Linux is the most likely platform on which you will implement network services for your organization's users; it is suitable for file and printer sharing and for Web serving, among other things.
One of the most commonly required network services is remote access for mobile users. Linux can meet that requirement as well: you simply need to create a VPN server using OpenSWAN. Here is how it works.
OpenSWAN is an Open Source implementation of IPSec for Linux. It is actually a code fork of the FreeS/WAN project, started by developers frustrated with the challenges surrounding that project. This brief walk-through will help you understand the concepts and steps to install Openswan. Before installing, make sure you have the latest stable release of OpenSWAN; you can check what is currently installed, and remove an old version, with these commands:
rpm -qa|grep openswan
rpm -qa|grep ppp
rpm -e openswan
From within the directory housing the files, run the commands:
rpm -ivh openswan-XXX.rpm (where XXX is the release number)
rpm -ivh openswan-doc-XXX.rpm (where XXX is the release number)
The installation creates /etc/ipsec.conf. We're going to overwrite that file with our own information, so back it up first with the following command:
cp /etc/ipsec.conf /etc/ipsec.conf_OLD
Now, open the /etc/ipsec.conf file in your favorite text editor, delete all the information in it, and paste the following code into that file:
#Disable Opportunistic Encryption
All you need to do, as root, is run the command:
If you are installing l2tp from source, you will need to download the l2tp source to /usr/local/src.
Then run the following commands:
cd /usr/local/src
tar zxf l2tpd-0.69.tar.gz
mv l2tpd-0.69.sysv.patch l2tpd-0.69/
mv l2tpd /etc/rc.d/init.d/
cd l2tpd-0.69
patch < l2tpd-0.69.sysv.patch
make
cp l2tpd /usr/sbin
chmod 755 /usr/sbin/l2tpd
l2tp should now be properly installed.
Before you move on, it’s best to take care of the start-up environment for l2tp by issuing the following commands:
chmod 755 /etc/rc.d/init.d/l2tpd
chkconfig --add l2tpd
chkconfig l2tpd on
The configuration files for l2tp are located in /etc/l2tp. If the installation created this directory automatically (it should), you are heading in the right direction.
Open /etc/l2tp/l2tp.conf and add the following:
[global]
port = 1701

[lns default]
ip range = 192.168.1.101-192.168.1.254
local ip = 192.168.1.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
The ip range setting is the range of IP addresses that clients will be given when a connection is established. The local ip line is the server's address on the tunnel. Adjust both to fit your network.
The VPN setup is almost done, but PPP must be configured first, because l2tp uses it to tunnel into the server. The l2tpd configuration we just edited names /etc/ppp/options.l2tpd as the pppoptfile (PPP options file). Create this file and paste in the following:
ipcp-accept-remote
ms-dns 192.168.1.2
ms-wins 192.168.1.3
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
Next, open /etc/ppp/chap-secrets in your favorite text editor. Each line of this file has the format:
client    server    secret    IP addresses
Here is an example:
# Secrets for authentication using CHAP
# client    server    secret        IP addresses
username    *         "password"    192.168.1.0/24
*           username  "password"    192.168.1.0/24
The IP addresses field must cover the range of IP addresses handed out to clients, so make sure it matches the ip range in /etc/l2tp/l2tp.conf.
Start it up
The order of starting will be l2tp followed by OpenSWAN. First, run the command:
Next, fire up OpenSWAN with the command:
If there are any errors they will be reported in /var/log/messages and /var/log/secure.
Now that you have OpenSWAN and l2tp up and running, you will have to configure your firewall to route packets from your external to your internal interfaces. For this, packet forwarding must be switched on. To enable it, open /etc/sysctl.conf and change:
net.ipv4.ip_forward = 0
to:
net.ipv4.ip_forward = 1
Make sure the UDP 500 and 4500 and TCP 4500 ports are all open. Without these ports open, your VPN will not allow traffic in.
If you use iptables as your firewall, add the following rules to the /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
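The l2tp.conf, chap-secrets and sysctl edits above are easy to get subtly wrong (a server address inside the client pool, a pool the chap-secrets address field does not cover, a world-readable password file). The following script, an added example and not part of the original article, checks those files; the sample files it writes are constructed copies of the article's values, and the function names are its own.

```shell
#!/bin/sh
# Sanity checks for the l2tpd, chap-secrets and sysctl files written above.
# Added example, not from the original article; the sample files are constructed.

ip2int() {                       # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
conf_get() {                     # value of "$2 = ..." in an l2tp.conf-style file $1
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
secrets_cidr() {                 # "IP addresses" field of the first chap-secrets entry
  awk '!/^[ \t]*#/ && NF >= 4 { print $4; exit }' "$1"
}

# The server's "local ip" must not sit inside the client "ip range".
check_pool_excludes_server() {
  range=$(conf_get "$1" "ip range"); me=$(ip2int "$(conf_get "$1" "local ip")")
  [ "$me" -lt "$(ip2int "${range%-*}")" ] || [ "$me" -gt "$(ip2int "${range#*-}")" ]
}
# Every address in "ip range" must fall inside the chap-secrets CIDR ($2),
# or some clients will be assigned an address the secret line does not permit.
check_pool_in_cidr() {
  range=$(conf_get "$1" "ip range"); bits=${2#*/}
  mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
  net=$(( $(ip2int "${2%/*}") & mask ))
  [ $(( $(ip2int "${range%-*}") & mask )) -eq "$net" ] &&
  [ $(( $(ip2int "${range#*-}") & mask )) -eq "$net" ]
}
# chap-secrets holds plaintext passwords: only its owner may read it.
check_secrets_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }
# sysctl.conf must carry the ip_forward = 1 line the article requires.
check_ip_forward() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed copies of the article's configuration, to demonstrate the checks.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '[lns default]\nip range = 192.168.1.101-192.168.1.254\nlocal ip = 192.168.1.100\n' >"$tmp/l2tp.conf"
printf '# client server secret IP addresses\nusername * "password" 192.168.1.0/24\n' >"$tmp/chap-secrets"
chmod 600 "$tmp/chap-secrets"
printf 'net.ipv4.ip_forward = 1\n' >"$tmp/sysctl.conf"
check_pool_excludes_server "$tmp/l2tp.conf" || echo "FAIL: local ip lies inside the client pool"
check_pool_in_cidr "$tmp/l2tp.conf" "$(secrets_cidr "$tmp/chap-secrets")" || echo "FAIL: pool not covered by chap-secrets"
check_secrets_private "$tmp/chap-secrets" || echo "FAIL: chap-secrets readable by group/others"
check_ip_forward "$tmp/sysctl.conf" || echo "FAIL: ip_forward not enabled in sysctl.conf"
```

Point the functions at the real /etc/l2tp/l2tp.conf, /etc/ppp/chap-secrets and /etc/sysctl.conf to check a live server; a silent run means all four checks passed.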
Congratulations! You now have an OpenSWAN VPN server running. The next article will show how to configure the VPN on the client side.