IPSec-VPN on Stock Kernel
From NAS-Central Buffalo - The Linkstation Wiki
Nobody0472 (Talk | contribs) |
Nobody0472 (Talk | contribs) |
||
| Line 35: | Line 35: | ||
=Configuration= | =Configuration= | ||
| + | |||
| + | Needed files to be touched / modified: | ||
| + | |||
| + | /etc/init.d/xl2tpd.sh | ||
| + | |||
| + | /etc/ipsec.conf | ||
| + | |||
| + | /etc/ipsec.d/l2tp.conf | ||
| + | |||
| + | /etc/ipsec.d/l2tp.secrets | ||
| + | |||
| + | /etc/xl2tpd/xl2tpd.conf | ||
| + | |||
| + | /etc/ppp/options.xl2tpd | ||
| + | |||
| + | |||
| + | As all these files are already there, make sure, you are backing them up. | ||
| + | |||
| + | Configuring IPSec: | ||
| + | Modify /etc/ipsec.conf to enable NAT-Traversal (NAT-T) and to define private networks: | ||
| + | |||
| + | # basic configuration | ||
| + | config setup | ||
| + | # Debug-logging controls: "none" for (almost) none, "all" for lots. | ||
| + | # klipsdebug=none | ||
| + | # plutodebug=all | ||
| + | protostack=netkey | ||
| + | nat_traversal=yes | ||
| + | virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE:NETWORK:ADD/24 | ||
| + | oe=off | ||
| + | # Enable this if you see "failed to find any available worker" | ||
| + | nhelpers=0 | ||
| + | forwardcontrol=no | ||
| + | #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this. | ||
| + | include /etc/ipsec.d/l2tp.conf | ||
| + | |||
| + | Based on this we are adding in /etc/ipsec.d/ a file called l2tp.conf to configure our connection: | ||
| + | conn L2TP-PSK | ||
| + | #type=tunnel | ||
| + | left=YOUR.LS.IP.ADDR #Put the address of your linkstation here | ||
| + | #leftnexthop= #Put your (NAT)gateway address here | ||
| + | leftprotoport=udp/l2tp | ||
| + | right=%any | ||
| + | rightsubnet=vhost:%no,%priv | ||
| + | rightprotoport=udp/l2tp | ||
| + | auto=add | ||
| + | authby=secret | ||
| + | ike=3des-sha1-modp2048,3des-sha1-modp1024 | ||
| + | pfs=no | ||
| + | rekey=no | ||
| + | keyingtries=3 | ||
| + | |||
| + | Now let's define secrets (preshared-key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets | ||
| + | : PSK "PRESHARED-KEY" # you can add addresses before the ":" to define for which addresses this key is used | ||
| + | |||
| + | This should be sufficient for IPSec itself. You could try to start this with /etc/init.d/ipsec start | ||
| + | |||
| + | For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf | ||
| + | [global] | ||
| + | listen-addr = YOUR.LS:IP.ADDR #Put your Linkstation-IP Address here | ||
| + | ; | ||
| + | ; debug tunnel = yes | ||
| + | ; debug packet = yes | ||
| + | [lns default] | ||
| + | ip range = 192.168.XX.YYY-192.168.XX.ZZZ # Address-range for clients | ||
| + | local ip = YOUR.LS:IP.ADDR #Put your Linkstation-IP Address here | ||
| + | require chap = yes | ||
| + | refuse pap = yes | ||
| + | require authentication = yes | ||
| + | name = YOUR-VPN-SERVER NAME | ||
| + | pppoptfile = /etc/ppp/options.xl2tpd | ||
| + | length bit = yes | ||
| + | ppp debug = yes | ||
Revision as of 11:52, 8 September 2010
Attention: What ever you do, you do it on your own risk
Contents |
Prerequisite
You have to have firmware 1.34 already installed and opened for telnet access. If not, you can find a guide here: Open Stock Firmware LS-XHL
For Firmwares before 1.34 this also may work, but it's unknown if the IPSEC-XL2TP Packages are also in there.
What's the aim ?
The aim is to realize a VPN-Server that uses L2TP-IPSec as tunneling technology.
Why this, and not PPTP ?
The issue with PPTP is, that it needs MPPE support within the kernel, which is simply not there.
Therefore we are going to use IPSec & L2TP, as they are more secury in most scenarios in any way.
What is needed ?
The good news are: everything is already on the box, you don't have to install any external software-package at all.
The bad news: The packages are configured to be used for a service called PocketU (only in Japan). As a matter of fact all boxes outside of Japan are not using those things at all.
As a general guidline for an IPSec-L2TP Server we need:
IPSec - Package (here OpenSwan with pluto), an IPSec-Configuration and a tunnel-configuration
L2TP - Package (here xl2tp), and xl2tp-Configuration and ppp.xl2tp options
How does it work
The VPN works as follows:
1) An IPSec tunnel will be opened (using a preshared-key or certificates)
2) Within the tunnel L2TP is used to authenticate a user and do IP-adressing with PPP in there
Configuration
Needed files to be touched / modified:
/etc/init.d/xl2tpd.sh
/etc/ipsec.conf
/etc/ipsec.d/l2tp.conf
/etc/ipsec.d/l2tp.secrets
/etc/xl2tpd/xl2tpd.conf
/etc/ppp/options.xl2tpd
As all these files are already there, make sure, you are backing them up.
Configuring IPSec: Modify /etc/ipsec.conf to enable NAT-Traversal (NAT-T) and to define private networks:
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug=all
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE:NETWORK:ADD/24
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
forwardcontrol=no
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/l2tp.conf
Based on this we are adding in /etc/ipsec.d/ a file called l2tp.conf to configure our connection:
conn L2TP-PSK
#type=tunnel
left=YOUR.LS.IP.ADDR #Put the address of your linkstation here
#leftnexthop= #Put your (NAT)gateway address here
leftprotoport=udp/l2tp
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=udp/l2tp
auto=add
authby=secret
ike=3des-sha1-modp2048,3des-sha1-modp1024
pfs=no
rekey=no
keyingtries=3
Now let's define secrets (preshared-key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets
: PSK "PRESHARED-KEY" # you can add addresses before the ":" to define for which addresses this key is used
This should be sufficient for IPSec itself. You could try to start this with /etc/init.d/ipsec start
For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = YOUR.LS:IP.ADDR #Put your Linkstation-IP Address here
;
; debug tunnel = yes
; debug packet = yes
[lns default]
ip range = 192.168.XX.YYY-192.168.XX.ZZZ # Address-range for clients
local ip = YOUR.LS:IP.ADDR #Put your Linkstation-IP Address here
require chap = yes
refuse pap = yes
require authentication = yes
name = YOUR-VPN-SERVER NAME
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ppp debug = yes
