Linux optimize

SolutionBase: Setting up a VPN server with OpenSWAN

If you want to set up a VPN, you don't need to buy an expensive VPN appliance or invest in Windows Server 2003. Here's how you can set up a Linux-based VPN using OpenSWAN.
This article is also available as a TechRepublic download.

Linux can be the platform for almost any network service you might want to offer your organization's users. You can use it for file and printer sharing, or as a Web server, among other things.

One of the most popular network services needed in business is remote access for mobile users. Linux can answer that need as well; you just have to set up a VPN server using OpenSWAN. Here's how it works.

What's OpenSWAN?

OpenSWAN is an Open Source implementation of IPSec for the Linux OS; it's a code fork of the FreeS/WAN project, started by a few developers frustrated with the politics surrounding that project. OpenSWAN is, without question, the easiest of all the Linux VPN solutions to get operational; but that's not saying much, because the other solutions can be a nightmare. Fortunately, this article outlines a very simple method of getting a Linux-based VPN server up and running.

Installing OpenSWAN

Although I usually recommend installing by any method you prefer, I believe installing from the RPM is the best way, because the RPMs available contain the necessary patches to the system being installed upon. NOTE: On Fedora Core 5 and later, you do not have to patch the kernel for l2tp to work. Download the following:

Create a new directory (we'll call this vpnsource) and move all of the downloaded files into that directory. Before you move on to installing the files, check to make sure you don't already have OpenSWAN installed. Run the command:

rpm -qa|grep openswan

If the above command returns anything, the package is not installed. Also run the command:

rpm -qa|grep ppp

to ensure you have PPP installed. Nearly all distributions come complete with PPP installed, so this shouldn't be a problem.

If your RPM query on OpenSWAN returns that you already have an installation on your system, remove it. You can do that with the command:

rpm -e openswan

Now we'll install the packages. From within the directory housing the files, run the commands:

rpm -ivhopenswan-XXX.rpm (where XXX is the release number)

rpm -ivhopenswan-doc-XXX.rpm (where XXX is the release number)

The installation of OpenSWAN comes with a sample IPSec configuration file. We're going to overwrite that with our own information, so back up that file with the following command:

cp /etc/ipsec.conf /etc/ipsec.conf_OLD

Now, open the /etc/ipsec.conf file in your favorite text editor, delete all the information in it, and paste the following code into that file:

version 2.0

config setup

     interfaces=%defaultroute

     klipsdebug=none

     plutodebug=none

     overridemtu=1410

     nat_traversal=yes

     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default

     keyingtries=3

     compress=yes

     disablearrivalcheck=no

     authby=secret

     type=tunnel

     keyexchange=ike

ikelifetime=240m

     keylife=60m

conn roadwarrior-net

     leftsubnet=192.168.0.0/16

     also=roadwarrior

connroadwarrior-all

     leftsubnet=0.0.0.0/0

     also=roadwarrior

conn roadwarrior-l2tp

     leftprotoport=17/0

     rightprotoport=17/1701

     also=roadwarrior

conn roadwarrior-l2tp-updatedwin

     leftprotoport=17/1701

     rightprotoport=17/1701

     also=roadwarrior

connroadwarrior

     pfs=no

     left=XXX.XXX.XXX.XXX

     leftnexthop=YYY.YYY.YYY.YYY

     right=%any

     rightsubnet=vhost:%no,%priv

     auto=add

#Disable Opportunistic Encryption

include /etc/ipsec.d/examples/no_oe.conf

Author’s Note:

This configuration file was cobbled together from various open sources. (No mice or penguins were harmed in its making.) Replace XXX.XXX.XXX.XXX with the external IP address. Also, replace YYY.YYY.YYY.YYY with your default gateway address.

Now, open /etc/ipsec.secrets and add the following line:

150.150.150.150 %any: PSK "this_is_your_psk_key_phrase"

Change 150.150.150.150 to the external IP address.

If you want access to the network from anywhere on the Internet, keep %any intact. For security reasons, consider specifying the address of the machine connecting.

Make sure the PSK key phrase is long. This is the string users will have to enter to gain access; longer is better.

Installing l2tp

As I mentioned before, if you're running Fedora Core 5 or later, you will not have to patch the kernel for l2tp to work. All you need to do, as root, is run the command:

yum install l2tpd

If you are installing l2tp from source, you will need to download the l2tp source to /usr/local/src. After that, run these commands:

cd /usr/local/src

tar zxf l2tpd-0.69.tar.gz

mv l2tpd-0.69.sysv.patch l2tpd-0.69/

mv l2tpd /etc/rc.d/init.d/

cd l2tpd-0.69

patch < l2tpd-0.69.sysv.patch

make

cp l2tpd /usr/sbin

chmod 755 /usr/sbin/l2tpd

l2tp should be properly installed.

Before you move on, it's best to take care of the start-up environment for l2tp by issuing the following commands:

chmod 755 /etc/rc.d/init.d/l2tpd

chkconfig --add l2tpd

chkconfig l2tpd on

Now it’s time to configure l2tp. The configuration files for l2tp will be located in /etc/l2tp. If the installation didn't create this directory automatically (it should), create it.

Open /etc/l2tp/l2tp.conf and add the following:

[global]

port = 1701

[lns default]

ip range = 192.168.1.101-192.168.1.254

local ip = 192.168.1.100

require chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPN

ppp debug = yes

pppoptfile = /etc/ppp/options.l2tpd

length bit = yes

The ip range configuration is the range of IP addresses that clients will be given when a connection is established. The local ip line is the server address. These lines can be configured to accommodate your network configuration.

PPP configuration

The VPN setup is almost done, but first configure PPP, because l2tp uses this to tunnel into the server. The l2tpd configuration we just edited specifies /etc/ppp/options.l2tpd as pppoptfile (PPP options file). Create this file, and paste the following:

ipcp-accept-local

ipcp-accept-remote

ms-dns 192.168.1.2

ms-wins 192.168.1.3

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000

silent

NOTE: Change ms-dns to your DNS server and ms-wins to your WINS server (if used.)

Now for the authentication files: CHAP will be used for PPP authentication. Open up /etc/ppp/chap-secrets in your favorite text editor for configuration. The format of this file will be:

Client     server     secret     IP addresses

Here is an example:

# Secrets for authentication using CHAP

# client     server     secret         IP addresses

username     *          "password"     192.168.1.0/24

*            username   "password"     192.168.1.0/24

For each username, you will need two lines of configuration, because this is two-sided authentication. One line is from client-to-server; the other, server-to-client. Both IP addresses and password should be the same on both lines. The IP addresses configuration will be the range of IP addresses handed out to clients, so make sure this is configured correctly.

Start it up

The order of starting will be l2tp followed by OpenSWAN. First, run the command:

/etc/rc.d/init.d/l2tpd start

You should not receive any errors.

Next, fire up OpenSWAN with the command:

/etc/rc.d/init.d/ipsec start

If there are any errors they will be reported in /var/log/messages and /var/log/secure.

Now that you have OpenSWAN and l2tp up and running you will have to configure your firewall to route packets from your external to internal interfaces. In order to do this, Packet Forwarding must be switched on. To switch it on, open /etc/sysctl.conf and change:

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Make sure the UDP 500 and 4500 and TCP 4500 ports are all open. Without these ports open, your VPN will not allow traffic in.

If you use iptables as your firewall, add the following rules to the /etc/sysconfig/iptables file:

-A RH-Firewall-1-INPUT -ippp+ -j ACCEPT

-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT

Client configuration

I assume most reading this article understand the particulars of setting up Windows clients to connect to a VPN. The only caveat to setting these connections up is remembering the PSK string used in the IPSec settings of the Windows VPN configuration (in Pre-shared Key Configuration.) Make sure you select L2TP IPSec VPN from the Type Of VPN setting. Finally, go to TCP/IP Settings | Advanced Settings | General and uncheck Use Default Gateway On Remote Network.

Instant, cheap, and reliable VPN service is now at your fingertips.

Final thoughts

VPNs are a tricky prospect. You can either go with the simple-but-costly solution with Microsoft or the complex-but-economical solution with OpenSWAN. Either way, you'll have challenges. So, before you plop down your IT department’s hard-earned budget on a proprietary solution, give OpenSWAN a try. You'll spend a little extra time with it in the beginning, but the payoff is worth not having to baby-sit your VPN server.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

13 comments
joelparker
joelparker

This is a great article on setting up a Server but my question is how do I setup a site to site openswan vpn between redhat machines ? What would be different in the server configuration and what is needed for the other machines configuration.

cvitalos
cvitalos

For providing a VPN solution between IOS devices and linux based VPN servers. I have been struggling with this challenge for awhile. These configs worked for me after making the obvious changes. Thanks again !

rak_ttsl
rak_ttsl

Plz suggest any alternet setting for the same

VVKS
VVKS

Plz let me know which Linux OS you are using and kernel version for openswan-2.6.30 and also L2tpd version.And is patching of L2tpd required.

ctcconnections
ctcconnections

After installing openswan-2.6.31. I spent many hours trying to resolve the error below when attempting to establish an IPSec tunnel, I found that installing openswan-2.6.30 fixed this error. Error "030 messge from whack contains bad string" Below find the steps used to setup openswan on centos 5.5 # wget http://www.openswan.org/download/openswan-2.6.30.tar.gz tar -xzf openswan-2.6.30.tar.gz # cd openswan-2.6.30 # make programs # make install KLIPS install for 2.0, 2.2, 2.4 or 2.6 kernels (2.6.18-194.3.1.el5-x86_64) # export KERNELSRC=/usr/src/kernels/2.6.18-194.3.1.el5-x86_64/ # make module # make module_install # depmod -a # modprobe ipsec # service ipsec start # chkconfig ipsec on # ipsec verify Other errors/fixes NETKEY detected, testing for disabled ICMP send_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! Run # sudo sysctl -a | grep 'ipv4.conf.*redirect' should list the variables you need to set. (Note: set them all to 0). in /etc/sysctl.conf Copy the errors onto /etc/sysctl.conf and set all variables to 0 # vi /etc/sysctl.conf To process changes # sysctl -p # ipsec restart

ddang
ddang

Dear all, I am trying with the guide on RHEL4 x386, but i don't know how to download other packages except openswan that i downloaded and installed well on this linux box. If you have a binary package or any ways to help me overcome this. It could be appreciated highly Thanks, Bryan De

TravisFx
TravisFx

Not exactly the most secure. Can it do any better?

ty.connell
ty.connell

Are we talking about OpenVPN or OpenSwan here - they are 2 different things ...

VVKS
VVKS

Want to use Ipsec VPN with PSK with Help of Openswan on Fedora core 5.Please suggest.Getting error no 792 while connecting.

jmoore
jmoore

IPSEC is really providing the security. CHAP and the psk are being required by the MS VPN client which uses l2tp. Alternatively, you can use x.509 certificates for authentication. See Nate Carlson's and Jacco de Leeuw's excellent web sites for more detail on setting this up. It took me a while to get it working but it works great now. BTW, I think the package for l2tp is now xl2tpd using yum.

paulz1
paulz1

also, rpm -qa|grepppp should be rpm -qa|grep ppp this article needs an edit. it was geared toward a non-savvy user implementing it, so anything that can eliminate confusion would be good.

NOW LEFT TR
NOW LEFT TR

OK there is a mistake at the end but come on.....

ty.connell
ty.connell

And I knew what you *meant* to say. Just pointing out a needed edit in a rather roundabout fashion :-) Great article, btw. I intend to try it out this evening.