A Virtual Private Network (VPN) is a private communications network, often used by companies or organizations to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network.
There are a number of VPN scenarios in which you would use one; they are as follows:
1. Server to server (encrypted tunnel only)
2. Client to Server (encrypted tunnel and authentication)
3. Client to Client
This document covers scenarios one and two, using IPsec and L2TP. The following diagram provides an overview of the two scenarios:
IPSEC and L2TP
IPsec and L2TP are the two protocols discussed in this document. There are other methods of setting up a VPN, but I have chosen to focus on the L2TP over IPsec method.
Openswan (openswan-2.4.7-1.i686.rpm) can be downloaded from the Internet and is used to install IPsec. You will find that a lot of distributions include Openswan. L2TP can also be downloaded from the Internet as a tarball or RPM (the xl2tpd RPM or the older l2tpd RPM will work fine).
IPsec, which is installed when you install Openswan, allows you to create an encrypted tunnel between two servers that are connected via the Internet.
This means that any traffic between the two servers will be encrypted and thus unreadable to anyone trying to eavesdrop on the data passing between them. Users on either side of the connection can reach each other's network through the encrypted tunnel.
To stop unauthorised parties from connecting to either of the servers, IPsec is set up to authenticate peers with a preshared key, an RSA key, or PKI certificates.
L2TP is used in the client to server scenario, allowing users to log on to the VPN server.
L2TP manages things like the IP address range and the authentication type for the clients who connect.
Once L2TP is installed, the connection uses PPP to handle the client log on.
To install L2TP you will need to install the XL2TPD or the L2TPD package. L2TP runs over IPsec, so IPsec must be installed as well.
VPN config and setup overview
The server to server overview
For a server to server VPN “Pipe” you will only need an IPSEC connection since you won’t be authenticating on either server.
You will only be providing an encrypted tunnel between two networks. Your routing tables need to be configured so that each server knows about the other network.
On the server you will need to do the following, all of which will be explained in detail later:
1. For the server to support VPN you will need to make sure that your server kernel supports IPsec.
2. Download and install "openswan-2.4.7-1.i686.rpm", or install it from your software manager if your distribution includes it.
3. Set ipsec to start at boot, and start the ipsec service.
4. Check that ipsec has started properly with the "ipsec verify" command. Opportunistic Encryption should show as disabled at this stage.
5. Draw a diagram of your network, designating one server as left and the other as right.
6. Left and right parameters must be configured in the /etc/ipsec.conf configuration file. Each server needs to be configured.
7. Setup The RSA Keys on both servers, and restart ipsec.
8. Change firewall settings as needed
9. Initialize the new tunnel
10. Test new tunnel
The client to server Overview
For a client server environment you will need to use L2TP over IPSEC. IPSEC provides the encrypted tunnel and L2TP will be used to manage clients who connect.
During this course you will install XL2TPD, which provides an updated version of L2TP.
To successfully set up a client server connection you will need to do the following:
1. Install IPSEC on the server
2. Install L2TP on the server
3. Edit the /etc/ipsec.conf file to define a connection that accepts clients from anywhere, with authentication handled by PPP.
4. Edit the /etc/xl2tpd/xl2tpd.conf file to define the IP range for incoming client connections and whether the authentication will use PAP or CHAP. Specify your options file (options.l2tpd).
5. Edit the /etc/ppp/chap-secrets file and add in a user name and password for the client who wants to connect.
6. Start your services
7. Connect with a client and test
Server to Server setup
Installing IPSEC (Openswan)
Download and install “openswan-2.4.7-1.i686.rpm” as follows
rpm -i openswan-2.4.7-1.i686.rpm
Check the ipsec installation with the "ipsec verify" command; the check should come back with something like the following:
[root@localhost /]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for ‘ip’ command [OK]
Checking for ‘iptables’ command [OK]
Checking for ‘setkey’ command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
If the IP forwarding check fails, enable IP forwarding by editing the /etc/sysctl.conf file so that it reads "net/ipv4/ip_forward = 1". This makes IP forwarding permanent.
If you only want IP forwarding to work until the next reboot, run "echo 1 > /proc/sys/net/ipv4/ip_forward" at the command prompt instead.
Set ipsec to start at boot with "chkconfig ipsec on". Start the ipsec service with the "service ipsec start" command.
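As an added example (not part of the original course notes), the following POSIX shell helpers automate the two checks just described: scanning "ipsec verify" output for failed items, and making IP forwarding permanent in a sysctl file. The sample verify output is constructed, and the sysctl file path is passed as an argument so the helpers can be exercised on a scratch copy before touching /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example helpers for the "ipsec verify" and IP forwarding checks above.
# Not part of Openswan; the sample output below is constructed.

# check_ipsec_verify: read "ipsec verify" output on stdin. Prints every line
# that is neither [OK] nor [N/A] and returns 1 if any line reports [FAILED].
# [DISABLED] (Opportunistic Encryption) is only reported, not treated as a failure.
check_ipsec_verify() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *'[FAILED]'*)        printf 'FAILED: %s\n' "$line"; rc=1 ;;
            *'[OK]'*|*'[N/A]'*)  ;;
            *'['*']'*)           printf 'NOTE:   %s\n' "$line" ;;
        esac
    done
    return "$rc"
}

# Constructed sample in which the IP forwarding check failed.
SAMPLE_VERIFY='Checking for IPsec support in kernel [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [N/A]
Opportunistic Encryption Support [DISABLED]'

# demo_check: run the constructed sample through check_ipsec_verify (returns 1).
demo_check() {
    printf '%s\n' "$SAMPLE_VERIFY" | check_ipsec_verify
}

# ip_forward_persistent_enabled FILE: 0 when FILE (normally /etc/sysctl.conf)
# has an active ip_forward = 1 line. sysctl accepts both the "net/ipv4/..."
# spelling used in the text and "net.ipv4...", so both are recognised.
ip_forward_persistent_enabled() {
    grep -Eq '^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# enable_ip_forward_persistent FILE: rewrite an existing active ip_forward
# line to "= 1", or append one if there is none. Commented lines are left
# alone; running it twice leaves exactly one active line.
enable_ip_forward_persistent() {
    f="$1"
    if grep -Eq '^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=' "$f"; then
        sed -E 's#^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=.*$#net.ipv4.ip_forward = 1#' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
}

# enable_ip_forward_now: the runtime-only toggle from the text; lost at reboot.
enable_ip_forward_now() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Usage on a real server is `ipsec verify | check_ipsec_verify` followed by `enable_ip_forward_persistent /etc/sysctl.conf && sysctl -p`; the runtime toggle alone is enough for testing, but the tunnel will stop forwarding after the next reboot unless the sysctl file is also changed.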
Server to server diagram
Create a diagram of your server to server physical setup similar to the following:
This diagram will help you when setting up the ipsec.conf file on each server. You will actually need two such diagrams, one for each server, as "left" is local and "right" is remote from the point of view of each server.
Based on the two diagrams of the server to server setup you will need to edit the /etc/ipsec.conf file on each server.
Bear in mind that each server is "left" in relation to the other server, which is "right".
The following list explains the parameters of the /etc/ipsec.conf file (the parameter names are the standard Openswan ones):
left: Internet IP address of the left-hand side VPN device.
leftsubnet: The network protected by the left-hand side VPN device.
leftid: Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an "@" sign. If DNS isn't set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.
leftrsasigkey: The entire RSA signature public key of the left-hand side VPN device. This can be obtained with the "ipsec showhostkey --left" command.
leftnexthop: The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated variable %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
right: Internet IP address of the right-hand side VPN device.
rightsubnet: The network protected by the right-hand side VPN device.
rightid: Fully qualified domain name in DNS of the right-hand side VPN device, preceded by an "@" sign. If DNS isn't set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.
rightrsasigkey: The entire RSA signature public key of the right-hand side VPN device. This can be obtained by going to the other computer and using the "ipsec showhostkey --left" command there.
rightnexthop: The next hop router from the right-hand side VPN device when trying to reach the left-hand side VPN device. You may use the auto-generated variable %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
auto: Whether the tunnel starts automatically; auto=start tells the VPN tunnel to start automatically.
For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
If two servers were configured as follows:
The two ipsec.conf files, with a simple configuration, would look something like the following examples:
Server A ipsec.conf
Server B ipsec.conf
Make sure that there are no blank lines within each "conn" section, and indent each parameter line as in the example. If you don't do this, there will be errors when you try to start the VPN tunnel.
Once you have made changes to the /etc/ipsec.conf file you will need to reload ipsec.
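As an added example (not part of the original course notes and not the missing Server A/B listings), the following POSIX shell script generates the two net-to-net ipsec.conf files from a few variables, with "left" always being the server the file is written for, and then lints them for the layout rule above (parameters indented, no blank line inside a conn). The addresses, hostnames and key placeholders are constructed; real keys come from "ipsec showhostkey --left" on each server.

```shell
#!/bin/sh
# Added example: generate and lint net-to-net ipsec.conf files.
# Topology values below are constructed for illustration only.

# write_net_to_net_conf OUT LOCAL_IP LOCAL_SUBNET LOCAL_FQDN LOCAL_KEY \
#                       REMOTE_IP REMOTE_SUBNET REMOTE_FQDN REMOTE_KEY
# The local server is "left", the remote one "right", as in the text.
# Drop the leftid/rightid lines if DNS is not set up for the addresses.
write_net_to_net_conf() {
    cat > "$1" <<EOF
version 2.0

config setup
    interfaces=%defaultroute

# net-to-net: local side is left, remote side is right
conn net-to-net
    authby=rsasig
    left=$2
    leftsubnet=$3
    leftid=@$4
    leftrsasigkey=$5
    leftnexthop=%defaultroute
    right=$6
    rightsubnet=$7
    rightid=@$8
    rightrsasigkey=$9
    rightnexthop=%defaultroute
    auto=start
EOF
}

# lint_ipsec_conf FILE: 0 if every parameter inside a conn/config section is
# indented and no indented line appears outside a section (which is what a
# blank line in the middle of a conn produces). Problems are printed.
lint_ipsec_conf() {
    awk '
        /^[[:space:]]*$/ { in_section = 0; next }
        /^[[:space:]]*#/ { next }
        /^(conn|config)[[:space:]]/ { in_section = 1; next }
        /^[[:space:]]/ {
            if (!in_section) {
                printf "line %d: indented parameter outside a section (blank line inside a conn?)\n", NR
                bad = 1
            }
            next
        }
        {
            if (in_section) {
                printf "line %d: parameter not indented: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed topology (example values only; documentation ranges).
A_IP=198.51.100.10; A_NET=192.168.1.0/24; A_NAME=vpna.example.com
B_IP=203.0.113.20;  B_NET=192.168.2.0/24; B_NAME=vpnb.example.com
A_KEY=0sREPLACE_WITH_ipsec_showhostkey_OUTPUT_FROM_A
B_KEY=0sREPLACE_WITH_ipsec_showhostkey_OUTPUT_FROM_B

# write_example_pair DIR: DIR/ipsec.conf.A for server A, DIR/ipsec.conf.B for
# server B, each with itself as "left".
write_example_pair() {
    write_net_to_net_conf "$1/ipsec.conf.A" "$A_IP" "$A_NET" "$A_NAME" "$A_KEY" \
                          "$B_IP" "$B_NET" "$B_NAME" "$B_KEY"
    write_net_to_net_conf "$1/ipsec.conf.B" "$B_IP" "$B_NET" "$B_NAME" "$B_KEY" \
                          "$A_IP" "$A_NET" "$A_NAME" "$A_KEY"
}
```

Running `lint_ipsec_conf /etc/ipsec.conf` before `service ipsec reload` catches the indentation and blank-line mistakes described above without having to interpret pluto's error messages.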
Initializing the VPN tunnel and checking VPN status
To initialize the VPN tunnel, type "ipsec auto --up net-to-net" at the command prompt. If you are returned to the command prompt without error then you have probably configured the VPN tunnel correctly.
To make sure, check the status of the VPN tunnel with the "ipsec auto --status" command.
Make sure that the routing on both servers has been set up correctly. You will need this if you want to pass traffic between the two networks.
Client to server setup
When setting up the server there are essentially three things that need to be setup:
ipsec (provides encrypted tunnel)
l2tp (manages connection)
ppp (provides the PPP connection and authentication)
Once these have been setup you will need to restart all the relevant services.
You will need to edit the /etc/ipsec.conf and /etc/ipsec.secrets files.
Edit /etc/ipsec.conf to include the following:
In the above example you have specified the following:
conn: the name of the connection, in this case L2TP-PSK.
authby: tells IPsec what authentication to use. In this case "secret", because we want to use PPP for user authentication.
left: the local address. You can use %defaultroute if the default gateway is to be used; otherwise specify an IP address.
leftprotoport: defines the protocol and port. In this case 17/1701 means protocol 17 (UDP) and port 1701.
pfs: whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier); acceptable values are yes (the default) and no.
rekey: whether a connection should be renegotiated when it is about to expire; acceptable values are yes (the default) and no.
keyingtries: how many attempts (a whole number or %forever) should be made to negotiate a connection, or a replacement for one, before giving up (default %forever). The value %forever means
right: IP address of the incoming connection.
For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
You will need to add a PSK key to the end of the file. The following represents the last few lines of the /etc/ipsec.secrets file where : PSK “HPGWthisisakey” has been added:
# do not change the indenting of that “}”
: PSK “HPGWthisisakey”
Next you will need to download and install L2TP. For the course we will use "xl2tpd-1.1.06-4.i386.rpm". This will install XL2TPD.
Once you have installed this you will need to edit the /etc/xl2tpd/xl2tpd.conf file as follows:
ip range = 10.0.0.10-10.0.0.20
local ip = 10.0.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
The parameters you need to check are as follows:
ip range: the IP range handed out to incoming connections.
local ip: the IP address of the server.
require chap: "yes" tells the server to use chap-secrets. chap-secrets can be used by Microsoft clients.
refuse pap: "yes" tells the server not to use PAP.
require authentication: tells the server to require authentication.
pppoptfile: make sure that this path reflects the correct path to the options.xl2tpd file, which is usually found in the /etc/ppp/ directory.
There are two files in the /etc/ppp directory you need for PPP to work properly with L2TP:
chap-secrets or pap-secrets (depending on your authentication method)
options.xl2tpd (There is usually no need to edit this file)
To edit the chap-secrets, browse to the /etc/ppp/chap-secrets and add in the VPN users as required. The following is an example of the format:
# Secrets for authentication using CHAP
# client server secret IP addresses
peter * password *
In the above example, the user name is “peter” and the password is “password”
There is usually no need to edit options.xl2tpd, but should you need to, you will find it in /etc/ppp/.
This file needs to be there even if you don’t need to edit it. By default the file will look like the following:
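The three pieces of client to server configuration above (the L2TP-PSK conn and its preshared key, the xl2tpd.conf address pool, and the chap-secrets user list) fit together as follows. This is an added example written for this page, not the course's own files or xl2tpd's: it writes each file under a ROOT prefix so it can be exercised on a scratch tree, and adds an audit that refuses short PSKs, empty CHAP passwords and secrets files readable by other users. The addresses, user name and the pfs/rekey/keyingtries values are assumptions for the example.

```shell
#!/bin/sh
# Added example: write and audit the L2TP over IPsec server files.
# ROOT is a directory prefix (use ROOT=/ on a real server).

# /etc/ipsec.conf: road-warrior conn accepting L2TP (UDP 1701) from any address.
write_l2tp_psk_conn() {  # ROOT SERVER_IP
    mkdir -p "$1/etc"
    cat > "$1/etc/ipsec.conf" <<EOF
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=$2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
EOF
}

# /etc/ipsec.secrets: one PSK shared by every road-warrior client, so it must
# be long and random, and the file must be readable by root only.
write_ipsec_secrets() {  # ROOT PSK
    case "$2" in *\"*) echo 'PSK must not contain a double quote' >&2; return 1 ;; esac
    [ "${#2}" -ge 20 ] || { echo 'PSK shorter than 20 characters refused' >&2; return 1; }
    mkdir -p "$1/etc"
    printf ': PSK "%s"\n' "$2" > "$1/etc/ipsec.secrets"
    chmod 600 "$1/etc/ipsec.secrets"
}

# /etc/xl2tpd/xl2tpd.conf: address pool and CHAP-only authentication.
write_xl2tpd_conf() {  # ROOT LOCAL_IP RANGE
    mkdir -p "$1/etc/xl2tpd"
    cat > "$1/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
port = 1701

[lns default]
ip range = $3
local ip = $2
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
}

# /etc/ppp/chap-secrets: "client server secret IP" lines; refuses empty passwords.
add_chap_user() {  # ROOT USER PASSWORD
    [ -n "$3" ] || { echo "refusing empty password for $2" >&2; return 1; }
    mkdir -p "$1/etc/ppp"
    f="$1/etc/ppp/chap-secrets"
    [ -f "$f" ] || printf '# client\tserver\tsecret\tIP addresses\n' > "$f"
    printf '%s\t*\t"%s"\t*\n' "$2" "$3" >> "$f"
    chmod 600 "$f"
}

# audit_secrets ROOT: 0 only if both secrets files exist, are mode 600, and no
# CHAP entry has an empty secret (catches hand edits that bypass add_chap_user).
audit_secrets() {
    rc=0
    for f in "$1/etc/ipsec.secrets" "$1/etc/ppp/chap-secrets"; do
        [ -f "$f" ] || { echo "missing $f" >&2; rc=1; continue; }
        [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f is readable by others" >&2; rc=1; }
    done
    awk '!/^[[:space:]]*(#|$)/ && (NF < 3 || $3 == "\"\"") { print "empty secret for " $1 > "/dev/stderr"; bad = 1 }
         END { exit bad }' "$1/etc/ppp/chap-secrets" 2>/dev/null || rc=1
    return "$rc"
}
```

After writing the files on a real server, run `audit_secrets /` and then restart ipsec and xl2tpd; the PSK in ipsec.secrets is the "code" entered in the Windows client's IPSec settings, and the chap-secrets entry is the user name and password the client is prompted for.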
The most common client is the Microsoft Windows client. The following will demonstrate how to connect a Windows client to a Linux based VPN server.
In order to connect to a VPN server you will need to do the following:
1. Open the “control panel” and double click on “Network Connections”
2. Click on “create a new connection”
3. Follow the Wizard.
Once you have gone through the wizard, you need to “Right click” on the connection and select “properties”:
4. Go to the "Networking" tab and change the "Type of VPN" to "L2TP IPSec VPN"
5. Next go to the “Security” tab and click on “IPSec Setting” and put in the “code” that you put in the “/etc/ipsec.secrets” file.
7. Test the connection, you should be asked for your user name and password. Use the user and password you created in the /etc/ppp/chap-secrets file.