Setting up a VPN server with OpenSWAN

Linux is probably the platform on which most of your organization's network services will run: it is well suited to file and printer sharing, Web serving and much else.

One of the most frequently requested services is remote access for mobile users. Linux can meet that need as well: you simply build a VPN server with Openswan. Here is how it works.

What’s OpenSWAN?

Openswan is an open source implementation of IPsec for Linux. It is a code fork of the FreeS/WAN project, started by developers frustrated with the problems surrounding that project. This brief walk-through covers the concepts and steps needed to install Openswan. Before installing, check whether an older Openswan package (and the pppd package that the L2TP part needs later) is already present, and remove the old Openswan so that the version you install is the one that runs:

rpm -qa | grep openswan     # is an Openswan package already installed?
rpm -qa | grep ppp          # pppd must be present for the L2TP part below
rpm -e openswan             # remove the old Openswan package, if one was found

From within the directory holding the downloaded packages, run:

rpm -ivh openswan-XXX.rpm
rpm -ivh openswan-doc-XXX.rpm

(where XXX is the release number).

The package installs a default /etc/ipsec.conf. We're going to overwrite it with our own settings, so back up the original first:

cp /etc/ipsec.conf /etc/ipsec.conf_OLD

Now open /etc/ipsec.conf in your favorite text editor, delete everything in it, and paste in the following configuration (replace XXX.XXX.XXX.XXX with the server's public address and YYY.YYY.YYY.YYY with its next-hop gateway):

version 2.0
config setup
     interfaces=%defaultroute
     klipsdebug=none
     plutodebug=none
     overridemtu=1410
     nat_traversal=yes
     # Private ranges a NATed client may sit behind. Add %v4:!192.168.1.0/24
     # (your own LAN/pool subnet) so a client on that same range cannot be confused with it.
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
     keyingtries=3
     compress=yes
     disablearrivalcheck=no
     # Pre-shared key authentication: the key itself lives in /etc/ipsec.secrets
     authby=secret
     type=tunnel
     keyexchange=ike
     ikelifetime=240m
     keylife=60m
conn roadwarrior-net
     leftsubnet=192.168.0.0/16
     also=roadwarrior
conn roadwarrior-all
     leftsubnet=0.0.0.0/0
     also=roadwarrior
# L2TP inside IPsec: the built-in Windows client negotiates a transport-mode SA,
# so these two connections override the tunnel default. This one matches a client
# that proposes any server-side UDP port (17/0)...
conn roadwarrior-l2tp
     type=transport
     leftprotoport=17/0
     rightprotoport=17/1701
     also=roadwarrior
# ...and this one a client that proposes port 1701 on both ends (updated Windows clients).
conn roadwarrior-l2tp-updatedwin
     type=transport
     leftprotoport=17/1701
     rightprotoport=17/1701
     also=roadwarrior
conn roadwarrior
     pfs=no
     left=XXX.XXX.XXX.XXX
     leftnexthop=YYY.YYY.YYY.YYY
     right=%any
     rightsubnet=vhost:%no,%priv
     auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
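The authby=secret line above means the road warriors authenticate with a pre-shared key, and the article does not say where that key goes. Openswan reads it from /etc/ipsec.secrets; the entry below is an added example (not from the original article), with XXX.XXX.XXX.XXX standing for the server address used in left= and the key text being a placeholder you must replace. Because right=%any identifies clients only by their address, IKEv1 main mode with pre-shared keys forces every road warrior to share this one key, so make it long and random and treat it as a group credential rather than a per-user password.

```text
# /etc/ipsec.secrets (added example; XXX.XXX.XXX.XXX = the server address from left=)
XXX.XXX.XXX.XXX %any: PSK "replace-with-a-long-random-pre-shared-key"
```

Generate the key with something like head -c 32 /dev/urandom | base64, keep the file mode 0600 and owned by root, and load it with ipsec auto --rereadsecrets (or by restarting ipsec).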

Installing l2tp

If your distribution ships an l2tpd package, install it as root with the package manager. Otherwise, install l2tpd from source: download the l2tpd source archive (together with the SysV init script and patch that accompany it) to /usr/local/src, then run the following commands:

cd /usr/local/src
tar zxf l2tpd-0.69.tar.gz
mv l2tpd-0.69.sysv.patch l2tpd-0.69/     # the SysV patch belongs in the unpacked source tree
mv l2tpd /etc/rc.d/init.d/               # the init script (a file named l2tpd) goes into the init directory
cd l2tpd-0.69
patch < l2tpd-0.69.sysv.patch
make
cp l2tpd /usr/sbin                        # the freshly built daemon binary
chmod 755 /usr/sbin/l2tpd

l2tpd should now be properly installed.

Before you move on, it’s best to take care of the start-up environment for l2tp by issuing the following commands:

chmod 755 /etc/rc.d/init.d/l2tpd
chkconfig --add l2tpd
chkconfig l2tpd on

The configuration files for l2tpd live in /etc/l2tp. The installation should create this directory automatically; if it has, you are heading in the right direction.

Open /etc/l2tp/l2tp.conf and add the following:

[global]
port = 1701
[lns default]
ip range = 192.168.1.101-192.168.1.254
local ip = 192.168.1.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

The ip range line is the pool of addresses handed to clients when their connections are established, and local ip is the address used by the server end of each PPP link; it must lie outside that pool. Adjust both to fit your network.

PPP configuration

The VPN setup is almost done, but PPP still has to be configured, because l2tpd carries each client session over a PPP link. The l2tp.conf we just edited names /etc/ppp/options.l2tpd as the pppoptfile (PPP options file). Create this file and paste in the following:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2          # DNS server pushed to Windows clients (use your own)
ms-wins 192.168.1.3         # WINS server pushed to Windows clients (use your own, or omit)
noccp                       # do not negotiate compression (CCP); it is unneeded inside IPsec
auth                        # require the peer to authenticate itself
crtscts
idle 1800                   # drop the link after 30 minutes without traffic
mtu 1410
mru 1410                    # stay below the IPsec/L2TP overhead so packets are not fragmented
nodefaultroute
debug
lock
proxyarp                    # answer ARP on the LAN for the client's address
connect-delay 5000
silent

Open /etc/ppp/chap-secrets in your favorite text editor. Each line of this file has the format:

client     server     secret     IP addresses

Here is an example:

# Secrets for authentication using CHAP
# client     server     secret         IP addresses
# A VPN user: "*" in the server column accepts any name this server's pppd presents.
username     *          "password"     192.168.1.0/24
# Mirror entry, consulted only when this host authenticates itself to a peer named
# "username"; an incoming-only server does not need it.
*            username   "password"     192.168.1.0/24

The IP addresses column lists the addresses a client may be given; pppd refuses any address l2tpd assigns that is not allowed here, so make sure it covers the ip range configured above.
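The two address settings just described (the ip range and local ip in l2tp.conf, and the IP addresses column in chap-secrets) have to agree with each other, and a mismatch only shows up as a failed connection later. The script below is an added example, not part of the original article: it cross-checks the two files before the daemons are started. It assumes the file layouts shown above; the sample files it is exercised with are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): cross-check the address settings in
# l2tp.conf against the "IP addresses" column of chap-secrets before starting the daemons.
# Assumes the file layouts shown above; the sample files in the test are constructed.

# Dotted quad -> integer, using POSIX sh arithmetic only.
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# net_covers NET FIRST LAST -> 0 when the whole FIRST..LAST range (integers) lies inside NET.
# NET is a.b.c.d/N, a bare address (taken as /32) or "*", which pppd treats as "any address".
net_covers() {
    if [ "$1" = '*' ]; then return 0; fi
    case $1 in */*) net=${1%/*} bits=${1#*/} ;; *) net=$1 bits=32 ;; esac
    size=1 h=$(( 32 - bits ))
    while [ "$h" -gt 0 ]; do size=$(( size * 2 )); h=$(( h - 1 )); done
    base=$(( $(ip4_to_int "$net") / size ))
    [ $(( $2 / size )) -eq "$base" ] && [ $(( $3 / size )) -eq "$base" ]
}

# check_vpn_pool L2TP_CONF CHAP_SECRETS: prints each problem; returns how many (0 = consistent).
check_vpn_pool() {
    conf=$1 secrets=$2 bad=0
    range=$(sed -n 's/^[[:space:]]*ip range[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1 | tr -d ' \r')
    local_ip=$(sed -n 's/^[[:space:]]*local ip[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1 | tr -d ' \r')
    if [ -z "$range" ] || [ -z "$local_ip" ]; then
        echo "ip range or local ip is not set in $conf"; return 1
    fi
    first=$(ip4_to_int "${range%-*}") last=$(ip4_to_int "${range#*-}") lip=$(ip4_to_int "$local_ip")
    if [ "$first" -gt "$last" ]; then
        echo "ip range $range is reversed"; bad=$(( bad + 1 ))
    fi
    # l2tpd must never hand the server's own address to a client.
    if [ "$lip" -ge "$first" ] && [ "$lip" -le "$last" ]; then
        echo "local ip $local_ip lies inside the client pool $range"; bad=$(( bad + 1 ))
    fi
    # pppd rejects the address l2tpd assigns unless the user's entry allows it, so the
    # IP-addresses field of every entry has to cover the whole pool.
    entries=$(awk '!/^[ \t]*#/ && NF >= 4 { print $1, $4 }' "$secrets")
    while read -r user net; do
        [ -n "$user" ] || continue
        net_covers "$net" "$first" "$last" ||
            { echo "chap-secrets entry for $user allows $net, which does not cover $range"; bad=$(( bad + 1 )); }
    done <<EOF
$entries
EOF
    return "$bad"
}

# usage: sh vpn-pool-check.sh /etc/l2tp/l2tp.conf /etc/ppp/chap-secrets
if [ "$#" -eq 2 ]; then
    check_vpn_pool "$1" "$2"
fi
```

Run it against the real files and fix every line it prints before starting l2tpd; a zero exit status means the pool, the server address and every user's allowed addresses are consistent.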

Start it up

The order of starting will be l2tp followed by OpenSWAN. First, run the command:

/etc/rc.d/init.d/l2tpd start

Next, fire up OpenSWAN with the command:

/etc/rc.d/init.d/ipsec start

If there are any errors they will be reported in /var/log/messages and /var/log/secure. Running ipsec verify checks the kernel and system prerequisites Openswan needs, and ipsec auto --status lists the connections it has loaded.

Now that you have OpenSWAN and l2tp up and running you will have to configure your firewall to route packets from your external to internal interfaces. In order to do this, Packet Forwarding must be switched on. To switch it on, open /etc/sysctl.conf and change:

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

That file is only read at boot, so also apply the change immediately with sysctl -p (or sysctl -w net.ipv4.ip_forward=1).

Make sure UDP 500 (IKE), UDP 4500 (IKE and ESP encapsulated for NAT traversal) and IP protocol 50 (native ESP, used by clients that are not behind NAT) are allowed in. TCP 4500 is not used by IPsec. Without these, your VPN will not allow traffic in.

If you use iptables as your firewall, add the following rules to the /etc/sysconfig/iptables file (ppp+ matches the per-client PPP links; eth1 is assumed to be the internal interface, so change it to match your server; the last rule admits native ESP):

-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

Decrypted L2TP packets are delivered to l2tpd on UDP 1701 as well. With the NETKEY stack they pass through the INPUT chain a second time, so accept UDP 1701 only together with the IPsec policy match (-m policy --dir in --pol ipsec); an unconditional UDP 1701 accept would let anyone reach l2tpd, and its CHAP exchange, in the clear. With KLIPS the decrypted packets arrive on the ipsec0 interface instead.
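Because a missing or over-broad rule here is easy to overlook, the following added example (not from the original article) audits a rule file for what the L2TP/IPsec server needs and prints a rule set that passes. It assumes rules in the iptables-save "-A CHAIN ..." form used by /etc/sysconfig/iptables, the RH-Firewall-1-INPUT chain from the page, eth1 as the internal interface and the NETKEY stack (a KLIPS ipsec+ accept is recognised too); the rule sets it is exercised with are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): audit an iptables rule file for
# what an L2TP/IPsec server needs, and print a corrected rule set.
# Assumptions: rules are in iptables-save "-A CHAIN ..." form as in
# /etc/sysconfig/iptables, the chain is RH-Firewall-1-INPUT as on the page, and
# eth1 is the internal interface. The sample rule sets in the test are constructed.

# accept_rule FILE REGEX -> 0 if an ACCEPT rule in the chain matches REGEX
accept_rule() {
    grep -E -- "^-A RH-Firewall-1-INPUT .*$2.*-j ACCEPT" "$1" >/dev/null
}

# check_vpn_rules FILE: prints each missing or unsafe item; returns how many were found.
check_vpn_rules() {
    f=$1 bad=0
    accept_rule "$f" '-p udp .*--dport 500 ' || { echo "missing: IKE, UDP 500"; bad=$(( bad + 1 )); }
    accept_rule "$f" '-p udp .*--dport 4500 ' || { echo "missing: NAT-T, UDP 4500"; bad=$(( bad + 1 )); }
    # Clients that are not behind NAT send native ESP (IP protocol 50), not UDP 4500.
    accept_rule "$f" '-p (50|esp) ' || { echo "missing: ESP, IP protocol 50"; bad=$(( bad + 1 )); }
    # Decrypted L2TP must reach l2tpd on UDP 1701, but only if it arrived inside IPsec:
    # NETKEY re-injects it through INPUT (match with -m policy --pol ipsec), KLIPS delivers it on ipsec+.
    if ! accept_rule "$f" '-m policy .*--pol ipsec .*--dport 1701 ' &&
       ! accept_rule "$f" '--dport 1701 .*-m policy .*--pol ipsec ' &&
       ! accept_rule "$f" '-i ipsec[+] '; then
        echo "missing: L2TP, UDP 1701, limited to IPsec-protected packets"; bad=$(( bad + 1 ))
    fi
    # An unconditional UDP 1701 accept lets anyone talk to l2tpd (and attempt CHAP) in the clear.
    if grep -E -- '^-A RH-Firewall-1-INPUT .*--dport 1701 .*-j ACCEPT' "$f" |
       grep -E -v -- '--pol ipsec' >/dev/null; then
        echo "unsafe: UDP 1701 accepted without an IPsec policy match"; bad=$(( bad + 1 ))
    fi
    accept_rule "$f" '-i ppp[+] ' || { echo "missing: accept from client PPP links (-i ppp+)"; bad=$(( bad + 1 )); }
    return "$bad"
}

# vpn_rules_example: a rule set that passes check_vpn_rules (NETKEY stack; TCP 4500 is not needed).
vpn_rules_example() {
    cat <<'EOF'
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -m policy --dir in --pol ipsec -m udp -p udp --dport 1701 -j ACCEPT
EOF
}

# usage: sh vpn-rules-check.sh /etc/sysconfig/iptables
if [ "$#" -eq 1 ]; then
    check_vpn_rules "$1"
fi
```

Run against the page's own rule list, the checker reports the missing ESP accept and the missing policy-matched L2TP accept; against a file containing a bare UDP 1701 accept it flags the plaintext exposure as well.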

Congratulations! You now have an Openswan VPN server running. The next article will show how to configure the client side.
