Differences

This shows you the differences between two versions of the page.

--- ipsec [2013/07/27 21:40]
+++ ipsec [2021/04/24 15:14] (current)
cubebuilder
@@ Line 1: / Line 1: @@
+====== Setting up an IPSEC tunnel ======
+This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.
+If you you're needing a tunnel between a buyvm linux based virtual server and a linux based destination, we **highly** recommend you use a GRE tunnel documented here: [[gre_tunnel|GRE tunnelling your filtered IP]].
+If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: [[redirect_traffic|Redirecting your filtered IP]].
+===== Supported Operating Systems ====
+All operating systems with IPSEC support are, you guessed it, supported.
+===== Prerequisites =====
+   * iptables installed on your BuyVM VPS (included already in most cases)
+===== Setup =====
+First you must install openswan & xl2tpd.
+On Debian/Ubuntu:
+<code>
+apt-get update
+apt-get install openswan xl2tpd
+</code>
+**Note:** During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.
+On CentOS:
+<code>
+yum -y install xl2tpd openswan
+</code>
+===== Setup ipsec.conf =====
+Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following:
+<code>
+# /etc/ipsec.conf - Openswan IPsec configuration file
+# This file:  /usr/share/doc/openswan/ipsec.conf-sample
+#
+# Manual:     ipsec.conf.5
+version 2.0     # conforms to second version of ipsec.conf specification
+# basic configuration
+config setup
+	# Do not set debug options to debug configuration issues!
+	# plutodebug / klipsdebug = "all", "none" or a combation from below:
+	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
+	# eg:
+	# plutodebug="control parsing"
+	#
+	# enable to get logs per-peer
+	# plutoopts="--perpeerlog"
+	#
+	# Again: only enable plutodebug or klipsdebug when asked by a developer
+	#
+	# NAT-TRAVERSAL support, see README.NAT-Traversal
+	nat_traversal=yes
+	# exclude networks used on server side by adding %v4:!a.b.c.0/24
+	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
+	# OE is now off by default. Uncomment and change to on, to enable.
+	oe=off
+	# which IPsec stack to use. auto will try netkey, then klips then mast
+	protostack=netkey
+conn %default
+	authby=secret
+	pfs=no
+	auto=add
+	keyingtries=3
+	rekey=no
+	ikelifetime=8h
+	keylife=1h
+	type=transport
+	leftprotoport=17/1701
+	rightprotoport=17/%any
+conn L2TP-PSK-NAT
+	rightsubnet=vhost:%priv
+	left=YOUR_BUYVM_IP
+conn L2TP-PSK-noNAT
+	left=YOUR_BUYVM_IP
+	right=%any
+</code>
+Make sure you update ''YOUR_BUYVM_IP'' with your BuyVM IP.
+===== Setup xl2tpd.conf =====
+Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following:
+<code>
+[global]
+;listen-addr = 127.0.0.1                ; Global parameters:
+port = 1701             ; * Bind to port 1701
+auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
+access control = no         ; * Refuse connections without IP match
+rand source = dev                     ; Source for entropy for random
+[lns default]             ; Our fallthrough LNS definition
+exclusive = yes            ; * Only permit one tunnel per host
+ip range = 10.1.0.2 - 10.1.0.100
+local ip = 10.1.0.1
+refuse authentication = yes     ; * Refuse authentication altogether
+refuse pap = yes            ; * Refuse PAP authentication
+refuse chap = yes
+ppp debug = no            ; * Turn on PPP debugging
+pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
+</code>
+**Optional:** Update the ''ip range'' & ''local ip'' to fit your needs.
+===== Setup options.l2tpd =====
+Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following:
+<code>
+# Do not support BSD compression.
+nobsdcomp
+passive
+lock
+# Allow all usernames to connect.
+name *
+proxyarp
+ipcp-accept-local
+ipcp-accept-remote
+lcp-echo-failure 10
+lcp-echo-interval 5
+nodeflate
+# Do not authenticate incoming connections. This is handled by IPsec.
+noauth
+refuse-chap
+refuse-mschap
+refuse-mschap-v2
+# Set the DNS servers the PPP clients will use.
+ms-dns 8.8.8.8
+mtu 1400
+mru 1400
+</code>
+===== Setup ipsec.secrets =====
+Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following:
+<code>
+YOUR_BUYVM_IP %any: "mysecretpresharedkeypassword"
+</code>
+The ''mysecretpresharedkeypassword'' is the ''shared key'' you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.
+===== Allow traffic to route out your VPS =====
+As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:
+<code>
+iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP
+</code>
+===== Apply the configuration files =====
+You must now restart the ''ipsec'' & ''xl2tpd'' daemons:
+<code>
+/etc/init.d/ipsec restart
+/etc/init.d/xl2tpd restart
+</code>
+===== Client side configuration =====
+From here you must configure your client side.
+For a good Windows 2012/2016/2019/8/10 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 & 10 as it's specific to their platform.