VPN server L2TP/IPSec (PSK) on Debian 6.0 squeeze

Network layout:

Internet === Router (192.168.0.1) === Debian SRV(192.168.0.2, GW 192.168.0.1, DNS 192.168.0.1)

apt-get install openswan xl2tpd ppp

/etc/ipsec.conf:

version 2.0

config setup
    plutostderrlog=/var/log/ipsec.log
    nat_traversal=yes
    virtual_private=%v4:!10.0.0.0/24
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes
    compress=yes

conn l2tp-psk-nat
    rightsubnet=vhost:%priv
    also=l2tp-psk-nonat

conn l2tp-psk-nonat
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    keyexchange=ike
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.2
    leftprotoport=17/1701
    leftnexthop=192.168.0.1
    right=%any
    rightprotoport=17/%any

/etc/ipsec.secrets:

192.168.0.2 %any : PSK "very-secret-key"

/etc/xl2tpd/xl2tpd.conf:

[global]
; listen-addr = 192.168.0.2
; port = 1701
ipsec saref = yes
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
force userspace = yes
;
[lns default] ; Our fallthrough LNS definition
ip range = 10.0.0.10-10.0.0.100 ; * Allocate from this IP range
assign ip = yes
local ip = 10.0.0.1 ; * Our local IP to use
length bit = yes ; * Use length bit in payload?
require chap = yes ; * Require CHAP auth. by peer
refuse pap = yes ; * Refuse PAP authentication
require authentication = yes ; * Require peer to authenticate
; name = l2tpVPN ; * Report this as our hostname
ppp debug = yes ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/options.xl2tpd:

ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
logfile /var/log/xl2tpd.log
noccp
auth
crtscts
lock
hide-password
modem
mru 1280
mtu 1280
debug
nodefaultroute
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
idle 1800
connect-delay 5000

/etc/ppp/chap-secrets:

test l2tpd "testpassword" *

iptables (VPN server):
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT # accept on 1701 only packets that arrived through IPsec
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # let VPN clients talk beyond their own ppp link
iptables -A FORWARD -i eth0 -o ppp+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE # masquerade the clients behind the server's IP

iptables (router):
# DNAT is only valid in PREROUTING/OUTPUT; forward incoming VPN traffic to the Debian server (192.168.0.2)
iptables -t nat -A PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.2:500
iptables -t nat -A PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.0.2:4500
iptables -t nat -A PREROUTING -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.0.2:1701
iptables -t nat -A PREROUTING -p 50 -j DNAT --to-destination 192.168.0.2

Windows XP/7 (reboot after adding the value):

In Windows, create a DWORD value named AssumeUDPEncapsulationContextOnSendRule in the registry key listed below and set it to 2.

• for Windows XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPsec
• for Windows Vista/7: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

By default, a VPN connection in Windows XP/7 sets the default route through the VPN network. To change this, clear the checkbox:
VPN connection properties - Networking - Internet Protocol TCP/IP - Properties - Advanced
"Use default gateway on remote network". DNS can also be set manually so that by default it is taken from the existing local connection.
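As an added consistency check (example code written for this page, not part of the original post): a small Python lint over constructed copies of the four files above that catches the mistakes most often made with this setup, such as typographic quotes in ipsec.secrets, an L2TP pool outside the MASQUERADEd subnet, UDP/1701 accepted without the IPsec policy match, and DNAT in the wrong chain. The file contents and the two deliberately wrong iptables rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the setup above (not the real files); the iptables sample has two deliberate mistakes.
IPSEC_CONF = """config setup
    virtual_private=%v4:!10.0.0.0/24
conn l2tp-psk-nonat
    left=192.168.0.2
"""
IPSEC_SECRETS = '192.168.0.2 %any : PSK "very-secret-key"\n'
XL2TPD_CONF = """[lns default]
ip range = 10.0.0.10-10.0.0.100 ; * Allocate from this IP range
local ip = 10.0.0.1 ; * Our local IP to use
"""
IPTABLES_RULES = """iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 500 -j DNAT --to-destination 192.168.0.2:500
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
"""

def value(text, key):
    """First 'key = value' line in an ipsec.conf/xl2tpd.conf style file, comment stripped."""
    m = re.search(r"^\s*%s\s*=\s*(.+)$" % re.escape(key), text, re.M)
    return re.split(r"[#;]", m.group(1))[0].strip() if m else None

def lint_vpn_setup(ipsec_conf, ipsec_secrets, xl2tpd_conf, iptables_rules):
    findings = []  # empty list means the four files agree
    # ipsec.secrets: address must match left=, and the PSK must sit in straight double quotes
    m = re.match(r"(\S+)\s+%any\s*:\s*PSK\s+(.*)", ipsec_secrets.strip())
    if not m or m.group(1) != value(ipsec_conf, "left"):
        findings.append("ipsec.secrets PSK line does not name the address set by left=")
    elif not re.fullmatch(r'"[^"]+"', m.group(2)):
        findings.append("PSK must be in straight double quotes (typographic quotes break parsing)")
    # xl2tpd: pool and local ip must be inside the MASQUERADEd subnet, local ip outside the pool
    lo, hi = (ipaddress.ip_address(a) for a in value(xl2tpd_conf, "ip range").split("-"))
    local_ip = ipaddress.ip_address(value(xl2tpd_conf, "local ip"))
    if lo <= local_ip <= hi:
        findings.append("local ip lies inside the client ip range")
    masq = re.search(r"-s (\S+) .*-j MASQUERADE", iptables_rules)
    vpn_net = ipaddress.ip_network(masq.group(1)) if masq else None
    if vpn_net is None or any(a not in vpn_net for a in (lo, hi, local_ip)):
        findings.append("MASQUERADE source subnet does not cover the xl2tpd addresses")
    # the L2TP subnet should be excluded from virtual_private so a NATed client's LAN cannot claim it
    if vpn_net and "!%s" % vpn_net not in (value(ipsec_conf, "virtual_private") or ""):
        findings.append("virtual_private does not exclude the L2TP subnet %s" % vpn_net)
    for rule in iptables_rules.splitlines():
        if "--dport 1701" in rule and "-j ACCEPT" in rule and "--pol ipsec" not in rule:
            findings.append("UDP/1701 accepted without '-m policy --pol ipsec': unencrypted L2TP would be accepted")
        if "-j DNAT" in rule and "POSTROUTING" in rule:
            findings.append("DNAT target is only valid in PREROUTING/OUTPUT, not POSTROUTING")
    return findings
```

Running `lint_vpn_setup(IPSEC_CONF, IPSEC_SECRETS, XL2TPD_CONF, IPTABLES_RULES)` on the constructed sample reports the missing policy match on 1701 and the DNAT in POSTROUTING; with those two rules corrected it returns an empty list.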

