VinzC (Advocate)
Joined: 17 Apr 2004 Posts: 4345 Location: Spa (Belgium)
Posted: Fri Jul 06, 2007 1:45 pm
AVNazyrov wrote:
    ... has somebody tried to use OpenVPN instead of L2TP?
I have. And to tell the truth it's easier to accomplish than IPsec. While there are blocking cases with IPsec (like NATed networks), OpenVPN only needs a single UDP port (1194) and it works in all cases.
It's safe as it uses connection-less protocols like UDP, hence blinded against SYN flood and other classical TCP attacks. It involves principles easy to understand as it relies on well known technologies like SSL encryption and routing/bridging - nothing more, nothing less.
It has a GUI client for Windows and, IIRC, Mac OS. Linux has kvpnc and many other clients, text or graphical. I have tried and used the Windows GUI. Not much to say about it: I like it very much.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
VinzC (Advocate)
Joined: 17 Apr 2004 Posts: 4345 Location: Spa (Belgium)
Posted: Fri Jul 06, 2007 1:59 pm
Quote:
    Considerably faster than L2TP
AVNazyrov wrote:
    Has anybody else tested it?
To add to your question, I've tested both at that time (a year and a half ago). I started with OpenSwan to link two networks from our company through the Internet. The purpose was to work remotely with Citrix.
OpenSwan proved unstable as soon as more than 3-4 users were using the link between both sites. It was probably a configuration/fine tuning problem but we switched to OpenVPN and it worked at once - with my limited knowledge of VPN [internals] at that time. So I can confirm that L2TP/IPsec requires strong knowledge in that domain...
Last edited by VinzC on Fri Jul 06, 2007 6:38 pm; edited 1 time in total
AVNazyrov (n00b)
Joined: 05 Jul 2007 Posts: 3
Posted: Fri Jul 06, 2007 2:28 pm
VinzC, many thanks for your answer. I think I'll try to use OpenVPN soon.
One remark: now OpenSWAN works with NATed nets perfectly too and requires only three UDP ports opened in the firewall.
VinzC wrote:
    So I can confirm that L2TP/IPsec requires strong knowledge in that domain...
Two thumbs up!
dashnu (l33t)
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Mon Aug 06, 2007 3:12 pm
Some random comments..
Quote:
    L2TP VPN Cons:
    Unstable L2TP code; l2tpd requires heavy patching with the latest kernels; kernel recompilation with TTY support is preferable
Xelerance maintains a version of this code.. Frequent updates and seems pretty active to me.
Quote:
    Unexpected crashes when the client connection is not closed properly
I have _never_ seen this.
Quote:
    Hard to configure; requires good linux skills along with solid understanding of networking and VPN technology
I would hope so.
Quote:
    Slower than OpenVPN
Probably due to the layers and encryption.. NAT-T --> ESP --> L2TP ... Anyways, never had any speed issues myself. I would imagine when push came to shove ESP is a bit more secure than SSL based VPNs and probably much, much more widely accepted.
Quote:
    Almost no support from the community
I find the openswan lists to be exceptional. Especially Paul from Xelerance; he has helped me out a countless number of times.. The openswan book is also a great read/help.. Hey, I am in the community and helped out several people between this thread and my howto..
I am not trying to flame, just responding to these comments with my experiences... I never used openvpn and may be a bit partial to openswan seeing I connect/secure all my networks together using gentoo endpoints with openswan & iptables.
_________________
write quit bang
VinzC (Advocate)
Joined: 17 Apr 2004 Posts: 4345 Location: Spa (Belgium)
Posted: Tue Aug 07, 2007 9:08 am
dashnu wrote:
    Some random comments...
Quote:
    Almost no support from the community
I also find it quite odd that such a message is posted... in a forum. I love paradoxes like this...
mike123abc (n00b)
Joined: 24 Aug 2007 Posts: 1
Posted: Fri Aug 24, 2007 5:57 am
Post subject: XP client to Linux server stops as soon as the ipsec is done
Suse 9.3 2.6.11 Kernel <----> NAT Windows XP
I have openswan 2.2.0 and the latest download xl2tpd-1.1.11.
The syslog info from pluto: it looks like it does its job and establishes an IPsec connection.
Quote:
Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 75.23.215.33 #7: responding to Main Mode from unknown peer 75.23.215.33
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 75.23.215.33 #7: transition from state (null) to state STATE_MAIN_R1
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 75.23.215.33 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 75.23.215.33 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 75.23.215.33 #7: Peer ID is ID_FQDN: '@FUJI'
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33 #7: deleting connection "roadwarrior-all" instance with peer 75.23.215.33 {isakmp=#0/ipsec=#0}
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33 #7: I did not send a certificate because I do not have one.
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: sent MR3, ISAKMP SA established
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 75.23.215.33:4500 #8: responding to Quick Mode
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 75.23.215.33:4500 #8: transition from state (null) to state STATE_QUICK_R1
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 75.23.215.33:4500 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 75.23.215.33:4500 #8: IPsec SA established {ESP=>0x928e14de <0xe9359c83 NATOA=192.168.1.146}
Nothing happens until the XP box times out or you press cancel; then it gets a nice delete message from XP:
Quote:
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: received Delete SA(0x928e14de) payload: deleting IPSEC State #8
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: deleting connection "roadwarrior-l2tp" instance with peer 75.23.215.33 {isakmp=#0/ipsec=#0}
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: received and ignored informational message
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: received Delete SA payload: deleting ISAKMP State #7
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500: deleting connection "roadwarrior-all" instance with peer 75.23.215.33 {isakmp=#0/ipsec=#0}
Aug 23 22:58:31 www pluto[11446]: packet from 75.23.215.33:4500: received and ignored informational message
My ipsec.conf file: (note the indents are there, just not appearing in this post)
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
My xl2tpd, with all the debugging on and sitting on the terminal, does not seem to do anything after the initial load:
Quote:
xl2tpd[11865]: init_config: Using old style config files /etc/l2tp/l2tpd.conf and /etc/l2tpd/l2tp-secrets
xl2tpd[11865]: parse_config: global context descriptor
xl2tpd[11865]: parse_config: field is port, value is 1701
xl2tpd[11865]: set_port: Setting global port number to 1701
xl2tpd[11865]: set_port: port flag to '1701'
xl2tpd[11865]: parse_config: field is debug avp, value is yes
xl2tpd[11865]: set_debug avp: debug avp flag to 'yes'
xl2tpd[11865]: parse_config: field is debug network, value is yes
xl2tpd[11865]: set_debug network: debug network flag to 'yes'
xl2tpd[11865]: parse_config: field is debug packet, value is yes
xl2tpd[11865]: set_debug packet: debug packet flag to 'yes'
xl2tpd[11865]: parse_config: field is debug state, value is yes
xl2tpd[11865]: set_debug state: debug state flag to 'yes'
xl2tpd[11865]: parse_config: field is debug tunnel, value is yes
xl2tpd[11865]: set_debug tunnel: debug tunnel flag to 'yes'
xl2tpd[11865]: parse_config: field is ip range, value is 172.22.172.100-172.22.172.200
xl2tpd[11865]: range start = ac16ac64, end = ac16acc8, sense=4294967295d
xl2tpd[11865]: parse_config: field is local ip, value is 172.22.172.4
xl2tpd[11865]: parse_config: field is require chap, value is yes
xl2tpd[11865]: set_require chap: require chap flag to 'yes'
xl2tpd[11865]: parse_config: field is refuse pap, value is yes
xl2tpd[11865]: set_refuse pap: refuse pap flag to 'yes'
xl2tpd[11865]: parse_config: field is require authentication, value is yes
xl2tpd[11865]: set_require authentication: require authentication flag to 'yes'
xl2tpd[11865]: parse_config: field is name, value is LinuxVPN
xl2tpd[11865]: set_name: name flag to 'LinuxVPN'
xl2tpd[11865]: parse_config: field is ppp debug, value is yes
xl2tpd[11865]: set_ppp debug: ppp debug flag to 'yes'
xl2tpd[11865]: parse_config: field is pppoptfile, value is /etc/ppp/options.l2tpd
xl2tpd[11865]: set_pppoptfile: pppoptfile flag to '/etc/ppp/options.l2tpd'
xl2tpd[11865]: parse_config: field is length bit, value is yes
xl2tpd[11865]: set_length bit: length bit flag to 'yes'
xl2tpd[11865]: setsockopt recvref: Protocol not available
xl2tpd[11865]: This binary does not support kernel L2TP.
xl2tpd[11865]: xl2tpd version xl2tpd-1.1.11 started on www PID:11865
xl2tpd[11865]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11865]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11865]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11865]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[11865]: Listening on IP address 0.0.0.0, port 1701
So, I guess the problem/question is:
I have a successful ipsec connection made, but now I need to figure out how to get the l2tpd involved. I checked firewall rules; there is nothing for port 1701. The other issue is that there is no ipsec0 interface (seems the 2.6 kernel does not need it); is this the issue? The linux box is directly connected to the internet, there is no private net. I have not figured out the right internet search to quite figure out how ipsec packets get to l2tpd. If there was a virtual ipsec0 interface I could see them being routed to port 1701 there and the l2tpd listening on that interface and getting the packets. Do I need to create/configure a device? What do I need to do to at least get to the next stage of debugging where packets get to l2tpd?
I was able to get openvpn up and running with a tap0 working and got a VPN working with my XP box. But XP does not really like to use openVPN; you have to do all the stuff manually, and the spiffy UI that users would use wants to use l2tp. The only complaint I can see from l2tp is that recvref is not available in setsockopt. Maybe it is something; the source does not give much insight. Exploring this some more at the moment...
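A small parser for the pluto log format shown above, as an added Python example (not from this thread or from Openswan): it follows each IKE state number from establishment to deletion, so the gap between "IPsec SA established" and the client's Delete payload, and the NAT-OA address pluto recorded, stand out without reading every line. The log lines inside it are constructed, with a documentation-range peer address and made-up SPIs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in pluto's syslog format (not the thread's own log;
# the peer address is a documentation-range placeholder, SPIs are made up).
SAMPLE_LOG = """\
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 203.0.113.5 #7: responding to Main Mode from unknown peer 203.0.113.5
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[7] 203.0.113.5 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-all"[8] 203.0.113.5:4500 #7: sent MR3, ISAKMP SA established
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 203.0.113.5:4500 #8: responding to Quick Mode
Aug 23 22:58:15 www pluto[11446]: "roadwarrior-l2tp"[4] 203.0.113.5:4500 #8: IPsec SA established {ESP=>0x0000aaaa <0x0000bbbb NATOA=192.168.1.50}
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 203.0.113.5:4500 #7: received Delete SA(0x0000aaaa) payload: deleting IPSEC State #8
Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 203.0.113.5:4500 #7: received Delete SA payload: deleting ISAKMP State #7
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): (?P<msg>.*)$')

def parse_pluto(text, year=2007):
    """Yield (timestamp, conn, peer, state_no, message) for each line bound to a state."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "packet from ..." lines carry no state number
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m['conn'], m['peer'], int(m['state']), m['msg']

def summarize(text):
    """Per pluto state (#N): connection, peer, kind of SA, when it came up,
    when a Delete payload tore it down, and the resulting lifetime in seconds."""
    states = defaultdict(dict)
    for ts, conn, peer, no, msg in parse_pluto(text):
        st = states[no]
        st.setdefault('conn', conn)
        st.setdefault('peer', peer)
        if 'peer is NATed' in msg:
            st['nated'] = True
        if 'ISAKMP SA established' in msg:
            st['kind'], st['up'] = 'ISAKMP', ts
        elif 'IPsec SA established' in msg:
            st['kind'], st['up'] = 'IPsec', ts
            natoa = re.search(r'NATOA=([\d.]+)', msg)
            if natoa:
                st['natoa'] = natoa.group(1)  # client's address behind its NAT
        gone = re.search(r'deleting (?:IPSEC|ISAKMP) State #(\d+)', msg)
        if gone:
            states[int(gone.group(1))]['down'] = ts
    for st in states.values():
        if 'up' in st and 'down' in st:
            st['lifetime_s'] = (st['down'] - st['up']).total_seconds()
    return dict(states)

if __name__ == '__main__':
    for no, st in sorted(summarize(SAMPLE_LOG).items()):
        print(f"#{no} {st.get('kind')} {st['conn']} up={st.get('up')} lifetime={st.get('lifetime_s')}s")
```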
temper (n00b)
Joined: 06 Jun 2008 Posts: 38 Location: Tbilisi, Georgia
Posted: Tue Dec 30, 2008 3:13 pm
Hi. It's my first time doing this kind of connection... so I need a little help from the community.
When I connect my client (Windows XP SP3) to my host, the internet goes down on the client. I can ping both local and global IPs both ways, but the client cannot ping anything outside the VPN.
I'm using:
Code:
2.6.26-gentoo-r4 kernel
net-misc/openswan version: 2.4.13-r2
net-firewall/ipsec-tools version: 0.6.7 0.7.1
net-dialup/ppp version: 2.4.4-r21
net-dialup/xl2tpd version: 1.1.12 1.1.12-r1
(There is no l2tpd daemon in my portage tree)
I believe I have configured the kernel correctly.
This is my ipsec.conf:
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:!192.168.1.0/24
conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior
#conn roadwarrior-all
#    leftsubnet=0.0.0.0/0
#    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/1701
    rightprotoport=17/1701
    rekey=no
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    authby=secret
    type=tunnel
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
ipsec.secrets:
xx.xx.xx.xx is my global ip.
Code:
ipsec.secrets
XX.XX.XX.XX %any: PSK "verylongpassword"
chap-secrets:
Code:
# Secrets for authentication using CHAP
# client server secret IP addresses
client * "password" 192.168.1.5
* client "password" 192.168.1.5
options.l2tp:
Code:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
and this is /etc/xl2tpd/xl2tpd.conf:
Code:
; l2tpd.conf
;
[global]
port = 1701
[lns default]
ip range = 192.168.1.4-192.168.1.40
local ip = 192.168.1.2
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
I set up XP correctly. I don't know why the internet is not working.
I looked in /var/log/messages, route -n, iptables -L, emerge --info, tcpdump, lsmod... but I don't know how
to troubleshoot this. I've been struggling for a very long time to get it working, but I don't have enough skills yet to make it all on my own... I hope someone can guide me through this... TIA
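Both ipsec.conf files in this thread build their L2TP connections out of `conn %default` plus `also=roadwarrior`, and pluto picks the conn whose left/rightprotoport selectors match what the client proposes in Quick Mode. As an added Python example (not from the thread or Openswan), this resolves a conn to its effective parameter set and finds the conn matching a given proto/port pair; the config text is a constructed fragment, and it assumes the including conn's own keys take precedence over `also=` and `%default`.

```python
import re

# Constructed ipsec.conf fragment in the layout of the files posted above (not the poster's file).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    plutodebug=none
conn %default
    authby=secret
    type=tunnel
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
"""

def parse_sections(text):
    """Split ipsec.conf into {name: {key: value}}: 'config setup' under 'setup',
    each 'conn X' under 'X'. Comments, blank, include and version lines are skipped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^(?:config|conn)\s+(\S+)$', line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    return sections

def resolve_conn(sections, name, _seen=()):
    """Effective parameters of conn `name`: its own keys win, then keys pulled in
    through also= (followed recursively), then conn %default. That precedence is
    assumed here; a cycle in also= chains raises instead of recursing forever."""
    if name in _seen:
        raise ValueError(f"also= cycle at {name}")
    own = dict(sections[name])
    also = own.pop('also', None)
    if also:
        for key, val in resolve_conn(sections, also, _seen + (name,)).items():
            own.setdefault(key, val)
    for key, val in sections.get('%default', {}).items():
        own.setdefault(key, val)
    return own

def conns_for_protoport(sections, left_pp, right_pp):
    """Conns whose effective left/rightprotoport equal the given proto/port pair,
    the selectors pluto matches against a client's Quick Mode proposal."""
    return [n for n in sections if n not in ('setup', '%default')
            and resolve_conn(sections, n).get('leftprotoport') == left_pp
            and resolve_conn(sections, n).get('rightprotoport') == right_pp]
```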
VinzC (Advocate)
Joined: 17 Apr 2004 Posts: 4345 Location: Spa (Belgium)
Posted: Tue Dec 30, 2008 5:05 pm
Remember what a VPN is: a secure tunnel between your computer and the remote network. Secure tunnel means every network packet is sent through the tunnel for security. Hence there's no route to the Internet by default, other than through the default gateway at the opposite side of the tunnel.
That is to say that a host connected through VPN must isolate itself as well as the remote network from external attacks. If a VPN host is compromised then the remote network is under threat as well. This is why it is unwise to have a VPN host also connected to the Internet directly.
There are two ways for a host to also send/receive packets to/from the Internet: either directly (dangerous as I've just explained) or through a gateway on the remote network.
- The latter option is preferable and requires adding routes to the gateway on the remote network and possibly changing firewall rules on the remote Internet gateway.
- If this is not possible then the former option is your only choice.
By default, Windows VPN hosts use the remote gateway as the default gateway, making the Internet unavailable on the VPN host. You can change that behaviour on Windows XP by changing how Windows routes packets. There is a checkbox «Use default gateway on the remote network» (typing from memory) in the TCP/IP properties of your VPN connection. It is checked by default. Uncheck it before making the VPN connection and you'll be able to surf the Internet from your machine while the VPN link is active.
You've been warned.
dashnu (l33t)
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Tue Dec 30, 2008 7:39 pm
I do not use this setup anymore; however, it sounds to me as if your firewall at the remote end-point is causing the problem.
I routed all packets outbound from the client through the tunnel and out the VPN.
Keep in mind with this setup a PPP+ interface is created and the proper forwarding rules must be set.
Is this VPN end-point also your firewall? Or behind a firewall already in place?
temper (n00b)
Joined: 06 Jun 2008 Posts: 38 Location: Tbilisi, Georgia
Posted: Tue Dec 30, 2008 8:02 pm
OK, now I get a little better understanding of how VPN works. But I'm still an uber n00b, I know...
Well, I will test this when my brother gets off his MMORPG games and let you know. I'll try both methods. This is my home network and I have no information-sensitive things on it, or any service running to be concerned about security. My initial goal was to set up a LAN connection, but I don't have a router and spare NICs to plug into the PCs to set up a LAN; they are both laptops, btw. I know there are other solutions, like ftp, ssh, but I want to learn how to set up VPNs over IPsec... Thank you for the help.
EDIT:
VinzC
dashnu
Thanks for helping me. I got it working finally. Thank you!!!
And have a Happy New Year!