IPSec-VPN on Stock Kernel
Attention: Whatever you do, you do it at your own risk.
Prerequisite
You have to have firmware 1.34 already installed and opened for telnet access. If not, you can find a guide here: Open Stock Firmware LS-XHL
For firmwares before 1.34 this may also work, but it is unknown whether the IPSec and xl2tpd packages are in there as well.
What's the aim?
The aim is to realize a VPN-Server that uses L2TP-IPSec as tunneling technology.
Why this, and not PPTP?
The issue with PPTP is that it needs MPPE support within the kernel, which is simply not there.
Therefore we are going to use IPSec and L2TP, which are more secure in most scenarios anyway.
What is needed?
The good news is that everything is already on the box; you don't have to install any external software package at all.
The bad news: the packages are configured for a service called PocketU (available only in Japan). As a matter of fact, boxes outside Japan do not use them at all.
As a general guideline, for an IPSec/L2TP server we need:
IPSec package (here Openswan with pluto), an IPSec configuration and a tunnel configuration
L2TP package (here xl2tpd), an xl2tpd configuration and the PPP options for xl2tpd
How does it work?
The VPN works as follows:
1) An IPSec tunnel is opened (using a pre-shared key or certificates)
2) Within the tunnel, L2TP is used to authenticate the user, and PPP inside it takes care of IP addressing
Configuration
Needed files to be touched / modified:
/etc/init.d/xl2tpd.sh
/etc/ipsec.conf
/etc/ipsec.d/l2tp.conf
/etc/ipsec.d/l2tp.secrets
/etc/xl2tpd/xl2tpd.conf
/etc/ppp/options.xl2tpd
As all these files are already there, make sure you back them up.
Configuring IPSec: modify /etc/ipsec.conf to enable NAT traversal (NAT-T) and to define the private networks:
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug=all
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!YOUR.PRIVATE.NETWORK.ADDR/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    forwardcontrol=no

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/l2tp.conf
Based on this, we add a file called l2tp.conf in /etc/ipsec.d/ to configure our connection:
conn L2TP-PSK
    #type=tunnel
    # Put the address of your LinkStation here
    left=YOUR.LS.IP.ADDR
    # Put your (NAT) gateway address here
    #leftnexthop=
    leftprotoport=udp/l2tp
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=udp/l2tp
    auto=add
    authby=secret
    ike=3des-sha1-modp2048,3des-sha1-modp1024
    pfs=no
    rekey=no
    keyingtries=3
Now let's define the secret (a pre-shared key in this case) for the tunnel in /etc/ipsec.d/l2tp.secrets:
# you can add addresses before the ":" to define for which addresses this key is used
: PSK "PRESHARED-KEY"
This should be sufficient for IPSec itself. You could try to start it with /etc/init.d/ipsec start
For L2TP we need to modify the file /etc/xl2tpd/xl2tpd.conf:
[global]
; Put your LinkStation IP address here
listen-addr = YOUR.LS.IP.ADDR
;
; debug tunnel = yes
; debug packet = yes

[lns default]
; Address range for clients
ip range = 192.168.XX.YYY-192.168.XX.ZZZ
; Put your LinkStation IP address here
local ip = YOUR.LS.IP.ADDR
require chap = yes
refuse pap = yes
require authentication = yes
name = YOUR-VPN-SERVER-NAME
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ppp debug = yes
Now let's tune the PPP options in /etc/ppp/options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
#ms-dns YOUR.DNS.SERVER.ADDR
#refuse-eap
require-mschap
noccp
#nopcomp
#noaccomp
#noauth
auth
crtscts
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
connect-delay 5000
#record /root/pppd.log
#usepeerdns
proxyarp
You need to add CHAP secrets for L2TP in /etc/ppp/chap-secrets. This can be done as you like (there is already some content in that file you can use as a pattern).
Now we need to replace the xl2tpd start script, as the existing one is specific to PocketU. So generate a new start script for xl2tpd in /etc/init.d (xl2tpd.sh) and put this in it:
#!/bin/sh
# Start/stop script for xl2tpd (replaces the PocketU-specific one)

VARRUNDIR=/var/run/xl2tpd
LOGTAG=xl2tpd.sh
LOGFACILITY=local0.info

# xl2tpd needs its run directory for the control socket / pid file
CreateRunDir() {
    if [ -d "${VARRUNDIR}" ] ; then
        return 0
    fi
    mkdir -p "${VARRUNDIR}"
    return $?
}

Start() {
    CreateRunDir
    xl2tpd
    logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Started!"
    #sysctl -p    # Add this if you want to enable IP forwarding via sysctl.conf
}

Stop() {
    killall xl2tpd
    logger -s -t ${LOGTAG} -p ${LOGFACILITY} "Stopped!"
}

case $1 in
    start)
        Start
        ;;
    stop)
        Stop
        ;;
    restart)
        Stop
        sleep 1
        Start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0
OK, you're done. To get things going you need to do the following:
/etc/init.d/ipsec start
/etc/init.d/xl2tpd.sh start
Make sure that the PocketU start script in /etc/rc.d/extensions.d does not get in your way.
What is left to do for you?
On the client side you have to enter the pre-shared key from l2tp.secrets and the username/password from /etc/ppp/chap-secrets.
That should do the job.
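As an added example (not part of the original page), here is a small POSIX shell script to sanity-check the finished setup from the box's shell: it verifies that the two secrets files are mode 600, that the PSK placeholder has been replaced with a reasonably long key (the 20-character minimum is my assumption), that no chap-secrets entry has an empty password, and that the daemons are actually bound to UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP) as seen in netstat -uln. The paths are the ones used above; every function takes its input as an argument or on stdin, so the checks can be tried against other files too.

```shell
#!/bin/sh
# Added example (not from the original page): post-install sanity check for
# the L2TP/IPSec setup described above. Paths are the page's own; the
# functions take a path or stdin so they can be exercised elsewhere.

# Secrets files must be readable by root only (mode 600).
check_secret_perms() {
    file="$1"
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$mode" != "600" ]; then
        echo "WEAK-PERMS $file is mode $mode, expected 600" >&2
        return 1
    fi
    return 0
}

# Pulls the first PSK out of an ipsec.secrets-style file and rejects the
# page's "PRESHARED-KEY" placeholder or a key shorter than 20 characters
# (20 is an assumed minimum, not a value from the page).
check_psk() {
    file="$1"
    psk=$(sed -n 's/^.*:[[:space:]]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$file" | head -n 1)
    [ -n "$psk" ] || { echo "NO-PSK in $file" >&2; return 1; }
    if [ "$psk" = "PRESHARED-KEY" ]; then
        echo "PLACEHOLDER-PSK in $file" >&2
        return 1
    fi
    if [ "${#psk}" -lt 20 ]; then
        echo "SHORT-PSK ${#psk} chars in $file" >&2
        return 1
    fi
    return 0
}

# chap-secrets format: client  server  secret  IP-addresses (one entry per
# line, "#" starts a comment). Prints the number of entries whose secret is
# empty and returns non-zero if there is at least one.
check_chap_secrets() {
    file="$1"
    bad=0
    while read -r client server secret rest; do
        case "$client" in ''|'#'*) continue ;; esac
        case "$secret" in ''|'""'|"''")
            echo "EMPTY-SECRET for user $client" >&2
            bad=$((bad + 1))
            ;;
        esac
    done < "$file"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Reads `netstat -uln` output on stdin and prints each expected UDP port
# (IKE 500, NAT-T 4500, L2TP 1701) that no socket is bound to.
missing_udp_ports() {
    listing=$(cat)
    for port in 500 4500 1701; do
        printf '%s\n' "$listing" | grep -Eq "^udp[[:space:]].*:${port}[[:space:]]" \
            || printf '%s\n' "$port"
    done
}

# Runs every check against the live box; non-zero exit if anything failed.
run_all() {
    rc=0
    check_secret_perms /etc/ipsec.d/l2tp.secrets || rc=1
    check_psk /etc/ipsec.d/l2tp.secrets || rc=1
    check_secret_perms /etc/ppp/chap-secrets || rc=1
    check_chap_secrets /etc/ppp/chap-secrets > /dev/null || rc=1
    missing=$(netstat -uln 2>/dev/null | missing_udp_ports)
    [ -z "$missing" ] || { echo "NOT-LISTENING UDP: $missing" >&2; rc=1; }
    return $rc
}

# Only touch the live system when explicitly asked: sh check-vpn.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all && echo "all checks passed"
fi
```

Run it after both init scripts have been started; a missing 4500 usually means NAT-T is not active, and a non-zero count from check_chap_secrets means a PPP user can log in without a password.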
Changes
2010.09.08: Initial Version