How to configure IPSec/L2TP VPN server in CentOS 6

I’ve been using PPTP as a VPN solution for a while (despite its security obsolescence); however, I have the feeling that one of my ISPs has started filtering and/or throttling PPTP traffic that goes outside its network.

As a result, I had to look for an alternate VPN system to use when I need to dial back to my home network while on the move to access my media library or when I require a trusted connection or a whitelisted IP.

The next best thing (and least complicated to set up going from PPTP) is IPSec/L2TP, which has built-in support in most current operating systems (including Windows, Linux and Android).

Prerequisites

Due to its double-encapsulation nature (L2TP performs the tunnelling of data and IPSec provides the encrypted channel), L2TP/IPSec has a more complex setup and configuration procedure, both for the server and the client:

  • OpenSWAN provides the IPSec component, encapsulating packets between the client and the server and providing basic network connectivity and authentication. On connection, the client presents a pre-shared key to the server; OpenSWAN then establishes the IPSec tunnel and passes control to xl2tpd.
  • xl2tpd provides the component which connects the two networks (the client’s and the server’s) together. It talks to pppd to authenticate a user, and then makes that user appear on the local network as an IP in its defined range.
  • pppd provides authentication for users.

This way, two secrets are required: one for the IPSec component provided by OpenSWAN (the pre-shared key, which every client uses), and one for the actual user account which is connecting to the VPN.

These are the addresses used in the configurations below; adjust them to suit your own network:

  • 192.168.1.0/24 – local LAN network range
  • 192.168.1.100 – LAN IP of VPN server (also running the DNS server)
  • 192.168.1.1 – peer local IP of the L2TP VPN
  • 192.168.1.101-120 – local IP range used for the L2TP tunnels, outside of the DHCP allocation range
  • 192.168.1.254 – router NATting internet traffic for the LAN

Packages

To set up a server on CentOS, we start by installing the necessary software (pppd is shipped in the ppp package, and xl2tpd comes from the EPEL repository, so enable that first if you haven't already):

yum install openswan xl2tpd ppp
chkconfig ipsec on
chkconfig xl2tpd on

Then edit /etc/sysctl.conf and set

net.ipv4.ip_forward = 1

so the server forwards packets between the VPN clients and the LAN; run sysctl -p to apply it without a reboot.

Edit /etc/rc.local and add the following at the end. Disabling ICMP redirects stops the NETKEY stack from emitting bogus redirects for tunnelled traffic, and rp_filter=0 is needed because packets decrypted from the tunnel would otherwise fail the reverse-path check; bear in mind that the latter also removes the kernel's source-address anti-spoofing check on every interface:

# Correct ICMP Redirect issues with OpenSWAN
for each in /proc/sys/net/ipv4/conf/*; do
   echo 0 > "$each/accept_redirects"
   echo 0 > "$each/send_redirects"
   echo 0 > "$each/rp_filter"
done

IPSec

Edit /etc/ipsec.conf to contain:

config setup
   klipsdebug=none
   plutodebug=none
   protostack=netkey
   nat_traversal=yes
   virtual_private=%v4:192.168.1.0/24
   interfaces="%defaultroute"
   oe=off

conn L2TP-PSK
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   rekey=no
   type=transport
   forceencaps=yes
   right=%any
   rightsubnet=vhost:%no,%priv
   rightprotoport=17/%any
   leftnexthop=%defaultroute
   left=%defaultroute
   leftprotoport=17/1701

A note on virtual_private: it lists the private address ranges that clients behind NAT may have (rightsubnet=vhost:%no,%priv matches a client's inner address against it), so a road-warrior client sitting in 10.0.0.0/8 or 172.16.0.0/12 will only be accepted if those ranges are listed as well.

Next edit /etc/ipsec.secrets and define the PSK secret (preshared key as it’s named in most clients) for IPSec. The first field is the server's own address on the interface that %defaultroute selects (or %any), the second is the peer, and the secret itself must be quoted; keep the file readable by root only (mode 600):

192.168.1.1   %any:   PSK "yoursecretkey"

Xl2tpd

Moving on to xl2tpd, edit /etc/xl2tpd/xl2tpd.conf to contain the following (listen-addr is the server address xl2tpd binds to, ip range is the pool handed out to connecting clients, and local ip is the address used by the server's end of each PPP link):

[global]
listen-addr = 192.168.1.1

[lns default]
ip range = 192.168.1.101-192.168.1.120
local ip = 192.168.1.100
refuse pap = yes
require authentication = yes
name = LinuxVPNServer
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Then create /etc/ppp/options.xl2tpd with the following (ms-dns is the DNS server pushed to clients, and auth makes pppd require every client to authenticate):

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

The last step is to edit /etc/ppp/chap-secrets and insert records for all logins allowed into the VPN. The file holds the passwords in the clear, so keep it owned by root with mode 600:

# Secrets for authentication using CHAP
# client server secret IP addresses
firstusername * firstpassword *
secondusername * secondpassword *
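The five files above share a handful of addresses that have to agree with each other, so here is an added example, a POSIX shell script that is not part of the original tutorial nor of Openswan or xl2tpd, which renders all of them from one set of variables and writes the two secrets files with mode 600. The address defaults are the page's sample values; the PSK default is a constructed placeholder, and PREFIX, write_file and the render_* function names are this example's own:

```shell
#!/bin/sh
# Added example (not from the original tutorial): render the five config files
# shown above from one set of variables. Address defaults are the page's sample
# values; the PSK default is a constructed placeholder. PREFIX=. writes under
# ./etc for review, PREFIX=/ (run as root) writes the live files.
set -eu
: "${PREFIX:=.}"
: "${SERVER_IP:=192.168.1.1}"        # listen-addr and the local side in ipsec.secrets
: "${LAN_NET:=192.168.1.0/24}"
: "${PPP_LOCAL_IP:=192.168.1.100}"   # "local ip": server end of each PPP link
: "${POOL:=192.168.1.101-192.168.1.120}"
: "${DNS_IP:=192.168.1.1}"
: "${PSK:=REPLACE-ME-example-psk}"   # constructed placeholder, change before use

render_ipsec_conf() {
  cat <<EOF
config setup
   klipsdebug=none
   plutodebug=none
   protostack=netkey
   nat_traversal=yes
   virtual_private=%v4:$LAN_NET
   interfaces="%defaultroute"
   oe=off

conn L2TP-PSK
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   rekey=no
   type=transport
   forceencaps=yes
   right=%any
   rightsubnet=vhost:%no,%priv
   rightprotoport=17/%any
   leftnexthop=%defaultroute
   left=%defaultroute
   leftprotoport=17/1701
EOF
}
# Openswan syntax: <local> <remote>: PSK "secret" (the secret must be quoted)
render_ipsec_secrets() { printf '%s   %%any:   PSK "%s"\n' "$SERVER_IP" "$PSK"; }

render_xl2tpd_conf() {
  cat <<EOF
[global]
listen-addr = $SERVER_IP

[lns default]
ip range = $POOL
local ip = $PPP_LOCAL_IP
refuse pap = yes
require authentication = yes
name = LinuxVPNServer
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
}
# pppd splits an options file on whitespace, so several options per line are fine
render_ppp_options() {
  cat <<EOF
ipcp-accept-local ipcp-accept-remote
ms-dns $DNS_IP
noccp auth crtscts
idle 1800
mtu 1410 mru 1410
nodefaultroute debug lock proxyarp
connect-delay 5000
EOF
}
# render_chap_secrets user:password [...]; fields are quoted so a separator
# character inside a password cannot break the record
render_chap_secrets() {
  printf '# Secrets for authentication using CHAP\n# client\tserver\tsecret\tIP addresses\n'
  for entry in "$@"; do
    printf '"%s"\t*\t"%s"\t*\n' "${entry%%:*}" "${entry#*:}"
  done
}
# write_file <mode> <path>, content on stdin; umask 077 means a secrets file is
# never world-readable, not even between creation and the final chmod
write_file() {
  umask 077
  mkdir -p "$(dirname "$2")"
  cat > "$2"
  chmod "$1" "$2"
}
write_all() {  # write_all user:password [...]
  render_ipsec_conf        | write_file 644 "$PREFIX/etc/ipsec.conf"
  render_ipsec_secrets     | write_file 600 "$PREFIX/etc/ipsec.secrets"
  render_xl2tpd_conf       | write_file 644 "$PREFIX/etc/xl2tpd/xl2tpd.conf"
  render_ppp_options       | write_file 644 "$PREFIX/etc/ppp/options.xl2tpd"
  render_chap_secrets "$@" | write_file 600 "$PREFIX/etc/ppp/chap-secrets"
}
# usage: PREFIX=/ PSK='long random string' sh render-vpn.sh write alice:pw1 bob:pw2
case "${1:-}" in write) shift; write_all "$@" ;; esac
```

Running it without PREFIX first and diffing ./etc against the live files is a cheap way to spot an address that was changed in one file but not the others.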

Finalizing

Almost done. (Re)start the services:

service ipsec restart
service xl2tpd restart
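Before handing the server to clients it is worth confirming that the settings from the sections above actually took effect. The following check script is an added example, not part of the original post or of the Openswan/xl2tpd projects; its function names and report format are this example's own. Run as root with the argument run, it verifies IPv4 forwarding, the redirect and rp_filter settings from the rc.local loop, that both secrets files are mode 600, that the PSK is no longer the tutorial's placeholder yoursecretkey, and that UDP 500, 4500 and 1701 are bound:

```shell
#!/bin/sh
# Added example (not part of the original tutorial): post-install checks for the
# L2TP/IPsec server built above. Each check is a function returning 0 (ok) or 1
# (problem); "sh check-vpn.sh run" as root prints a report and exits non-zero on
# any failure.
set -u
SECRETS=${SECRETS:-/etc/ipsec.secrets}
CHAP=${CHAP:-/etc/ppp/chap-secrets}

# 0 when the file holds exactly the expected value (for /proc/sys flags)
flag_is() { [ "$(cat "$1" 2>/dev/null)" = "$2" ]; }

# 0 when every interface has the three settings from the rc.local loop at 0
redirects_off() {
  for f in /proc/sys/net/ipv4/conf/*; do
    for k in accept_redirects send_redirects rp_filter; do
      flag_is "$f/$k" 0 || return 1
    done
  done
}

# 0 when the file is exactly mode 0600 (find prints it only on an exact match)
mode_is_600() { [ -n "$(find "$1" -perm 600 2>/dev/null)" ]; }

# 0 when the PSK line still carries this tutorial's placeholder, quoted or not
psk_is_placeholder() { grep -Eq 'PSK +"?yoursecretkey' "$1" 2>/dev/null; }

# 0 when UDP port $1 appears as a bound local port in the socket listing $2
# (output of 'ss -lun' or 'netstat -anu'); the port must follow ':' or '.'
# so that 500 does not match 4500 or 1500
udp_port_in_listing() {
  printf '%s\n' "$2" | grep -Eq "[:.]$1([[:space:]]|\$)"
}
udp_listing() { ss -lun 2>/dev/null || netstat -anu 2>/dev/null; }

not() { if "$@"; then return 1; else return 0; fi; }

# check <description> <function> [args...]: print one report line, count failures
check() {
  desc=$1; shift
  if "$@"; then printf 'ok    %s\n' "$desc"
  else printf 'FAIL  %s\n' "$desc"; failures=$((failures + 1)); fi
}

run_checks() {
  failures=0
  listing=$(udp_listing)
  check "IPv4 forwarding enabled"               flag_is /proc/sys/net/ipv4/ip_forward 1
  check "ICMP redirects and rp_filter off"      redirects_off
  check "$SECRETS is mode 600"                  mode_is_600 "$SECRETS"
  check "$CHAP is mode 600"                     mode_is_600 "$CHAP"
  check "PSK is not the tutorial placeholder"   not psk_is_placeholder "$SECRETS"
  check "UDP 500 (IKE) bound"                   udp_port_in_listing 500  "$listing"
  check "UDP 4500 (NAT-T) bound"                udp_port_in_listing 4500 "$listing"
  check "UDP 1701 (L2TP) bound"                 udp_port_in_listing 1701 "$listing"
  return "$failures"
}

case "${1:-}" in run) run_checks ;; esac
```

A bound port only shows that the daemon is up; an iptables rule can still drop UDP 500 and 4500 from the outside, so if every check passes and clients still cannot connect, look at the firewall next.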

And you should be able to connect from your Windows, Linux or Android clients (tutorials coming soon).

Source: this tutorial is pretty much a copy of IPSec/L2TP VPN Server on CentOS 6 (PSK)