Setup L2TP/IPsec VPN Server with NAT Traversal

This article covers setting up an L2TP VPN server that sits behind a NAT box.

Let us consider the scenario. This is a typical office network requirement where you have to keep your IPsec VPN server behind the NAT box.


This article explains how to configure an L2TP VPN server with IPsec encryption. The important point here is that our L2TP VPN server is inside a firewall with NAT.

L2TP/IPsec server internal IP address: 192.168.10.10 (CentOS 6)

Gateway IP address: 192.168.10.254

External NATed IP address of the server: 1.2.3.4

At the end of this setup we should be able to connect to the office network from Windows, Linux, Apple Mac, iOS and Android devices.

Below are the steps:

Download and install the required packages.

1. Install IPsec

We will be using Openswan for the IPsec requirements. Openswan can be installed with

yum install openswan

yum install openswan-doc   # optional: Openswan documentation and sample configs

This installs the default IPsec files and directories. Edit /etc/ipsec.conf and make sure it contains the entries below:

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        # Private ranges a NATed client may sit behind. If one of them
        # overlaps the office LAN, exclude it, e.g. append ,%v4:!192.168.10.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        leftnexthop=%defaultroute
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=%defaultroute
        # leftprotoport=17/%any
        leftprotoport=17/1701
        # Openswan needs both ends defined: accept any client address and
        # any source port (clients behind NAT do not always use 1701).
        right=%any
        rightprotoport=17/%any

And edit /etc/ipsec.secrets as below (plain double quotes, not typographic ones):

192.168.10.10   %any:   PSK "Your presharedsecret"

Please note that you use your private IP address, not the public NATed one, as the local server address. Also choose a pre-shared key that is long enough.
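To make "long enough" concrete, here is an added example (not part of the original article) that generates a random pre-shared key, refuses short or malformed ones, and writes the ipsec.secrets entry with owner-only permissions. The server address 192.168.10.10 is the one used in this article; the 32-character minimum is an assumed policy of this script.

```shell
#!/bin/sh
# Added example, not from the original article: generate a strong pre-shared
# key and write the /etc/ipsec.secrets entry for it. 192.168.10.10 is the
# server's private address from the article; the minimum length is our own
# policy (assumption), since the article only says "long enough".

PSK_MIN_LEN=32   # characters; a 48-byte random key base64-encodes to 64

# gen_psk [BYTES]: print BYTES of random data base64-encoded on one line.
gen_psk() {
    bytes="${1:-48}"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$bytes" | tr -d '\n'
    else
        head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
    fi
}

# psk_ok PSK: succeed only if PSK is at least PSK_MIN_LEN characters and
# contains no double quote, which would break the quoted secrets syntax.
psk_ok() {
    psk="$1"
    [ "${#psk}" -ge "$PSK_MIN_LEN" ] || return 1
    case "$psk" in
        *\"*) return 1 ;;
    esac
    return 0
}

# render_secrets_line LOCAL_IP PSK: the ipsec.secrets line. "%any" on the
# peer side is what lets roaming clients behind NAT match the entry.
render_secrets_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# write_secrets FILE LOCAL_IP PSK: refuse weak keys and create the file
# readable by its owner only, since it holds the cleartext key.
write_secrets() {
    file="$1"
    psk_ok "$3" || { echo "refusing weak or malformed PSK" >&2; return 1; }
    ( umask 077; render_secrets_line "$2" "$3" > "$file" )
    chmod 600 "$file"
}

# Run as: RUN_SETUP=1 sh psk.sh   (on the VPN server, as root)
if [ "${RUN_SETUP:-0}" = 1 ]; then
    key=$(gen_psk 48)
    write_secrets /etc/ipsec.secrets 192.168.10.10 "$key"
    echo "wrote /etc/ipsec.secrets with a ${#key}-character PSK"
fi
```

The functions only define behaviour; nothing is written unless RUN_SETUP=1 is set, so the script can be sourced and checked first. Restart the IPsec daemon after replacing the secrets file.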

IPsec has problems with ICMP redirects, so they need to be disabled in the kernel. You can do this by running the following command:

for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done

You can verify the IPsec setup by running ipsec verify:

[root@l2tp ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-220.7.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

You may have to adjust iptables and NAT rules to get the desired result; we are not going to do that now.

After correcting any issues you can restart the IPsec daemon:

sudo /etc/init.d/ipsec restart
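The ipsec verify output above checks two things worth re-checking on every boot: that ICMP redirects are off on every interface and that pluto is bound to UDP 500 and 4500 (xl2tpd adds UDP 1701). The following is an added example, not from the original article, that wraps those checks in functions taking their input as arguments, so they can be run against the live /proc tree and ss output or, as in the embedded sample, against constructed data.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# IPsec side. redirects_disabled/disable_redirects cover the ICMP redirect
# knobs that "ipsec verify" tests; listening_ok checks that the daemons are
# bound to UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP). Inputs are passed as
# arguments so the functions can also run against a scratch directory or
# captured output. SS_SAMPLE is constructed output, not from a real host.

# redirects_disabled [CONFDIR]: succeed when every interface under CONFDIR
# (default /proc/sys/net/ipv4/conf) has accept_redirects and
# send_redirects set to 0; name the offending knobs on stderr otherwise.
redirects_disabled() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for each in "$dir"/*; do
        for knob in accept_redirects send_redirects; do
            [ -f "$each/$knob" ] || continue
            if [ "$(cat "$each/$knob")" != "0" ]; then
                echo "$each/$knob is enabled" >&2
                bad=1
            fi
        done
    done
    return "$bad"
}

# disable_redirects [CONFDIR]: the article's loop, with its separators fixed,
# applied to CONFDIR (needs root when CONFDIR is the real /proc tree).
disable_redirects() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    for each in "$dir"/*; do
        for knob in accept_redirects send_redirects; do
            if [ -f "$each/$knob" ]; then
                echo 0 > "$each/$knob"
            fi
        done
    done
    return 0
}

# listening_ok SS_OUTPUT: given the text of "ss -lun" (or "netstat -lun"),
# succeed only if UDP 500, 4500 and 1701 all appear as bound local ports.
listening_ok() {
    out="$1"
    for port in 500 4500 1701; do
        if ! printf '%s\n' "$out" | grep -Eq "[:.]$port([[:space:]]|\$)"; then
            echo "udp/$port is not listening" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample of "ss -lun" on a correctly configured server.
SS_SAMPLE='UNCONN  0  0        0.0.0.0:500    0.0.0.0:*
UNCONN  0  0        0.0.0.0:4500   0.0.0.0:*
UNCONN  0  0  192.168.10.10:1701   0.0.0.0:*'

# Run as: RUN_CHECKS=1 sh preflight.sh   (on the VPN server)
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    redirects_disabled && echo "ICMP redirects: disabled on all interfaces"
    listening_ok "$(ss -lun)" && echo "IKE, NAT-T and L2TP ports: listening"
fi
```

Running it with RUN_CHECKS=1 after the daemons are up gives a quick pass/fail for the two conditions that most often break NAT traversal: a redirect knob re-enabled by a network script, or pluto not bound to 4500.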

At this stage IPsec is ready. Let us now configure the L2TP VPN.

L2TP Setup

First install the packages needed to compile xl2tpd for your kernel:

yum install make

yum install libpcap-devel

There are different L2TP packages available. We will be using xl2tpd from www.xelerance.com, which is a reliable one.

wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz

tar -zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0

make

make install

Now make the configuration directory for xl2tpd:

mkdir -p /etc/xl2tpd

Copy the xl2tpd.conf file to this directory, as that is the standard place for its configuration files.

/etc/xl2tpd/xl2tpd.conf should look similar to the following:

[global]
ipsec saref = yes
listen-addr = 192.168.10.10

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.3.3.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Note that the listen-addr we used is 192.168.10.10, the local IP address of the VPN server, and that inside the tunnel we are using the 10.1.2.x network.

User authentication will be handled by PPP, so we need to install and configure PPP:

yum install ppp

Make sure the PPP options file that xl2tpd points to, /etc/ppp/options.xl2tpd, contains the following:

require-mschap
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Note that we are forcing MS-CHAP authentication (PAP is refused).

For user authentication, usernames and passwords need to be in /etc/ppp/chap-secrets, one line per user (client, server, secret, allowed IP addresses). Secrets containing spaces must be quoted.

####### system-config-network will overwrite this part!!! (end) ############
# client      server   secret                     IP addresses
username1     *        "your account password"    *
username2     *        "your account password"    *
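Because chap-secrets holds cleartext passwords and pppd gives whitespace, quotes, '*' and '#' special meaning in it, adding users by hand is error-prone. Here is an added example, not from the original article, that appends a user with a generated password, rejects unsafe names and duplicates, and keeps the file owner-only. The usernames and the temporary file are constructed; "l2tpd" in the server column matches the "name l2tpd" option above (the "*" used in the article would also work).

```shell
#!/bin/sh
# Added example, not from the original article: add a VPN user to a
# chap-secrets file with a generated password. The four-column layout
# (client, server, secret, allowed IPs) is pppd's format as used in the
# article; "l2tpd" in the server column matches "name l2tpd" in
# options.xl2tpd (the article's "*" would also work). Usernames and the
# test file are constructed.

# valid_username NAME: allow letters, digits, dot, dash and underscore only,
# so the name cannot contain whitespace, quotes, '*' or '#', which pppd
# treats specially in this file.
valid_username() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# gen_password: 16 random bytes, base64 (24 characters), no quotes/spaces.
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 16 | tr -d '\n'
    else
        head -c 16 /dev/urandom | base64 | tr -d '\n'
    fi
}

# user_exists FILE NAME: succeed if NAME already has a (non-comment) entry.
user_exists() {
    [ -f "$1" ] || return 1
    awk -v u="$2" '!/^#/ && $1 == u { f = 1 } END { exit (f ? 0 : 1) }' "$1"
}

# add_chap_user FILE NAME [PASSWORD]: append an entry, refusing unsafe names
# and duplicates; keep the file owner-only since it holds cleartext secrets.
# Prints the password so it can be handed to the user.
add_chap_user() {
    file="$1"; user="$2"; pass="${3:-$(gen_password)}"
    valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    if user_exists "$file" "$user"; then
        echo "user already present: $user" >&2
        return 1
    fi
    ( umask 077; printf '%s\tl2tpd\t"%s"\t*\n' "$user" "$pass" >> "$file" )
    chmod 600 "$file"
    printf '%s\n' "$pass"
}

# Run as: RUN_ADD=1 VPN_USER=alice sh adduser.sh   (as root)
if [ "${RUN_ADD:-0}" = 1 ]; then
    add_chap_user /etc/ppp/chap-secrets "${VPN_USER:?set VPN_USER}"
fi
```

pppd re-reads chap-secrets on each connection, so no restart is needed after adding a user; removing a user is a matter of deleting their line.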

Routing.

We need to enable packet forwarding between the interfaces:

# enable forwarding immediately
sysctl -w net.ipv4.ip_forward=1
# make it permanent: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then reload
sed -i 's/^net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p

The sysctl -w call only changes the running kernel; the /etc/sysctl.conf edit is what keeps the ip_forward change across reboots.

At this stage your new VPN server is ready to test. For testing purposes, restart IPsec and run the xl2tpd daemon manually in the foreground:

/etc/init.d/ipsec  restart

xl2tpd -D -c /etc/xl2tpd/xl2tpd.conf

You should now see the L2TP VPN working with IPsec encryption. Once you have confirmed that it works, copy the xl2tpd.init script from the source tree to /etc/init.d/xl2tpd and enable it (for example with chkconfig --add xl2tpd and chkconfig xl2tpd on) so that xl2tpd starts on reboot.

Add the following to /etc/rc.local so that the redirect settings are reapplied on each reboot and IPsec keeps working:

for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done
