IPSec/L2TP PSK (Pre-Shared Key)
Let's start with the easiest one to set up: it does not use certificates, so it is quicker to get going. Install strongSwan to provide the IPSec layer, xl2tpd for the L2TP tunnel and ppp for the PPP sessions:
apt-get install strongswan xl2tpd ppp
Once that is installed, configure strongSwan first. There are several files to configure; start with /etc/ipsec.conf.
You can define many connections ("conn" sections) in this file; strongSwan picks the one that matches an incoming connection by peer address, protocol/port and authentication method.
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    keyexchange=ike       # "ike" accepts both IKEv1 (the only version Android's built-in L2TP/IPSec client speaks) and IKEv2 (strongSwan app and other clients)

# Add connections here.
conn L2TP-PSK-noNAT
    authby=secret         # authenticate with the shared secret from ipsec.secrets; use rsasig for certificates
    pfs=no                # no perfect forward secrecy on the ESP SA
    auto=add              # load the connection at startup and wait for the client to initiate
    keyingtries=3         # give up after 3 negotiation attempts
    ikelifetime=8h
    keylife=1h
    type=transport        # transport mode, because L2TP provides the tunnel
    left=SERVER IP        # fill in the server's IP
    leftprotoport=17/1701 # UDP/1701 (L2TP) on the server side
    right=%any            # accept any client address
    rightprotoport=17/%any  # the client may use any UDP source port
Now edit /etc/ipsec.secrets, which in this case holds the PSK. Every client shares this one secret, so treat it like a group password: replace "password" with a long random string, keep the file readable by root only, and change it if a device is lost.
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

SERVER IP : PSK "password"
You can now test the IPSec part on its own. The full VPN connection will still fail because xl2tpd is not configured yet, but the IKE negotiation should succeed. Tail the syslog while connecting from your Android device and check that the IPSec SAs are established:
tail -f /var/log/syslog
On the Android device add a VPN, choose L2TP/IPSec PSK as the type, enter the server address and the pre-shared key from the secrets file, save, then tap to connect. When it asks for a username and password, enter anything for now; those are checked by PPP, which is not set up yet.
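Reading the strongSwan (charon) lines in syslog by eye works, but it is easy to miss that only the IKE_SA came up and not the ESP CHILD_SA, or that a weak proposal was negotiated. The checker below is an added example, not code from the original post: it greps a log file for the two "established" lines of a named connection and flags weak algorithms in the selected proposal. The sample log it ships with is a constructed approximation of charon's output, and the connection name and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): a small checker for the
# strongSwan (charon) lines that appear in syslog while the Android client
# connects. It confirms that the IKE_SA and the ESP CHILD_SA for the
# connection came up and flags a weak negotiated proposal. The sample log
# is a constructed approximation of charon's log format.
# Usage on the server: check_ipsec_log /var/log/syslog L2TP-PSK-noNAT

# ike_established LOG CONN: 0 if an IKE_SA for CONN was established.
ike_established() {
    grep -q "IKE_SA $2\[[0-9]*\] established" "$1"
}

# child_established LOG CONN: 0 if the ESP SA carrying L2TP was established.
child_established() {
    grep -q "CHILD_SA $2{[0-9]*} established" "$1"
}

# selected_ike_proposal LOG: the last IKE proposal charon reports selecting.
selected_ike_proposal() {
    sed -n 's/.*selected proposal: IKE:\([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# weak_proposal PROPOSAL: 0 if it contains algorithms that should be refused.
weak_proposal() {
    printf '%s\n' "$1" | grep -Eq '3DES|DES_CBC|MD5|MODP_768|MODP_1024'
}

# check_ipsec_log LOG CONN: 0 = SAs up with acceptable crypto,
# 1 = negotiation did not complete, 2 = SAs up but weak proposal.
check_ipsec_log() {
    log=$1; conn=$2
    if ! ike_established "$log" "$conn"; then
        echo "no IKE_SA for $conn: check the PSK in ipsec.secrets and that UDP/500 reaches the server"
        return 1
    fi
    if ! child_established "$log" "$conn"; then
        echo "IKE_SA up but no CHILD_SA for $conn: check type=transport and the leftprotoport/rightprotoport lines"
        return 1
    fi
    prop=$(selected_ike_proposal "$log")
    if weak_proposal "$prop"; then
        echo "SAs up but the IKE proposal is weak: $prop (pin stronger ike=/esp= proposals in ipsec.conf)"
        return 2
    fi
    echo "IPsec OK for $conn: $prop"
    return 0
}

# Constructed sample: a client at 198.51.100.5 connecting to a server at
# 203.0.113.10, negotiating a proposal that uses the 1024-bit MODP group.
sample_syslog() {
    cat <<'EOF'
Jun  1 10:00:01 vpn charon: 07[IKE] 198.51.100.5 is initiating a Main Mode IKE_SA
Jun  1 10:00:01 vpn charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  1 10:00:02 vpn charon: 08[IKE] IKE_SA L2TP-PSK-noNAT[1] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
Jun  1 10:00:02 vpn charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun  1 10:00:02 vpn charon: 08[IKE] CHILD_SA L2TP-PSK-noNAT{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 203.0.113.10/32[udp/l2tp] === 198.51.100.5/32[udp]
EOF
}
```

Against the constructed sample the checker reports both SAs up but returns 2 because of MODP_1024; on a real server point it at /var/log/syslog after a connection attempt. Note that CHILD_SA without IKE_SA never happens, but IKE_SA without CHILD_SA is the typical symptom of a protoport or transport/tunnel mismatch.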
Once you're happy that IPSec connects, edit the xl2tpd configuration file /etc/xl2tpd/xl2tpd.conf.
Only the bottom of the file is shown here; the rest is comments.
[lns default]
ip range = 172.16.20.53-172.16.20.58
local ip = SERVER IP
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
The ip range is the pool of addresses handed out to clients; make sure it does not collide with anything else on your network. I have my DHCP server configured not to hand out those addresses, but they are still inside the local subnet. I did this so clients can use an internal Bind9 DNS server that I have configured to block ads; I will write a post about that soon. The local ip is the server's IP.
Now configure the PPP side. Edit /etc/ppp/options.xl2tpd:
require-mschap-v2      # only accept MS-CHAPv2 from clients
ms-dns 184.108.40.206  # DNS server pushed to clients
auth                   # require the peer to authenticate
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd             # must match the "server" column in chap-secrets
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Now edit /etc/ppp/chap-secrets, which holds the username and password the Android client asked for. The server column must match the name set in options.xl2tpd, and "*" allows the client to be assigned any address from the pool.
# Secrets for authentication using CHAP
# client    server  secret  IP addresses
user        l2tpd   "pass"  *
I used an internal DNS server address for ms-dns above; you could instead use Google's public resolver, 8.8.8.8.
Restart both services:
service strongswan restart
service xl2tpd restart
Firewall Rules and IP Forwarding
To let devices browse the web through the VPN, enable IP forwarding and disable ICMP redirects. The lines below record the settings in /etc/sysctl.conf; the loop at the end applies the redirect settings to the running kernel immediately, while the forwarding setting takes effect after sysctl -p or a reboot.
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
To keep the L2TP layer reachable only through IPSec, accept UDP/1701 only when the packet arrived inside an IPSec SA and reject plain L2TP, so nobody can reach PPP/CHAP without first authenticating with the PSK. Rule order matters: the ACCEPT must be inserted before the REJECT.
iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
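Two things bite when this section is re-run or scripted: tee -a appends another copy of each setting to /etc/sysctl.conf every time, and iptables -A happily adds duplicate rules, so a second run can leave an ACCEPT behind a REJECT or a stale unconditional ACCEPT in place. The helpers below are an added example, not code from the original post: idempotent sysctl and iptables steps for the settings above, plus a check that verifies from iptables-save output that UDP/1701 is only accepted inside IPSec. The iptables-save excerpts are constructed, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotent versions of the
# sysctl and iptables steps above plus self-checks. The iptables-save text
# used by the self-check is constructed; paths are assumptions for this example.

# set_sysctl_persistent KEY VALUE FILE: replace an existing KEY line or append one.
set_sysctl_persistent() {
    key=$1; value=$2; file=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metacharacters
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$esc[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat, not mv, keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# persist_and_apply KEY VALUE: record the setting and apply it to the running kernel.
persist_and_apply() {
    set_sysctl_persistent "$1" "$2" /etc/sysctl.conf
    sysctl -w "$1=$2" >/dev/null
}

# ensure_rule TABLE CHAIN RULE...: append a rule only if an identical one is absent.
ensure_rule() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# install_l2tp_rules: the four rules from the post, added idempotently and in order.
install_l2tp_rules() {
    ensure_rule filter INPUT  -p udp -m policy --dir in  --pol ipsec -m udp --dport l2tp -j ACCEPT
    ensure_rule filter INPUT  -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
    ensure_rule filter OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
    ensure_rule filter OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
}

# l2tp_rules_ok FILE: given iptables-save output, succeed only if an INPUT
# ACCEPT for UDP/1701 is conditioned on IPsec policy and is followed by a
# REJECT of plain UDP/1701 (ACCEPT must come first or it never matches).
l2tp_rules_ok() {
    accept=$(grep -n -e '^-A INPUT .*--pol ipsec.*--dport 1701 .*-j ACCEPT' "$1" | head -n 1 | cut -d: -f1)
    reject=$(grep -n -e '^-A INPUT .*--dport 1701 .*-j REJECT' "$1" | grep -v -e '--pol ipsec' | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

# kernel_forwarding_on [PATH]: check the live value, not what sysctl.conf says.
kernel_forwarding_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed iptables-save excerpt matching the rules above (for the self-check).
sample_rules_good() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Same, but the ACCEPT is not tied to IPsec: plain L2TP would be reachable.
sample_rules_bad() {
    cat <<'EOF'
*filter
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

On the server, run persist_and_apply for each of the three sysctl keys, then install_l2tp_rules, and finish with iptables-save | l2tp_rules_ok /dev/stdin and kernel_forwarding_on to confirm the live state rather than the config files. Remember that iptables rules added this way are not persistent across reboots on their own; save them with your distribution's iptables-persistent mechanism.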
Other implementations coming soon