IPSEC/L2TP VPN on Ubuntu 12.10 with OpenSwan, xl2tpd and ppp

[alert style=”green”]This tutorial is originally written by: Remy Van Elst @ www.raymii.org (original post here)[/alert]

 

This is a guide on setting up a IPSEC/L2TP vpn on Ubuntu 12.10 using Openswan as the IPsec server, xl2tpd as the l2tp provider and ppp for authentication. We choose the IPSEC/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs.

This tutorial is tested on a VPS from InceptionHosting.com. They provide excellent VPS servers! If you buy a VPS via this link, you help support me!

IPSec encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. L2TP provides a tunnel to send data. It does not provide encryption and authentication though, that is why we need to use it together with IPSec.

To work trough this tutorial you should have:

  • 1 ubuntu 12.10 server with at least 1 public IP address and root access
  • 1 (or more) clients running an OS that support IPsec/L2tp vpns (Ubuntu, Mac OS, Windows, Android).
  • Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall.

If you are not running Ubuntu 12.10 you might have to compile the packages manually because openswan and xl2tpd in the older repositories seem to have critical bugs which make this all fail.

I do all the steps as the root user. You should do to, but only via * -i* or * su -*. Do not allow root to login via SSH!

Install ppp openswan and xl2tpd

First we will install the required packages:

The openswan installation will ask some questions, this tutorial works with the default answers (just enter through it).

If you do not have lsof installed you also need to install that, otherwise the ipsec verify will fail:

Firewall and sysctl

We are going to set the firewall and make sure the kernel forwards IP packets:

Execute this command to enable the iptables firewall to allow the vpn:

Execute the below commands to enable kernel IP packet forwarding and disable ICP redirects.

/etc/rc.local

To make sure this keeps working at boot you might want to add the following to /etc/rc.local:

There are better ways to do this (via sysctl.conf and ufw for example) but this is something that just works.

Configure Openswan (IPSEC)

Use your favorite editor to edit the following file:

Below is the contents of mine. Most lines have a comment below it explaining what it does.

The shared secret

The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is long and random:

Verify

Now to make sure IPSEC works, execute the following command:

My output looks like this:

The /bin/sh and Opportunistic Encryption warnings can be ignored. The first one is a openswan bug and the second doesnt matter.

Configure xl2tpd

Use your favorite editor to edit the following file:

Below is the contents of mine. Most lines have a comment below it explaining what it does.

  • ip range = range of IPs to give to the connecting clients
  • local ip = IP of VPN server
  • refuse pap = refure pap authentication
  • ppp debug = yes when testing, no when in production

Local user (PAM//etc/passwd) authentication

To use local user accounts via pam (or /etc/passwd), and thus not having plain text user passwords in a text file you have to do a few extra steps. Huge thanks to Sascha Scandella for the hard work and troubleshooting.

In your /etc/xl2tpd/xl2tpd.conf add the following line:

and remove the following line:

In the file /etc/ppp/options.xl2tpd make sure you do not add the following line (below it states to add it, but not if you want to use UNIX authentication):

Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:

Change /etc/pam.d/ppp to this:

Add the following to /etc/ppp/pap-secrets:

(And, skip the chap-secrets file below (adding users).)

Configuring PPP

Use your favorite editor to edit the following file:

Below is the contents of mine. Most lines have a comment below it explaining what it does.

  • ms-dns = The dns to give to the client. I use googles public DNS.
  • proxyarp = Add an entry to this systems ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
  • name l2tpd = is used in the ppp authentication file.

Adding users

Every user should be defined in the /etc/ppp/chap-secrets file. Below is an example file.

  • client = username for the user
  • server = the name we define in the ppp.options file for xl2tpd
  • secret = password for the user
  • IP Address = leave to * for any address or define addresses from were a user can login.

Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

/etc/init.d/ipsec restart;
/etc/init.d/xl2tpd restart;

On the client connect to the server IP address (or add a DNS name) with a valid user, password and the shared secret. Test if you have internet access and which IP you have (via for example http://whatsmyip.org. If it is the VPN servers IP then it works.

Another nice test is to connect multiple clients of which one has a webserver. Make sure it only listens on a VPN IP (172.16.1.xxx in above example). Test if you can access it only via the VPN. You now have a secret webserver.

If you experience problems make sure to check the client log files and the ubuntu /var/log/syslog file. If you google the error messages you most of the time get a good answer.

Sources

http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu http://www.cryptocracy.com/blog/2012/05/13/ipsec-slash-l2tp-vpn-server-with-ubuntu-precise http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

7 comments for “IPSEC/L2TP VPN on Ubuntu 12.10 with OpenSwan, xl2tpd and ppp

  1. March 3, 2013 at 10:32
    • March 3, 2013 at 12:58

      It is now available from here in the comment section 🙂

  2. naveen
    June 8, 2013 at 15:05
  3. Jalindar
    July 11, 2013 at 12:43

    i am trying to setup simplest ipsec. i checked my setting is ok using #ipsec verify and it says OK.

    For simplest configuration i use ip xfrm to set up SA and SP using:

    #HOST A:192.168.77.24
    ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)” 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)” 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

    ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)” 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)” 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

    ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport

    ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport

    #HOST B:192.168.77.23
    ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)” 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)” 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

    ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)” 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)” 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

    ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport

    ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport

    Host A is Linux Ubantu 12.04LTS.
    I check setting SA and SP set using, #ip x s and #ip xfrm policy show. It shows correct setting of the SA and SP.
    But when i ping it shows simple ICMP packet on wireshark where i expect packet should be ESP.
    What that i miss, any clue will be helpful.

    Thanks in advance.

    • July 12, 2013 at 09:54

      Well, To give a correct answer would probably require some hands on and I do not have a setup like this at the moment.

      I have some thought in the back of my head about reading something like this before but can’t remember exactly what it was about.
      You are tapping in on the right interface with wireshark?
      Do you get a reply on your ping/icmp?
      If try some other type of traffic, like http between the two hosts, do you get the correct results?

      Loads of questions in return. Get back to me and we can probably work something out.

      • Jalindar
        July 18, 2013 at 05:28

        I tried with http, it also has the same result no ESP protocol message when tabbed with wireshark. http communication is as usual.

  4. Jalindar
    July 15, 2013 at 05:04

    Yes, I am tapping on the right interface using wireshark,
    I get replay on the ping request.
    As i am trying with ESP transport or even i use ESP tunneling, i think all type of traffic should get secured. but still i will give a try with http.

Leave a Reply

Your email address will not be published. Required fields are marked *