Gentoo Forums
Howto l2tp/IPsec VPNServer (PSK MS-Chap for now)
Gentoo Forums Forum Index > Networking & Security
dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Apr 15, 2005 6:02 pm    Post subject: Howto l2tp/IPsec VPNServer (PSK MS-Chap for now)

A more up-to-date version can be found here.

http://teh.sh.nu/HowTo

This will work with the default windows XP and OS-X clients.
Note: Some patching may be required.

Auth type = PSK / Ms-chap
Ports: 4500 / 500
Protocol = esp

This is more or less a brain dump for me so I do not forget what I did. Once I free up a machine

NOTE: This same configuration works on gentoo Hardened SELinux.

I took most of my info from the following two sites.
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
http://megaz.arbuz.com/archives/2005/01/28/linux-vpn-guide/1

In my current setup my VPN is behind a NAT firewall, which caused some issues. I will explain how to set this up at the end if it is needed by folks.

I am thinking about running this on a production server, but I have a few security issues that need to be addressed. I hope to figure these out soon. (Mainly with the VPN behind a NAT.)

Current Software versions

Quote:
kernel-2.6.9-gentoo-r9 (gentoo-dev-sources or gentoo-sources now I think.)
net-misc/openswan-2.3.0 (2.3.1 is in portage now will most likely update soon)
net-firewall/ipsec-tools-0.4-r1
net-dialup/l2tpd-0.70_pre20031121
net-dialup/ppp-2.4.2-r10


Kernel Configuration.

Make sure to have the following. (May have some extra modules you can fine-tune as you please.)
Code:
Networking support  --->
                   Networking options  --->
                            <M> PF_KEY socket
                            [*] TCP/IP networking
                                    <M> IP: AH transformation
                                    <M> IP: ESP transformation
                                    <M> IP: IPComp transformation
                                    <M> IPsec user configuration interface

                            [*] Network device support   
                            <M>     PPP (point-to-point protocol) support
                                     <M>     PPP support for async serial ports
                                     <M>     PPP support for sync tty ports
                                     <M>     PPP Deflate compression                     
                                     <M>     PPP BSD-Compress compression                       
                                     <M>     PPP over Ethernet (EXPERIMENTAL)
             
            Device Drivers  --->
                      Character devices  --->
                               [*] Legacy (BSD) PTY support

Note: Last Kernel option may not be needed.

I have added a bunch of cryptographic options; this can be fine-tuned also, I am sure.
Code:

Cryptographic options  --->
         --- Cryptographic API                                     
            ---   HMAC support                                         
            <M>   Null algorithms                                     
            <M>   MD4 digest algorithm                               
            <M>   MD5 digest algorithm                                 
            <M>   SHA1 digest algorithm                               
            <M>   SHA256 digest algorithm                             
            <M>   SHA384 and SHA512 digest algorithms
            <M>   DES and Triple DES EDE cipher algorithms
            <M>   Blowfish cipher algorithm
            <M>   Twofish cipher algorithm
            <M>   Serpent cipher algorithm
            <M>   Deflate compression algorithm


Emerging Software

My Server Specific USE
Code:
USE="-X -alsa -oss -gif -emboss -f77 -font-server -fortran java -truetype-fonts -type1-fonts -mad -gpm -gnome -motif -mikmod -encode -kde -apm -nls -arts -avi -bitmap-fonts -cups -foomaticdb -gtk -gtk2 -ipv6 -jpeg -mpeg -oggvorbis -opengl -pdflib -png -qt -quicktime -readline -sdl -truetype -xmms -xv nptl ssl pam ssh"


Code:
echo "net-misc/openswan ~x86" >> /etc/portage/package.keywords


Code:
emerge openswan ipsec-tools l2tpd ppp


IpSec Configuration

Let's say your external IP is 50.50.50.50 and your internal subnet is 192.168.1.x

Code:
vi /etc/ipsec/ipsec.conf

Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf



Next we need to edit the /etc/ipsec/ipsec.secrets file
Code:
50.50.50.50 %any: PSK "biGl0nGlin3oft3xtwith8725364514and*$@andstuff"

This PSK (Private Shared Key) will need to be passed out to all users that use the vpn. You may want to enforce a good security policy for this key if you do decide to run this setup in production.

Note: The %any means that any IP can connect. If you are only connecting via one external machine, add only its IP address for a more secure install.


l2tpd Configuration

Edit /etc/l2tpd.conf
Code:
; l2tpd.conf
;
[global]
listen-addr = 50.50.50.50
port = 1701

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 50.50.50.50
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes



Note: the listen-addr will need to be the ip that is known to the machine.
Note: If you are running behind a NAT, this will be your internal ip. (See VPN behind a NAT at the bottom for more info.)

I set the ip range to match up with my internal subnet and assigned a block of ips that I know I am not using. Also it is nice to set up your dns server to assign a name to this block of ips to debug and for easy tracking.

PPP Configuration
Edit /etc/ppp/options.l2tpd
Code:
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent


Set ms-dns to your DNS server ip.

To set up your users edit /etc/ppp/chap-secrets
Code:
# Secrets for authentication using CHAP
# client        server           secret            IP addresses
testuser     *                 "password"      192.168.1.0/24
*                 testuser     "password"      192.168.1.0/24

This is an example of one user. You need to add an entry for client and server. Also make sure 192.168.1.0/24 matches your subnet; change as needed.

Kicking off the VPN
Add to your default runlevel
Code:
rc-update add l2tpd default
rc-update add ipsec default

Fire it up and hope....
Code:
/etc/init.d/l2tpd start
 * Starting l2tpd...
This binary does not support kernel L2TP.                                 [ ok ]

Note: When you start l2tpd you will see the above message. This is not an error.
Code:
/etc/init.d/ipsec start
 * Starting IPSEC ......
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/xfrm/xfrm_us  [ ok ]


I use syslog-ng so the logs to look at for me are /var/log/syslog and messages.

After start up I have the following modules loaded
Code:

Module                  Size  Used by
xfrm_user              16516  0
xfrm4_tunnel            4100  0
af_key                 33680  0
ppp_async              11392  0
crc_ccitt               2176  1 ppp_async
ppp_generic            25236  1 ppp_async
slhc                    8064  1 ppp_generic
deflate                 3840  0
zlib_deflate           21656  1 deflate
zlib_inflate           17792  1 deflate
twofish                37248  0
serpent                12928  0
blowfish                9984  0
des                    11648  0
sha256                  9344  0
sha1                    8832  0
crypto_null             2304  0
ipcomp                  8456  0
esp4                    8576  0
ah4                     7040  0
md5                     4096  1


Setting up Windows XP Client
Ok "clicky, clicky, clicky" folks

Click Start --> Settings --> Network Connections --> New Connection Wizard
because wizards are cool and can turn people into frogs...
Click Next on the first screen
Click Connect to the network at my workplace then click Next
Click Virtual Private Network connection then click Next
Type in a name for the VPN then click Next
Click Do Not dial the initial connection then click Next
Enter the IP address of your new VPN Server then click Next
Add a shortcut if you want then click Finish

A window will open next prompting you for a User name and Password.

We will need to change some of the properties to make the connection happen so click properties.
Click the Security Tab and click IPSec Settings by the bottom. Enter your long PSK that you set up in the /etc/ipsec/ipsec.secrets file.

Next go to the Networking Tab and in the Type of VPN Dropdown box select "L2TP IPSec VPN"
That should be it click ok after.

Now log in with the username and password that you set up in your /etc/ppp/chap-secrets file.

Setting up OS-X Client
to do..

Setting up Linux Client
to do..

Patching the src so ipsec will work behind a NAT
Get the patch http://lists.openswan.org/pipermail/users/2005-February/003931.html
Save in a happy place.
Since I am sure you emerged openswan already, we will need to go to the src dir.
Code:
cd /usr/portage/distfiles/

Extract / Patch / Compress
Code:

tar xfvz openswan-2.3.0.tar.gz
cd openswan-2.3.0/programs/pluto
patch ipsec_doi.c <path to>/openswan-2.3.0-NATserver.patch
cd /usr/portage/distfiles
tar cfvz openswan-2.3.0.tar.gz openswan-2.3.0

Digest and Remerge
Code:

ebuild /usr/portage/net-misc/openswan/openswan-2.3.0.ebuild digest
emerge openswan

Start openswan
Code:
/etc/init.d/ipsec start


That should do it..

I am by no means a VPN expert; this was my first shot at one and it was a learning experience, so I figured I would post my findings.

I hope it helps someone..


Last edited by dashnu on Fri Jul 28, 2006 12:48 pm; edited 8 times in total
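A small resolver and checker for the ipsec.conf above, added here as an example (not code from the post or from Openswan). It assumes only the syntax that file uses: 'config setup', 'conn NAME', indented key=value lines, one also= per conn and the implicit 'conn %default'; the virtual_private check follows the post's own practice of excluding the server's LAN with %v4:!192.168.1.0/24.

```python
import ipaddress
import re

# Constructed sample: the ipsec.conf from the post, trimmed to the keys used below.
SAMPLE_CONF = """\
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        authby=secret

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-l2tp
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        right=%any
"""

SECTION_RE = re.compile(r'^(config|conn)\s+(\S+)$')


def parse_ipsec_conf(text):
    """Return (setup, conns): 'config setup' settings and each conn's own,
    still unresolved, key=value lines."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented: section header or keyword
            m = SECTION_RE.match(line)
            if m and m.group(1) == 'config':
                current = setup
            elif m:
                current = conns.setdefault(m.group(2), {})
            else:
                current = None           # 'version 2.0', 'include ...'
            continue
        if current is not None:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return setup, conns


def _expand(name, conns, seen):
    """Follow the also= chain. Assumption: a conn's own keys win over keys
    pulled in through also= (the sample never sets a key twice)."""
    if name in seen:
        raise ValueError(f'also= loop through {name}')
    seen.add(name)
    own = dict(conns[name])
    target = own.pop('also', None)
    merged = _expand(target, conns, seen) if target else {}
    merged.update(own)
    return merged


def resolve_conn(name, conns):
    """Effective settings: 'conn %default' first, then the conn and its also= chain."""
    resolved = dict(conns.get('%default', {}))
    resolved.update(_expand(name, conns, set()))
    return resolved


def check_l2tp_setup(setup, conns):
    """Findings: conns must resolve to authby=secret, and a leftsubnet inside a
    virtual_private range must be carved out with %v4:!... as the post does."""
    allowed, excluded = [], []
    for item in setup.get('virtual_private', '').split(','):
        item = item.strip()
        if item.startswith('%v4:'):      # %v6 entries are ignored here
            net = item[len('%v4:'):]
            bucket = excluded if net.startswith('!') else allowed
            bucket.append(ipaddress.ip_network(net.lstrip('!')))
    findings = []
    for name in conns:
        if name == '%default':
            continue
        conn = resolve_conn(name, conns)
        if conn.get('authby') != 'secret':
            findings.append(f'{name}: authby is {conn.get("authby")!r}, expected secret')
        sub = conn.get('leftsubnet')
        if sub:
            net = ipaddress.ip_network(sub)
            if any(net.subnet_of(a) for a in allowed) and \
                    not any(net.subnet_of(e) for e in excluded):
                findings.append(f'{name}: leftsubnet {sub} is inside virtual_private '
                                f'but not excluded with %v4:!{sub}')
    return findings
```

Without the %v4:! exclusion a road warrior whose home LAN is also 192.168.1.0/24 is accepted into the server's own range, which is the overlap the check reports.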

Morbo
n00b
Joined: 08 Jan 2005
Posts: 19

PostPosted: Sun Apr 17, 2005 3:32 am

Thanks.

Worked great except for one thing. I had to enable "PF_KEY sockets" under Network Options in the kernel as well.

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Sun Apr 17, 2005 12:34 pm

Cool, I added PF_KEY socket.
_________________
write quit bang

wedge14
n00b
Joined: 07 Apr 2005
Posts: 19

PostPosted: Mon Apr 18, 2005 8:08 pm

Thanks for the how-to. One problem so far: when I close the VPN on the XP machine, the pppd process does not always close out properly.

Successful session looks like this...
Code:
Apr 18 15:17:06 [pppd] pppd 2.4.2 started by root, uid 0
Apr 18 15:17:06 [pppd] Using interface ppp0
Apr 18 15:17:06 [pppd] Connect: ppp0 <--> /dev/ttyp0
Apr 18 15:17:06 [pppd] Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Apr 18 15:17:06 [pppd] found interface eth1 for proxy arp
Apr 18 15:17:06 [pppd] local  IP address 192.168.101.25
Apr 18 15:17:06 [pppd] remote IP address 192.168.101.26
Apr 18 15:18:51 [kernel] process `host' is using obsolete setsockopt SO_BSDCOMPAT
Apr 18 15:19:26 [pppd] LCP terminated by peer (y~zM-^?^@<M-Mt^@^@^@^@)
Apr 18 15:19:26 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 50947, Remote: 10_
Apr 18 15:19:26 [pppd] Terminating on signal 15.
Apr 18 15:19:26 [pppd] Modem hangup
Apr 18 15:19:26 [pppd] Connection terminated.
Apr 18 15:19:26 [pppd] Connect time 2.4 minutes.
Apr 18 15:19:26 [pppd] Sent 3100 bytes, received 7649 bytes.
Apr 18 15:19:26 [pppd] Connect time 2.4 minutes.
Apr 18 15:19:26 [pppd] Sent 3100 bytes, received 7649 bytes.
Apr 18 15:19:26 [pppd] Exit.


But most of the time I get this.. with pppd still running
Code:
Apr 18 15:20:21 [pppd] pppd 2.4.2 started by root, uid 0
Apr 18 15:20:21 [pppd] Using interface ppp0
Apr 18 15:20:21 [pppd] Connect: ppp0 <--> /dev/ttyp0
Apr 18 15:20:21 [pppd] Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Apr 18 15:20:21 [pppd] found interface eth1 for proxy arp
Apr 18 15:20:21 [pppd] local  IP address 192.168.101.25
Apr 18 15:20:21 [pppd] remote IP address 192.168.101.26
Apr 18 15:20:56 [pppd] LCP terminated by peer (1M-w^XM-^M^@<M-Mt^@^@^@^@)
Apr 18 15:20:57 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 34032, Remote: 11_


Naturally the ppp(0,1,2....) interfaces start stacking up.

Any thoughts?
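A detector for the stuck-pppd pattern in the two log excerpts above, added as an example and not part of wedge14's post. It assumes the syslog line shape shown there ('Mon DD HH:MM:SS [prog] message') and that the prefix carries no pid, so lines are grouped under the most recent pppd that has not yet logged 'Exit.'.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two syslog excerpts from the post above, trimmed.
# The first session closed cleanly; in the second the peer hung up but pppd
# never exited, which is the case the post describes.
SAMPLE_LOG = """\
Apr 18 15:17:06 [pppd] pppd 2.4.2 started by root, uid 0
Apr 18 15:17:06 [pppd] Using interface ppp0
Apr 18 15:17:06 [pppd] Connect: ppp0 <--> /dev/ttyp0
Apr 18 15:17:06 [pppd] local  IP address 192.168.101.25
Apr 18 15:17:06 [pppd] remote IP address 192.168.101.26
Apr 18 15:19:26 [pppd] LCP terminated by peer
Apr 18 15:19:26 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 50947, Remote: 10_
Apr 18 15:19:26 [pppd] Terminating on signal 15.
Apr 18 15:19:26 [pppd] Connection terminated.
Apr 18 15:19:26 [pppd] Exit.
Apr 18 15:20:21 [pppd] pppd 2.4.2 started by root, uid 0
Apr 18 15:20:21 [pppd] Using interface ppp0
Apr 18 15:20:21 [pppd] local  IP address 192.168.101.25
Apr 18 15:20:21 [pppd] remote IP address 192.168.101.26
Apr 18 15:20:56 [pppd] LCP terminated by peer
Apr 18 15:20:57 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 34032, Remote: 11_
"""

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \[(\w+)\] (.*)$')


@dataclass
class Session:
    started: str                      # timestamp of 'pppd ... started by'
    iface: str = '?'
    remote: str = '?'
    terminated: Optional[str] = None  # timestamp of 'LCP terminated by peer'
    exited: bool = False              # saw 'Exit.'


def parse_sessions(lines) -> List[Session]:
    """Group pppd lines into sessions. The prefix carries no pid, so a line is
    attached to the most recent session that has not exited: exact for one
    client at a time, an approximation when several connect concurrently."""
    sessions: List[Session] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) != 'pppd':
            continue
        ts, msg = m.group(1), m.group(3)
        if msg.startswith('pppd ') and ' started by ' in msg:
            sessions.append(Session(started=ts))
            continue
        live = [s for s in sessions if not s.exited]
        if not live:
            continue
        s = live[-1]
        if msg.startswith('Using interface '):
            s.iface = msg.split()[-1]
        elif msg.startswith('remote IP address '):
            s.remote = msg.split()[-1]
        elif msg.startswith('LCP terminated by peer'):
            s.terminated = ts
        elif msg == 'Exit.':
            s.exited = True
    return sessions


def orphaned_sessions(lines) -> List[Session]:
    """Sessions whose peer hung up but whose pppd never logged 'Exit.': the
    stuck processes that leave ppp0, ppp1, ... piling up and keep the same
    user from reconnecting until they are killed."""
    return [s for s in parse_sessions(lines) if s.terminated and not s.exited]


if __name__ == '__main__':
    for s in orphaned_sessions(SAMPLE_LOG.splitlines()):
        print(f'stuck pppd on {s.iface}: peer {s.remote} left at {s.terminated}, '
              f'session started {s.started}')
```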

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Tue Apr 19, 2005 2:44 pm

I have not noticed this. I am out of the office today so I will look into this first thing tomorrow morning. I imagine bad things will happen if the ppp connects keep stacking up, good find.

Also if anyone ends up using this with some 'load' say 10+ users or so I would love to know how it holds up. I have only tested a single user as of now.
_________________
write quit bang

wedge14
n00b
Joined: 07 Apr 2005
Posts: 19

PostPosted: Tue Apr 19, 2005 5:40 pm

Thanks for looking. As far as I can tell the l2tpd process is spawning a child process, shown here...
Code:
9357 ?        S      0:00 /usr/sbin/pppd passive -detach 192.168.101.25:192.168.101.26 refuse-pap auth require-chap name VPNserver debug file /etc/ppp/options.l2tpd /dev/ttyp0

L2tp is then not properly killing the process when the session disconnects. I have to manually kill it almost every time. Also the client who was connected can't connect again until I do kill it.

I'm considering trying rp-l2tp, any experience with that?

System info:
Kernel 2.6.11-gentoo-r6 - everything built into the kernel rather than modules
Openswan 2.3.1
ppp-2.4.2-r10
Not going through NAT at this time

Other than that it should be identical to your configuration.

Thanks.

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Wed Apr 20, 2005 2:10 pm

I was not able to reproduce your error. I logged in and out about 20 times in a row. Not sure if this has anything to do with it, but are /etc/ppp/ip-up & ip-down executing properly? I did not see anything in your logs relating to it. The only other thing I can think of is the fact that you compiled ppp into your kernel rather than as a module.

Try to check to make sure ip-up and ip-down are executing; if so, I would recompile your kernel with M's.
_________________
write quit bang

wedge14
n00b
Joined: 07 Apr 2005
Posts: 19

PostPosted: Fri Apr 22, 2005 6:33 pm

Got it working!!!

Turns out it was my firewall rules ... duh.

Added the following to iptables for the ppp interfaces..
Code:
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT


Thanks for the help.

SkidSoft
n00b
Joined: 24 Jul 2003
Posts: 48

PostPosted: Thu Apr 28, 2005 4:01 pm

I keep getting...

Code:
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.15.2'
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: I did not send a certificate because I do not have one.
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: sent MR3, ISAKMP SA established
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: responding to Quick Mode {msgid:9bac738d}
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 28 15:31:50 [l2tpd] control_finish: Connection established to 192.168.15.2, 1701.  Local: 46882, Remote: 8.  LNS session is 'default'_
Apr 28 15:31:50 [l2tpd] start_pppd: Unable to open /dev/ttyp0 to launch pppd!_
Apr 28 15:31:50 [l2tpd] control_finish: Call established with 192.168.15.2, Local: 31999, Remote: 1, Serial: 0_
Apr 28 15:31:50 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 28 15:31:50 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: IPsec SA established {ESP=>0x19b50f11 <0x5369b9d6 xfrm=3DES_0-HMAC_MD5}
Apr 28 15:32:16 [l2tpd] control_finish: Connection closed to 192.168.15.2, port 1701 (), Local: 46882, Remote: 8_


I'm using udev and don't understand why it can't open /dev/ttyp0. Can someone give me a clue? :)
_________________
--------------------------------------------------
Skid

And he got his head sent home in a freezerbag!
--Bill Murray in The Man Who Knows Too Little

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Apr 29, 2005 12:36 pm

To be honest udev is brand new to me. I just installed it like a week ago at home. I have not applied it to any of my work servers yet because devfs just works still :P

I looked at home and compared to my work vpn server and both have ttyp0 -> pty/s0.

Do you have this device, and does it point to pty/s0?

It may have something to do with the kernel..

Quote:
Device Drivers --->
Character devices --->
[*] Legacy (BSD) PTY support


Try to compile that in.
_________________
write quit bang

SkidSoft
n00b
Joined: 24 Jul 2003
Posts: 48

PostPosted: Fri Apr 29, 2005 4:48 pm

I have compiled that option in but mine isn't a symlink to the serial port. I'll try that...

[EDIT]
Bad news, didn't work. Now I don't even have a way of getting back my ttyp0 even though it didn't work. Can someone give me a mknod or something to get it back?
_________________
--------------------------------------------------
Skid

And he got his head sent home in a freezerbag!
--Bill Murray in The Man Who Knows Too Little

SkidSoft
n00b
Joined: 24 Jul 2003
Posts: 48

PostPosted: Fri Apr 29, 2005 9:31 pm

Well, got udev a little more configured, but I still get that same error with pppd above.

Can anyone think of anything UDEV related that I might not have right or forgotten?
_________________
--------------------------------------------------
Skid

And he got his head sent home in a freezerbag!
--Bill Murray in The Man Who Knows Too Little

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri May 20, 2005 4:26 pm

I just set this up on gentoo hardened SELinux running udev with no problems. Did you ever get this working with udev?

Narusegawa
Apprentice
Joined: 29 Jun 2004
Posts: 210
Location: Birmingham, UK

PostPosted: Wed Jun 08, 2005 10:25 am

You mention

Quote:
Auth type = PSK / Ms-chap
Ports: 4500 / 500


Are these absolutely needed or can this be done with just L2TP 1701?

I'm moving into a house share soon with a net connection already there, and rather than have them port-forward tons of stuff for me, I want to only forward the L2TP VPN if I can help it.
_________________
WARNING: It is a violation of federal law to use me in a way inconsistent with my labelling. I am dangerous to humans and domestic animals. Please avoid contact with your eyes and clothing. I should be stored out of the reach of children.

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Wed Jun 08, 2005 12:30 pm

This method uses l2tp inside of IPsec. I would not fully trust just a plain l2tp connection. It is rumored not to be secure. The method I talk about allows that port to be closed. If you want to do this, you can look at ..

Code:
/etc/l2tpd/l2tp-secrets
for auth maybe and..

Code:
/etc/l2tpd/l2tpd.conf
for configuration.

However, I am not sure how you would set this up, but I bet you could get it to work.
_________________
write quit bang

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Jun 10, 2005 1:44 pm

wedge14 wrote:
Got it working!!!

Turns out it was my firewall rules ... duh.

Added the following to iptables for the ppp interfaces..
Code:
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT


Thanks for the help.


I am having trouble allowing this to pass through my f-wall.. Can you explain a bit better what you did?

I have the following so far.

<snip>
Code:

#External VPN Access
einfo "Creating external vpn traffic chain"
$IPT -N external-vpn-traffic
$IPT -F external-vpn-traffic
$IPT -A external-vpn-traffic -i $EXTIF -p udp  --dport 4500 -j ACCEPT
$IPT -A external-vpn-traffic -i $EXTIF -p udp  --dport 500 -j ACCEPT

#PPP interfaces forward
einfo "Creating ppp forward traffic chain"
$IPT -N ppp-forward-vpn-traffic
$IPT -F ppp-forward-vpn-traffic
$IPT -A ppp-forward-vpn-traffic -i ppp+ -j ACCEPT
$IPT -A ppp-forward-vpn-traffic -o ppp+ -j ACCEPT

#PPP interfaces out
einfo "Creating ppp output traffic chain"
$IPT -N ppp-output-vpn-traffic
$IPT -F ppp-output-vpn-traffic
$IPT -A ppp-output-vpn-traffic -o ppp+ -j ACCEPT


Then I add my custom rules to input / output / forward
_________________
write quit bang

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Thu Jun 16, 2005 2:45 pm

Fixed.. Added these rules

Code:
# External Input VPN Access
$IPT -N external-vpn-traffic
$IPT -F external-vpn-traffic
$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 500 \
  -j ACCEPT
$IPT -A external-vpn-traffic -p esp -j ACCEPT

Code:
# Output l2tp traffic
$IPT -N allow-l2tp-traffic-out
$IPT -F allow-l2tp-traffic-out
$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 \
  -j ACCEPT

Code:
# Output VPN traffic chain
$IPT -N allow-vpn-traffic-out
$IPT -F allow-vpn-traffic-out
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 \
  -j ACCEPT

Code:
# Output esp packets
$IPT -N allow-esp-traffic-out
$IPT -F allow-esp-traffic-out
$IPT -A allow-esp-traffic-out -p esp -j ACCEPT


Code:

# Rule for VPN (Ipsec/l2tp)
$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1


Also added this rule to redirect ppp to squid for VPN-based web browsing.

Code:
$IPT -A internal-squid-traffic -i $VPN -s $LOCAL_NETWORK -p tcp --dport 3128 -j ACCEPT

and this...
Code:
$IPT -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT \
  --to-port 3128

My almost complete firewall is here for more reference.. http://teh.sh.nu/scripts/firewall.stable (should be firewall kinda stable. :roll:)

Also, if anyone wants to take the time to once-over this script, that would be cool.. It is my first attempt at iptables and I tried it the Gentoo way.
_________________
write quit bang

Lajasha
Veteran
Joined: 17 Mar 2004
Posts: 1040
Location: Vibe Central

PostPosted: Mon Jun 20, 2005 4:06 pm

Has anyone tried this lately? The reason I ask is I can not get the patch to work.

The current version in portage is 2.3.1, so I got the patch for that version and tried to apply it, but it gets rejected.

Code:
patching file ipsec_doi.c
Hunk #1 FAILED at 1526.
1 out of 1 hunk FAILED -- saving rejects to file ipsec_doi.c.rej

Just in case anyone wanted to know what is in the rejects file, here it is for your viewing pleasure.
Code:
****************** 1526,1531 ****
        struct connection *p = find_client_connection(c
            , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);

        if (p == NULL)
        {
            /* This message occurs in very puzzling circumstances
--- 1526,1544 ----
        struct connection *p = find_client_connection(c
            , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);

+ #ifdef NAT_TRAVERSAL
+ #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+     if( (p1st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+        && !(p1st->st_policy & POLICY_TUNNEL)
+        && (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+        && (p == NULL) )
+         {
+           p = c;
+           DBG(DBG_CONTROL, DBG_log("using (something) old for transport mode connection \"%s\"", p->name));
+         }
+ #endif
+ #endif
+
        if (p == NULL)
        {
            /* This message occurs in very puzzling circumstances
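Review bot: as written, the whole added block is inert unless both NAT_TRAVERSAL and I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT are defined when pluto is compiled, so an openswan rebuilt with this hunk applied but without that second define behaves exactly as before; the build step has to set it deliberately, and its name records why it is opt-in: the fallback `p = c;` reuses the Phase 1 connection for a transport-mode peer when the server itself is behind NAT (NAT_TRAVERSAL_NAT_BHND_ME) instead of insisting on a find_client_connection() match. The debug line "using (something) old for transport mode connection" should also name what is being reused, e.g. the parent connection, so the DBG_CONTROL trail is readable when this path fires.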

Any help on this subject would be great.
_________________
Come and play in my land

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Tue Jun 21, 2005 3:38 pm

Maybe a newer patch is provided for that version, but I doubt it.. Someone from the mailing list wrote it; try to post there.
_________________
write quit bang

pava_rulez
Guru
Joined: 02 Mar 2005
Posts: 339
Location: Bologna -> Italy -> Europe

PostPosted: Fri Jul 01, 2005 8:04 am

maletek wrote:
Has anyone tried this lately? The reason I ask is I can not get the patch to work.

The current version in portage is 2.3.1, so I got the patch for that version and tried to apply it, but it gets rejected.

Code:
patching file ipsec_doi.c
Hunk #1 FAILED at 1526.
1 out of 1 hunk FAILED -- saving rejects to file ipsec_doi.c.rej



The same for me, any hint? :cry:

pava_rulez
Guru
Joined: 02 Mar 2005
Posts: 339
Location: Bologna -> Italy -> Europe

PostPosted: Fri Jul 01, 2005 8:41 am

Moreover, I'm gonna ask you another thing: my openswan server is in a DMZ whose gateway to the public internet is a Linux server. So, which parameters do I have to set in l2tpd.conf? I mean listen-addr, port and so on? (The Linux server's external eth?) However, this is my situation:

Code:
 /etc/init.d/l2tpd start
 * Starting l2tpd ...
parse_config: line 13: data 'listen-addr = xxx.xxx.xxx.xxx' occurs with no context
init: Unable to load config file   

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Jul 01, 2005 1:23 pm

Couple of things: I would use the stable version in portage. I am crashing every night with ~x86; going to log a bug if I get a chance.
That patch should work with x86 (I think).

Also some of the info in this howto is not correct. I will update and make it official after it runs stable for a week or so.

Code:
[global]
port = 1701

[lns default]
ip range = 192.168.1.130-192.168.1.149
local ip = 192.168.1.4
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNd00d
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


ip range should be the IPs of the virtual network people will get when they connect to your server.
local ip should be a _free_ IP that the l2tpd daemon can use ..

listen-addr is not used.. It is a way to allow l2tpd to listen on the internal interface only. Since we do not use this, it is very important that l2tpd is blocked by iptables! Port 1701 UDP for external access.

Again, I will update this doc soon, but I go on vacation at the end of day today.
_________________
write quit bang
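A pre-flight linter for l2tpd.conf, added as an example (not l2tpd's own code). It reproduces the 'occurs with no context' rejection l2tpd gives when a setting precedes the first [section] header, the message pava_rulez ran into, and checks the corrected config above against the points in this reply: chap required, pap refused, authentication required, 'ip range' inside the VPN subnet and 'local ip' a free address outside that range. The subnet argument and the constructed sample lines are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the corrected l2tpd.conf from the reply above.
GOOD_CONF = """\
; l2tpd.conf
[global]
port = 1701

[lns default]
ip range = 192.168.1.130-192.168.1.149
local ip = 192.168.1.4
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNd00d
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
"""
# Constructed sample of a setting placed before the first [section] header.
BAD_CONF = "listen-addr = 192.0.2.10\n" + GOOD_CONF

SECTION_RE = re.compile(r'^\[(.+)\]$')
RANGE_RE = re.compile(r'^(\S+)-(\S+)$')
MUST_BE_YES = ('require chap', 'refuse pap', 'require authentication')


def parse_l2tpd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {key: value}}; ';' starts a comment. Like l2tpd, reject a
    'key = value' line that appears before any [section]."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        if current is None:
            raise ValueError(f"parse_config: line {lineno}: data '{line}' occurs with no context")
        key, _, value = line.partition('=')
        current[key.strip()] = value.strip()
    return sections


def parse_error(text: str) -> Optional[str]:
    """The parser's error message for text, or None when it parses."""
    try:
        parse_l2tpd_conf(text)
    except ValueError as exc:
        return str(exc)
    return None


def lint_l2tpd(sections: Dict[str, Dict[str, str]], subnet: str) -> List[str]:
    """Check the first [lns ...] section: CHAP required, PAP refused,
    authentication required, 'ip range' inside subnet, 'local ip' inside
    subnet but outside the range (it must stay free for the daemon)."""
    net = ipaddress.ip_network(subnet)
    lns = next((v for k, v in sections.items() if k.startswith('lns ')), None)
    if lns is None:
        return ['no [lns ...] section, so l2tpd has nothing to hand calls to']
    findings: List[str] = []
    for key in MUST_BE_YES:
        if lns.get(key, '').lower() != 'yes':
            findings.append(f'{key} should be yes, found {lns.get(key)!r}')
    lo = hi = None
    m = RANGE_RE.match(lns.get('ip range', ''))
    if not m:
        findings.append('ip range must be written as first-last')
    else:
        lo, hi = (ipaddress.ip_address(x) for x in m.groups())
        if lo > hi:
            findings.append(f'ip range {lo}-{hi} runs backwards')
        if lo not in net or hi not in net:
            findings.append(f'ip range {lo}-{hi} is not inside {subnet}')
    local = lns.get('local ip')
    if not local:
        findings.append('local ip is missing')
    else:
        local_ip = ipaddress.ip_address(local)
        if local_ip not in net:
            findings.append(f'local ip {local} is not inside {subnet}')
        elif lo is not None and lo <= local_ip <= hi:
            findings.append(f'local ip {local} lies inside ip range, it must stay free')
    return findings
```

Run against the first post's original [lns default] (local ip = 50.50.50.50) it reports exactly the point this reply corrects.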

dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Jul 01, 2005 1:34 pm

Another thing: if you get this up and running, test your incoming / outgoing packets to make sure they are encapsulated. You can use tcpdump. Look for ESP packets, or UDP 4500 if you are using NAT-T (ESP is encapsulated inside of UDP packets with NAT-T).. And nail your firewall to make sure only UDP 500 and 4500 are open externally. If you have a DROP ALL policy, you may want to make sure you log a lot so you can figure out what packets need to be allowed out and forwarded. My firewall settings above are not currently correct. I had to add some stuff for the ppp device also.
_________________
write quit bang

pava_rulez
Guru
Joined: 02 Mar 2005
Posts: 339
Location: Bologna -> Italy -> Europe

PostPosted: Fri Jul 01, 2005 1:40 pm

dashnu wrote:

Again, I will update this doc soon, but I go on vacation at the end of day today.


NOOOOO, you can't leave me this way...
I was joking, have a good time and thanks for the howto! :D

Lajasha
Veteran
Joined: 17 Mar 2004
Posts: 1040
Location: Vibe Central

PostPosted: Fri Jul 01, 2005 1:40 pm

Sorry, no, I have not had a chance to work more on this at the moment; however, if you do figure it out, please post back as to what you did.
_________________
Come and play in my land

All times are GMT
Page 1 of 7