Differences

ipsec [2013/07/27 22:10]
ipsec [2021/04/24 15:13]
cubebuilder
Line 1: Line 1:
 +====== Setting up an IPSEC tunnel ======
  
 +This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.
 +
 +If you you're needing a tunnel between a buyvm linux based virtual server and a linux based destination, we **highly** recommend you use a GRE tunnel documented here: [[gre_tunnel|GRE tunnelling your filtered IP]].
 +
 +If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: [[redirect_traffic|Redirecting your filtered IP]].
 +===== Supported Operating Systems ====
 +
 +All operating systems with IPSEC support are, you guessed it, supported.
 +
 +We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.
 +
 +Please note, if you're setting this up on an OpenVZ with us, **you must use a 64bit based template**.
 +===== Prerequisites =====
 +
 +   * iptables installed on your BuyVM VPS (included already in most cases)
 +   * **A 64bit based distribution if you're doing this on OpenVZ**. This can't be stressed enough and will not work on a 32bit distribution (for the time being).
 +
 +===== Setup =====
 +
 +First you must install openswan & xl2tpd. 
 +
 +On Debian/Ubuntu:
 +
 +<code>
 +apt-get update
 +apt-get install openswan xl2tpd
 +</code>
 +
 +**Note:** During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.
 +
 +On CentOS:
 +
 +<code>
 +yum -y install xl2tpd openswan
 +</code>
 +===== Setup ipsec.conf =====
 +
 +Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following:
 +
 +<code>
 +
 +# /etc/ipsec.conf - Openswan IPsec configuration file
 +
 +# This file:  /usr/share/doc/openswan/ipsec.conf-sample
 +#
 +# Manual:     ipsec.conf.5
 +
 +version 2.0     # conforms to second version of ipsec.conf specification
 +
 +# basic configuration
 +config setup
 + # Do not set debug options to debug configuration issues!
 + # plutodebug / klipsdebug = "all", "none" or a combation from below:
 + # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
 + # eg:
 + # plutodebug="control parsing"
 + #
 + # enable to get logs per-peer
 + # plutoopts="--perpeerlog"
 + #
 + # Again: only enable plutodebug or klipsdebug when asked by a developer
 + #
 + # NAT-TRAVERSAL support, see README.NAT-Traversal
 + nat_traversal=yes
 + # exclude networks used on server side by adding %v4:!a.b.c.0/24
 + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
 + # OE is now off by default. Uncomment and change to on, to enable.
 + oe=off
 + # which IPsec stack to use. auto will try netkey, then klips then mast
 + protostack=netkey
 +
 +conn %default
 + authby=secret
 + pfs=no
 + auto=add
 + keyingtries=3
 + rekey=no
 + ikelifetime=8h
 + keylife=1h
 + type=transport
 + leftprotoport=17/1701
 + rightprotoport=17/%any
 +
 +conn L2TP-PSK-NAT
 + rightsubnet=vhost:%priv
 + left=YOUR_BUYVM_IP
 +
 +conn L2TP-PSK-noNAT
 + left=YOUR_BUYVM_IP
 + right=%any
 +</code>
 +
 +Make sure you update ''YOUR_BUYVM_IP'' with your BuyVM IP.
 +===== Setup xl2tpd.conf =====
 +
 +
 +Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following:
 +
 +<code>
 +[global]
 +;listen-addr = 127.0.0.1                ; Global parameters:
 +port = 1701             ; * Bind to port 1701
 +auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
 +access control = no         ; * Refuse connections without IP match
 +rand source = dev                     ; Source for entropy for random
 +
 +[lns default]             ; Our fallthrough LNS definition
 +exclusive = yes            ; * Only permit one tunnel per host
 +ip range = 10.1.0.2 - 10.1.0.100
 +local ip = 10.1.0.1
 +refuse authentication = yes     ; * Refuse authentication altogether
 +refuse pap = yes            ; * Refuse PAP authentication
 +refuse chap = yes
 +ppp debug = no            ; * Turn on PPP debugging
 +pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
 +</code>
 +
 +**Optional:** Update the ''ip range'' & ''local ip'' to fit your needs.
 +===== Setup options.l2tpd =====
 +
 +Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following:
 +
 +<code>
 +# Do not support BSD compression.
 +nobsdcomp
 +passive
 +lock
 +
 +# Allow all usernames to connect.
 +name *
 +proxyarp
 +ipcp-accept-local
 +ipcp-accept-remote
 +lcp-echo-failure 10
 +lcp-echo-interval 5
 +nodeflate
 +
 +# Do not authenticate incoming connections. This is handled by IPsec.
 +noauth
 +refuse-chap
 +refuse-mschap
 +refuse-mschap-v2
 +
 +# Set the DNS servers the PPP clients will use.
 +ms-dns 8.8.8.8
 +
 +mtu 1400
 +mru 1400
 +</code>
 +
 +===== Setup ipsec.secrets =====
 +
 +Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following:
 +
 +<code>
 +YOUR_BUYVM_IP %any: "mysecretpresharedkeypassword"
 +</code>
 +
 +The ''mysecretpresharedkeypassword'' is the ''shared key'' you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.
 +
 +===== Allow traffic to route out your VPS =====
 +
 +As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:
 +
 +<code>
 +iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP
 +</code>
 +
 +
 +===== Apply the configuration files =====
 +
 +You must now restart the ''ipsec'' & ''xl2tpd'' daemons:
 +
 +<code>
 +/etc/init.d/ipsec restart
 +/etc/init.d/xl2tpd restart
 +</code>
 +
 +===== Client side configuration =====
 +
 +From here you must configure your client side.
 +
 +For a good Windows 2012/2016/2019/8/10 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 & 10 as it's specific to their platform.
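Review bot: the "Allow traffic to route out your VPS" section adds `iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP` but nothing in the guide enables IP forwarding, so a client will receive an address from the 10.1.0.2 - 10.1.0.100 pool and still not reach anything beyond the VPS; add `sysctl -w net.ipv4.ip_forward=1` (and persist it in /etc/sysctl.conf) ahead of the iptables line, and consider narrowing the source match to the pool actually handed out (10.1.0.0/24) rather than all of 10.0.0.0/8. In the ipsec.conf block, `conn L2TP-PSK-NAT` sets only `rightsubnet=vhost:%priv` and `left=`, while `conn L2TP-PSK-noNAT` also sets `right=%any`; the NAT conn is therefore incomplete compared with the stock openswan L2TP sample and should either add `right=%any` or pull in the other conn with `also=L2TP-PSK-noNAT`. The xl2tpd and PPP sections turn off every PPP authentication method (refuse authentication, noauth, refuse-mschap-v2) with the comment that IPsec handles it, but `YOUR_BUYVM_IP %any: "mysecretpresharedkeypassword"` is a single group PSK shared with every client, so whoever holds that string gets full tunnel access with no per-user identity; the text around it should tell readers to replace the example with a long random value, keep /etc/ipsec.secrets at mode 0600, and preferably keep MS-CHAPv2 enabled with per-user entries in /etc/ppp/chap-secrets so a leaked PSK alone is not sufficient. Minor: "Setup" should be "Set up" in the section titles, and "If you you're", "GRE's" and "client sides" are typos to fix in the next revision.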