belerofon / January 25, 2019 / IT-Security, Network

Install the software

First, we start with installing all required software:

apt-get install strongswan xl2tpd ppp

Config StrongSwan

vi /etc/strongswan.conf 
charon {
  load_modular          = yes
  install_routes        = yes
  plugins {
        include strongswan.d/charon/*.conf
  }
  filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            #append = no
            #default = 2
            flush_line = yes
        }
        stderr {
            # default loglevel.
            #ike = 4
            #knl = 3
        }
    }
}

include strongswan.d/*.conf

Configure IPSec

Now we start with configuring the software. First we start with IPSec:

vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
          uniqueids=yes

# default for connections
conn %default
          pfs=yes
          aggressive=no
          #installpolicy=yes
          mobike=no
          ikelifetime=8h
          keylife=3h
          keyingtries=%forever
          rekey=no
          rekeymargin=3m
          dpddelay=30
          dpdtimeout=120
          dpdaction=clear

#VPN IPSec-over-L2TP Roadwarrior
conn IPSec-L2TP-Roadworrier
          ### CONNECTION SETTINGS ###
          forceencaps=yes
          type=transport
          auto=add
          ### PROPOSAL ###
          keyexchange=ikev1
          authby=secret
          ike=aes256-sha256-modp2048
          esp=aes256-sha256-modp2048
          ### SERVER SIDE ###
          left=%defaultroute
          leftfirewall=yes
          leftprotoport=udp/1701
          ### CLIENT SIDE ###
          right=%any
          rightfirewall=yes
          rightprotoport=udp/%any
          ### PHASE II SELECTORS ###
          leftsubnet=0.0.0.0/0
          rightsubnet=0.0.0.0/0

Some notes about this configuration:

  • We use a secret (pre-shared key) for authentication. Sources on the internet seem to suggest that the iPhone cannot handle certificates.
  • We must configure the dead peer detection (dpd*) options in the %default section, or else you cannot reconnect to the VPN when returning from sleep.

IPSec Secrets

We therefore also need to configure the pre-shared key (the IPsec password) that authenticates the IPsec tunnel.

vi /etc/ipsec.secrets

%any %any : PSK "this-is-my-super-secret-password"

It is smart to choose a strong (long) password.

Other possible secret types:

  • RSA defines an RSA private key
  • ECDSA defines an ECDSA private key
  • PSK defines a pre-shared key
  • EAP defines EAP credentials
  • NTLM defines NTLM credentials
  • XAUTH defines XAUTH credentials
  • PIN defines a smartcard PIN

Example:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.1 %any : PSK "v+NkxY9L-$Fd4qCC2o/gGr9QwF2d21jL"

: RSA moonKey.pem
carol@strongswan.org : EAP "x3.dEhgN"
carol : XAUTH "4iChxLT3"
dave  : XAUTH "ryftzG4A"

# get secrets from other files
include ipsec.*.secrets

Configure L2TP

Inside the directory /etc/xl2tpd you have to edit xl2tpd.conf like this:

vi /etc/xl2tpd/xl2tpd.conf 
[global]
        auth file = /etc/l2tpd/l2tp-secrets
        port = 1701
        access control = no
        ipsec saref = yes

[lns default]
        ip range = 192.168.254.100-192.168.254.150
        local ip = 192.168.254.254
        assign ip = yes
        require chap = yes
        refuse pap = yes
        require authentication = yes
        name = L2TP
        ppp debug = yes
        pppoptfile = /etc/ppp/options.xl2tpd
        length bit = yes

The "ip range" lies within your internal network and must be a range outside of your DHCP scope. The "ip range" must not include the "local ip"; that address is dedicated to your Linux host. Important: once the VPN setup is working properly, turn off all debugging options (set them to 'no'). Otherwise your logs will fill up very quickly, because every transmitted packet is logged.
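The addressing rules just stated are easy to get wrong by hand. The following added example (my code, not from the original post) parses the [lns default] section of an xl2tpd.conf and checks that the "ip range" and "local ip" sit inside the internal network, that the range does not contain the local IP, and that it does not overlap the DHCP scope; the internal network and DHCP scope are assumed values.

```python
# Added example: sanity-check xl2tpd [lns default] addressing against the
# rules from the post. INTERNAL_NET and DHCP_SCOPE are assumed values.
import configparser
import ipaddress

# Constructed sample mirroring the post's xl2tpd.conf
SAMPLE_XL2TPD_CONF = """
[global]
port = 1701

[lns default]
ip range = 192.168.254.100-192.168.254.150
local ip = 192.168.254.254
assign ip = yes
"""
INTERNAL_NET = ipaddress.ip_network("192.168.254.0/24")   # network of eth1:1 (assumed)
DHCP_SCOPE = (ipaddress.ip_address("192.168.254.10"),
              ipaddress.ip_address("192.168.254.99"))     # assumed DHCP pool on that LAN


def parse_lns(text):
    """Return (range_first, range_last, local_ip) from the [lns default] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    lns = cp["lns default"]
    first, last = (ipaddress.ip_address(p.strip()) for p in lns["ip range"].split("-"))
    return first, last, ipaddress.ip_address(lns["local ip"])


def check_addressing(text, internal_net=INTERNAL_NET, dhcp_scope=DHCP_SCOPE):
    """Return a list of problems; an empty list means the addressing is consistent."""
    first, last, local_ip = parse_lns(text)
    problems = []
    if first > last:
        problems.append("ip range start is after its end")
    for addr in (first, last, local_ip):
        if addr not in internal_net:
            problems.append(f"{addr} is outside the internal network {internal_net}")
    if first <= local_ip <= last:
        problems.append("local ip lies inside the ip range handed to clients")
    lo, hi = dhcp_scope
    if first <= hi and lo <= last:          # interval overlap test
        problems.append("ip range overlaps the DHCP scope")
    return problems


if __name__ == "__main__":
    print(check_addressing(SAMPLE_XL2TPD_CONF) or "addressing OK")
```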

Configure PPP

Now we must configure PPP. Edit /etc/ppp/options.xl2tpd and make it look like this:

vi /etc/ppp/options.xl2tpd
persist
ipparam portunity

# Allow all usernames to connect.
proxyarp
ipcp-accept-local
ipcp-accept-remote

# Set the DNS servers the PPP clients will use.
#ms-dns 192.168.254.254
#ms-dns 2a03:4000:6:d0f1::
ms-dns 8.8.8.8

noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
lock
connect-delay 5000

# Enable IPv6
+ipv6

Note that you must enter a valid DNS server that must be reachable by the VPN client (iPhone) through the tunnel. We are almost there. Now we must also configure a password for the PPP connection.

CHAP Secrets

Edit /etc/ppp/chap-secrets and make it look like this:

vi /etc/ppp/chap-secrets

USERNAME * PASSWORD *

This password is not related to the IPsec PSK. I think it is wise to configure different passwords for IPsec and PPP.
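To enforce the two rules from the secrets sections above (a long PSK, and PPP passwords that differ from it), here is an added example of mine, not code from the original post: it parses ipsec.secrets-style PSK lines and chap-secrets-style entries from constructed samples and reports any reuse. The 20-character minimum is an assumption; the post only says "strong (long)".

```python
# Added example: check that the IPsec PSK is long and is not reused as a PPP password.
import shlex

MIN_PSK_LEN = 20   # assumed threshold; the post only says "strong (long)"

# Constructed samples in the two formats shown in the post
IPSEC_SECRETS = '''
# /etc/ipsec.secrets
%any %any : PSK "this-is-my-super-secret-password"
'''
CHAP_SECRETS = '''
# client  server  secret          IP addresses
iphone    *       "Kz7!pq-Lm29x"  *
laptop    *       this-is-my-super-secret-password *
'''


def parse_psks(text):
    """Return the PSK strings from ipsec.secrets-style text (RSA/EAP/XAUTH lines are skipped)."""
    psks = []
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        _selectors, rhs = line.split(":", 1)          # "%any %any" : PSK "..."
        fields = shlex.split(rhs, comments=True)      # honours the quoting
        if len(fields) >= 2 and fields[0] == "PSK":
            psks.append(fields[1])
    return psks


def parse_chap(text):
    """Return {client: secret} from chap-secrets-style text (client server secret ip)."""
    creds = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            creds[fields[0]] = fields[2]
    return creds


def check_secrets(ipsec_text, chap_text):
    """Return a list of problems; empty means the PSK is long and not shared with PPP."""
    problems = []
    psks = parse_psks(ipsec_text)
    if not psks:
        problems.append("no PSK found in ipsec.secrets")
    for psk in psks:
        if len(psk) < MIN_PSK_LEN:
            problems.append(f"PSK shorter than {MIN_PSK_LEN} characters")
        for user, pw in parse_chap(chap_text).items():
            if pw == psk:
                problems.append(f"PPP user {user!r} reuses the IPsec PSK")
    return problems
```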

Configuring the firewall

Using UFW

An IPSec + L2TP + PPP VPN requires the following ports to be opened:

500/udp  (IKE)
4500/udp (IPsec NAT traversal)
1701/udp (L2TP)

Using IPTables

Configuring traffic forwarding rules

If you use a Linux box with IPtables, you may already have a functioning configuration. However, this line is required for traffic forwarding to work (the source network is the VPN client range from xl2tpd.conf):

iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE

You can also define the VPN address as an interface alias in /etc/network/interfaces and add post-up/post-down hooks that install and remove the iptables rules with the interface:

#VPN Network (VLAN 1, Port eth1)
auto eth1:1
iface eth1:1 inet static
    address 192.168.254.254
    netmask 255.255.255.0

### VPN Forward RoadWarrior IPSec-over-L2TP ###
post-up   iptables -t nat -A POSTROUTING -s '192.168.254.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.254.0/24' -o eth0 -j MASQUERADE
### Allow Access to other networks
post-up   iptables -t nat -I POSTROUTING -s '192.168.254.0/24' -d '192.192.0.0/22' -j ACCEPT
post-down iptables -t nat -D POSTROUTING -s '192.168.254.0/24' -d '192.192.0.0/22' -j ACCEPT

You must replace the IP addresses and interface names with the correct values for your configuration.

Traffic Forwarding

You may also have to enable traffic forwarding like this:

 vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
