L2TP/IPSEC

From Bashlinux

How to set up a VPN for Android/iOS

  • The VPN is provided by L2TP/IPsec; install the server-side packages:
apt-get -y install openswan ppp xl2tpd radiusclient1
  • Enable IP forwarding (append to sysctl.conf; a single '>' would overwrite the file)
# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p
  • Add the following to /etc/rc.local so that forwarding is on, ICMP redirects are disabled on every interface, and openswan starts correctly after a reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
# a VPN gateway must neither honour nor emit ICMP redirects
for each in /proc/sys/net/ipv4/conf/*
do
   echo 0 > "$each/accept_redirects"
   echo 0 > "$each/send_redirects"
done
/etc/init.d/ipsec restart
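The rc.local snippet above sets the kernel values at boot but leaves no persistent record of them and no way to verify them later. The script below is an added example, not from the Bashlinux page: it writes the same settings (forwarding on, ICMP redirects off) as a sysctl.d drop-in and provides a check that reads them back. The drop-in name 90-l2tp-vpn.conf, the optional SYSCTL_D variable and the tree argument to the check (so it can be pointed at something other than /proc/sys) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Bashlinux page: persist the kernel settings the
# rc.local snippet applies at boot and verify them. The file name, SYSCTL_D
# override and the check's root argument are assumptions of this example.

# Emit sysctl lines: ip_forward on, plus accept/send_redirects off for each
# interface name given as an argument.
vpn_sysctl_conf() {
    echo 'net.ipv4.ip_forward = 1'
    for ifc in "$@"; do
        echo "net.ipv4.conf.$ifc.accept_redirects = 0"
        echo "net.ipv4.conf.$ifc.send_redirects = 0"
    done
}

# Write the drop-in (covering "all" and "default" plus any named interfaces)
# and load it immediately; /etc/sysctl.conf is left untouched.
vpn_sysctl_install() {
    conf="${SYSCTL_D:-/etc/sysctl.d}/90-l2tp-vpn.conf"
    vpn_sysctl_conf all default "$@" > "$conf"
    sysctl -p "$conf"
}

# Verify a /proc/sys-style tree (default /proc/sys): ip_forward must be 1 and
# no interface under net/ipv4/conf may accept or send redirects.
# Prints one line per mismatch; returns 0 only when every value is as expected.
vpn_sysctl_check() {
    root="${1:-/proc/sys}"
    rc=0
    v=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null) || v=""
    if [ "$v" != "1" ]; then
        echo "ip_forward is '$v', want 1"
        rc=1
    fi
    for d in "$root"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        for k in accept_redirects send_redirects; do
            v=$(cat "$d$k" 2>/dev/null) || v=""
            if [ "$v" != "0" ]; then
                echo "$(basename "$d")/$k is '$v', want 0"
                rc=1
            fi
        done
    done
    return "$rc"
}
```

Run `vpn_sysctl_install ppp0 eth0` once as root, then `vpn_sysctl_check` (no argument) from a cron job or a post-reboot check to confirm the gateway still forwards and still ignores redirects; a non-zero exit with the printed mismatches is the signal that something reset them.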

How to set up UFW to allow VPN traffic

  • Edit /etc/ufw/before.rules and add the following nat table block at the top of the file, before the *filter section:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through ppp0 - change to match your out-interface
-A POSTROUTING -s 172.10.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
  • Set UFW's default forward policy to ACCEPT so that NATed VPN traffic can be forwarded
# sed -i -e '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
  • Open the ports IPsec needs on the public interface (IKE on 500/udp, NAT traversal on 4500/udp):
 ufw allow 500/udp
 ufw allow 4500/udp
  • Add the following rules to /etc/ufw/before.rules to allow ESP and IKE traffic; replace xxx.xxx.xxx.xxx with the peer's address and wlan0 with the interface the VPN uses:
# ESP from the peer
-A ufw-before-input -s xxx.xxx.xxx.xxx -p esp -j ACCEPT
# IKE (isakmp = udp/500) and udp/10000 from the peer
-A ufw-before-input -s xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
# everything arriving on the VPN interface
-A ufw-before-input -i wlan0 -j ACCEPT
# the same in the outbound direction
-A ufw-before-output -d xxx.xxx.xxx.xxx -p esp -j ACCEPT
-A ufw-before-output -d xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
-A ufw-before-output -o wlan0 -j ACCEPT
  • Restart UFW
# ufw disable && ufw enable
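The before.rules edits above are easy to get subtly wrong: a nat block without its COMMIT is silently ignored, a placeholder address left in place makes the rule load fail, and two of the rules as written (the second MASQUERADE and the `-i wlan0 -j ACCEPT` line) are broader than a VPN gateway needs. The following lint is an added example, not from the Bashlinux page; it reads a before.rules file and reports each of those conditions. The function name, the messages and the sample rules in its test are this example's own.

```shell
#!/bin/sh
# Added example, not from the Bashlinux page: lint the before.rules edits
# described above. Prints one line per finding and returns 0 only when there
# are none. Function name and wording are assumptions of this example.

ufw_before_rules_lint() {
    f="$1"
    findings=0

    # POSTROUTING rules only take effect inside a *nat ... COMMIT table
    if ! grep -q '^\*nat' "$f"; then
        echo "no *nat table: POSTROUTING rules would never be loaded"
        findings=$((findings + 1))
    elif ! awk '/^\*nat/ { in_nat = 1 } in_nat && /^COMMIT/ { ok = 1 } END { exit !ok }' "$f"; then
        echo "*nat table is not closed by a COMMIT line"
        findings=$((findings + 1))
    fi

    # xxx.xxx.xxx.xxx is the page's stand-in for the peer address; iptables
    # rejects it, so ufw would fail to load the whole file
    n=$(awk '/xxx\.xxx\.xxx\.xxx/ { c++ } END { print c + 0 }' "$f")
    [ "$n" -eq 0 ] || echo "$n rule(s) still contain the xxx.xxx.xxx.xxx placeholder"
    findings=$((findings + n))

    # MASQUERADE with neither -s (source net) nor -o (egress interface)
    # rewrites every forwarded packet, not just the VPN clients'
    n=$(awk '/-j MASQUERADE/ && !/ -s / && !/ -o / { c++ } END { print c + 0 }' "$f")
    [ "$n" -eq 0 ] || echo "$n MASQUERADE rule(s) not limited to a source net or egress interface"
    findings=$((findings + n))

    # An input rule that matches only the interface admits all traffic on it;
    # restrict it to the protocols and ports the VPN actually uses
    n=$(awk '/^-A ufw-before-input -i [^ ]+ -j ACCEPT *$/ { c++ } END { print c + 0 }' "$f")
    [ "$n" -eq 0 ] || echo "$n input rule(s) accept all traffic on an interface"
    findings=$((findings + n))

    [ "$findings" -eq 0 ]
}
```

Run it as `ufw_before_rules_lint /etc/ufw/before.rules` before `ufw disable && ufw enable`; a clean file returns 0, and each printed line is something to fix or consciously accept before reloading the firewall.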

How to set up a VPN client on iOS

On the iOS device, add the profile under Settings > General > Network > VPN > Add VPN Configuration with the following values:

L2TP configuration

  • Description: Bashlinux VPN
  • Server: 10.20.30.40
  • Account: <your username>
  • RSA SecurID: OFF
  • Password: <your LDAP password>
  • Secret: 17eX19KR73oW58Jq
  • Send All Traffic: ON
  • Proxy: Off

How to tweak Zentyal to authenticate L2TP/IPsec users against LDAP via RADIUS

  • Change Service-Type to Framed-User instead of Login-User in /usr/share/zentyal/stubs/radius/users.mas
  • Add the RADIUS shared secret on both sides
    • SERVER: on the Zentyal front-end
    • CLIENT: in /etc/radiusclient/servers

References

  • VPN with LDAP authentication: https://safesrv.net/setup-l2tp-over-ipsec-to-authenticate-off-freeradius-on-ubuntu-11-10/
  • L2TP/IPsec with Zentyal/FreeRADIUS and radiusclient1: https://safesrv.net/setup-l2tp-over-ipsec-to-authenticate-off-freeradius-on-ubuntu-11-10/
  • iPhone/iPad settings: http://pleasefeedthegeek.wordpress.com/2012/04/21/l2tp-ubuntu-server-setup-for-ios-clients/