Feature #1957

VPN: support IPsec/L2TP

Added by Giacomo Sanchietti about 8 years ago. Updated almost 8 years ago.

Status: CLOSED
Start date: 09/17/2013
Priority: Normal
Due date: 09/20/2013
Assignee: -
% Done: 100%
Category: nethserver-ipsec
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

shorewall-ipsec.patch (2.21 KB) Giacomo Sanchietti, 08/09/2013 02:48 PM


Related issues

Related to NethServer 6 - Feature #1763: VPN CLOSED 08/28/2013 09/16/2013
Related to NethServer 6 - Enhancement #2248: Store root server certificate in NSS database CLOSED 09/25/2013 09/25/2013
Related to NethServer 6 - Enhancement #2281: Reuse firewall rules on custom zones CLOSED
Related to NethServer 6 - Enhancement #2294: IPSec: honor VPNClientAccess property CLOSED

Associated revisions

Revision 7df481f7
Added by Davide Principi almost 8 years ago

First commit. Refs #1957

Revision 2f4e0795
Added by Davide Principi almost 8 years ago

templates-default: added template-begin-semicolon for config files with comments starting with ";", like smb.conf or xl2tpd.conf. Refs #1957

Revision 85f4399e
Added by Giacomo Sanchietti almost 8 years ago

pki-vpn-gencert: create pkcs12 file. Refs #1763 #1957

Revision 25d473ac
Added by Davide Principi almost 8 years ago

/etc/shorewall/tunnels template: expanded on *-save and *-update events. Refs #1957

Revision 9c61b4d9
Added by Davide Principi almost 8 years ago

/etc/shorewall/policy (20levelHigh): always apply "high" policy. Restore the condition when other policies will be defined. Refs #1957

Revision 6414bc72
Added by Davide Principi almost 8 years ago

/etc/shorewall/hosts template: expanded on *-save and *-update event. Refs #1957

Revision 180c2589
Added by Davide Principi almost 8 years ago

Create empty default vpn DB. Refs #1957

Revision 29edddbd
Added by Davide Principi almost 8 years ago

*.spec.in: added ipset requirement to manage VPN dynamic zones. Refs #1957

Revision f46d0c9c
Added by Davide Principi almost 8 years ago

shorewall/interfaces template (20ppp): generic PPP interface declaration. Refs #1957

Revision 9a08773c
Added by Davide Principi almost 8 years ago

ip-up.local, ip-down.local scripts: set "ipparam" option for pppd to invoke a custom pppd script. Refs #1957

Revision 0a7173b7
Added by Davide Principi almost 8 years ago

Initial IPsec configuration and UI stub. Refs #1957

Revision 9b820623
Added by Davide Principi almost 8 years ago

/etc/ppp/options.xl2tpd template: use green IP as DNS address. Refs #1957

Revision 1c0ef001
Added by Davide Principi almost 8 years ago

Accept DHCP from all interfaces. Refs #1957

Removed interfaces parameter in /etc/dnsmasq.conf template (10base).
bootps UDP port 67 must now be closed by firewall rules on interfaces
that must not allow it.

Revision 916e74bd
Added by Davide Principi almost 8 years ago

Set secret files permissions for root only. Refs #1957

/etc/ipsec.secrets RPM default permissions are 0600, to keep secret
passwords secure. Also NSS DB private RSA key password must be kept
secure in /etc/ipsec.d/nsspassword.

Revision 10e6a240
Added by Davide Principi almost 8 years ago

VPN IPsec UI module. Refs #1957

This first version of the web UI module controls ipsec and xl2tpd
daemons execution, changes RoadWarriors subnet assignment and IPsec
authentication method (PSK or RSA). The nethserver-ipsec-save event
has been defined for these purposes.

Revision 7a115920
Added by Davide Principi almost 8 years ago

Removed IPsec client configuration. Refs #1763 #1957

IPsec "client" configuration is still not supported: we accept L2TP
roadwarriors only.

Revision c86a757d
Added by Davide Principi almost 8 years ago

Changed IPsec UI module labels. Refs #1957

Revision 99cf0c75
Added by Davide Principi almost 8 years ago

use Nethgui\System\PlatformInterface as Validate, instead of "NethPlatform" class. Refs #1957

Revision 0e496e2f
Added by Giacomo Sanchietti almost 8 years ago

createlinks: execute firewall-adjust on nethserver-ipsec-save and nethserver-ipsec-update events. Refs #1957

Revision 68b1c8da
Added by Giacomo Sanchietti almost 8 years ago

ipsec.conf template: change 'leftid' option when rsa authentication is enabled. Refs #1957

Revision f21eda9e
Added by Davide Principi almost 8 years ago

Removed firewall-adjust action from update event. Refs #1957

Update events are designed to be invoked by nethserver yum plugin
after the RPM transaction. The firewall-adjust action is invoked
once, after all update events have been executed.

Revision 4b989f55
Added by Davide Principi almost 8 years ago

Expand /etc/ppp/options.xl2tpd on nethserver-samba-* events. Refs #1957

/etc/ppp/options.xl2tpd must be re-expanded if ntlm_auth binary
becomes available. Also removed pppd settings from xl2tpd.conf.

History

#2 Updated by Giacomo Sanchietti almost 8 years ago

Tested with StrongSwan (not working) and OpenSwan (partially working).

I was able to connect iOS, Android and Windows XP clients using the green interface.
No luck making it work in a server and gateway configuration. Error was:

"L2TP-PSK-NAT"[3] 88.52.179.11 #3: next payload type of ISAKMP Identification Payload has an unknown value: 195
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
| payload malformed after IV
|   ae 2e 8e 03  23 fd 55 1c  7f a8 07 a0  29 a8 d8 13
|   26 bf fa ae
"L2TP-PSK-NAT"[3] 88.52.179.11 #3: sending notification PAYLOAD_MALFORMED to 88.52.179.11:4500

No errors found in PSK configuration.

Below is the configuration, following this tutorial: https://help.ubuntu.com/community/L2TPServer
Configuration uses PSK and password saved in clear-text as chap secrets.

IPSEC configuration

Package installation:

yum localinstall http://ftp.uni-koeln.de/mirrors/fedora/epel/6/i386/epel-release-6-8.noarch.rpm 
yum --enablerepo=epel install openswan xl2tpd

ipsec.conf (replace X.X.X.X with server IP address):

version 2.0     # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    left=X.X.X.X
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    #force all to be nat'ed. because of iOS
    forceencaps=yes

/etc/xl2tpd/xl2tpd.conf:

[global]
ipsec saref = no
; debug tunnel = yes

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd:

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ipsec.d/ipsec.secrets (replace X.X.X.X with server IP address):

X.X.X.X   %any:  PSK "nethesis" 

/etc/ppp/chap-secrets:

test l2tpd nethesis *
test * nethesis *

/etc/xl2tpd/l2tp-secrets:

*    *    nethesis

Add to sysctl and reboot (or activate using echo):

# for ipsec, configure some additional settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Firewall configuration:

config set xl2tpd service status enabled access public UDPPort 1701
config set pluto service status enabled access public UDPPorts 500,4500
signal-event firewall-adjust

A partial Shorewall configuration is in attachment.
More information on Shorewall configuration: http://www.shorewall.net/IPSEC-2.6.html

Start services:

service ipsec start
service xl2tpd start

Logs:
  • /var/log/ipsec.log
  • /var/log/messages (for xl2tpd)

Windows XP/7 configuration (Windows Registry modification required):
http://support.microsoft.com/kb/926179/en-us

Command for checking IPSEC status:

ip -s xfrm state
ip -s xfrm policy
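An added audit script (not part of this issue or of NethServer) that parses the xl2tpd.conf, options.xl2tpd and sysctl settings from the walkthrough above, plus the file mode of ipsec.secrets (the root-only permissions of revision 916e74bd), and reports the weak settings a defender would want flagged. The sample inputs are constructed and the checks and thresholds are this example's own, not the project's.

```python
import re
import stat

# Constructed sample inputs (hypothetical), modelled on the tutorial configuration above.
XL2TPD_CONF = """[global]
ipsec saref = no
; debug tunnel = yes
[lns default]
refuse pap = yes
require authentication = yes
"""
PPP_OPTIONS = "refuse-mschap-v2\nrefuse-mschap\nms-dns 8.8.8.8\nauth\nhide-password\n"
SYSCTL = "net.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 1\n"

def parse_semicolon_ini(text):
    """Parse an INI file whose comments start with ';' (xl2tpd.conf style)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(xl2tpd_conf, ppp_options, sysctl_text, secrets_mode):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lns = parse_semicolon_ini(xl2tpd_conf).get("lns default", {})
    if lns.get("refuse pap") != "yes":
        findings.append("xl2tpd: PAP not refused, cleartext PPP passwords allowed")
    if lns.get("require authentication") != "yes":
        findings.append("xl2tpd: PPP authentication not required")
    opts = {l.split()[0] for l in ppp_options.splitlines() if l.split()}  # first word per line
    if "auth" not in opts:
        findings.append("pppd: 'auth' missing, peer is not authenticated")
    if "refuse-mschap-v2" in opts:
        findings.append("pppd: refuse-mschap-v2 set, clients limited to plain CHAP")
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*(net\.ipv4\.conf\.\w+\.(?:accept|send)_redirects)\s*=\s*(\d)", line)
        if m and m.group(2) != "0":
            findings.append("sysctl: %s should be 0" % m.group(1))
    if secrets_mode & (stat.S_IRWXG | stat.S_IRWXO):   # anything beyond 0600 for root
        findings.append("ipsec.secrets: group/other readable, expected 0600")
    return findings
```

On a live host, pass `os.stat("/etc/ipsec.secrets").st_mode` and the file contents instead of the constructed samples.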

#3 Updated by Giacomo Sanchietti almost 8 years ago

  • Parent task deleted (#1763)

#4 Updated by Davide Principi almost 8 years ago

  • Due date set to 09/20/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 09/17/2013
  • % Done changed from 20 to 30
  • Estimated time set to 24.00

#6 Updated by Davide Principi almost 8 years ago

Radius service is not required if we use the pppd winbind plugin for L2TP authentications and RSA certificates for simple net2net tunnels.

See #1769#note-3

#7 Updated by Davide Principi almost 8 years ago

  • Subject changed from VPN: support L2TP to VPN: support IPsec/L2TP

#8 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Release notes

This L2TP prototype works but some issues are not completely solved:
  1. MS-CHAP(v2) authentication is available only if the ntlm_auth binary is detected when /etc/ppp/options.xl2tpd is expanded. This means that nethserver-samba must be installed to authenticate system users.
    If this is not acceptable, don't install ntlm_auth and define CHAP users in /etc/ppp/chap-secrets.
  2. All system users can connect. We can configure ntlm_auth to check for a specific group membership before granting access. Fixed in #2294
  3. Firewall policy for connections between lvpn and fw zone is ACCEPT without any other rules. Everything is open. This issue must be solved after #2281.

Net2net functionality is partially implemented.

No UI interface is provided at this moment.

Most log information from the ipsec (pluto) daemon is directed to /var/log/ipsec.log. xl2tpd and pppd daemon messages are in /var/log/messages, together with pluto startup/shutdown messages.

Requires
  • nethserver-base-1.4.1-10.0git148d5133.ns6.noarch
  • nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch
  • nethserver-vpn gitd5f5fd8.ns6

Test case 1

Check L2TP with PSK.
  1. Install nethserver-samba and nethserver-ipsec
  2. Set PSK authentication:
       # config setprop ipsec status enabled KeyType psk KeyPskSecret s3cret
       # signal-event nethserver-ipsec-save
  3. Create a user account, user01, set a password xxxx
  4. Configure your L2TP client (I've tested WinXP2/Win7), setting PSK, enabling MS-CHAP
  5. Connect providing user01 credentials
  6. Check green network reachability

Test case 2

Check L2TP with RSA. As case 1, install packages, then
  1. Set RSA authentication:
       # config setprop ipsec status enabled KeyType rsa
       # signal-event nethserver-ipsec-save
  2. Download .p12 user certificate and CA public key ca.crt from VPN/Accounts UI module
  3. Install the certificates in your client. For WinXP I've followed this guide (pdf) from http://kb.juniper.net.
  4. Connect providing user01 credentials
  5. Check green network reachability

#9 Updated by Davide Principi almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Added UI module implementation.

In nethserver-testing:
nethserver-ipsec-0.0.4-1.ns6.noarch.rpm
nethserver-lib-1.3.1-1.0git2f4e0795.ns6.noarch.rpm
nethserver-shorewall-1.0.1-3.0gitaa80bbaf.ns6.noarch

#10 Updated by Davide Principi almost 8 years ago

In nethserver-testing:
nethserver-vpn-1.0.0-25.0git7a115920.ns6.noarch
nethserver-ipsec-0.0.5-1.ns6.noarch
nethserver-firewall-base-1.0.5-7.0git9a08773c.ns6.noarch.rpm

#11 Updated by Giacomo Sanchietti almost 8 years ago

  • Assignee set to Giacomo Sanchietti

#12 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

Tested using samba as domain controller.

Test case 1: FAILED

Firewall rules are not applied by nethserver-ipsec-update and nethserver-ipsec-save events.
After reloading firewall rules, IPSec tunnel and L2TP authentication work correctly.

Tested with Android client, release: 4.2.2 (CyanogenMod)

Test case 2: FAILED

IPSec daemon is not configured correctly to allow RSA authentication.

Changes needed to /etc/ipsec.conf:

--- /etc/ipsec.conf    2013-10-16 09:49:51.593349777 +0000
+++ /etc/ipsec.conf.ok    2013-10-16 09:49:49.246435683 +0000
@@ -39,7 +39,7 @@
 conn %default
     authby=rsasig
     leftcert=fw.test.loc
-    leftid=@fw.test.loc
+    leftid=%fromcert
     leftrsasigkey=%cert
     type=tunnel
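Review bot: `leftid=%fromcert` replaces a literal FQDN identity with one derived from the subject of the certificate named by `leftcert`, which is what lets the RSA test case succeed, but because this line sits in `conn %default` it applies to every conn, including the PSK one; the template should emit `leftid=%fromcert` only when `KeyType` is `rsa` (the conditional change described in revision 68b1c8da) and keep the existing `leftid` otherwise.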

Tested with Android client, release: 4.2.2 (CyanogenMod)

See also #2294

#13 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#14 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Updated /etc/openvpn.conf template and added firewall-adjust action to nethserver-ipsec-update and nethserver-ipsec-save events.

#15 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-ipsec-0.0.5-2.0git68b1c8da.ns6.noarch.rpm

Package in nethserver-updates:
  • nethserver-lib-1.3.2-1.ns6.noarch.rpm

Repeat previous test cases.

#16 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi

#17 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 20

#18 Updated by Davide Principi almost 8 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#19 Updated by Davide Principi almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-ipsec-0.0.7-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.5-4.0git1c0ef001.ns6.noarch.rpm

#20 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi

#21 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#22 Updated by Davide Principi almost 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-ipsec-1.0.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.0.6-1.ns6.noarch.rpm
nethserver-shorewall-1.0.2-1.ns6.noarch.rpm
nethserver-firewall-base-1.0.6-1.ns6.noarch.rpm

with dependencies:
xl2tpd-1.3.1-7.el6.x86_64.rpm (from EPEL)
openswan-2.6.32-20.el6_4.x86_64.rpm (from CentOS updates)
