these files already exist, make sure you back them up first.

Configuring IPsec: modify /etc/ipsec.conf to enable NAT Traversal (NAT-T) and to define the private networks:

 # basic configuration
 config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug=all
    protostack=netkey
    nat_traversal=yes
    # Private ranges that NAT-ed clients may appear from; the "!" entry excludes the LAN the LinkStation itself is on
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE.NETWORK.ADDR/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    forwardcontrol=no
 # Connection definitions go into /etc/ipsec.d/; the file included here is created in the next step.
    include /etc/ipsec.d/l2tp.conf

Based on this, we add a file called l2tp.conf in /etc/ipsec.d/ to configure our connection:

  conn L2TP-PSK
       #type=tunnel
       # Put the address of your LinkStation here
       left=YOUR.LS.IP.ADDR
       # Put your (NAT) gateway address here if needed
       #leftnexthop=
       leftprotoport=udp/l2tp
       right=%any
       rightsubnet=vhost:%no,%priv
       rightprotoport=udp/l2tp
       auto=add
       authby=secret
       ike=3des-sha1-modp2048,3des-sha1-modp1024
       pfs=no
       rekey=no
       keyingtries=3

Now let's define the secret (a preshared key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets:

  : PSK "PRESHARED-KEY"

You can add addresses before the ":" to define for which addresses this key is used. Because right=%any, every client shares this one key, so use a long random value and keep the file readable by root only (mode 600). Openswan only reads this file if /etc/ipsec.secrets includes it, so check that file for a matching include line.

This should be sufficient for IPsec itself. You can try to start it with /etc/init.d/ipsec start

For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf (comments in this file start with ";"):

  [global]
    ; Put your LinkStation IP address here
    listen-addr = YOUR.LS.IP.ADDR
    ; debug tunnel = yes
    ; debug packet = yes
  [lns default]
    ; Address range handed out to clients
    ip range = 192.168.XX.YYY-192.168.XX.ZZZ
    ; Put your LinkStation IP address here
    local ip = YOUR.LS.IP.ADDR
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = YOUR-VPN-SERVER-NAME
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    ppp debug = yes
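The IPsec and L2TP steps above put the same LinkStation address into three files and leave a placeholder PSK in a file whose permissions are never mentioned. The following shell script is an added example, not code from the wiki page, Openswan or xl2tpd: it renders ipsec.conf, ipsec.d/l2tp.conf, ipsec.d/l2tp.secrets and xl2tpd/xl2tpd.conf into a scratch directory from a few variables, generates a random PSK, writes the secrets file root-readable only, and checks that the rendered files agree with each other. The function names, the variable names and the default connection name linkstation-vpn are assumptions; the ike= proposals are the page's 3DES/SHA1 ones, which are legacy algorithms kept only because that is what the page configures. It needs only a POSIX sh, so it can run on the box itself.

```shell
#!/bin/sh
# Added example, not code from the wiki page, Openswan or xl2tpd.
# Renders the VPN files described above from a handful of variables so the
# LinkStation address, client range, excluded LAN and PSK cannot drift apart,
# and writes the secrets file with a random key that only root can read.
# OUT is assumed to be a scratch directory, not /etc: diff the result against
# your backups before copying anything over.

set -eu

# 32 random bytes as 64 hex characters. od is used instead of base64 because
# the BusyBox on the box may not ship base64.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_vpn_configs OUT LS_IP RANGE_START RANGE_END LAN_NET PSK [NAME]
write_vpn_configs() {
    out=$1 ls_ip=$2 r_start=$3 r_end=$4 lan=$5 psk=$6 name=${7:-linkstation-vpn}
    mkdir -p "$out/ipsec.d" "$out/xl2tpd"

    # Global IPsec settings as on the page; the box's own LAN is excluded from
    # virtual_private so a client behind a NAT using the same range cannot clash.
    cat > "$out/ipsec.conf" <<EOF
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!$lan
    oe=off
    nhelpers=0
    forwardcontrol=no
include /etc/ipsec.d/l2tp.conf
EOF

    # Connection definition with the page's settings (ike= is the page's
    # legacy 3DES/SHA1 choice).
    cat > "$out/ipsec.d/l2tp.conf" <<EOF
conn L2TP-PSK
    left=$ls_ip
    leftprotoport=udp/l2tp
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=udp/l2tp
    auto=add
    authby=secret
    ike=3des-sha1-modp2048,3des-sha1-modp1024
    pfs=no
    rekey=no
    keyingtries=3
EOF

    # One PSK is shared by every road-warrior client (right=%any), so it must
    # be long, random and readable by root only: create it under umask 077.
    (umask 077; printf '%s\n' "$ls_ip %any : PSK \"$psk\"" > "$out/ipsec.d/l2tp.secrets")
    chmod 600 "$out/ipsec.d/l2tp.secrets"

    # xl2tpd: listen-addr and local ip are the address IPsec uses as left=.
    cat > "$out/xl2tpd/xl2tpd.conf" <<EOF
[global]
listen-addr = $ls_ip
[lns default]
ip range = $r_start-$r_end
local ip = $ls_ip
require chap = yes
refuse pap = yes
require authentication = yes
name = $name
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ppp debug = yes
EOF
}

# check_vpn_configs OUT: fail unless the addresses agree across the rendered
# files, no placeholder from the page survived, and the secrets file is 600.
check_vpn_configs() {
    out=$1
    left=$(sed -n 's/^ *left=\([^ ]*\).*/\1/p' "$out/ipsec.d/l2tp.conf")
    listen=$(sed -n 's/^listen-addr *= *\([^ ]*\).*/\1/p' "$out/xl2tpd/xl2tpd.conf")
    local_ip=$(sed -n 's/^local ip *= *\([^ ]*\).*/\1/p' "$out/xl2tpd/xl2tpd.conf")
    if [ -z "$left" ] || [ "$left" != "$listen" ] || [ "$left" != "$local_ip" ]; then
        echo "address mismatch: left=$left listen-addr=$listen local ip=$local_ip" >&2
        return 1
    fi
    if grep -rqE 'YOUR\.|PRESHARED-KEY|XX\.YYY' "$out"; then
        echo "placeholder text left in $out" >&2
        return 1
    fi
    mode=$(ls -l "$out/ipsec.d/l2tp.secrets" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "l2tp.secrets is $mode, want -rw-------" >&2
        return 1
    fi
}
```

Example invocation: write_vpn_configs /tmp/vpn 192.168.10.5 192.168.10.200 192.168.10.210 192.168.10.0/24 "$(gen_psk)" followed by check_vpn_configs /tmp/vpn. A non-zero exit with a message on stderr means the rendered files should not be installed; the generated PSK is the value you then enter on each client.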