How to: Set up Openswan L2TP VPN Server on CentOS 6

Have you ever wanted to set up your own VPN server? By following the steps below, you can set up your own L2TP VPN server on CentOS 6. Note that an L2TP VPN, which we’re setting up here, is more secure than a PPTP VPN server. OpenVPN is another alternative to L2TP VPNs, but OpenVPN requires OpenVPN software on the client device. In contrast, L2TP VPNs are supported out of the box in most modern operating systems (Windows, Mac OS X, Ubuntu, RHEL, CentOS) as well as mobile devices (iOS [iPhones, iPads], Android, and Windows Phone).

–

Packages to install

yum install lsof man
yum install openswan
yum install ppp xl2tpd

Note: You need to have the epel repository installed to install xl2tpd. To install epel if you haven’t already, check this post.

Potential OpenSwan version issues with iOS devices behind NAT

OpenSwan version 2.6.32-18.el6_3 had a bug wherein iOS devices were unable to make a successful VPN connection if they were behind NAT, which includes attempting a VPN connection while connected to a cellular network. Downgrading to version 2.6.32-16.el6 allowed iOS devices to again connect.

It appears that this bug is fixed as of version 2.6.32-21.2.el6, but do note if you have trouble getting iOS devices to work behind NAT, it may be due to the version of OpenSwan you’ve installed.

For more information, see this page: http://bugs.centos.org/view.php?id=5832

–

IP Addresses in this example

 In the following configuration files, various IP addresses are listed. Change these IPs to match your environment

• 10.0.100.0/24 – Internal LAN IP subnet: This is the IP subnet used on your local LAN that the VPN server resides upon.

• 10.0.100.3 – Local IP used by VPN server for the L2TP tunnels: This is a completely made up number – you are assigning an IP address to the tunnel side of your VPN server. Make sure the IP you assign is not within your DHCP server’s DHCP scope.

• 10.0.100.50-100 – Local IP range to be handed out to VPN-connected clients: You define your own range here – make sure it’s in the same subnet as your local LAN but not part of your DHCP scope.

• 10.0.100.2 – IP address of VPN server: This is the primary IP address of the VPN server on your local LAN – this should be a static or statically assigned address.

• 10.0.100.1 – DNS server: This is the DNS server that the L2TP VPN-connected clients will use.

• 10.0.100.1 – Gateway/Router: This is the IP address of the border router on your internal network – it can be NAT’ed.

–

Configuration Files

/etc/sysctl.conf 

Edit the file to allow IP forwarding:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Reload sysctl with this command:

sysctl -p

–

/etc/rc.local

Add the following block to the bottom of the configuration file:

# Correct ICMP Redirect issues with OpenSWAN

for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
        echo 0 > $each/rp_filter
done

–

/etc/ipsec.conf

In the ipsec.conf file, you define a “left” and “right” side of the IPsec connection. In this example, the “left” side is your internal LAN, while the “right” side is the remote, client side which originates on port 1701.Make sure to change the virtual_private line to match your internal LAN subnet.

nehelpers is set to 0 to work around an error message when network helpers are not available.

plutodebug may be set to “control” if you wish to see messages logged in /var/log/pluto.log. Note: I do not suggest leaving this turned on as the log file will quickly grow to a massive size.

Additional lines are added at the bottom of the defined L2TP-PSK connection to better handle compatibility with Mac OS X and iOS clients.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version       2.0    # conforms to second version of ipsec.conf specification

# basic configuration

config setup
       interfaces=%defaultroute
       klipsdebug=none
       nat_traversal=yes
       nhelpers=0
       oe=off
       plutodebug=none
       plutostderrlog=/var/log/pluto.log
       protostack=netkey
       virtual_private=%v4:10.0.100.0/24

conn L2TP-PSK
       authby=secret
       pfs=no
       auto=add
       keyingtries=3
       rekey=no
       type=transport
       forceencaps=yes
       right=%any
       rightsubnet=vhost:%any,%priv
       #rightprotoport=17/0       rightprotoport=17/%any  多客户端不同账号同一IP连接VPN,尝试过有问题
       # Using the magic port of "0" means "any one single port". This is
       # a work around required for Apple OSX clients that use a randomly
       # high port, but propose "0" instead of their port.
       left=%defaultroute
       leftprotoport=17/1701
       # Apple iOS doesn't send delete notify so we need dead peer detection
       # to detect vanishing clients
       dpddelay=10
       dpdtimeout=90
       dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

–

/etc/ipsec.secrets 

First, create a new host key for the machine — this example is using a pre-shared key (PSK), but it’s still a good idea to generate the machine key:

    ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/

Next, add a line with the internal LAN IP address of the server, the var %any:PSK to use the pre-shared key, and then define the pre-shared key in quotes.

    10.0.100.2      %any:     PSK     "yourPSKHere"

In the /etc/IPsec.secrets file, make sure you remove or uncomment the line “include /etc/ipsec.d/*.secrets,” or you’ll get an error and the VPN just won’t connect.

: RSA  {

# Your RSA generated machine key will be here after running the above IPsec newhostkey command

}

# do not change the indenting of that "}"
    10.0.100.2      %any:     PSK     "yourPSKHere"

Make sure you set the permissions on your secrets file to keep it private.

sudo chown root:root /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets

–

/etc/xl2tpd/xl2tpd.conf

This is the xl2tpd configuration file. Make sure to change the listen-addr to that of your server, the ip range for your VPN clients, and the local IP of the VPN interface on the server.

[global]
listen-addr = 10.0.100.2
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; works around bug: http://bugs.centos.org/view.php?id=5832

force userspace = yes

;
[lns default]
ip range = 10.0.100.50-10.0.100.100
local ip = 10.0.100.3
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = CentOSVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

–

/etc/ppp/options.xl2tpd

ms-dns should be set to the DNS server you wish the VPN clients to use. You can specify multiple DNS servers by adding multiple ms-dns entries on separate lines.

ipcp-accept-local
ipcp-accept-remote
ms-dns  10.0.100.1
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log

–

/etc/ppp/chap-secrets

This is the file in which you define your user accounts for the VPN — they are in username and password pairs.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1           *       sgrongPassword1         *
user2           *       strongPassword2         *

Secure the /etc/ppp/chap-secrets file

sudo chown root:root /etc/ppp/chap-secrets
sudo chmod 600 /etc/ppp/chap-secrets

–

IPTables Configuration

If you are running IPTables as the firewall on your VPN server, run the following commands to allow functioning VPN access

#Allow ipsec traffic
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

#Do not NAT VPN traffic
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE

#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

#Save your configuration
iptables save

Note that if your current firewall configuration contains the following lines, your VPN connection will fail!

Remove these lines if they exist in your /etc/sysconfig/iptables file:

iptables -A INPUT -j REJECT –reject-with icmp-host-prohibited iptables -A FORWARD -j REJECT –reject-with icmp-host-prohibited, the VPN connection will fail!

–

Enable and Start Services

chkconfig xl2tpd on
chkconfig ipsec on
service ipsec start
service xl2tpd start

–

Optional configuration

Ignore ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

Don’t send ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

–

Troubleshooting

To see if your IPsec configuration looks OK, run the following command:

ipsec verify

You can also enable logging in /etc/ipsec.conf by setting plutodebug to “control”. This will log messages to /var/log/pluto.log.

There is an additional log file in /var/log/ppp.log.

–

Helpful links

http://confoundedtech.blogspot.com/2011/08/android-nexus-one-ipsec-psk-vpn-with.html

http://coding.zencoffee.org/2012/10/ipsecl2tp-vpn-server-on-centos-6-psk.html

http://amadys.blogspot.com/2010/06/openswan-2626-ipsec-for-linux.html

http://comments.gmane.org/gmane.network.openswan.user/20373

http://www.drlongghost.com/wordpress/2011/04/22/trying-to-get-iphone-to-ubuntu-vpn-working-with-openswan/

http://www.pariahzero.net/Blog/files/e7d5abf84a96640d5cd70dd0dfb3d200-71.html

http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-with-ubuntu-1004-and-strongswan/

Categories: CentOS, Linux, VPN