
IPSEC L2TP VPN on CentOS 6 / Red Hat Enterprise Linux 6 / Scientific Linux 6

Published: 01-12-2014 | Author: Remy van Elst



This is a guide on setting up an IPsec/L2TP VPN on CentOS 6, Red Hat Enterprise Linux 6 or Scientific Linux 6 using Openswan as the IPsec server, xl2tpd as the L2TP provider and ppp for authentication. We choose the IPsec/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs.

IPsec encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. L2TP provides a tunnel to send data. It does not provide encryption and authentication though, which is why we need to use it together with IPsec.

Why a VPN?

More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to live or travel to.

This tutorial is available for the following platforms:

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days. (referral link)

To work through this tutorial you should have:

I do all the steps as the root user. You should do so too, but only via sudo -i or su -. Do not allow root to login via SSH!

Install and downgrade the packages

Install wget and bind-utils (for the host command):

yum install wget bind-utils

Install the EPEL repository for the xl2tpd package. (More info about EPEL).

wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh ./epel-release-6-8.noarch.rpm

Note that the version of epel-release might not be 6.8, but 6.9. Change accordingly.

Now install the required packages: openswan for IPsec, xl2tpd for L2TP and ppp for the authentication:

yum install openswan xl2tpd ppp lsof

Because of a bug in openswan 2.6.32 release 19.el6_3 we need to downgrade openswan to version 2.6.32 release 16.el6. We do this by executing the following command two times (or until we are on 2.6.32 release 16.el6):

yum downgrade openswan
---> Package openswan.i686 0:2.6.32-18.el6_3 will be a downgrade
---> Package openswan.i686 0:2.6.32-19.el6_3 will be erased
yum downgrade openswan
---> Package openswan.i686 0:2.6.32-16.el6 will be a downgrade
---> Package openswan.i686 0:2.6.32-18.el6_3 will be erased

If you cannot downgrade to this version your repo does not have that many older package versions available. You can download it from here for x86 or from here for x64. You can install it afterwards with rpm -i openswan-2.6.32-16.el6.i686.rpm.

Firewall and sysctl

We are going to set the firewall and make sure the kernel forwards IP packets:

Execute this command to enable the iptables firewall to allow the vpn:

iptables --table nat --append POSTROUTING --jump MASQUERADE

Execute the commands below to enable kernel IP packet forwarding and disable ICMP redirects.

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

/etc/rc.local

To make sure this keeps working at boot you might want to add the following to /etc/rc.local:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%

Add it before the exit 0 line and replace %SERVERIP% with the external IP of your VPS.
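A small audit of the forwarding, redirect and NAT settings this section configures, added here as an example and not part of the original article. It parses the text of `sysctl -a` and `iptables -t nat -S` (constructed sample output is embedded), so it can be checked offline and run as a script on the VPN server for the live values.

```python
"""Audit the kernel and NAT settings the VPN needs (added example).
Parses `sysctl -a` and `iptables -t nat -S` text; constructed samples below."""
import re
import subprocess

# What the article sets: forwarding on, ICMP redirects off (globally and per interface).
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
}
PER_IFACE = re.compile(r"^net\.ipv4\.conf\.[^.]+\.(accept_redirects|send_redirects)$")

# Constructed sample output (not captured from a real host).
SAMPLE_SYSCTL_OK = """net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
"""
SAMPLE_SYSCTL_BAD = SAMPLE_SYSCTL_OK.replace("ip_forward = 1", "ip_forward = 0") \
                                    .replace("eth0.send_redirects = 0", "eth0.send_redirects = 1")
SAMPLE_NAT_OK = "-P PREROUTING ACCEPT\n-P POSTROUTING ACCEPT\n-A POSTROUTING -j MASQUERADE\n"

def parse_sysctl(text):
    """Turn `sysctl -a` lines ('key = value') into a dict of strings."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def sysctl_problems(values):
    """List every setting that differs from what the VPN needs; empty list means OK."""
    problems = [f"{k} = {values.get(k, '<missing>')}, want {want}"
                for k, want in REQUIRED_SYSCTL.items() if values.get(k) != want]
    # The per-interface keys are what the loop over /proc/sys/net/ipv4/conf/* sets.
    problems += [f"{k} = {v}, want 0" for k, v in values.items()
                 if k not in REQUIRED_SYSCTL and PER_IFACE.match(k) and v != "0"]
    return problems

def has_masquerade(nat_rules):
    """True if the nat table has the POSTROUTING MASQUERADE (or SNAT) rule clients need."""
    return any(line.startswith("-A POSTROUTING") and ("-j MASQUERADE" in line or "-j SNAT" in line)
               for line in nat_rules.splitlines())

def run(*cmd):
    """Return the stdout of a command (live check; reading the nat table needs root)."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for p in sysctl_problems(parse_sysctl(run("sysctl", "-a"))):
        print("sysctl:", p)
    if not has_masquerade(run("iptables", "-t", "nat", "-S")):
        print("iptables: no POSTROUTING MASQUERADE/SNAT rule; clients will have no internet access")
```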

Configure Openswan (IPSEC)

Use your favorite editor to edit the following file:

/etc/ipsec.conf

Below are the contents of mine. Most lines have a comment below them explaining what they do.

version 2 # conforms to second version of ipsec.conf specification

config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    protostack=netkey
    #decide which protocol stack is going to be used.
    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    auto=add
    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1;modp1024!
    phase2alg=aes256-sha1;modp1024
    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
    type=transport
    #because we use l2tp as tunnel protocol
    left=%SERVERIP%
    #fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=20
    # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.

The shared secret

The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is long and random:

%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

And don't forget to change %SERVERIP% to the public IP of your server.

Verify

Now to make sure IPSEC works, execute the following command:

ipsec verify

My output looks like this:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Configure xl2tpd

Use your favorite editor to edit the following file:

/etc/xl2tpd/xl2tpd.conf

Below are the contents of mine. Most lines have a comment below them explaining what they do.

[global]
ipsec saref = yes
force userspace = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Local user (PAM / /etc/passwd) authentication

To use local user accounts via PAM (or /etc/passwd), and thus not have plain text user passwords in a text file, you have to do a few extra steps. Huge thanks to Sascha Scandella for the hard work and troubleshooting.

In your /etc/xl2tpd/xl2tpd.conf add the following line:

unix authentication = yes

and remove the following line:

refuse pap = yes

In the file /etc/ppp/options.xl2tpd make sure you do not add the following line (below it states to add it, but not if you want to use UNIX authentication):

require-mschap-v2

Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:

login

Change /etc/pam.d/ppp to this:

auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so

Add the following to /etc/ppp/pap-secrets:

*       l2tpd           ""              *

(And, skip the chap-secrets file below (adding users).)

Configuring PPP

Use your favorite editor to edit the following file:

/etc/ppp/options.xl2tpd

Below are the contents of mine. Most lines have a comment below them explaining what they do.

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Adding users

Every user should be defined in the /etc/ppp/chap-secrets file. Below is an example file.

# Secrets for authentication using CHAP
# client       server  secret                  IP addresses
alice          l2tpd   0F92E5FC2414101EA            *
bob            l2tpd   DF98F09F74C06A2F             *
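The shared secret section above asks for a long, random PSK, and this section needs one secret per user. The following is an added example (not code from the original article) that generates such secrets from the OS CSPRNG, renders /etc/ipsec.secrets and /etc/ppp/chap-secrets in the formats shown on this page, flags secrets that are too short, and writes the files with mode 0600. The server IP and the user names it uses are constructed placeholders.

```python
"""Generate and write the VPN's secrets (added example, not from the article)."""
import os
import re
import secrets

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def make_secret(nbytes=20):
    """nbytes from the OS CSPRNG as upper-case hex (20 bytes = 160 bits = 40 chars)."""
    return secrets.token_hex(nbytes).upper()

def secret_problems(secret, min_bits=128):
    """Reasons a secret is unfit for ipsec.secrets or chap-secrets; empty list means OK."""
    problems = []
    # Entropy estimate: 4 bits per random hex digit, roughly 6 per random printable char.
    bits = len(secret) * (4 if HEX_RE.match(secret) else 6)
    if bits < min_bits:
        problems.append(f"only {bits} bits, want at least {min_bits}")
    if '"' in secret or "\n" in secret:
        problems.append('quote or newline would break the PSK "..." quoting')
    return problems

def ipsec_secrets_line(server_ip, psk):
    """The one line /etc/ipsec.secrets needs: our IP, any peer, the PSK in quotes."""
    return f'{server_ip}  %any:   PSK "{psk}"\n'

def chap_secrets_text(users):
    """Render /etc/ppp/chap-secrets for {user: secret}; 'l2tpd' matches 'name l2tpd' in options.xl2tpd."""
    lines = ["# Secrets for authentication using CHAP",
             "# client       server  secret                  IP addresses"]
    lines += [f"{user:<14} l2tpd   {secret:<28} *" for user, secret in users.items()]
    return "\n".join(lines) + "\n"

def write_private(path, content):
    """Create the file with mode 0600 before any secret hits disk; return the final mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # also tightens a pre-existing, world-readable file
    return os.stat(path).st_mode & 0o777

if __name__ == "__main__":
    server_ip = "198.51.100.10"  # constructed placeholder for %SERVERIP%
    psk = make_secret()
    print(ipsec_secrets_line(server_ip, psk), end="")
    print(chap_secrets_text({"alice": make_secret(16), "bob": make_secret(16)}), end="")
    # On the server, instead of printing:
    # write_private("/etc/ipsec.secrets", ipsec_secrets_line(server_ip, psk))
```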

Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

/etc/init.d/ipsec restart;  /etc/init.d/xl2tpd restart

On the client, connect to the server IP address (or add a DNS name) with a valid user, password and the shared secret. Test if you have internet access and which IP you have (via for example whatsmyip.org). If it is the VPN server's IP then it works.

Another nice test is to connect multiple clients, one of which has a webserver. Make sure it only listens on a VPN IP (172.16.1.xxx in the above example). Test if you can access it only via the VPN.

If you experience problems make sure to check the client log files and the /var/log/secure file on the server. If you google the error messages you most of the time get a good answer.

Tags: centos, ipsec, l2tp, openvpn, pptp, red-hat, scientific-linux, tutorials, vpn