Difference between revisions of "L2TP/IPSEC"
From Bashlinux
Latest revision as of 04:45, 11 June 2015
How to set up a VPN for Android/iOS
- This is managed by L2TP/IPsec: an IPsec transport-mode SA between client and server protects an L2TP tunnel, and the PPP session runs inside that tunnel. Openswan terminates the IPsec side, xl2tpd the L2TP side, pppd the PPP session, and radiusclient1 lets pppd authenticate users against RADIUS.
  apt-get -y install openswan ppp xl2tpd radiusclient1
- Set up IP forwarding so the server can route client traffic onwards. Append to /etc/sysctl.conf: a single > would truncate the file and discard every other kernel setting in it.
  # echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  # sysctl -p
- Add the following to /etc/rc.local so that Openswan starts correctly after a reboot. Forwarding must already be on, and ICMP redirects must be disabled on every interface: Openswan's startup checks warn when send_redirects or accept_redirects is enabled with the NETKEY stack, because the kernel would emit bogus ICMP redirects for tunnelled traffic, and a host that accepts redirects lets any neighbour on the link rewrite the routes that VPN traffic takes.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  for each in /proc/sys/net/ipv4/conf/*
  do
      echo 0 > $each/accept_redirects
      echo 0 > $each/send_redirects
  done
  /etc/init.d/ipsec restart
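The same forwarding and redirect hardening, done as an idempotent sysctl drop-in plus a post-boot check instead of the truncating echo and the rc.local loop. This is an added example and not the page's own script; the drop-in file name 60-l2tp-ipsec.conf is an assumption, and PROC_IPV4 and SYSCTL_DROPIN are overridable only so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): persistent IP forwarding and
# ICMP-redirect hardening for an L2TP/IPsec gateway. Writes a sysctl drop-in
# instead of overwriting /etc/sysctl.conf, applies the same values at runtime,
# and checks every interface so the ipsec restart can be gated on the result.
# PROC_IPV4 and SYSCTL_DROPIN are overridable for dry runs against a scratch tree.
set -eu

PROC_IPV4="${PROC_IPV4:-/proc/sys/net/ipv4}"
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/60-l2tp-ipsec.conf}"   # assumed file name

# Write the settings as a drop-in: nothing else in /etc/sysctl.conf is touched,
# and re-running simply rewrites the same lines.
write_sysctl_dropin() {
    cat > "$SYSCTL_DROPIN" <<'EOF'
# L2TP/IPsec gateway: forward client traffic, never honour or emit ICMP redirects
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Push the same settings into the running kernel for every interface that
# already exists; the "default" entry covers interfaces created later, such as
# the pppN interfaces xl2tpd brings up per client.
apply_runtime() {
    echo 1 > "$PROC_IPV4/ip_forward"
    for each in "$PROC_IPV4"/conf/*; do
        [ -d "$each" ] || continue
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# Report forwarding being off or any interface that still accepts or sends
# redirects; returns 1 if anything is wrong.
check_hardening() {
    rc=0
    if [ "$(cat "$PROC_IPV4/ip_forward")" != "1" ]; then
        echo "WARN: ip_forward is off" >&2
        rc=1
    fi
    for each in "$PROC_IPV4"/conf/*; do
        [ -d "$each" ] || continue
        for key in accept_redirects send_redirects; do
            if [ "$(cat "$each/$key")" != "0" ]; then
                echo "WARN: $(basename "$each") $key=$(cat "$each/$key")" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Run as root with "apply" to do everything; sysctl --system reloads /etc/sysctl.d/*.conf.
if [ "${1:-}" = "apply" ]; then
    write_sysctl_dropin
    sysctl --system >/dev/null
    apply_runtime
    check_hardening && /etc/init.d/ipsec restart
fi
```

Because the drop-in also sets net.ipv4.conf.default.*, interfaces that appear after boot inherit the hardened values, which the rc.local loop on its own does not guarantee.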
How to set up UFW to allow VPN traffic
- Edit /etc/ufw/before.rules and add the following nat table at the top of the file, before the existing *filter section. 172.10.2.0/24 is the address pool handed out to L2TP clients and eth0 the Internet-facing interface; change both to match your setup. Note that 172.10.0.0/16 is public address space (RFC 1918 only reserves 172.16.0.0/12), so a pool such as 172.16.2.0/24 or 10.8.0.0/24 is the better choice: clients would otherwise lose reachability to the real 172.10.2.0/24.
  # nat Table rules
  *nat
  :POSTROUTING ACCEPT [0:0]

  # Masquerade VPN client traffic leaving through eth0 - change to match your out-interface
  -A POSTROUTING -s 172.10.2.0/24 -o eth0 -j MASQUERADE

  # don't delete the 'COMMIT' line or these nat table rules won't
  # be processed
  COMMIT
  Do not add a catch-all -A POSTROUTING -j MASQUERADE after it: that rewrites the source address of every packet the host forwards, not only VPN traffic.
- Allow forwarding (the NAT rule above is never reached otherwise, because ufw's default forward policy is DROP and every packet from the clients is discarded):
  # sed -i -e '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
  ACCEPT forwards anything between any two interfaces. Where ufw 0.34 or later is available, keeping DROP and adding explicit ufw route allow rules scoped to the client pool and the Internet-facing interface is the tighter choice.
- Open the ports IPsec needs on the public interface: IKE on UDP 500, and UDP 4500 for NAT-Traversal, which clients behind a NAT switch to and which carries ESP inside UDP:
  ufw allow 500/udp
  ufw allow 4500/udp
- ufw's simple syntax cannot express IP protocol 50 (ESP), which clients that are not behind NAT send natively, so add the following rules to /etc/ufw/before.rules inside the *filter section, before its COMMIT. Road-warrior clients arrive from unpredictable addresses and, when NATed, from unpredictable source ports, so match on protocol and destination port rather than on a peer address; if the only peer is a fixed address xxx.xxx.xxx.xxx, tighten the input rules with -s and the output rules with -d.
  -A ufw-before-input -p esp -j ACCEPT
  -A ufw-before-input -p udp -m multiport --dports 500,4500 -j ACCEPT
  # the two wlan0 rules accept everything on the trusted LAN side - drop them if wlan0 is not a trusted interface
  -A ufw-before-input -i wlan0 -j ACCEPT
  -A ufw-before-output -p esp -j ACCEPT
  -A ufw-before-output -p udp -m multiport --sports 500,4500 -j ACCEPT
  -A ufw-before-output -o wlan0 -j ACCEPT
- Restart UFW
  # ufw disable && ufw enable
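A scripted version of the before.rules edit that refuses a client pool outside RFC 1918 space and inserts the nat table only once, so the step is safe to repeat. This is an added example, not the page's own tooling: the "(generated)" marker comment is my convention, eth0 and the pool values are illustrative, and install_nat_block is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): generate the nat table block for
# /etc/ufw/before.rules from the client pool and the Internet-facing interface,
# refusing pools outside RFC 1918 space, and prepend it to the file only once.
set -eu

# is_rfc1918 A.B.C.D/LEN: true if the whole prefix lies inside 10/8, 172.16/12
# or 192.168/16. 172.10.2.0/24 (the pool on the page) fails this check.
is_rfc1918() {
    ip=${1%/*}
    len=${1#*/}
    [ "$ip" != "$1" ] || return 1                    # a prefix length is required
    case "$ip" in *[!0-9.]*|"") return 1 ;; esac     # digits and dots only
    case "$len" in *[!0-9]*|"") return 1 ;; esac
    a=${ip%%.*}
    rest=${ip#*.}
    b=${rest%%.*}
    case "$a" in
        10)  [ "$len" -ge 8 ] || return 1 ;;
        172) { [ "$b" -ge 16 ] && [ "$b" -le 31 ] && [ "$len" -ge 12 ]; } || return 1 ;;
        192) { [ "$b" -eq 168 ] && [ "$len" -ge 16 ]; } || return 1 ;;
        *)   return 1 ;;
    esac
    return 0
}

# render_ufw_nat IFACE POOL: print the *nat table that goes at the top of
# before.rules. Only the client pool is masqueraded, and only when it leaves
# through IFACE; a bare "-A POSTROUTING -j MASQUERADE" would rewrite the source
# of every packet the host forwards.
render_ufw_nat() {
    iface=$1
    pool=$2
    is_rfc1918 "$pool" || { echo "refusing pool $pool: not RFC 1918 space" >&2; return 1; }
    cat <<EOF
# nat Table rules (generated)
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade L2TP client traffic leaving through $iface
-A POSTROUTING -s $pool -o $iface -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
EOF
}

# install_nat_block FILE IFACE POOL: prepend the block to FILE unless a generated
# block is already present (idempotent). Fails without touching FILE on a bad pool.
install_nat_block() {
    file=$1
    iface=$2
    pool=$3
    if grep -q '^# nat Table rules (generated)$' "$file"; then
        echo "nat block already present in $file" >&2
        return 0
    fi
    tmp=$(mktemp)
    render_ufw_nat "$iface" "$pool" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$file" >> "$tmp"
    cat "$tmp" > "$file"        # rewrite in place so FILE keeps its owner and mode
    rm -f "$tmp"
}

# Typical use on the gateway as root, followed by: ufw disable && ufw enable
if [ "${1:-}" = "install" ]; then
    install_nat_block /etc/ufw/before.rules "${2:-eth0}" "${3:-172.16.2.0/24}"
fi
```

The pool check is the part worth keeping even if the rest is done by hand: a masquerade rule for a public prefix looks fine in iptables output and only shows up as "some sites unreachable" for the clients.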
How to set up a VPN client on iOS
Set them on iOS devices under Settings > General > Network > VPN > Add VPN Configuration, on the L2TP tab.
L2TP configuration
- Description: Bashlinux VPN
- Server: 10.20.30.40
- Account: <your username>
- RSA SecurID: OFF
- Password: <your LDAP password>
- Secret: 17eX19KR73oW58Jq
- Send All Traffic: ON
- Proxy: Off
The Secret is the IPsec pre-shared key and must match the PSK configured on the server (for Openswan, in /etc/ipsec.secrets). It is the same for every client, so anyone who holds it can pose as the server towards other clients; rotate it if it leaks, and treat the per-user password, checked over RADIUS, as the only thing that actually identifies a user. Send All Traffic: ON routes the device's entire Internet traffic through the tunnel, which is what the masquerade rule on the server is for.
How to tweak Zentyal to authenticate L2TP/IPsec users via LDAP through RADIUS
- Change Service-Type from Login-User to Framed-User in /usr/share/zentyal/stubs/radius/users.mas, so that FreeRADIUS returns the attribute pppd expects for a PPP (framed) session rather than for a shell login.
- Add the shared secret on both ends. It must be identical on the two, otherwise every Access-Request either fails the Message-Authenticator check or decrypts the password to garbage, and no user can authenticate:
  - SERVER: on the Zentyal front-end, in the RADIUS client entry for the VPN server
  - CLIENT: /etc/radiusclient/servers on the VPN server
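What the client side of that secret looks like, as an added example rather than a file from the page: radiusclient1 reads /etc/radiusclient/servers as "server secret" pairs, one per line. The host name and the secret below are placeholders.

```text
# /etc/radiusclient/servers on the VPN server: one "server  secret" pair per line.
# zentyal.example.com and the secret are placeholders; use the Zentyal host and the
# exact secret entered for this client on the Zentyal RADIUS page.
zentyal.example.com        ReplaceWithTheSharedSecret
```

Keep the file readable by root only (chmod 600), since the secret protects every password that pppd forwards to RADIUS, and point authserver in /etc/radiusclient/radiusclient.conf at the same host name.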