Revision history: ipsec [2013/07/27 22:12]; ipsec [2021/04/24 15:14] (current), edited by cubebuilder
====== Setting up an IPSEC tunnel ======

This guide will show you how to set up a basic L2TP/IPsec tunnel (IPsec with a pre-shared key protecting an L2TP session, which in turn carries PPP) so that you can use your VPS as a VPN. Like a GRE tunnel it can carry all forms of traffic, with the added bonus that Windows (and most other client operating systems) ship a built-in L2TP/IPsec client, so nothing extra has to be installed on the client side.

If you need a tunnel between a BuyVM Linux-based virtual server and a Linux-based destination, we **highly** recommend you use a GRE tunnel instead, documented here: [[gre_tunnel|GRE tunnelling your filtered IP]].

If you don't have administrative control over your destination (a shared service of some sort), then your only choice is a reverse proxy, documented here: [[redirect_traffic|Redirecting your filtered IP]].
===== Supported Operating Systems =====

Any client operating system with a built-in or installable L2TP/IPsec client in pre-shared key mode can connect. On the server side this guide assumes a Debian/Ubuntu or CentOS VPS.

===== Prerequisites =====

   * iptables installed on your BuyVM VPS (included already in most cases)
   * IP forwarding enabled on the VPS (''net.ipv4.ip_forward=1''), otherwise client traffic will not leave the VPS even with the SNAT rule below

===== Setup =====

First you must install openswan & xl2tpd.

**Note:** Openswan is no longer maintained. Current Debian/Ubuntu releases and CentOS 7 and later ship its fork Libreswan instead (package ''libreswan''), which reads the same ''ipsec.conf'' format; a few ''config setup'' keywords from the Openswan sample below (for example ''nat_traversal'') are obsolete there and only produce a warning when the daemon starts. The rest of this guide applies to either.

On Debian/Ubuntu:

<code>
apt-get update
apt-get install openswan xl2tpd
</code>

**Note:** During the install it will ask if you wish to generate X.509 certificates. Certificate authentication is stronger than a shared key, but it isn't needed and isn't covered here, so answer no.

On CentOS:

<code>
yum -y install epel-release    # xl2tpd is packaged in EPEL, not in the base repositories
yum -y install xl2tpd openswan
</code>

===== Setup ipsec.conf =====

Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following:

<code>
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
 # Do not set debug options to debug configuration issues!
 # plutodebug / klipsdebug = "all", "none" or a combination from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
 # eg:
 # plutodebug="control parsing"
 #
 # enable to get logs per-peer
 # plutoopts="--perpeerlog"
 #
 # Again: only enable plutodebug or klipsdebug when asked by a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 nat_traversal=yes
 # private address ranges that clients behind NAT may come from.
 # exclude networks used on the server side itself by adding %v4:!a.b.c.0/24
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
 # OE is now off by default. Uncomment and change to on, to enable.
 oe=off
 # which IPsec stack to use. auto will try netkey, then klips then mast
 protostack=netkey

# settings shared by both connections below
conn %default
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 rekey=no
 ikelifetime=8h
 keylife=1h
 # transport mode: IPsec only protects the L2TP packets (UDP 1701) between the two hosts
 type=transport
 leftprotoport=17/1701
 rightprotoport=17/%any

# clients behind NAT (the usual case: home routers, mobile networks)
conn L2TP-PSK-NAT
 rightsubnet=vhost:%priv
 left=YOUR_BUYVM_IP
 # accept the connection from any client address
 right=%any

# clients with a public address of their own
conn L2TP-PSK-noNAT
 left=YOUR_BUYVM_IP
 right=%any
</code>

Make sure you update ''YOUR_BUYVM_IP'' (both occurrences) with your BuyVM IP. ''authby=secret'' and ''pfs=no'' match what the built-in Windows client negotiates by default, so leave them as they are.
===== Setup xl2tpd.conf =====

Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following:

<code>
[global]
;listen-addr = 127.0.0.1              ; Global parameters:
port = 1701                           ; * Listen on UDP 1701 (reached through the IPsec transport SA)
auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are (unused, tunnel authentication is off)
access control = no                   ; * no = accept tunnels from any peer; IPsec already limits who can reach us
rand source = dev                     ; Source for entropy for random

[lns default]                         ; Our fallthrough LNS definition
exclusive = yes                       ; * Only permit one tunnel per host
ip range = 10.1.0.2 - 10.1.0.100      ; * Addresses handed out to clients
local ip = 10.1.0.1                   ; * Our end of the PPP links
refuse authentication = yes           ; * No PPP authentication: the IPsec pre-shared key is the only credential
refuse pap = yes                      ; * Refuse PAP authentication
refuse chap = yes                     ; * Refuse CHAP authentication
ppp debug = no                        ; * PPP debugging off
pppoptfile = /etc/ppp/options.l2tpd   ; * ppp options file
</code>

**Optional:** Update the ''ip range'' & ''local ip'' to fit your needs. Whatever you choose must also be used in the SNAT rule further down, and must not overlap a network already in use on the client side, or the clients' own LAN traffic will be pulled into the tunnel.
===== Setup options.l2tpd =====

Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following:

<code>
# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
# Drop the link after 10 missed keepalives (one every 5 seconds).
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8

# Leave room for the PPP + L2TP + UDP + ESP headers inside a 1500-byte path.
mtu 1400
mru 1400
</code>

===== Setup ipsec.secrets =====

Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following:

<code>
YOUR_BUYVM_IP %any : PSK "mysecretpresharedkeypassword"
</code>

The ''PSK'' keyword after the colon is part of the ''ipsec.secrets(5)'' format and must be present. ''mysecretpresharedkeypassword'' is the ''shared key'' (pre-shared key) you'll have to enter in your client-side configuration to connect. All authentication is handled by IPsec: PPP authentication is disabled above, so this one key is the only credential, it is shared by every client, and anyone who learns it can use your VPS as a VPN. Use a long random value rather than a password, keep ''/etc/ipsec.secrets'' readable by root only (''chmod 600''), and restart ''ipsec'' after changing it.

===== Allow traffic to route out your VPS =====

As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS. Two things the rule alone does not do: the kernel must be allowed to forward packets between the ''ppp'' interfaces and the public interface (''sysctl -w net.ipv4.ip_forward=1'', and ''net.ipv4.ip_forward=1'' in ''/etc/sysctl.conf'' so it survives a reboot), and the rule only needs to cover the address pool handed out by xl2tpd (''10.1.0.0/24'' with the ''ip range'' above), not all of ''10.0.0.0/8'', which would also rewrite any other private-address traffic forwarded through the VPS:

<code>
iptables -A POSTROUTING -t nat -s 10.1.0.0/24 -j SNAT --to-source YOUR_BUYVM_IP
</code>

The rule is not persistent; save it with ''iptables-save'' (or ''service iptables save'' on CentOS 6) or it will be gone after a reboot.

===== Apply the configuration files =====

You must now restart the ''ipsec'' & ''xl2tpd'' daemons:

<code>
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
</code>

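The server-side steps above (secrets file, forwarding, SNAT, restart, check) as one script. This is an added example and not part of the original guide or of the Openswan/xl2tpd projects. It assumes the file paths and the 10.1.0.0/24 PPP pool from the configuration files above; 203.0.113.10 is a placeholder for YOUR_BUYVM_IP. It also adds the firewall rules the guide leaves out, in particular the one that only accepts UDP 1701 when the packet arrived inside IPsec: with PPP authentication switched off, unprotected L2TP reaching xl2tpd directly would hand out a session without any credential.

```shell
#!/bin/sh
# Added example (not part of the BuyVM guide): finishes the server side in one script.
# Assumptions: Openswan + xl2tpd with the paths used in the guide, the PPP pool from
# xl2tpd.conf (10.1.0.0/24), and the VPS public IP given as the second argument.
# Usage as root:  sh l2tp-server-finish.sh apply 203.0.113.10   (203.0.113.10 is a placeholder)
set -eu

POOL="10.1.0.0/24"   # must cover "ip range" and "local ip" in /etc/xl2tpd/xl2tpd.conf

# 32 random bytes, base64-encoded: a 44-character pre-shared key.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The single line ipsec.secrets needs. The PSK keyword after the colon is part of
# the ipsec.secrets(5) format; the guide's original line left it out.
secrets_line() {
    printf '%s %%any : PSK "%s"\n' "$1" "$2"
}

# iptables commands for the VPS (printed, so they can be reviewed before they run).
# The two rules on UDP 1701 are the security-relevant ones: PPP authentication is off
# (noauth / refuse authentication = yes), so if plain L2TP could reach xl2tpd from the
# Internet, anyone could get a PPP session without knowing the PSK.
# "-m policy --dir in --pol ipsec" matches only packets that were decapsulated from
# an IPsec SA, i.e. sent by a peer that proved knowledge of the pre-shared key.
firewall_rules() {
    vps_ip=$1
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -s $POOL -j ACCEPT
iptables -A FORWARD -d $POOL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -s $POOL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -s $POOL -j SNAT --to-source $vps_ip
EOF
}

apply() {
    vps_ip=$1
    psk=$(gen_psk)

    # ipsec.secrets: root-only file holding the one PSK shared by all clients.
    umask 077
    secrets_line "$vps_ip" "$psk" > /etc/ipsec.secrets
    echo "Pre-shared key for your clients: $psk"

    # The SNAT rule does nothing unless the kernel forwards between ppp* and the public interface.
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    # ICMP redirects confuse IPsec peers; "ipsec verify" warns when they are enabled.
    for d in /proc/sys/net/ipv4/conf/*; do
        echo 0 > "$d/send_redirects"
        echo 0 > "$d/accept_redirects"
    done

    firewall_rules "$vps_ip" | sh -e

    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart
    ipsec verify                               # Openswan's self-check of kernel and sysctl settings
    ipsec auto --status | grep 'L2TP-PSK'      # both conns should be listed as loaded
}

# Without "apply" the script only defines the functions (so they can be sourced or tested).
if [ "${1:-}" = "apply" ]; then
    apply "$2"
fi
```

Run it once as root with ''apply'' and your VPS IP; it prints the generated key to hand to the clients. The iptables rules it installs are not saved across reboots, so after a client has connected successfully persist them with ''iptables-save'' (or ''service iptables save'' on CentOS 6).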
===== Client side configuration =====

From here you must configure your client side. The settings every client needs are: VPN type L2TP/IPsec with a pre-shared key, server address ''YOUR_BUYVM_IP'', and the shared key from ''/etc/ipsec.secrets''. Since PPP authentication is disabled on the server (''noauth''), the username and password fields are not checked.

For a good Windows 2012/2016/2019/8/10 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 & 10, as they are specific to their platform. If the Windows client sits behind a NAT router, Windows additionally needs the DWORD ''AssumeUDPEncapsulationContextOnSendRule'' set to ''2'' under ''HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent'' (Microsoft KB 926179) and a reboot before it will connect to an L2TP/IPsec server.