Difference between revisions of "IPSEC/L2TP VPN Server"

From Amahi Wiki
Jump to: navigation, search
 
(24 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
heading =WARNING|
 
heading =WARNING|
 
message = This is recommended only for advanced users, proceed with caution.}}
 
message = This is recommended only for advanced users, proceed with caution.}}
This is a IPSEC/L2TP VPN server implementation for Fedora 14 that allows Android OS (2.3.5 or less) devices to connect to your HDA.  It has been tested with Android OS 2.3.5 via [http://www.samsung.com/us/mobile/cell-phones/SGH-I727MSAATT Samsung Galaxy S™ II Skyrocket™].  It may not work for all Android devices or may require some modification.
+
 
 +
{{NeedsUpdate}}
 +
 
 +
 
 +
This is a IPsec/L2TP VPN server implementation for Fedora 14 that allows Android OS (2.3.5 or less) devices to connect to your HDA.  It has been tested with Android OS 2.3.5 via [http://www.samsung.com/us/mobile/cell-phones/SGH-I727MSAATT Samsung Galaxy S™ II Skyrocket™].  It may not work for all Android devices or may require some modification.
  
 
===Setup===
 
===Setup===
 
Install the packages first as root user:
 
Install the packages first as root user:
{{Code|yum -y install openswan xl2tpd}}
+
yum -y install openswan xl2tpd
  
 
====Configure Openswan====
 
====Configure Openswan====
  
*Edit '''''/etc/ipsec.conf''''' with your favorite editor and update as follows ('''NOTE:'''  Replace the ''{HDA IP Address}'' i.e. 192.168.0.10, ''{Router IP Address}'' i.e. 192.168.0.1, and xxx.xxx.xxx.xxx/24 i.e. 192.168.0.0/24 with the correct IP addresses for your network):
+
*Edit '''''/etc/ipsec.conf''''' with your favorite editor and update as follows ('''NOTE:'''  Replace the ''{HDA IP Address}'' i.e. 192.168.0.10 and xxx.xxx.xxx.xxx/24 i.e. 192.168.0.0/24 with the correct IP addresses for your network):
{{Text|Text=config setup
+
<pre>
 +
config setup
 
         protostack=netkey
 
         protostack=netkey
 
         nat_traversal=yes
 
         nat_traversal=yes
Line 19: Line 24:
 
         oe=off
 
         oe=off
 
         nhelpers=0
 
         nhelpers=0
 
+
<nowiki></nowiki>
conn L2TP-PSK
+
conn L2TP-PSK-NAT
        authby=secret
+
    rightsubnet=vhost:%priv
        pfs=no
+
    also=L2TP-PSK-noNAT
        auto=add
+
<nowiki></nowiki>
        keyingtries=3
+
conn L2TP-PSK-noNAT
        rekey=no
+
    authby=secret
        ikelifetime=8h
+
    pfs=no
        keylife=1h
+
    auto=add
        type=transport
+
    keyingtries=3
        left={HDA IP Address}
+
    rekey=no
        leftprotoport=17/1701
+
    ikelifetime=8h
        leftnexthop={Router IP Address}
+
    keylife=1h
        right=%any
+
    type=transport
        rightprotoport=17/0
+
    left=<nowiki>{HDA IP Address}</nowiki>
        rightsubnet=vhost:%no,%priv}}
+
    leftprotoport=17/1701
 +
    right=%any
 +
    rightprotoport=17/%any</pre>
  
  
 
* Add the following to '''''/etc/ipsec.d/hda.secrets''''':
 
* Add the following to '''''/etc/ipsec.d/hda.secrets''''':
{{Text|{HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"}}
+
{HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"
  
  
 
* Edit '''''/etc/sysctl.conf''''' and add following to the file:
 
* Edit '''''/etc/sysctl.conf''''' and add following to the file:
{{Text|Text=net.ipv4.ip_forward = 1
+
<pre>
 +
net.ipv4.ip_forward = 1
 
net.ipv4.conf.default.accept_redirects = 0
 
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0}}
+
net.ipv4.conf.default.send_redirects = 0</pre>
  
  
 
* In the same file, disable the following by adding a #:
 
* In the same file, disable the following by adding a #:
{{Text|Text=<nowiki>#</nowiki>net.bridge.bridge-nf-call-ip6tables = 0
+
<pre>
 +
<nowiki>#</nowiki>net.bridge.bridge-nf-call-ip6tables = 0
 
<nowiki>#</nowiki>net.bridge.bridge-nf-call-iptables = 0
 
<nowiki>#</nowiki>net.bridge.bridge-nf-call-iptables = 0
<nowiki>#</nowiki>net.bridge.bridge-nf-call-arptables = 0}}
+
<nowiki>#</nowiki>net.bridge.bridge-nf-call-arptables = 0</pre>
  
  
* Create '''''/usr/bin/disable_send_accept_redirects''''' and add the following:
+
* To enable changes, do the following:
{{Text|Text=<nowiki>#</nowiki>!/bin/bash
+
sysctl -p
  
<nowiki>#</nowiki> Disable send redirects
 
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
 
  
<nowiki>#</nowiki> Disable accept redirects
+
* Create '''''/usr/bin/zl2tpset''''' and add the following:
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+
<pre>
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+
<nowiki>#</nowiki>!/bin/bash
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
+
for each in /proc/sys/net/ipv4/conf/*"
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects}}
+
do
 +
echo 0 > \$each/accept_redirects
 +
echo 0 > \$each/send_redirects
 +
done</pre>
 +
 
  
 
* Make it executable
 
* Make it executable
{{Code|chmod 755 /usr/bin/disable_send_accept_redirects}}
+
chmod 755 /usr/bin/zl2tpset
  
  
 
* Add the following to '''''/etc/rc.local''''' so this script runs on boot:
 
* Add the following to '''''/etc/rc.local''''' so this script runs on boot:
{{Text|Text=/root/bin/disable_send_accept_redirects}}
+
/usr/bin/zl2tpset
  
  
 
* To verify everything is set correctly, do the following:
 
* To verify everything is set correctly, do the following:
{{Code|service ipsec start
+
service ipsec start
ipsec verify}}
+
ipsec verify
  
  
 
* Everything should be "green" except ''SAref kernel support'' ('''N/A''') and ''Opportunistic Encryption'' ('''DISABLED''').
 
* Everything should be "green" except ''SAref kernel support'' ('''N/A''') and ''Opportunistic Encryption'' ('''DISABLED''').
 +
  
 
====Configure xl2tpd====
 
====Configure xl2tpd====
* Edit '''''/etc/xl2tpd/xl2tpd.conf''''':
+
* Edit '''''/etc/xl2tpd/xl2tpd.conf''''' and update to reflect as follows:
** Ensure <code>ipsec saref = yes</code> is uncommented.
+
'''NOTE:'''  The IP range is outside an actively used IP range. For example if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local IP which is used for communication with PPP.  Given example, you could use 192.168.10.101.
** The IP range is outside an actively used IP range. For example if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local IP which is used for communication with PPP.  Given example, you could use 192.168.10.101.
+
<pre>
 +
[global]
 +
ipsec saref = no
 +
 +
[lns default]
 +
ip range = 192.168.10.150-192.168.10.200
 +
local ip = 192.168.10.101
 +
require chap = yes
 +
refuse pap = yes
 +
require authentication = yes
 +
ppp debug = yes
 +
pppoptfile = /etc/ppp/options.xl2tpd
 +
length bit = yes</pre>
  
 
====Configure PPP====
 
====Configure PPP====
 
* Add following to '''''/etc/ppp/chap-secrets''''' (replace username and password accordingly):
 
* Add following to '''''/etc/ppp/chap-secrets''''' (replace username and password accordingly):
{{Text|Text=username * password *}}
+
 
 +
username * password *
 
* Check '''''/etc/ppp/options.xl2tpd''''' to verify that all ''ms-dns'' entries point to the correct nameservers (the HDA).
 
* Check '''''/etc/ppp/options.xl2tpd''''' to verify that all ''ms-dns'' entries point to the correct nameservers (the HDA).
 
*Start xl2tpd:
 
*Start xl2tpd:
{{Code|service xl2tpd start}}
+
service xl2tpd start
  
 
====Configure Router====
 
====Configure Router====
Line 99: Line 121:
  
 
====Set Services to Start on Boot====
 
====Set Services to Start on Boot====
{{code|chkconfig ipsec on
+
chkconfig ipsec on
chkconfig xl2tpd on}}
+
chkconfig xl2tpd on
  
That's basically it, you can now setup your L2TP/IPSEC VPN client and try to connect.
+
That's basically it, you can now setup your L2TP/IPsec VPN client and try to connect.
  
  
 
References:
 
References:
  
[http://www.mindbug.org/2010/11/fedora-as-ipsecl2tp-vpn-server-for-mac.html Fedora as IPSEC/L2TP VPN Server for Mac and Android]
+
[http://www.mindbug.org/2010/11/fedora-as-ipsecl2tp-vpn-server-for-mac.html Fedora as IPsec/L2TP VPN Server for Mac and Android]
  
 
[https://lists.openswan.org/pipermail/users/2008-March/014218.html Installing OpenSwan for the first time]
 
[https://lists.openswan.org/pipermail/users/2008-March/014218.html Installing OpenSwan for the first time]
 +
 +
[http://www.linuxhelp.in/2011/06/installing-and-configuring-l2tp-vpn.html Installing and configuring l2tp vpn using xl2tpd]
  
 
===Android L2TP/IPsec Client Setup===
 
===Android L2TP/IPsec Client Setup===
Line 142: Line 166:
  
 
Reference:  [https://www.goldenfrog.com/vyprvpn/support/vpn-setup/android-l2tp Android L2TP/IPsec Instructions]
 
Reference:  [https://www.goldenfrog.com/vyprvpn/support/vpn-setup/android-l2tp Android L2TP/IPsec Instructions]
 
===TIPS===
 
There is a nice [http://3h3.62.sl.pt VPN Menu] shortcut that you can install from the Android App Market that puts a shortcut on the home screen.  When selected, it takes you right to the VPN screen.
 

Latest revision as of 03:58, 23 June 2020

Warning.png WARNING
This is recommended only for advanced users, proceed with caution.



Msgbox.update.png Update Needed
The contents of this page have become outdated or irrelevant. Please consider updating it.


This is a IPsec/L2TP VPN server implementation for Fedora 14 that allows Android OS (2.3.5 or less) devices to connect to your HDA. It has been tested with Android OS 2.3.5 via Samsung Galaxy S™ II Skyrocket™. It may not work for all Android devices or may require some modification.

Setup

Install the packages first as root user:

yum -y install openswan xl2tpd

Configure Openswan

  • Edit /etc/ipsec.conf with your favorite editor and update as follows (NOTE: Replace the {HDA IP Address} i.e. 192.168.0.10 and xxx.xxx.xxx.xxx/24 i.e. 192.168.0.0/24 with the correct IP addresses for your network):
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!xxx.xxx.xxx.xxx/24
        oe=off
        nhelpers=0

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left={HDA IP Address}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any


  • Add the following to /etc/ipsec.d/hda.secrets:
{HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"


  • Edit /etc/sysctl.conf and add following to the file:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0


  • In the same file, disable the following by adding a #:
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0


  • To enable changes, do the following:
sysctl -p


  • Create /usr/bin/zl2tpset and add the following:
#!/bin/bash
for each in /proc/sys/net/ipv4/conf/*"
do
echo 0 > \$each/accept_redirects
echo 0 > \$each/send_redirects
done


  • Make it executable
chmod 755 /usr/bin/zl2tpset


  • Add the following to /etc/rc.local so this script runs on boot:
/usr/bin/zl2tpset


  • To verify everything is set correctly, do the following:
service ipsec start
ipsec verify


  • Everything should be "green" except SAref kernel support (N/A) and Opportunistic Encryption (DISABLED).


Configure xl2tpd

  • Edit /etc/xl2tpd/xl2tpd.conf and update to reflect as follows:

NOTE: The IP range is outside an actively used IP range. For example if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local IP which is used for communication with PPP. Given example, you could use 192.168.10.101.

[global]
ipsec saref = no
 
[lns default]
ip range = 192.168.10.150-192.168.10.200
local ip = 192.168.10.101
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configure PPP

  • Add following to /etc/ppp/chap-secrets (replace username and password accordingly):
username * password *
  • Check /etc/ppp/options.xl2tpd to verify that all ms-dns entries point to the correct nameservers (the HDA).
  • Start xl2tpd:
service xl2tpd start

Configure Router

You need to forward port 500 and 4500 (both UDP) to your HDA IP address.

Set Services to Start on Boot

chkconfig ipsec on
chkconfig xl2tpd on

That's basically it, you can now setup your L2TP/IPsec VPN client and try to connect.


References:

Fedora as IPsec/L2TP VPN Server for Mac and Android

Installing OpenSwan for the first time

Installing and configuring l2tp vpn using xl2tpd

Android L2TP/IPsec Client Setup

CONFIGURE

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN Settings
    • Add VPN
    • Add L2TP/IPsec PSK VPN
    • VPN Name and type in a descriptive name (i.e. HDA)
    • Set VPN Server and type the following server hostname to username.yourhda.com (username=HDA name)
    • Set IPSec pre-shared key and enter thisisourkey (replace with your secret key)
  • Uncheck Enable L2TP secret
  • Open the menu and choose Save

CONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN configuration from the list
  • Enter your username and password (use correct capitalization)
  • Select Remember username and Connect

DISCONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • Select the VPN configuration from the list
    • Select Disconnect


Reference: Android L2TP/IPsec Instructions