NethServer 6

Tested with StrongSwan (not working) and OpenSwan (partially working).

I was able to connect iOS, Android and Windows XP clients using the green interface.
No luck to make it work in a server and gateway configuration. Error was:

"L2TP-PSK-NAT"[3] 88.52.179.11 #3: next payload type of ISAKMP Identification Payload has an unknown value: 195
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
| payload malformed after IV
|   ae 2e 8e 03  23 fd 55 1c  7f a8 07 a0  29 a8 d8 13
|   26 bf fa ae
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: sending notification PAYLOAD_MALFORMED to 88.52.179.11:4500

Below the configuration following this tutorial: https://help.ubuntu.com/community/L2TPServer
Configuration uses PSK and password saved in clear-text as chap secrets.

IPSEC configuration¶

Package installation:

yum localinstall http://ftp.uni-koeln.de/mirrors/fedora/epel/6/i386/epel-release-6-8.noarch.rpm 
yum --enablerepo=epel install openswan xl2tpd

ipsec.conf (replace X.X.X.X with server IP address):

version 2.0     # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    left=X.X.X.X
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    #force all to be nat'ed. because of iOS
    forceencaps=yes

/etc/xl2tpd/xl2tpd.conf:

[global]
ipsec saref = no
; debug tunnel = yes

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd:

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ipsec.d/ipsec.secrets (replace X.X.X.X with server IP address):

X.X.X.X   %any:  PSK "nethesis" 

/etc/ppp/chap-secrets:

test l2tpd nethesis *
test * nethesis *

/etc/xl2tpd/l2tp-secrets:

*    *    nethesis

Add to sysctl and reboot (or activate using echo):

# for ipsec, configure some additional settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Firewall configuration:

config set xl2tpd service status enabled access public UDPPort 1701
config set pluto service status enabled access public UDPPorts 500,4500
signal-event firewall-adjust

Start services:

service ipsec start
service xl2tpd start

• /var/log/ipsec.log
• /var/log/messages (for xl2tpd)

Windows XP/7 configuration (Windows Registry modification required):
http://support.microsoft.com/kb/926179/en-us

Command for checking IPSEC status:

ip -s xfrm state
ip -s xfrm policy

1. MS-CHAP(v2) authentication is available only if ntlm_auth binary is detected when /etc/ppp/options.xl2tpd is expanded. This means that nethserver-samba must be installed to authenticate system users.
   If this is not acceptable, don't install ntlm_auth and define CHAP users in /etc/ppp/chap-secrets.
2. All system users can connect. We can configure ntlm_auth to check for a specific group membership before grant access. Fixed in #2294
3. Firewall policy for connections between lvpn and fw zone is ACCEPT without any other rules. Everything is open. This issue must be solved after #2281.

Net2net functionality is partially implemented.

No UI interface is provided at this moment.

Most log informations from ipsec (pluto) daemon are directed to /var/log/ipsec.log. xl2tpd and pppd daemons messages are in /var/log/messages, together with pluto startup/shutdown messages.

• nethserver-base-1.4.1-10.0git148d5133.ns6.noarch
• nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch
• nethserver-vpn gitd5f5fd8.ns6

1. Install nethserver-samba and nethserver-ipsec
2. Set PSK authentication:

      # config setprop ipsec status enabled KeyType psk KeyPskSecret s3cret
      # signal-event nethserver-ipsec-save
   

3. Create a user account, user01, set a password xxxx
4. Configure your L2TP client (I've tested WinXP2/Win7), setting PSK, enabling MS-CHAP
5. Connect providing user01 credentials
6. Check green network reachability

1. Set RSA authentication:

      # config setprop ipsec status enabled KeyType rsa
      # signal-event nethserver-ipsec-save
   

2. Download .p12 user certificate and CA public key ca.crt from VPN/Accounts UI module
3. Install the certificates in your client. For WinXP I've followed this guide (pdf) from http://kb.juniper.net.
4. Connect providing user01 credentials
5. Check green network reachability

Added UI module implementation.

In nethserver-testing:
nethserver-ipsec-0.0.4-1.ns6.noarch.rpm
nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch.rpm
nethserver-shorewall-1.0.1-3.0gitaa80bbaf.ns6.noarch

Tested using samba as domain controller.

Test case 1: FAILED

Firewall rules are not applied by nethserver-ipsec-update and nethserver-ipsec-save events.
After reloading firewall rules, IPSec tunnel and L2TP authentication work correctly.

Tested with Android client, release: 4.2.2 (CyanogenMod)

Test case 2: FAILED

IPSec daemon is not configured correctly to allow RSA authentication.

Changes needed to /etc/ipsec.conf:

--- /etc/ipsec.conf    2013-10-16 09:49:51.593349777 +0000
+++ /etc/ipsec.conf.ok    2013-10-16 09:49:49.246435683 +0000
@@ -39,7 +39,7 @@
 conn %default
     authby=rsasig
     leftcert=fw.test.loc
-    leftid=@fw.test.loc
+    leftid=%fromcert
     leftrsasigkey=%cert
     type=tunnel

Tested with Android client, release: 4.2.2 (CyanogenMod)

See also #2294

Updated /etc/openvpn.conf template and added firewall-adjust action to nethserver-ipsec-update and nethserver-ipsec-save events.

• nethserver-ipsec-0.0.5-2.0git68b1c8da.ns6.noarch.rpm

• nethserver-lib-1.3.2-1.ns6.noarch.rpm

Repeat previous test cases.

In nethserver-testing:
nethserver-ipsec-0.0.7-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.5-4.0git1c0ef001.ns6.noarch.rpm

VERIFIED

In nethserver-updates:
nethserver-ipsec-1.0.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.6-1.ns6.noarch.rpm
nethserver-shorewall-1.0.2-1.ns6.noarch.rpm
nethserver-firewall-base-1.0.6-1.ns6.noarch.rpm

with dependencies:
xl2tpd-1.3.1-7.el6.x86_64.rpm (from EPEL)
openswan-2.6.32-20.el6_4.x86_64.rpm (from CentOS updates)