L2TP/IPSEC: Difference between revisions

From Bashlinux
Jump to navigationJump to search
Content deleted Content added
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
Created page with "__NOTOC__ === How to setup VPN for Android/IOS === * This is managed by L2TP/IPSEC * Ports that need to be open on the firewall are: ** UDP 500 ** UDP 4500 ** ESP === How to ..."
 
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
 
Line 2: Line 2:
=== How to setup VPN for Android/IOS ===
=== How to setup VPN for Android/IOS ===
* This is managed by L2TP/IPSEC
* This is managed by L2TP/IPSEC
apt-get -y install openswan ppp xl2tpd radiusclient1
* Ports that need to be open on the firewall are:
* Setup IP Forward
** UDP 500
# echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf
** UDP 4500
# sysctl -p
** ESP
* Add to <tt>/etc/rc.local</tt> in order to ensure openswan starts correctly after reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart


=== How to setup a VPn client on IOS ===
=== How to setup UFW to allow VPN traffic ===
* Edit <tt>/etc/ufw/before.rules</tt> and ad the following:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through ppp0 - Change to match you out-interface
-A POSTROUTING -s 172.10.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
* Setup NAT
# sed -i -e '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
* Allow traffic from public interfaces that need to be open on the firewall are:
ufw allow 500/udp
ufw allow 4500/udp
* Add the following rules to <tt>/etc/ufw/before.rules</tt> to allow ESP formatted traffic
-A ufw-before-input -s xxx.xxx.xxx.xxx -p esp -j ACCEPT
-A ufw-before-input -s xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
-A ufw-before-input -i wlan0 -j ACCEPT
-A ufw-before-output -d xxx.xxx.xxx.xxx -p esp -j ACCEPT
-A ufw-before-output -d xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT
-A ufw-before-output -o wlan0 -j ACCEPT
* Restart UFW
# ufw disable && ufw enable

=== How to setup a VPN client on IOS ===
Set them on iOS devices under <code>Settings > General > Network > VPN > Add VPN Configuration</code>
Set them on iOS devices under <code>Settings > General > Network > VPN > Add VPN Configuration</code>


Latest revision as of 04:45, 11 June 2015

How to setup VPN for Android/IOS

  • This is managed by L2TP/IPSEC
apt-get -y install openswan ppp xl2tpd radiusclient1
  • Setup IP Forward
# echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf
# sysctl -p
  • Add to /etc/rc.local in order to ensure openswan starts correctly after reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
   echo 0 > $each/accept_redirects
   echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

How to setup UFW to allow VPN traffic

  • Edit /etc/ufw/before.rules and ad the following:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through ppp0 - Change to match you out-interface
-A POSTROUTING -s 172.10.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
  • Setup NAT
# sed -i -e '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
  • Allow traffic from public interfaces that need to be open on the firewall are:
 ufw allow 500/udp
 ufw allow 4500/udp
  • Add the following rules to /etc/ufw/before.rules to allow ESP formatted traffic
-A ufw-before-input -s xxx.xxx.xxx.xxx -p esp -j ACCEPT 
-A ufw-before-input -s xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT 
-A ufw-before-input -i wlan0 -j ACCEPT 
-A ufw-before-output -d xxx.xxx.xxx.xxx -p esp -j ACCEPT 
-A ufw-before-output -d xxx.xxx.xxx.xxx -p udp -m multiport --sports isakmp,10000 -j ACCEPT 
-A ufw-before-output -o wlan0 -j ACCEPT
  • Restart UFW
# ufw disable && ufw enable

How to setup a VPN client on IOS

Set them on iOS devices under Settings > General > Network > VPN > Add VPN Configuration

L2TP configuration

  • Description: Bashlinux VPN
  • Server: 10.20.30.40
  • Account: <your username>
  • RSA SecurID: OFF
  • Password: <your LDAP password>
  • Secret: 17eX19KR73oW58Jq
  • Send All Traffic: ON
  • Proxy: Off

How to tweak zentyal to authenticate L2TP/IPSEC users via LDAP through Radius

  • Change Service-Type to Framed-User instead Login-User on /usr/share/zentyal/stubs/radius/users.mas
  • Add the secret key
    • SERVER: On Zentyal front-end
    • CLIENT: /etc/radiusclient/servers

References

  • VPN with LDAP authentication
https://safesrv.net/setup-l2tp-over-ipsec-to-authenticate-off-freeradius-on-ubuntu-11-10/
  • L2TP/IPSec with Zentyal/Freeradius and radiusclient1
https://safesrv.net/setup-l2tp-over-ipsec-to-authenticate-off-freeradius-on-ubuntu-11-10/
  • iPhone/iPad Settings
http://pleasefeedthegeek.wordpress.com/2012/04/21/l2tp-ubuntu-server-setup-for-ios-clients/
Retrieved from "https://wiki.bashlinux.com/index.php?title=L2TP/IPSEC&oldid=1017"