Difference between revisions of "IPSec-VPN on Stock Kernel"

 
(5 intermediate revisions by one user not shown)
Line 21: Line 21:
 
The bad news: The packages are configured to be used for a service called PocketU (only in Japan).
 
The bad news: The packages are configured to be used for a service called PocketU (only in Japan).
 
As a matter of fact all boxes outside of Japan are not using those things at all.
 
As a matter of fact all boxes outside of Japan are not using those things at all.
 +
 +
 +
As a general guidline for an IPSec-L2TP Server we need:
 +
IPSec - Package (here OpenSwan with pluto), an IPSec-Configuration and a tunnel-configuration
 +
L2TP - Package (here xl2tp), and xl2tp-Configuration and ppp.xl2tp options
 +
 +
=How does it work=
 +
The VPN works as follows:
 +
 +
1) An IPSec tunnel will be opened (using a preshared-key or certificates)
 +
 +
2) Within the tunnel L2TP is used to authenticate a user and do IP-adressing with PPP in there
 +
 +
=Configuration=
 +
 +
Needed files to be touched / modified:
 +
 +
/etc/init.d/xl2tpd.sh
 +
 +
/etc/ipsec.conf
 +
 +
/etc/ipsec.d/l2tp.conf
 +
 +
/etc/ipsec.d/l2tp.secrets
 +
 +
/etc/xl2tpd/xl2tpd.conf
 +
 +
/etc/ppp/options.xl2tpd
 +
 +
 +
As all these files are already there, make sure, you are backing them up.
 +
 +
Configuring IPSec:
 +
Modify /etc/ipsec.conf to enable NAT-Traversal (NAT-T) and to define private networks:
 +
 +
  # basic configuration
 +
  config setup
 +
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 +
    # klipsdebug=none
 +
    # plutodebug=all
 +
    protostack=netkey
 +
    nat_traversal=yes
 +
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE:NETWORK:ADD/24
 +
    oe=off
 +
    # Enable this if you see "failed to find any available worker"
 +
    nhelpers=0
 +
    forwardcontrol=no
 +
  #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
 +
    include /etc/ipsec.d/l2tp.conf
 +
 +
Based on this we are adding in /etc/ipsec.d/ a file called l2tp.conf to configure our connection:
 +
  conn L2TP-PSK
 +
        #type=tunnel
 +
        left=YOUR.LS.IP.ADDR      #Put the address of your linkstation here
 +
        #leftnexthop=              #Put your (NAT)gateway address here
 +
        leftprotoport=udp/l2tp
 +
        right=%any
 +
        rightsubnet=vhost:%no,%priv
 +
        rightprotoport=udp/l2tp
 +
        auto=add
 +
        authby=secret
 +
        ike=3des-sha1-modp2048,3des-sha1-modp1024
 +
        pfs=no
 +
        rekey=no
 +
        keyingtries=3
 +
 +
Now let's define secrets (preshared-key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets
 +
  : PSK "PRESHARED-KEY" # you can add addresses before the ":" to define for which addresses this key is used
 +
 +
This should be sufficient for IPSec itself. You could try to start this with /etc/init.d/ipsec start
 +
 +
For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf
 +
  [global]
 +
    listen-addr = YOUR.LS:IP.ADDR  #Put your Linkstation-IP Address here
 +
    ;
 +
    ; debug tunnel = yes
 +
    ; debug packet = yes
 +
  [lns default]
 +
    ip range = 192.168.XX.YYY-192.168.XX.ZZZ  # Address-range for clients
 +
    local ip = YOUR.LS:IP.ADDR  #Put your Linkstation-IP Address here
 +
    require chap = yes
 +
    refuse pap = yes
 +
    require authentication = yes
 +
    name = YOUR-VPN-SERVER NAME
 +
    pppoptfile = /etc/ppp/options.xl2tpd
 +
    length bit = yes
 +
    ppp debug = yes
 +
 +
Now let's tune the options for PPP in /etc/ppp/options.xl2tpd
 +
  ipcp-accept-local
 +
  ipcp-accept-remote
 +
  #ms-dns YOUR.DNS.SERVER.ADDR
 +
  #refuse-eap
 +
  require-mschap
 +
  noccp
 +
  #nopcomp
 +
  #noaccomp
 +
  #noauth
 +
  auth
 +
  crtscts
 +
  idle 1800
 +
  mtu 1410
 +
  mru 1410
 +
  defaultroute
 +
  debug
 +
  lock
 +
  connect-delay 5000
 +
  #record /root/pppd.log
 +
  #usepeerdns
 +
  proxyarp
 +
 +
You need to add chap-secrets for L2TP in /etc/ppp/chap-secrets. This can be done as you like (and as something is also there)
 +
 +
Now we need to modify the XL2TPD start-script as this one is specific for pocketU.
 +
So generate a new start-script for xl2tpd in /etc/init.d and put there:
 +
  VARRUNDIR=/var/run/xl2tpd
 +
  LOGTAG=xl2tpd.sh
 +
  LOGFACILITY=local0.info
 +
  CreateRunDir()
 +
  {
 +
        if [ -d "${VARRUNDIR}" ] ; then
 +
                return 0;
 +
        fi
 +
        mkdir "${VARRUNDIR}" -p
 +
        return $?
 +
  }
 +
  Start()
 +
  {
 +
        CreateRunDir
 +
        xl2tpd
 +
        logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Started!"
 +
        #sysctl -p    #Add this if you want to enable IP_FORWARDING in sysctl.conf
 +
  }
 +
  Stop()
 +
  {
 +
        killall xl2tpd
 +
        logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Stopped!"
 +
  }
 +
  case $1 in
 +
    start)
 +
        Start
 +
    ;;
 +
    stop)
 +
        Stop
 +
    ;;
 +
    restart)
 +
        Stop
 +
        sleep 1
 +
        Start
 +
    ;;
 +
  *)
 +
 +
OK, you're done. To start the story you need to do the following:
 +
 +
/etc/init.d/ipsec start
 +
 +
/etc/init.d/xl2tpd.sh start
 +
 +
Make sure that the start-script from pocketU didn't cross your way (/etc/rc.d/extensions.d).
 +
 +
=What is left to do for you?=
 +
On the client-side you have to put in the pre-shared key from l2tp.secrets and UName/PW from /etc/ppp/chap-sectrets.
 +
 +
That should do the job.
 +
 +
=Changes=
 +
2010.09.08: Initial Version
 +
 +
[[Category:LS-XHL]][[Category:LS-CHLv2]][[Category:LS-WXL]][[Category:TS-WX1.0TL/R1]]

Latest revision as of 08:09, 15 September 2010

Attention: Whatever you do, you do it at your own risk.


Prerequisite

You have to have firmware 1.34 already installed and opened for telnet access. If not, you can find a guide here: Open Stock Firmware LS-XHL

For firmware versions before 1.34 this may also work, but it is unknown whether the IPSEC-XL2TP packages are included there.

What's the aim?

The aim is to realize a VPN-Server that uses L2TP-IPSec as tunneling technology.


Why this, and not PPTP? The issue with PPTP is that it needs MPPE support within the kernel, which is simply not there.

Therefore we are going to use IPSec & L2TP, as they are more secure in most scenarios anyway.

What is needed?

The good news is: everything is already on the box; you don't have to install any external software package at all.

The bad news: the packages are configured to be used for a service called PocketU (only in Japan). As a matter of fact, none of the boxes outside of Japan use those packages at all.


As a general guideline, for an IPSec-L2TP server we need: an IPSec package (here OpenSwan with pluto), an IPSec configuration and a tunnel configuration; an L2TP package (here xl2tp), an xl2tp configuration and the ppp.xl2tp options.

How does it work

The VPN works as follows:

1) An IPSec tunnel will be opened (using a preshared-key or certificates)

2) Within the tunnel, L2TP is used to authenticate the user, and PPP handles the IP addressing.

Configuration

Files that need to be touched/modified:

/etc/init.d/xl2tpd.sh

/etc/ipsec.conf

/etc/ipsec.d/l2tp.conf

/etc/ipsec.d/l2tp.secrets

/etc/xl2tpd/xl2tpd.conf

/etc/ppp/options.xl2tpd


As all these files are already there, make sure you back them up first.

Configuring IPSec: Modify /etc/ipsec.conf to enable NAT-Traversal (NAT-T) and to define private networks:

 # basic configuration
 config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug=all
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE:NETWORK:ADD/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    forwardcontrol=no
 #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
    include /etc/ipsec.d/l2tp.conf

Based on this, we add a file called l2tp.conf in /etc/ipsec.d/ to configure our connection:

  conn L2TP-PSK
       #type=tunnel
       left=YOUR.LS.IP.ADDR       #Put the address of your linkstation here
       #leftnexthop=              #Put your (NAT)gateway address here
       leftprotoport=udp/l2tp
       # right=%any: accept IKE from any peer address (road-warrior setup).
       # With authby=secret this means the single PSK in l2tp.secrets is the
       # only thing that identifies a peer at the IPsec layer; per-user
       # authentication happens later, inside the tunnel, via L2TP/PPP CHAP.
       right=%any
       rightsubnet=vhost:%no,%priv
       rightprotoport=udp/l2tp
       # auto=add: load the conn at startup and wait for the client to initiate.
       auto=add
       authby=secret
       # NOTE(review): 3DES/SHA-1 and the 1024-bit modp group are weak by
       # current standards. If the pluto shipped with this firmware supports
       # AES and SHA-2, prefer those, and drop modp1024 once every client can
       # do modp2048 — verify against the installed Openswan version.
       ike=3des-sha1-modp2048,3des-sha1-modp1024
       # pfs=no: no separate DH exchange for the IPsec (phase 2) SA. This is
       # typically set because some L2TP/IPsec clients do not negotiate PFS;
       # keep it only if your clients actually need it.
       pfs=no
       rekey=no
       keyingtries=3

Now let's define secrets (preshared-key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets

  # NOTE(review): this single PSK is shared by every client (right=%any in
  # l2tp.conf); use a long random value rather than a word, and keep this
  # file readable by root only.
  : PSK "PRESHARED-KEY" # you can add addresses before the ":" to define for which addresses this key is used

This should be sufficient for IPSec itself. You can try to start it with /etc/init.d/ipsec start

For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf

  [global]
    ; NOTE(review): this is the same LinkStation address as "left" in
    ; /etc/ipsec.d/l2tp.conf (written YOUR.LS.IP.ADDR there) — the two must match.
    listen-addr = YOUR.LS:IP.ADDR   #Put your Linkstation-IP Address here
    ;
    ; debug tunnel = yes
    ; debug packet = yes
  [lns default]
    ; Pool handed out to VPN clients; pick a range inside your LAN that DHCP does not use.
    ip range = 192.168.XX.YYY-192.168.XX.ZZZ  # Address-range for clients
    local ip = YOUR.LS:IP.ADDR   #Put your Linkstation-IP Address here
    ; CHAP is mandatory and PAP (cleartext passwords) is refused.
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = YOUR-VPN-SERVER NAME
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    ; Verbose PPP logging; consider turning this off once the setup works.
    ppp debug = yes

Now let's tune the options for PPP in /etc/ppp/options.xl2tpd

  ipcp-accept-local
  ipcp-accept-remote
  #ms-dns YOUR.DNS.SERVER.ADDR
  #refuse-eap
  # NOTE(review): require-mschap also accepts MS-CHAP v1. If every client
  # supports it, require-mschap-v2 is the stronger choice.
  require-mschap
  # No CCP, hence no MPPE — consistent with the kernel lacking MPPE support;
  # the PPP traffic is protected by the IPsec tunnel only.
  noccp
  #nopcomp
  #noaccomp
  #noauth
  # The peer must authenticate itself.
  auth
  crtscts
  # Drop the link after 30 minutes without traffic.
  idle 1800
  # Presumably reduced to leave headroom for the L2TP/UDP/IPsec encapsulation overhead.
  mtu 1410
  mru 1410
  # NOTE(review): on the server side this is normally unnecessary; pppd will
  # not replace an existing default route, but double-check that a client
  # connection does not change the LinkStation's routing.
  defaultroute
  # Verbose logging; the authentication exchange may end up in the logs,
  # so turn this off once the setup works.
  debug
  lock
  connect-delay 5000
  #record /root/pppd.log
  #usepeerdns
  # Answer ARP for the client address on the LAN so clients appear as local hosts.
  proxyarp

You need to add CHAP secrets for L2TP in /etc/ppp/chap-secrets. This can be done as you like (note that some entries are already in that file).

Now we need to replace the xl2tpd start script, as the existing one is specific to PocketU. So generate a new start script for xl2tpd in /etc/init.d and put the following in it:

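  #!/bin/sh
  # Minimal init script for xl2tpd (saved as /etc/init.d/xl2tpd.sh).
  # The shebang makes it run under /bin/sh no matter which shell invokes it.
  # Usage: xl2tpd.sh {start|stop|restart}
  #
  # Runtime directory created before xl2tpd is started (presumably for its
  # pid/control files).
  VARRUNDIR=/var/run/xl2tpd
  # Tag and facility used for every syslog message this script emits.
  LOGTAG=xl2tpd.sh
  LOGFACILITY=local0.info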
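  CreateRunDir()
  {
        # Create the runtime directory unless it already exists.
        # Returns 0 on success (including "already there"), mkdir's status otherwise.
        if [ -d "${VARRUNDIR}" ] ; then
                return 0
        fi
        # Options before the operand: POSIX mkdir does not guarantee that
        # "-p" after the path is accepted, and "--" keeps an odd path from
        # being parsed as an option. The function's status is mkdir's status.
        mkdir -p -- "${VARRUNDIR}"
  }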
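  Start()
  {
        # Make sure the runtime directory exists before launching the daemon;
        # abort (and say so in syslog) if it cannot be created instead of
        # starting xl2tpd into a broken environment.
        if ! CreateRunDir ; then
                logger -s -t "${LOGTAG}" -p "${LOGFACILITY}" "Cannot create ${VARRUNDIR}, not starting"
                return 1
        fi
        # xl2tpd presumably backgrounds itself (the script never waits on it);
        # a non-zero status here means it did not come up, so do not report success.
        if ! xl2tpd ; then
                logger -s -t "${LOGTAG}" -p "${LOGFACILITY}" "Failed to start xl2tpd"
                return 1
        fi
        logger -s -t "${LOGTAG}" -p "${LOGFACILITY}" "Started!"
        #sysctl -p    #Add this if you want to enable IP_FORWARDING in sysctl.conf
  }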
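  Stop()
  {
        # killall matches on process name and fails when nothing is running.
        # That is not an error for "stop", so report it and still return 0;
        # only claim "Stopped!" when a process was actually signalled.
        if killall xl2tpd 2>/dev/null ; then
                logger -s -t "${LOGTAG}" -p "${LOGFACILITY}" "Stopped!"
        else
                logger -s -t "${LOGTAG}" -p "${LOGFACILITY}" "xl2tpd was not running"
        fi
        return 0
  }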
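  # Dispatch on the action given by the init system. The original listing
  # left the "*)" arm empty and had no "esac", so the script was syntactically
  # incomplete; unknown actions now print a usage line and fail.
  case "$1" in
    start)
        Start
    ;;
    stop)
        Stop
    ;;
    restart)
        Stop
        # short pause so the old process is gone before a new one is started
        sleep 1
        Start
    ;;
    *)
        printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
        exit 1
    ;;
  esac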

OK, you're done. To start everything you need to run the following:

/etc/init.d/ipsec start

/etc/init.d/xl2tpd.sh start

Make sure that the PocketU start script (in /etc/rc.d/extensions.d) does not get in your way.

What is left to do for you?

On the client side you have to enter the pre-shared key from l2tp.secrets and the username/password from /etc/ppp/chap-secrets.

That should do the job.

Changes

2010.09.08: Initial Version