Project 9x for CNIT 120: Setting Up an IPSec L2TP VPN server on Ubuntu (15 pts.)

What You Need

Purpose

This project, by itself, has no IPv6 in it. However, IPsec was originally developed as part of IPv6 and configuring it is important.

Also, a later project will use the VPN connection to connect clients to the IPv6 Internet through NAT, so this project is necessary preparation.

Finding your Linux Server's IP Address

On your Linux server, execute this command:
ifconfig
Find your IPv4 address and make a note of it.

The image below shows mine, which was 199.188.72.153:

Adding a Local IP Address

You need to add a local IP address of 172.22.1.1 on your Linux server's interface, for the VPN clients to connect to.

To add a second address to interface eth0, on your Linux server, execute these commands:

sudo ifconfig eth0:0 172.22.1.1/24

ifconfig
The new address shows up as a separate device named eth0:0, as shown below:

Installing openswan

On your Linux server, execute this command:
sudo apt-get install openswan -y
A message appears saying

"Use an X.509 certificate for this host?"

Accept the default selection of No and press Enter.

A message appears saying

"Old runlevel management suspended"

Press Enter.

Editing ipsec.conf

On your Linux server, execute this command:
sudo nano /etc/ipsec.conf
Hold down Ctrl+K to delete it all.

Paste in this code, replacing YOUR.SERVER.IP.ADDRESS with your server's IPv4 address:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Save the file with Ctrl+X, Y, Enter.

Editing ipsec.secrets

On your Linux server, execute this command:
sudo nano /etc/ipsec.secrets
Hold down Ctrl+K to delete it all.

Paste in this code, replacing YOUR.SERVER.IP.ADDRESS with your server's IPv4 address, and YourSharedSecret with something only you know.

YOUR.SERVER.IP.ADDRESS   %any:  PSK "YourSharedSecret"
Save the file with Ctrl+X, Y, Enter.
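Before restarting openswan it is worth checking the two files just edited, since a leftover placeholder or a world-readable ipsec.secrets are the most common mistakes at this point. The script below is an added example, not part of the original project: check_ipsec_conf confirms that left= was replaced with a dotted-quad address, check_secrets confirms that the PSK is present, is not the placeholder, is at least 20 characters long (a threshold chosen for this example) and that the file is mode 600, and gen_psk produces a random 32-byte key to paste into ipsec.secrets. The function names are this example's own; stat -c is the GNU coreutils form found on Ubuntu.

```bash
#!/bin/bash
# Added example: sanity checks for the openswan files edited above.
# Function names and the 20-character minimum are this example's own choices.

# gen_psk: print a random 32-byte pre-shared key, base64-encoded (44 chars).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# check_ipsec_conf FILE: left= must be replaced and must be a dotted quad.
check_ipsec_conf() {
    file="$1"
    left=$(sed -n 's/^[[:space:]]*left=\(.*\)$/\1/p' "$file" | head -n 1)
    case "$left" in
        YOUR.SERVER.IP.ADDRESS|"")
            echo "FAIL: $file: left= placeholder not replaced"; return 1 ;;
    esac
    if ! printf '%s\n' "$left" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "FAIL: $file: left=$left is not an IPv4 address"; return 1
    fi
    echo "OK: $file (left=$left)"
}

# check_secrets FILE: PSK present, not the placeholder, long enough, mode 600.
check_secrets() {
    file="$1"
    ok=0
    if grep -q 'YOUR.SERVER.IP.ADDRESS' "$file"; then
        echo "FAIL: $file: server address placeholder not replaced"; ok=1
    fi
    # Pull the quoted value after PSK out of the first matching line.
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | head -n 1)
    if [ -z "$psk" ]; then
        echo "FAIL: $file: no PSK line found"; ok=1
    elif [ "$psk" = "YourSharedSecret" ]; then
        echo "FAIL: $file: PSK placeholder not replaced"; ok=1
    elif [ "${#psk}" -lt 20 ]; then
        echo "FAIL: $file: PSK shorter than 20 characters"; ok=1
    fi
    # The secret is plaintext, so only root should be able to read the file.
    mode=$(stat -c '%a' "$file")   # GNU stat, as on Ubuntu
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $file: mode $mode, run chmod 600 $file"; ok=1 ;;
    esac
    [ "$ok" -eq 0 ] && echo "OK: $file"
    return "$ok"
}

# Run the checks against the real files when invoked with --run (needs root
# to read ipsec.secrets):  sudo bash check-ipsec.sh --run
if [ "${1:-}" = "--run" ]; then
    check_ipsec_conf /etc/ipsec.conf && check_secrets /etc/ipsec.secrets
fi
```

If check_secrets complains about the mode, sudo chmod 600 /etc/ipsec.secrets fixes it; the daemon reads the file as root and does not need it to be readable by anyone else.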

Stopping Redirects

Openswan requires ICMP redirects to be disabled on every interface. On your Linux server, execute this command:
nano stop-redirects
Paste in this code:
# Turn off ICMP redirects (accept and send) on every interface, including "all" and "default"
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
Save the file with Ctrl+X, Y, Enter.

On your Linux server, execute this command:

sudo bash stop-redirects
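The stop-redirects script writes directly to /proc, so its effect lasts only until the next reboot. The function below, an added example rather than part of the project, reads the same /proc entries back and reports any interface where either knob is still non-zero, which is a quick way to confirm the script worked (or to find out after a reboot that it needs to be run again). It takes an optional directory argument so it can be pointed at a copy of the tree for testing; the default is the real /proc path. The persistent equivalent is to put net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.all.send_redirects = 0, net.ipv4.conf.default.accept_redirects = 0 and net.ipv4.conf.default.send_redirects = 0 in /etc/sysctl.conf and run sudo sysctl -p.

```bash
#!/bin/bash
# Added example: verify that ICMP redirects are disabled on every interface.
# check_redirects [CONFDIR]: CONFDIR defaults to /proc/sys/net/ipv4/conf.
# Prints each interface whose accept_redirects or send_redirects is not 0;
# returns 0 when everything is off, 1 otherwise.
check_redirects() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for each in "$confdir"/*; do
        [ -d "$each" ] || continue
        for knob in accept_redirects send_redirects; do
            # A missing file is reported too, rather than silently passing.
            value=$(cat "$each/$knob" 2>/dev/null || echo missing)
            if [ "$value" != "0" ]; then
                echo "$(basename "$each"): $knob=$value"
                bad=1
            fi
        done
    done
    [ "$bad" -eq 0 ] && echo "OK: redirects disabled on all interfaces"
    return "$bad"
}

# Stand-alone use: check the live system.
#   bash check-redirects.sh --run
if [ "${1:-}" = "--run" ]; then
    check_redirects
fi
```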

Verifying Proper IPsec Function

On your Linux server, execute this command:
sudo ipsec verify
You should see that everything shows a Green OK status except for three items flagged in yellow, as shown below:

Restarting openswan

On your Linux server, execute this command:
sudo /etc/init.d/ipsec restart

Testing a Connection

On your Linux server, execute this command:
tail -f /var/log/auth.log
Log messages appear on the screen. Leave this process running while you attempt to connect from a client, as explained below.

You can test the connection from any OS. I have instructions below for Windows 7 and Mac OS X.

Connecting from a Windows 7 PC

On your Windows 7 desktop, click Start and type in VPN.

Click on "Set up a virtual private network (VPN) connection", as shown below:

In the "Create a VPN connection" box, enter your Linux server's IPv4 address in the "Internet Address" box.

Check the "Don't connect now" box, as shown below:

Click Next.

Enter username student and password "P@ssw0rd" as shown below:

Click Create.

A box appears saying "The connection is ready to use".

Click Close.

On your Windows 7 desktop, click Start and type in CONNECTIONS.

Click on "View network connections".

In the "Network Connections" window, right-click "VPN Connection" and click Properties.

In the "VPN Connection Properties" sheet, click the Security tab, as shown below:

Click the "Advanced settings" button.

In the "Advanced Properties" box, click the "Use preshared key for authentication" button, and enter the key in the Key box, as shown below:

Click the OK button.

In the "VPN Connection Properties" sheet, click the OK button.

In the "Network Connections" window, right-click "VPN Connection" and click Connect.

In the "Connect VPN Connection" box, enter a username of student and a password of P@ssw0rd, as shown below:

Click the Connect button.

The connection will fail, because the VPN is not yet completely configured. That's normal at this point.

If you are using a PC, skip the Mac OS X instructions below, and resume at the "Observing the Correct Operation of IPsec" section below.

Connecting from Mac OS X

In the upper left of the Mac OS X desktop, click the Apple, and then click "System Preferences".

System Preferences opens, as shown below:

In the "Internet & Wireless" section, click Network.

The "Network" box opens, as shown below:

In the lower left corner, click the little + sign.

In the pop-up box, select an Interface of VPN, as shown below:

Click the Create button.

In the right pane, enter your Linux server's IPv4 address, which will be different from the IP address shown in the figure below, and an "Account Name" of student.

Click the "Authentication Settings..." button.

In the next box, enter your password of P@ssw0rd in the top box, and the shared secret in the lower box, as shown below:

Click the OK button.

Click the Connect button.

Click the Apply button. The connection will fail, because the VPN is not yet completely configured. That's normal at this point.

Observing the Correct Operation of IPsec

Look on the Linux server. You should see this message:

STATE_QUICK_R2: IPsec SA established
as shown below on this page:

That shows that IPsec is working properly!
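Watching tail -f by eye works for one client, but once several people connect it is easier to pull the established SAs out of the log. The script below is an added example, not part of the project: established_peers prints the connection name and peer address for every "STATE_QUICK_R2: IPsec SA established" line, and count_established counts them. The sample log in sample_log is constructed for this example (the addresses are documentation ranges and the line layout only approximates pluto's); the one piece of real text is the "IPsec SA established" message shown above.

```bash
#!/bin/bash
# Added example: extract established IPsec SAs from /var/log/auth.log.

# established_peers LOGFILE: print "CONN PEER_IP" for each established SA.
# The pattern keys on the quoted connection name, the peer address that
# follows it, and the state message shown in the project text.
established_peers() {
    sed -n 's/.*pluto\[[0-9]*\]: "\([^"]*\)"[^ ]* \([0-9.]*\) #[0-9]*: STATE_QUICK_R2: IPsec SA established.*/\1 \2/p' "$1"
}

# count_established LOGFILE: number of established SAs (prints 0 if none;
# grep -c exits 1 on zero matches, hence the || true).
count_established() {
    grep -c 'STATE_QUICK_R2: IPsec SA established' "$1" || true
}

# Constructed sample log for stand-alone use (not real output).
sample_log() {
    cat <<'EOF'
Oct 28 10:15:01 vpn pluto[2211]: "L2TP-PSK-NAT"[1] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established transport mode
Oct 28 10:16:40 vpn pluto[2211]: "L2TP-PSK-noNAT" 198.51.100.22 #4: STATE_QUICK_R2: IPsec SA established transport mode
Oct 28 10:17:02 vpn sshd[2300]: Accepted publickey for student from 198.51.100.22 port 50022 ssh2
EOF
}

# Stand-alone use on the real log:  sudo bash ipsec-peers.sh /var/log/auth.log
if [ -n "${1:-}" ]; then
    echo "established SAs: $(count_established "$1")"
    established_peers "$1" | sort | uniq -c
fi
```

Piping established_peers through sort | uniq -c, as the stand-alone branch does, shows how many times each peer has (re)negotiated, which makes a client that keeps dropping and reconnecting stand out.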

Configuring L2TP: Installing xl2tpd

On your Linux server, execute this command:
sudo apt-get install xl2tpd -y

Editing xl2tpd.conf

On your Linux server, execute this command:
sudo nano /etc/xl2tpd/xl2tpd.conf
Hold down Ctrl+K to delete it all.

Paste in this code:

[global]
ipsec saref = no

[lns default]
ip range = 172.22.1.2-172.22.1.99
local ip = 172.22.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Save the file with Ctrl+X, Y, Enter.

Configuring PPP: Installing ppp

On your Linux server, execute this command:
sudo apt-get install ppp -y

Editing options.xl2tpd

On your Linux server, execute this command:
sudo nano /etc/ppp/options.xl2tpd
Hold down Ctrl+K to delete it all.

Paste in this code:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Save the file with Ctrl+X, Y, Enter.

Editing chap-secrets

On your Linux server, execute this command:
sudo nano /etc/ppp/chap-secrets
Hold down Ctrl+K to delete it all.

Paste in this code (for better security, replace P@ssw0rd with a better password, of course):

# user         server      password        ip
student        l2tpd       P@ssw0rd        *
Save the file with Ctrl+X, Y, Enter.
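The three PPP files have to agree with each other: the server column in chap-secrets must match the name option in options.xl2tpd, or pppd will reject every login, and chap-secrets holds plaintext passwords, so it should be readable only by root. The script below is an added example, not part of the project, that checks those points and also flags any account still using the sample password P@ssw0rd. The function names are this example's own and stat -c is the GNU coreutils form used on Ubuntu.

```bash
#!/bin/bash
# Added example: cross-check chap-secrets against options.xl2tpd.

# ppp_name OPTIONSFILE: print the value of the "name" option (what pppd
# will use as the server column when looking up chap-secrets).
ppp_name() {
    awk '$1 == "name" { print $2; exit }' "$1"
}

# check_chap_secrets SECRETS OPTIONS: return 0 if consistent, 1 with reasons.
check_chap_secrets() {
    secrets="$1"; options="$2"
    ok=0
    server=$(ppp_name "$options")
    [ -n "$server" ] || { echo "FAIL: no 'name' option in $options"; return 1; }
    mode=$(stat -c '%a' "$secrets")   # GNU stat, as on Ubuntu
    [ "$mode" = "600" ] || { echo "FAIL: $secrets mode $mode, run chmod 600 $secrets"; ok=1; }
    # Drop comments and blank lines, then inspect each remaining entry.
    entries=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$secrets")
    while read -r user srv pass ip extra; do
        [ -n "$user" ] || continue
        if [ -z "$ip" ] || [ -n "$extra" ]; then
            echo "FAIL: malformed line for user '$user' (need: user server password ip)"; ok=1
            continue
        fi
        if [ "$srv" != "$server" ] && [ "$srv" != "*" ]; then
            echo "FAIL: user $user has server '$srv' but $options says name $server"; ok=1
        fi
        if [ "$pass" = "P@ssw0rd" ] || [ "$pass" = '"P@ssw0rd"' ]; then
            echo "FAIL: user $user still has the sample password"; ok=1
        fi
    done <<EOF
$entries
EOF
    [ "$ok" -eq 0 ] && echo "OK: $secrets consistent with $options"
    return "$ok"
}

# Stand-alone use on the real files:  sudo bash check-ppp.sh --run
if [ "${1:-}" = "--run" ]; then
    check_chap_secrets /etc/ppp/chap-secrets /etc/ppp/options.xl2tpd
fi
```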

Restarting xl2tpd

On your Linux server, execute this command:
sudo /etc/init.d/xl2tpd restart

Connecting from a Client

Once again, there are two sets of instructions here, for PC or Mac.

Connecting from a Windows 7 Client

On your Windows 7 PC, in the "Network Connections" window, right-click "VPN Connection" and click Connect.

The "VPN Connection" icon should turn blue, indicating a connection, as shown below:

On your Windows 7 PC, in the "Network Connections" window, right-click "VPN Connection" and click Status.

In the "VPN Connection Status" box, click the Details tab.

You should see a connection with "Encryption" of "IPsec: AES 128", as shown below:

Saving the Screen Image

Make sure the "Encryption" type of "IPsec: AES 128" is visible.

Save a screen shot of this image with the filename

Proj 9x from Your Name
Since you are using Windows, skip ahead to the "Turning In your Project" section.

Connecting from a Mac OS X Client

In the upper left of the Mac OS X desktop, click the Apple, and then click "System Preferences".

In the "Internet & Wireless" section, click Network.

The "Network" box opens, as shown below:

On the left, click "VPN (L2TP)".

On the right, click the Connect button.

You should see a green dot, with the message "VPN (L2TP) Connected", as shown below:

Saving the Screen Image

Make sure the "VPN (L2TP) Connected" message is visible.

Save a screen shot of this image with the filename

Proj 9x from Your Name

Turning In your Project

Email the image to cnit.120@gmail.com with a subject line of
Proj 9x from Your Name


Last modified 10-28-14