Feature #1957
VPN: support IPsec/L2TP
| Status: | CLOSED | Start date: | 09/17/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 09/20/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-ipsec | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Description
L2TP is the new standard for VPN.
L2TP should be integrated with system users using PAM (may require radius).
See:
Related issues
Associated revisions
First commit. Refs #1957
templates-default: added template-begin-semicolon for config files with comments starting with ";", like smb.conf or xl2tpd.conf. Refs #1957
/etc/shorewall/tunnels template: expanded on *-save and *-update events. Refs #1957
/etc/shorewall/policy (20levelHigh): always apply "high" policy. Restore the condition when other policies will be defined. Refs #1957
/etc/shorewall/hosts template: expanded on *-save and *-update event. Refs #1957
Create empty default vpn DB. Refs #1957
*.spec.in: added ipset requirement to manage VPN dynamic zones. Refs #1957
shorewall/interfaces template (20ppp): generic PPP interface declaration. Refs #1957
ip-up.local, ip-down.local scripts: set "ipparam" option for pppd to invoke a custom pppd script. Refs #1957
Initial IPsec configuration and UI stub. Refs #1957
/etc/ppp/options.xl2tpd template: use green IP as DNS address. Refs #1957
Accept DHCP from all interfaces. Refs #1957
Removed interfaces parameter in /etc/dnsmasq.conf template (10base).
bootps UDP port 67 must now be closed by firewall rules on interfaces
that must not allow it.
Set secret files permissions for root only. Refs #1957
/etc/ipsec.secrets RPM default permissions are 0600, to keep secret
passwords secure. Also NSS DB private RSA key password must be kept
secure in /etc/ipsec.d/nsspassword.
VPN IPsec UI module. Refs #1957
This first version of the web UI module controls ipsec and xl2tpd
daemons execution, changes RoadWarriors subnet assignment and IPsec
authentication method (PSK or RSA). The nethserver-ipsec-save event
has been defined for these purposes.
Changed IPsec UI module labels. Refs #1957
use Nethgui\System\PlatformInterface as Validate, instead of "NethPlatform" class. Refs #1957
createlinks: execute firewall-adjust on nethserver-ipsec-save and nethserver-ipsec-update events. Refs #1957
ipsec.conf template: change 'leftid' option when rsa authentication is enabled. Refs #1957
Removed firewall-adjust action from update event. Refs #1957
Update events are designed to be invoked by nethserver yum plugin
after the RPM transaction. The firewall-adjust action is invoked
once, after all update events have been executed.
Expand /etc/ppp/options.xl2tpd on nethserver-samba-* events. Refs #1957
/etc/ppp/options.xl2tpd must be re-expanded if ntlm_auth binary
becomes available. Also removed pppd settings from xl2tpd.conf.
History
#2 Updated by Giacomo Sanchietti almost 8 years ago
- File shorewall-ipsec.patch added
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
Tested with StrongSwan (not working) and OpenSwan (partially working).
I was able to connect iOS, Android and Windows XP clients using the green interface.
No luck making it work in a server and gateway configuration. Error was:
    "L2TP-PSK-NAT"[3] 88.52.179.11 #3: next payload type of ISAKMP Identification Payload has an unknown value: 195
    "L2TP-PSK-NAT"[3] 88.52.179.11 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet | payload malformed after IV | ae 2e 8e 03 23 fd 55 1c 7f a8 07 a0 29 a8 d8 13 | 26 bf fa ae
    "L2TP-PSK-NAT"[3] 88.52.179.11 #3: sending notification PAYLOAD_MALFORMED to 88.52.179.11:4500
No errors found in PSK configuration.
Below is the configuration, following this tutorial: https://help.ubuntu.com/community/L2TPServer
Configuration uses PSK and password saved in clear-text as chap secrets.
IPSEC configuration
Package installation:
    yum localinstall http://ftp.uni-koeln.de/mirrors/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
    yum --enablerepo=epel install openswan xl2tpd
ipsec.conf (replace X.X.X.X with server IP address):
    version 2.0 # conforms to second version of ipsec.conf specification

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        oe=off
        protostack=netkey
        plutostderrlog=/var/log/ipsec.log

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace IP address with your local IP (private, behind NAT IP is okay as well)
        left=X.X.X.X
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        #force all to be nat'ed. because of iOS
        forceencaps=yes
/etc/xl2tpd/xl2tpd.conf:
    [global]
    ipsec saref = no
    ; debug tunnel = yes

    [lns default]
    ip range = 10.152.2.2-10.152.2.254
    local ip = 10.152.2.1
    ; leave chap unspecified for maximum compatibility with windows, iOS, etc
    ; require chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
/etc/ppp/options.xl2tpd:
    refuse-mschap-v2
    refuse-mschap
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    idle 1800
    mtu 1200
    mru 1200
    lock
    hide-password
    local
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
/etc/ipsec.d/ipsec.secrets (replace X.X.X.X with server IP address):
    X.X.X.X %any: PSK "nethesis"
/etc/ppp/chap-secrets:
    test l2tpd nethesis *
    test * nethesis *
/etc/xl2tpd/l2tp-secrets:
    * * nethesis
Add to sysctl and reboot (or activate using echo):
    # for ipsec, configure some additional settings
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
Firewall configuration:
    config set xl2tpd service status enabled access public UDPPort 1701
    config set pluto service status enabled access public UDPPorts 500,4500
    signal-event firewall-adjust
A partial Shorewall configuration is in attachment.
More information on Shorewall configuration: http://www.shorewall.net/IPSEC-2.6.html
Start services:
    service ipsec start
    service xl2tpd start
Logs:
- /var/log/ipsec.log
- /var/log/messages (for xl2tpd)
Windows XP/7 configuration (Windows Registry modification required):
http://support.microsoft.com/kb/926179/en-us
Command for checking IPSEC status:
    ip -s xfrm state
    ip -s xfrm policy
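The pluto messages quoted in this comment are the kind a defender wants surfaced per peer rather than buried in ipsec.log. The following is an added example, not NethServer project code: it parses pluto's `"conn"[instance] peer #state:` prefix and counts preshared-secret mismatches per peer. LOG is constructed from the messages above; the 198.51.100.7 line and its conn instance are made up.

```python
# Added example, not NethServer project code: classify pluto log lines like
# the ones quoted in comment #2 so a preshared-key mismatch is reported per
# peer. LOG is constructed from those messages; 198.51.100.7 is made up.
import re
from collections import Counter

LOG = """\
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: next payload type of ISAKMP Identification Payload has an unknown value: 195
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: sending notification PAYLOAD_MALFORMED to 88.52.179.11:4500
"L2TP-PSK-NAT"[4] 198.51.100.7 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# pluto prefixes each message with "conn"[instance] peer #state:
LINE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$')

SIGNATURES = (
    ("psk_mismatch", "probable authentication failure"),
    ("malformed", "PAYLOAD_MALFORMED"),
    ("established", "ISAKMP SA established"),
)

def classify(msg):
    """Map a pluto message to a coarse event label."""
    for label, needle in SIGNATURES:
        if needle in msg:
            return label
    return "other"

def summarize(log):
    """Return {(peer, conn): Counter of labels} over the parseable lines."""
    out = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            out.setdefault((m["peer"], m["conn"]), Counter())[classify(m["msg"])] += 1
    return out

def suspects(log, threshold=1):
    """Peers with at least `threshold` PSK-mismatch events: a misconfigured
    client, or a remote party trying secrets against a road-warrior conn."""
    return sorted(peer for (peer, _), counts in summarize(log).items()
                  if counts["psk_mismatch"] >= threshold)
```

Feed it `/var/log/ipsec.log` (plutostderrlog in the config above) and raise `threshold` to whatever your false-positive tolerance for mistyped client PSKs is.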
#3 Updated by Giacomo Sanchietti almost 8 years ago
- Parent task deleted (#1763)
#4 Updated by Davide Principi almost 8 years ago
- Due date set to 09/20/2013
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- Start date set to 09/17/2013
- % Done changed from 20 to 30
- Estimated time set to 24.00
#6 Updated by Davide Principi almost 8 years ago
Radius service is not required if we use the pppd winbind plugin for L2TP authentications and RSA certificates for simple net2net tunnels.
See #1769#note-3
#7 Updated by Davide Principi almost 8 years ago
- Subject changed from VPN: support L2TP to VPN: support IPsec/L2TP
#8 Updated by Davide Principi almost 8 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
This L2TP prototype works but some issues are not completely solved:
- MS-CHAP(v2) authentication is available only if the ntlm_auth binary is detected when /etc/ppp/options.xl2tpd is expanded. This means that nethserver-samba must be installed to authenticate system users. If this is not acceptable, don't install ntlm_auth and define CHAP users in /etc/ppp/chap-secrets.
- All system users can connect. We can configure ntlm_auth to check for a specific group membership before granting access. (Fixed in #2294)
- Firewall policy for connections between lvpn and fw zone is ACCEPT without any other rules. Everything is open. This issue must be solved after #2281.
- Net2net functionality is partially implemented.
- No UI interface is provided at this moment.
Most log information from the ipsec (pluto) daemon is directed to /var/log/ipsec.log. xl2tpd and pppd daemon messages are in /var/log/messages, together with pluto startup/shutdown messages.
- nethserver-base-1.4.1-10.0git148d5133.ns6.noarch
- nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch
- nethserver-vpn gitd5f5fd8.ns6
Check L2TP with PSK.
- Install nethserver-samba and nethserver-ipsec
- Set PSK authentication:
    # config setprop ipsec status enabled KeyType psk KeyPskSecret s3cret
    # signal-event nethserver-ipsec-save
- Create a user account, user01, and set a password xxxx
- Configure your L2TP client (I've tested WinXP2/Win7), setting PSK, enabling MS-CHAP
- Connect providing user01 credentials
- Check green network reachability
Check L2TP with RSA. As in case 1, install packages, then:
- Set RSA authentication:
    # config setprop ipsec status enabled KeyType rsa
    # signal-event nethserver-ipsec-save
- Download the .p12 user certificate and the CA public key ca.crt from the VPN/Accounts UI module
- Install the certificates in your client. For WinXP I've followed this guide (pdf) from http://kb.juniper.net.
- Connect providing user01 credentials
- Check green network reachability
#9 Updated by Davide Principi almost 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
Added UI module implementation.
In nethserver-testing:
nethserver-ipsec-0.0.4-1.ns6.noarch.rpm
nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch.rpm
nethserver-shorewall-1.0.1-3.0gitaa80bbaf.ns6.noarch
#10 Updated by Davide Principi almost 8 years ago
In nethserver-testing:
nethserver-vpn-1.0.0-25.0git7a115920.ns6.noarch
nethserver-ipsec-0.0.5-1.ns6.noarch
nethserver-firewall-base-1.0.5-7.0git9a08773c.ns6.noarch.rpm
#11 Updated by Giacomo Sanchietti almost 8 years ago
- Assignee set to Giacomo Sanchietti
#12 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Tested using samba as domain controller.
Test case 1: FAILED
Firewall rules are not applied by nethserver-ipsec-update and nethserver-ipsec-save events.
After reloading firewall rules, IPSec tunnel and L2TP authentication work correctly.
Tested with Android client, release: 4.2.2 (CyanogenMod)
Test case 2: FAILED
IPSec daemon is not configured correctly to allow RSA authentication.
Changes needed to /etc/ipsec.conf:
--- /etc/ipsec.conf 2013-10-16 09:49:51.593349777 +0000 +++ /etc/ipsec.conf.ok 2013-10-16 09:49:49.246435683 +0000 @@ -39,7 +39,7 @@ conn %default authby=rsasig leftcert=fw.test.loc - leftid=@fw.test.loc + leftid=%fromcert leftrsasigkey=%cert type=tunnel
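Review bot: the `- leftid=@fw.test.loc` / `+ leftid=%fromcert` change in `conn %default` was applied to the live /etc/ipsec.conf, but that file is produced by the ipsec.conf template (see the "ipsec.conf template: change 'leftid' option when rsa authentication is enabled" commit above), so the fix has to land in the template's rsa branch or the next nethserver-ipsec-save expansion will put `leftid=@fw.test.loc` back and test case 2 fails again. Worth a comment in the template too: with `%fromcert` pluto takes its IKE identity from the subject of `leftcert=fw.test.loc`, so the hostname-derived `@fw.test.loc` ID is no longer what is sent to the peer, and anything that hard-codes the server ID on the client side must match the certificate instead.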
Tested with Android client, release: 4.2.2 (CyanogenMod)
See also #2294
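Both the `also=L2TP-PSK-noNAT` layout in comment #2 and the `conn %default` leftid fix in this comment are only visible once inheritance is resolved, which is easy to get wrong by eye. The following is an added example, not NethServer project code: a small ipsec.conf reader that merges `conn %default` and `also=` sections the way pluto does and then flags the two settings this ticket tripped over. SAMPLE is built from the configs quoted in this ticket; the net2net conn and 192.0.2.10 are constructed.

```python
# Added example, not NethServer project code: resolve "conn %default" and
# "also=" inheritance as pluto does, then flag the leftid problem comment #12
# fixed. SAMPLE is built from this ticket's configs; net2net is constructed.
SAMPLE = """\
conn %default
    authby=rsasig
    leftid=@fw.test.loc
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    forceencaps=yes
conn net2net
    right=192.0.2.10
"""

def parse(text):
    """Return {'conn NAME': {key: value}}; section headers start in column 0."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            cur = sections.setdefault(f"{kind} {name.strip()}", {})
        elif cur is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            cur[key.strip()] = value.strip()
    return sections

def resolve(sections, name):
    """%default first, then each also= target, then the conn's own lines win."""
    merged = dict(sections.get("conn %default", {}))
    own = sections[f"conn {name}"]
    for other in filter(None, own.get("also", "").split(",")):
        merged.update(resolve(sections, other))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def check(conn):
    """Issues this ticket hit: RSA needs leftid=%fromcert, L2TP needs NAT-T."""
    issues = []
    if conn.get("authby") == "rsasig" and conn.get("leftid") != "%fromcert":
        issues.append("rsasig conn: set leftid=%fromcert (comment #12 fix)")
    if conn.get("type") == "transport" and conn.get("forceencaps") != "yes":
        issues.append("transport conn: set forceencaps=yes for NAT'd clients")
    return issues
```

Run `check(resolve(parse(open("/etc/ipsec.conf").read()), name))` after each template expansion to catch a regression before a client does.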
#13 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#14 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Updated /etc/openvpn.conf template and added firewall-adjust action to nethserver-ipsec-update and nethserver-ipsec-save events.
#15 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-ipsec-0.0.5-2.0git68b1c8da.ns6.noarch.rpm
- nethserver-lib-1.3.2-1.ns6.noarch.rpm
Repeat previous test cases.
#16 Updated by Davide Principi almost 8 years ago
- Assignee set to Davide Principi
#17 Updated by Davide Principi almost 8 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 20
#18 Updated by Davide Principi almost 8 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
#19 Updated by Davide Principi almost 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-ipsec-0.0.7-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.5-4.0git1c0ef001.ns6.noarch.rpm
#20 Updated by Davide Principi almost 8 years ago
- Assignee set to Davide Principi
#21 Updated by Davide Principi almost 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
#22 Updated by Davide Principi almost 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-ipsec-1.0.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.6-1.ns6.noarch.rpm
nethserver-shorewall-1.0.2-1.ns6.noarch.rpm
nethserver-firewall-base-1.0.6-1.ns6.noarch.rpm
with dependencies:
xl2tpd-1.3.1-7.el6.x86_64.rpm (from EPEL)
openswan-2.6.32-20.el6_4.x86_64.rpm (from CentOS updates)