Setting up VPN

September 16, 2009

A Virtual Private Network (VPN) is a private communications network, often used by companies or organizations, to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network.
VPN Scenario
There are a number of VPN scenarios you might use; these are as follows:
1. Server to server (encrypted tunnel only)
2. Client to server (encrypted tunnel and authentication)
3. Client to client
As far as this document goes we will be considering scenarios one and two. We will be using IPSEC and L2TP. The following diagram provides an overview of the two scenarios:
[Diagram: overview of the server to server and client to server scenarios]
IPSEC and L2TP
IPSEC and L2TP are the two protocols discussed in this document. There are other methods of setting up a VPN, but I have chosen to focus on the L2TP over IPSEC method.
Openswan (openswan-2.4.7-1.i686.rpm) can be downloaded from the Internet and is used to install IPSEC. You will find that a lot of distributions include Openswan. L2TP can also be downloaded from the Internet in the form of a tarball or RPM (the xl2tpd RPM or the older l2tpd RPM will work fine).
IPSEC
IPSEC, which is installed when you install Openswan, allows you to create an encrypted tunnel between two servers that are connected via the Internet.
This means that any traffic between the two servers will be encrypted and thus unreadable to anyone trying to "eavesdrop" on the data passing between them. Users on either side of the connection can reach the other network through the encrypted tunnel.
To stop unauthorized hosts from connecting to either of the servers, IPSEC is set up to authenticate the peer with either a "Preshared key", an "RSA key" or "PKI Certs".
[Diagram: IPSEC encrypted tunnel between two servers]
L2TP
L2TP will be used in a client server scenario, allowing the users to “log on” to the VPN server.
L2TP is used to manage things like IP address range and authentication type for the clients who connect.
Once L2TP is installed, the connection will use PPP to administer the client log on.
In order to install L2TP you will need to install the XL2TPD or the L2TPD package. L2TP runs over IPSEC, so you need to install IPSEC as well for L2TP to work.


VPN config and setup overview
The server to server overview
For a server to server VPN "pipe" you will only need an IPSEC connection, since you won't be authenticating users on either server.
You will only be providing an encrypted tunnel between two networks. Your routing tables need to be configured so that each server knows about the other network.
On the server you will need to do the following, all of which will be explained in detail later:
1. For the server to support VPN you will need to make sure that your server kernel supports IPSEC.
2. Download and install "openswan-2.4.7-1.i686.rpm", or install it from your software manager if your distribution includes it.
3. Set ipsec to start at boot, and start the ipsec service.
4. Check that ipsec has started properly with the "ipsec verify" command. The encryption should be disabled at this stage.
5. Draw your network as described below, designating one server as left and one as right.
6. Configure the left and right parameters in the /etc/ipsec.conf configuration file. Each server needs to be configured.
7. Set up the RSA keys on both servers, and restart ipsec.
8. Change firewall settings as needed.
9. Initialize the new tunnel.
10. Test the new tunnel.
The client to server Overview
For a client to server environment you will need to use L2TP over IPSEC. IPSEC provides the encrypted tunnel and L2TP is used to manage the clients who connect.
During this course you will install XL2TPD, which provides an updated version of L2TP.
To successfully set up a client to server connection you will need to do the following:
1. Install IPSEC on the server.
2. Install L2TP on the server.
3. Edit the /etc/ipsec.conf file to define a connection that accepts clients from anywhere, with user authentication done by PPP.
4. Edit the /etc/xl2tpd/xl2tpd.conf file to define the IP range for incoming client connections and whether the authentication will use PAP or CHAP, and specify your options file (options.xl2tpd).
5. Edit the /etc/ppp/chap-secrets file and add a user name and password for the client who wants to connect.
6. Start your services.
7. Connect with a client and test.
Server to Server setup
Installing IPSEC (Openswan)
Download and install "openswan-2.4.7-1.i686.rpm" as follows:
rpm -i openswan-2.4.7-1.i686.rpm
Check the ipsec installation with the "ipsec verify" command. This check should come back with something like the following:
——————————————————————————————————————————
[root@localhost /]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for ‘ip’ command                                       [OK]
Checking for ‘iptables’ command                                 [OK]
Checking for ‘setkey’ command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@localhost /]#
————————————————————————————————————————
If "IP forwarding" fails then you will need to enable IP forwarding by editing the /etc/sysctl.conf file and making sure it reads "net.ipv4.ip_forward = 1". This will make IP forwarding permanent.
TIP
If you only want IP forwarding to work until the next reboot, then use the command echo 1 > /proc/sys/net/ipv4/ip_forward at the command prompt.
Starting IPSEC
Set ipsec to start at boot with “chkconfig ipsec on”. Start the ipsec service with the “service ipsec start” command.
Server to server diagram
Create a diagram of your server to server physical setup similar to the following:
[Diagram: server to server physical setup]
This diagram will help you when setting up your ipsec.conf files on each server. You will actually need two such diagrams, one for each server, as "left" is local and "right" is remote from the point of view of each server.
Configuring ipsec.conf
Based on the two diagrams of the server to server setup you will need to edit the "/etc/ipsec.conf" file on each server.
Bear in mind that each server is "left" in relation to the other server, which is "right".
The following explains the parameters used in the "/etc/ipsec.conf" file:
left: Internet IP address of the left-hand side VPN device.
leftsubnet: The network protected by the left-hand side VPN device.
leftid: Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an "@" sign. If DNS isn't set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.
leftrsasigkey: The entire RSA signature public key of the left-hand side VPN device. This can be obtained with the "ipsec showhostkey --left" command.
leftnexthop: The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated value %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
right: Internet IP address of the right-hand side VPN device.
rightsubnet: The network protected by the right-hand side VPN device.
rightid: Fully qualified domain name in DNS of the right-hand side VPN device, preceded by an "@" sign. If DNS isn't set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.
rightrsasigkey: The entire RSA signature public key of the right-hand side VPN device. This can be obtained by going to the other computer and running "ipsec showhostkey --right" there (that prints the same host key, labelled for the right-hand side).
rightnexthop: The next hop router from the right-hand side VPN device when trying to reach the left-hand side VPN device. You may use the auto-generated value %defaultroute, which is valid in most cases, or the actual IP address of the next hop router where the next hop is not the default router.
auto: Whether the connection is loaded or started automatically when ipsec starts. The examples below use auto=start, which brings the tunnel up automatically.

For other acceptable parameters see http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
If two servers were configured as follows:
[Diagram: example addressing for Server A and Server B]
The two ipsec.conf files, with a simple configuration, would look something like the following examples:
Server A ipsec.conf
——————————————————————————————————————————
conn net-to-net
        auto=start
        left=196.36.13.202
        leftid=@196.36.13.202
        leftrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
        leftsubnet=192.168.20.0/24
        leftnexthop=%defaultroute
        right=196.36.13.204
        rightid=@196.36.13.204
        rightsubnet=10.0.0.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
——————————————————————————————————————————
Server B ipsec.conf
——————————————————————————————————————————
conn net-to-net
        auto=start
        left=196.36.13.204
        leftid=@196.36.13.204
        leftrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
        leftsubnet=10.0.0.0/24
        leftnexthop=%defaultroute
        right=196.36.13.202
        rightid=@196.36.13.202
        rightsubnet=192.168.20.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
——————————————————————————————————————————
Make sure that there are no blank lines within a "conn" section, and that each parameter line is indented as in the example. If you don't do this there will be errors when you try to start the VPN tunnel.
Once you have made changes to the /etc/ipsec.conf file you will need to restart the ipsec service so that the new configuration is loaded.
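Because each server's ipsec.conf is the mirror image of the other's, a transposed subnet or a key pasted on the wrong side is easy to miss by eye. The following script is an added example, not part of the original article and not an Openswan tool: it parses two ipsec.conf files, reports blank lines inside a conn section and unindented parameter lines, and checks that every left* value on one server equals the corresponding right* value on the other (side-less settings such as auto= must simply match). The sample files embedded in it are constructed from the article's addresses, with placeholder strings in place of the RSA keys.

```python
"""Check that two Openswan ipsec.conf files describe one net-to-net tunnel
from opposite ends, and flag the layout mistakes the article warns about.
Added example; the RSA keys below are placeholders, not real keys."""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]
SWAP = {"left": "right", "right": "left"}

# Constructed samples modelled on the article's Server A / Server B files.
SERVER_A = """\
conn net-to-net
\tauto=start
\tleft=196.36.13.202
\tleftid=@196.36.13.202
\tleftrsasigkey=0sPLACEHOLDER-KEY-A
\tleftsubnet=192.168.20.0/24
\tleftnexthop=%defaultroute
\tright=196.36.13.204
\trightid=@196.36.13.204
\trightsubnet=10.0.0.0/24
\trightnexthop=%defaultroute
\trightrsasigkey=0sPLACEHOLDER-KEY-B
"""
SERVER_B_OK = """\
conn net-to-net
\tauto=start
\tleft=196.36.13.204
\tleftid=@196.36.13.204
\tleftrsasigkey=0sPLACEHOLDER-KEY-B
\tleftsubnet=10.0.0.0/24
\tleftnexthop=%defaultroute
\tright=196.36.13.202
\trightid=@196.36.13.202
\trightsubnet=192.168.20.0/24
\trightnexthop=%defaultroute
\trightrsasigkey=0sPLACEHOLDER-KEY-A
"""
# Same file with a blank line inside the section and the far subnet mistyped.
SERVER_B_BAD = (SERVER_B_OK.replace("202\n\trightsubnet", "202\n\n\trightsubnet")
                .replace("192.168.20.0/24", "192.168.0.0/24"))


def parse_ipsec_conf(text: str) -> Tuple[Dict[str, Section], List[str]]:
    """Return ({"conn NAME" or "config setup": {param: value}}, [layout problems])."""
    sections: Dict[str, Section] = {}
    problems: List[str] = []
    current, blank_at = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if not line.strip():
            blank_at = lineno                           # only a problem if parameters follow
            continue
        if re.match(r"^(version|include)\s", line):     # file-level directives
            continue
        header = re.match(r"^(conn\s+\S+|config\s+setup)\s*$", line)
        if header:
            current = re.sub(r"\s+", " ", header.group(1))
            sections[current], blank_at = {}, None
            continue
        key, sep, value = line.strip().partition("=")
        key = key.strip()
        if not sep:
            problems.append(f"line {lineno}: cannot parse {line.strip()!r}")
            continue
        if not raw[0].isspace():
            problems.append(f"line {lineno}: parameter {key!r} is not indented")
        if current is None:
            problems.append(f"line {lineno}: parameter {key!r} before any section")
            continue
        if blank_at is not None:
            problems.append(f"line {blank_at}: blank line inside {current}")
            blank_at = None
        sections[current][key] = value.strip()
    return sections, problems


def mirror_problems(a: Section, b: Section) -> List[str]:
    """Settings that do not line up when A and B are the two ends of one tunnel."""
    def counterpart(key: str) -> str:
        for side, other in SWAP.items():
            if key.startswith(side):
                return other + key[len(side):]
        return key                                      # side-less setting, e.g. auto=
    out = [f"A {k}={v} but B {counterpart(k)}={b.get(counterpart(k))}"
           for k, v in a.items() if b.get(counterpart(k)) != v]
    out += [f"B sets {k} but A has no {counterpart(k)}" for k in b if counterpart(k) not in a]
    return out


def check_pair(text_a: str, text_b: str, conn: str = "net-to-net") -> List[str]:
    """All layout problems in either file plus every mismatch between the two ends."""
    secs_a, probs_a = parse_ipsec_conf(text_a)
    secs_b, probs_b = parse_ipsec_conf(text_b)
    problems = [f"A: {p}" for p in probs_a] + [f"B: {p}" for p in probs_b]
    a, b = secs_a.get(f"conn {conn}"), secs_b.get(f"conn {conn}")
    if a is None or b is None:
        return problems + [f"conn {conn} is missing from " + ("A" if a is None else "B")]
    return problems + mirror_problems(a, b)


if __name__ == "__main__":
    for label, b in (("matching", SERVER_B_OK), ("broken", SERVER_B_BAD)):
        print(label, check_pair(SERVER_A, b) or "OK")
```

Run it as a script to see the matching pair pass and the deliberately broken pair fail; on real servers, feed check_pair the contents of both /etc/ipsec.conf files before restarting ipsec.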
Initializing the VPN tunnel and checking VPN status
To initialize the VPN tunnel, type "ipsec auto --up net-to-net" at the command prompt. If you are returned to the command prompt without an error then you have probably configured the VPN tunnel correctly.
To make sure, check the status of the VPN tunnel with the "ipsec auto --status" command.
Other concerns
Make sure that the routing on both servers has been set up correctly. You will need this if you want to pass traffic between the two networks.
Client to server setup
Server setup
When setting up the server there are essentially three things that need to be set up:
ipsec (provides the encrypted tunnel)
l2tp (manages the connection)
ppp (provides the PPP connection and authentication)
Once these have been setup you will need to restart all the relevant services.
You will need to edit the /etc/ipsec.conf and /etc/ipsec.secrets files.
ipsec.conf
Edit /etc/ipsec.conf to include the following:
————————————————————————————————————————
conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add
————————————————————————————————————————
In the above example you have specified the following:
conn: the name of the connection, in this case L2TP-PSK.
authby: tells IPSEC what authentication to use. In this case "secret", a preshared key from /etc/ipsec.secrets, because the users themselves will be authenticated by PPP.
left: the local address. Use %defaultroute if the interface of the default gateway is to be used, otherwise specify an IP address.
leftprotoport: defines the protocol and port. In this case 17/1701 means protocol 17 (UDP) and port 1701 (L2TP).
pfs: whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier); acceptable values are yes (the default) and no.
rekey: whether a connection should be renegotiated when it is about to expire; acceptable values are yes (the default) and no.
keyingtries: how many attempts (a whole number or %forever) should be made to negotiate a connection, or a replacement for one, before giving up (default %forever). The value %forever means
right: the IP address of the incoming connection; %any accepts clients from any address.
For other acceptable parameters see http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
ipsec.secrets
You will need to add a PSK key to the end of the file. The following represents the last few lines of the /etc/ipsec.secrets file where : PSK “HPGWthisisakey” has been added:
—————————————————————————————————————————
dca39469c5dd31ad50f9a58d147b178b99f24139a9bd359ede3adf832a2b562b87220d2a2e031
}
# do not change the indenting of that “}”

: PSK “HPGWthisisakey”
—————————————————————————————————————————–
L2TP
Next you will need to download and install L2TP. For the course we will use "xl2tpd-1.1.06-4.i386.rpm". This will install XL2TPD.
Once you have installed this you will need to edit the /etc/xl2tpd/xl2tpd.conf file so that its [lns default] section reads as follows:
——————————————————————————————————————————-
[lns default]
ip range = 10.0.0.10-10.0.0.20
local ip = 10.0.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
——————————————————————————————————————————-
The parameters you need to check are as follows:
ip range: the range of IP addresses handed out to incoming client connections.
local ip: the IP address of the server's end of the PPP link.
require chap: "yes" tells the server to use CHAP, and therefore chap-secrets. CHAP can be used by Microsoft clients.
refuse pap: "yes" tells the server not to accept PAP.
require authentication: tells the server to require authentication.
pppoptfile: make sure that this is the correct path to the options.xl2tpd file, which is usually found in the /etc/ppp/ directory.
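The following is an added example, not part of the article or of the xl2tpd project, that checks an xl2tpd.conf against the parameters listed above: the three settings that must be "yes", an absolute pppoptfile path, and an ip range that is well formed and does not contain the server's local ip. The embedded sample is constructed from the article's values, and the [lns default] section name is the one xl2tpd uses for these settings.

```python
"""Audit the [lns default] section of an xl2tpd.conf for the settings the
article says to check.  Added example; xl2tpd.conf is INI-style, so the
standard configparser can read it, and ipaddress checks the client range."""
import configparser
import ipaddress
from typing import List

# Constructed sample matching the article's values.
SAMPLE_XL2TPD_CONF = """\
[global]
port = 1701

[lns default]
ip range = 10.0.0.10-10.0.0.20
local ip = 10.0.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
"""

# The article's three authentication settings that must all be enabled.
MUST_BE_YES = ("require chap", "refuse pap", "require authentication")


def audit_xl2tpd(text: str, lns: str = "lns default") -> List[str]:
    """Return a list of findings; an empty list means the section passes."""
    cp = configparser.ConfigParser(interpolation=None)   # no '%' interpolation
    cp.read_string(text)
    if not cp.has_section(lns):
        return [f"missing [{lns}] section"]
    sec = cp[lns]
    findings: List[str] = []
    for key in MUST_BE_YES:
        if sec.get(key, "").strip().lower() != "yes":
            findings.append(f"{key} should be yes (got {sec.get(key)!r})")
    opt = sec.get("pppoptfile", "")
    if not opt.startswith("/"):
        findings.append(f"pppoptfile should be an absolute path (got {opt!r})")
    try:
        local = ipaddress.ip_address(sec["local ip"])
        lo, hi = (ipaddress.ip_address(p.strip()) for p in sec["ip range"].split("-"))
        if lo > hi:
            findings.append(f"ip range {lo}-{hi} is reversed")
        elif lo <= local <= hi:
            findings.append(f"local ip {local} lies inside the client range {lo}-{hi}")
    except (KeyError, ValueError, TypeError) as exc:   # missing key, bad address, mixed families
        findings.append(f"ip range / local ip unusable: {exc}")
    return findings


if __name__ == "__main__":
    print(audit_xl2tpd(SAMPLE_XL2TPD_CONF) or "xl2tpd.conf passes")
```

To check a live server, read /etc/xl2tpd/xl2tpd.conf into a string and pass it to audit_xl2tpd before restarting the service.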

PPP
There are two files in the /etc/ppp directory you need for PPP to work properly with L2TP:
chap-secrets or pap-secrets (depending on your authentication method)
options.xl2tpd (There is usually no need to edit this file)
To edit the chap-secrets, browse to the /etc/ppp/chap-secrets and add in the VPN users as required. The following is an example of the format:
————————————————————————————————————————–
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
peter   *       password        *
————————————————————————————————————————–
In the above example, the user name is “peter” and the password is “password”
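The chap-secrets file above and the /etc/ipsec.secrets file shown earlier both store their secrets in clear text, so the file mode and the strength of the entries are what a defender checks. The following is an added example, not from the article: it parses both formats (the quoted PSK form shown in the article; hex PSKs are not handled), flags secrets shorter than a chosen length or on a small list of trivial values, and reports a file that group or other can read. The sample entries, the 12-character threshold and the trivial-value list are assumptions made for the example.

```python
"""Audit the clear-text secret files an L2TP/IPsec server relies on:
/etc/ppp/chap-secrets (CHAP user passwords) and /etc/ipsec.secrets (the
preshared key).  Added example; samples and thresholds are constructed."""
import os
import re
import shlex
import stat
import tempfile
from typing import List, Tuple

SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
peter   *       password        *
alice   *       "correct horse battery"   10.0.0.12
"""
SAMPLE_IPSEC_SECRETS = ': PSK "HPGWthisisakey"\n'

TRIVIAL = {"password", "secret", "changeme", "123456"}      # assumed deny-list
PSK_LINE = re.compile(r'^\s*([^:#]*?)\s*:\s*PSK\s+"([^"]*)"')


def parse_chap_secrets(text: str) -> List[Tuple[str, str, str, str]]:
    """(client, server, secret, addresses) per entry; quoted fields are honoured."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue                                         # not a usable entry
        client, server, secret = fields[:3]
        entries.append((client, server, secret, " ".join(fields[3:]) or "*"))
    return entries


def parse_ipsec_psks(text: str) -> List[Tuple[str, str]]:
    """(selector, psk) for each quoted PSK line; an empty selector means any peer."""
    return [(m.group(1) or "%any", m.group(2))
            for m in map(PSK_LINE.match, text.splitlines()) if m]


def weak_secrets(chap_text: str, ipsec_text: str, min_len: int = 12) -> List[str]:
    """Entries whose secret is shorter than min_len or is a well-known trivial value."""
    def weak(s: str) -> bool:
        return len(s) < min_len or s.lower() in TRIVIAL
    findings = [f"chap-secrets: user {client!r} has a weak secret"
                for client, _, secret, _ in parse_chap_secrets(chap_text) if weak(secret)]
    findings += [f"ipsec.secrets: PSK for {sel} is weak"
                 for sel, psk in parse_ipsec_psks(ipsec_text) if weak(psk)]
    return findings


def permission_findings(path: str) -> List[str]:
    """Secret files should be mode 0600, readable by their owner (root) only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is readable by group/other; expected 0600"]
    return []


def demo_permission_check(mode: int) -> List[str]:
    """Write the constructed chap-secrets sample to a temp file with MODE and audit it."""
    fd, path = tempfile.mkstemp(prefix="chap-secrets-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CHAP_SECRETS)
        os.chmod(path, mode)
        return permission_findings(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(weak_secrets(SAMPLE_CHAP_SECRETS, SAMPLE_IPSEC_SECRETS))
    print(demo_permission_check(0o644))
```

On a real server, call permission_findings on /etc/ppp/chap-secrets and /etc/ipsec.secrets and pass the two files' contents to weak_secrets; the "password" entry from the article's example is exactly the kind of value it reports.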
There is usually no need to edit options.xl2tpd, but should you need to, it is found in /etc/ppp/.
This file needs to exist even if you don't need to edit it. By default the file will look like the following:
————————————————————————————————————————–
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
ms-dns  192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
————————————————————————————————————————-

Client setup
The most common client is the Microsoft Windows client. The following demonstrates how to connect a Windows client to a Linux based VPN server.
In order to connect to the VPN server you will need to do the following:
1. Open the "Control Panel" and double click on "Network Connections".
2. Click on "Create a new connection".
3. Follow the wizard.
Once you have gone through the wizard, right click on the new connection and select "Properties":
4. Go to the "Networking" tab and change the "Type of VPN" to "L2TP IPSec VPN".
5. Next go to the "Security" tab, click on "IPSec Settings" and enter the preshared key that you put in the "/etc/ipsec.secrets" file.
6. Test the connection. You should be asked for your user name and password; use the user and password you created in the /etc/ppp/chap-secrets file.
