====== Setting up an IPSEC tunnel ======
This guide will teach you how to set up a basic IPSEC tunnel so you can use your VPS as a VPN. IPSEC tunnels are similar to GRE tunnels in that they can carry all forms of traffic, with the added bonus of being supported natively by Windows.
If you need a tunnel between a BuyVM Linux-based virtual server and a Linux-based destination, we **highly** recommend a GRE tunnel, documented here: [[gre_tunnel|GRE tunnelling your filtered IP]].
If you don't have administrative control over your destination (for example a shared hosting service), your only option is a reverse proxy, documented here: [[redirect_traffic|Redirecting your filtered IP]].
===== Supported Operating Systems =====
All operating systems with IPSEC support are, you guessed it, supported.
===== Prerequisites =====
* iptables installed on your BuyVM VPS (included already in most cases)
===== Setup =====
First, install openswan and xl2tpd.
On Debian/Ubuntu:
<code>
apt-get update
apt-get install openswan xl2tpd
</code>
**Note:** During the install you will be asked whether you wish to generate certificates. Certificates add security but are not needed for this setup and are not covered here.
On CentOS:
<code>
yum -y install xl2tpd openswan
</code>
===== Setup ipsec.conf =====
Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following:
<code>
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

# settings shared by every conn below: PSK authentication, IPsec in
# transport mode protecting only the L2TP port (udp/1701)
conn %default
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any

# clients behind NAT: accept any private address inside the NAT-T payload,
# and pull in the rest of the settings (left/right) from the noNAT conn
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    left=YOUR_BUYVM_IP
    right=%any
</code>
Make sure you update ''YOUR_BUYVM_IP'' with your BuyVM IP, and keep the parameter lines indented: openswan treats any line that starts in column 0 as the beginning of a new section.
===== Setup xl2tpd.conf =====
Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following:
<code>
[global]                                      ; Global parameters:
;listen-addr = 127.0.0.1
port = 1701                                   ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets          ; * Where our challenge secrets are
access control = no                           ; * Refuse connections without IP match
rand source = dev                             ; Source for entropy for random

[lns default]                                 ; Our fallthrough LNS definition
exclusive = yes                               ; * Only permit one tunnel per host
ip range = 10.1.0.2 - 10.1.0.100
local ip = 10.1.0.1
refuse authentication = yes                   ; * Refuse authentication altogether
refuse pap = yes                              ; * Refuse PAP authentication
refuse chap = yes
ppp debug = no                                ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd           ; * ppp options file
</code>
**Optional:** Update the ''ip range'' and ''local ip'' to fit your needs.
===== Setup options.l2tpd =====
Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following:
<code>
# Do not support BSD compression.
nobsdcomp
passive
lock
# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate
# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2
# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8
# Leave room for the IPsec/L2TP/PPP headers inside a 1500-byte path.
mtu 1400
mru 1400
</code>
===== Setup ipsec.secrets =====
Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following:
<code>
YOUR_BUYVM_IP %any: PSK "mysecretpresharedkeypassword"
</code>
The ''PSK'' keyword is required; without it openswan will not recognise the line. ''mysecretpresharedkeypassword'' is the shared key you will have to enter in your client-side configuration to connect. All authentication is handled by IPSEC.
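Because pppd runs with ''noauth'' and the ''%any'' entry accepts every client, the pre-shared key is the only credential protecting this VPN, and a ''YOUR_BUYVM_IP'' placeholder left behind in ''ipsec.conf'' or ''ipsec.secrets'' is the most common reason the tunnel never comes up. The following script is an added example and not part of this page or of the openswan/xl2tpd projects: it generates a random key, writes ''ipsec.secrets'' in the ''PSK'' format shown above with mode 600, and checks both files for leftover placeholders before you restart the daemons. The ''SERVER_IP'' variable, the ''--apply'' flag and the script name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original page: generate a random pre-shared
# key, write /etc/ipsec.secrets in the openswan "left right: PSK" format, lock
# the file down to mode 600 (the PSK is the only credential in this setup,
# since pppd runs with noauth), and verify that the YOUR_BUYVM_IP placeholder
# is gone from the config files before the daemons are restarted.
# Assumptions (hypothetical): SERVER_IP holds the BuyVM address; file paths
# are parameters so the functions can be exercised against a temp directory.
set -e

# 32 random bytes from /dev/urandom, base64 encoded (44 characters, never
# contains a double quote, so it is safe inside the quoted secret).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets <server_ip> <psk> <path>
# Writes the one line openswan needs. %any on the right means every client
# presents the same PSK, so its strength is the strength of the VPN.
write_secrets() {
    ip="$1"; psk="$2"; path="$3"
    # umask in a subshell so the file is created 0600 from the start
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$path" )
    chmod 600 "$path"
}

# check_secrets <path>
# 0 when the file holds a well-formed PSK line with a real IPv4 address on the
# left and is mode 600; 1 (with a reason on stderr) otherwise.
check_secrets() {
    path="$1"
    if grep -q 'YOUR_BUYVM_IP' "$path"; then
        echo "$path: placeholder YOUR_BUYVM_IP not replaced" >&2; return 1
    fi
    if ! grep -Eq '^[0-9]+(\.[0-9]+){3} %any: PSK "[^"]+"$' "$path"; then
        echo "$path: no 'IP %any: PSK \"...\"' line (the PSK keyword is required)" >&2; return 1
    fi
    if [ "$(ls -l "$path" | cut -c1-10)" != "-rw-------" ]; then
        echo "$path: must be mode 600, it holds the shared secret" >&2; return 1
    fi
    return 0
}

# check_no_placeholder <file>...
# 1 if YOUR_BUYVM_IP survived in any of the given config files, else 0.
check_no_placeholder() {
    rc=0
    for f in "$@"; do
        if grep -q 'YOUR_BUYVM_IP' "$f"; then
            echo "$f: placeholder YOUR_BUYVM_IP still present" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the VPS (as root): SERVER_IP=203.0.113.10 sh psk-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    psk=$(gen_psk)
    write_secrets "${SERVER_IP:?set SERVER_IP to your BuyVM IP}" "$psk" /etc/ipsec.secrets
    check_secrets /etc/ipsec.secrets
    check_no_placeholder /etc/ipsec.conf /etc/ipsec.secrets
    echo "shared key for the client side: $psk"
fi
```

The generated key is printed once so you can paste it into the client; it is deliberately never stored anywhere except the mode-600 secrets file. The format check is strict on purpose: a line missing the ''PSK'' keyword is exactly the mistake the original version of this page contained.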
===== Allow traffic to route out your VPS =====
As with the other VPN tutorials, add an SNAT rule so traffic arriving from the tunnel leaves the VPS with its public address as the source:
<code>
iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP
</code>
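The SNAT rule above only rewrites addresses; the VPS also has to forward packets, let IKE and NAT-T in, and should refuse L2TP that did not arrive inside an IPsec SA, because xl2tpd and the ''noauth'' pppd behind it would otherwise be reachable in clear text. The script below is an added example, not part of this page: it collects those rules, with ''DRY_RUN=1'' printing the commands instead of executing them. The ''SERVER_IP'' and ''VPN_NET'' variables, the ''ppp+'' interface pattern and the ''--apply'' flag are assumptions of the example; the IPsec policy match is the standard ''xt_policy'' iptables module.

```shell
#!/bin/sh
# Added example, not part of the original page: the forwarding and firewall
# rules that the single SNAT rule above depends on. IPv4 forwarding is
# enabled, IKE (udp/500) and NAT-T (udp/4500) are opened, and L2TP (udp/1701)
# is accepted only when the packet arrived inside an IPsec SA, so a client
# that skips IPsec cannot reach xl2tpd (and the noauth pppd behind it) in
# clear text.
# Assumptions (hypothetical): the 10.0.0.0/8 pool from the page, ppp+ as the
# tunnel interfaces, and DRY_RUN=1 to print the commands instead of running
# them (used to exercise the script without root).
SERVER_IP="${SERVER_IP:-YOUR_BUYVM_IP}"
VPN_NET="${VPN_NET:-10.0.0.0/8}"

# run <cmd...>: execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Without this the VPS accepts tunnel traffic but never forwards it.
# (sysctl -w is not persistent; add the key to /etc/sysctl.conf as well.)
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Only IKE and NAT-T are reachable in the clear. L2TP must arrive through an
# established IPsec transport SA (xt_policy match); plain udp/1701 is dropped.
vpn_input_rules() {
    run iptables -A INPUT -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A INPUT -p udp --dport 1701 -j DROP
}

# Forward tunnel traffic out, allow the replies back in, and SNAT it to the
# VPS address (the last rule is the one from the page).
vpn_forward_rules() {
    run iptables -A FORWARD -i ppp+ -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -o ppp+ -d "$VPN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -j SNAT --to-source "$SERVER_IP"
}

apply_all() {
    enable_forwarding
    vpn_input_rules
    vpn_forward_rules
}

# Preview: DRY_RUN=1 SERVER_IP=203.0.113.10 sh vpn-firewall.sh --apply
# Apply (as root): SERVER_IP=203.0.113.10 sh vpn-firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

Run it once with ''DRY_RUN=1'' and read the output before applying; the rules are appended, so on a VPS whose ''INPUT'' chain already ends in a catch-all ''ACCEPT'' only the ''DROP'' for plain udp/1701 changes behaviour, and it is the one that matters.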
===== Apply the configuration files =====
You must now restart the ''ipsec'' and ''xl2tpd'' daemons:
<code>
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
</code>
===== Client side configuration =====
From here you must configure your client side.
For a good Windows 2012/2016/2019/8/10 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 and 10, as those are specific to their platform.