L2TP/IPSEC
From Bashlinux
How to set up a VPN for Android/iOS
- The VPN is L2TP over IPsec: openswan handles IPsec, xl2tpd the L2TP tunnel, pppd the link and radiusclient1 the RADIUS authentication
apt-get -y install openswan ppp xl2tpd radiusclient1
- Set up IP forwarding (append to sysctl.conf with >>; a single > would overwrite the whole file)
# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p
- Add the following to /etc/rc.local so that forwarding stays on, ICMP redirects are off on every interface (ipsec verify checks this) and openswan starts correctly after a reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
How to set up UFW to allow VPN traffic
- Edit /etc/ufw/before.rules and add the following nat table at the top of the file, before the *filter section:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade the VPN client pool as it leaves the box.
# 172.10.2.0/24 must match the "ip range" handed out in xl2tpd.conf; note that
# 172.10.0.0/16 is public address space, the RFC 1918 block is 172.16.0.0/12.
# Change ppp0 to match your Internet-facing out-interface (usually eth0;
# the pppN interfaces are the per-client L2TP links, not the uplink)
-A POSTROUTING -s 172.10.2.0/24 -o ppp0 -j MASQUERADE
# Catch-all: masquerades every forwarded packet regardless of source or
# interface. The rule above is enough for the VPN clients; only keep this
# one if you really need it.
-A POSTROUTING -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
- Allow forwarded traffic: UFW's default forward policy is DROP, which would discard the clients' packets. ACCEPT forwards between all interfaces, so tighten it with explicit rules if the host has more than two
# sed -i -e '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
- Open the ports IKE needs on the public interface: UDP 500 (ISAKMP) and UDP 4500 (NAT-Traversal, which carries ESP inside UDP for clients behind NAT)
ufw allow 500/udp
ufw allow 4500/udp
- Add the following rules to the *filter section of /etc/ufw/before.rules (before its COMMIT) to allow raw ESP traffic, which clients that are not behind NAT use instead of UDP 4500. xxx.xxx.xxx.xxx is the address of the peer; matching on -s/-d suits a single fixed peer, for a server with roaming clients drop those matches and accept ESP from anywhere. UDP source port 10000 is Cisco-style IPsec over UDP and is not needed for L2TP/IPsec. The two wlan0 rules accept all traffic on that interface, so only keep them if wlan0 is a trusted side:
-A ufw-before-input -s xxx.xxx.xxx.xxx -p esp -j ACCEPT
-A ufw-before-input -s xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
-A ufw-before-input -i wlan0 -j ACCEPT
-A ufw-before-output -d xxx.xxx.xxx.xxx -p esp -j ACCEPT
-A ufw-before-output -d xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
-A ufw-before-output -o wlan0 -j ACCEPT
- Restart UFW
# ufw disable && ufw enable
How to set up a VPN client on iOS
Enter the settings on the iOS device under Settings > General > Network > VPN > Add VPN Configuration
L2TP configuration
- Description: Bashlinux VPN
- Server: 10.20.30.40
- Account: <your username>
- RSA SecurID: OFF
- Password: <your LDAP password>
- Secret: 17eX19KR73oW58Jq (the IPsec pre-shared key from /etc/ipsec.secrets on the server; it is shared by every client, so generate your own long random value instead of copying this example)
- Send All Traffic: ON
- Proxy: Off
How to tweak Zentyal to authenticate L2TP/IPsec users against LDAP through RADIUS
- In /usr/share/zentyal/stubs/radius/users.mas change the Service-Type from Login-User to Framed-User (a PPP link is a framed session, which is what pppd's RADIUS plugin asks for; Login-User is meant for interactive logins)
- Add the RADIUS shared secret on both sides, it must be identical:
- SERVER: on the Zentyal front-end
- CLIENT: /etc/radiusclient/servers on the VPN server (one line per RADIUS host: hostname, a tab, the secret)
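The page installs openswan, xl2tpd, ppp and radiusclient1 but never shows the files that tie them together (the IPsec connection and PSK, the xl2tpd client pool that the MASQUERADE rule above refers to, the pppd options that hand authentication to RADIUS, and the radiusclient servers line). The POSIX shell script below is an added example, not code from the Bashlinux page nor from openswan, xl2tpd or Zentyal. Every value in it is an assumption: the public IP reuses the page's 10.20.30.40, the client pool is an RFC 1918 /24 instead of the page's 172.10.2.0/24, the PSK is the value iOS calls "Secret", and zentyal.example.org stands for the Zentyal host. Each file is produced by a function so it can be inspected before anything is written; the filesystem is only touched when L2TP_DEST is set.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): generate the server-side files that
# glue openswan, xl2tpd, pppd and radiusclient1 together. All values are placeholders
# and can be overridden from the environment, e.g.
#   SERVER_IP=203.0.113.5 PSK="$(head -c 24 /dev/urandom | base64)" \
#   RADIUS_HOST=zentyal.example.org RADIUS_SECRET=... L2TP_DEST=/ sh l2tp-gen.sh
SERVER_IP=${SERVER_IP:-10.20.30.40}          # public IP = iOS "Server" field
VPN_NET=${VPN_NET:-172.16.2}                 # first three octets of the client /24 (RFC 1918)
VPN_DNS=${VPN_DNS:-$VPN_NET.1}               # resolver pushed to clients (assumed on the gateway)
PSK=${PSK:-change-me}                        # IPsec pre-shared key = iOS "Secret"
RADIUS_HOST=${RADIUS_HOST:-zentyal.example.org}
RADIUS_SECRET=${RADIUS_SECRET:-change-me-too}

# /etc/ipsec.conf: one transport-mode conn for UDP 1701 from any peer (NAT or not),
# PSK authentication, NAT-T enabled, dead-peer detection so stale SAs are dropped.
gen_ipsec_conf() {
  cat <<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey

conn L2TP-PSK
    authby=secret
    type=transport
    left=$1
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    pfs=no
    rekey=no
    keyingtries=3
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    auto=add
EOF
}

# /etc/ipsec.secrets: the PSK every client must present (same value as the iOS "Secret").
gen_ipsec_secrets() {
  printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# /etc/xl2tpd/xl2tpd.conf: hand out $1.10-$1.250 with $1.1 as gateway; pppd authenticates.
gen_xl2tpd_conf() {
  cat <<EOF
[lns default]
ip range = $1.10-$1.250
local ip = $1.1
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
}

# /etc/ppp/options.xl2tpd: pppd authenticates through the radius plugin it ships with.
# CHAP/MS-CHAP require the RADIUS server to know the password (or NT hash); if Zentyal
# can only bind to LDAP, PAP is what works: cleartext inside PPP, but inside the IPsec tunnel.
gen_ppp_options() {
  cat <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns $1
noccp
auth
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
connect-delay 5000
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
EOF
}

# /etc/radiusclient/servers: "host<TAB>secret". authserver/acctserver in
# radiusclient.conf must point at the same host.
gen_radius_servers() {
  printf '%s\t%s\n' "$1" "$2"
}

# Write everything under $1 (use / for the real system); secret-bearing files get mode 0600.
gen_all() {
  mkdir -p "$1/etc/xl2tpd" "$1/etc/ppp" "$1/etc/radiusclient"
  gen_ipsec_conf "$SERVER_IP" > "$1/etc/ipsec.conf"
  gen_xl2tpd_conf "$VPN_NET" > "$1/etc/xl2tpd/xl2tpd.conf"
  gen_ppp_options "$VPN_DNS" > "$1/etc/ppp/options.xl2tpd"
  (umask 077
   gen_ipsec_secrets "$SERVER_IP" "$PSK" > "$1/etc/ipsec.secrets"
   gen_radius_servers "$RADIUS_HOST" "$RADIUS_SECRET" > "$1/etc/radiusclient/servers")
}

# Only touch the filesystem when told where to: L2TP_DEST=/ sh l2tp-gen.sh
if [ -n "${L2TP_DEST:-}" ]; then
  gen_all "$L2TP_DEST"
fi
```

After writing the files, restart ipsec and xl2tpd and run `ipsec verify`; it reports the forwarding and ICMP-redirect settings from the rc.local step above. The subnet you pass as VPN_NET is the one the MASQUERADE rule in before.rules has to match.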
References
- http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu
- http://www.marthijnvandenheuvel.com/2012/05/26/how-to-set-up-a-pptp-vpn-server-on-ubuntu/
- http://support.apple.com/kb/HT1288
- http://www.vyatta.org/node/235
- VPN with LDAP authentication
- L2TP/IPSec with Zentyal/Freeradius and radiusclient1
- iPhone/iPad Settings