Revisions
mietek revised this gist
Feb 20, 2015. 1 changed file with 1 addition and 1 deletion.
@@ -48,7 +48,7 @@ Install dependencies: apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools ``` Build and install Libreswan: ``` wget https://download.libreswan.org/libreswan-3.12.tar.gz
mietek revised this gist
Feb 20, 2015. 1 changed file with 12 additions and 3 deletions.
@@ -24,9 +24,6 @@ net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.lo.rp_filter=0 EOF ``` **NOTE:** On DigitalOcean, also: @@ -36,13 +33,23 @@ net.ipv4.conf.ip_vti0.rp_filter=0 EOF ``` Reload config: ``` sysctl -p ``` ### Install Libreswan Install dependencies: ``` apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools ``` Build and install Libreswan ``` wget https://download.libreswan.org/libreswan-3.12.tar.gz tar zxvf libreswan-3.12.tar.gz @@ -54,6 +61,8 @@ make install ### Set up Libreswan Set up pre-shared key authentication: ``` cat <<EOF >/etc/ipsec.d/l2tp-psk.conf conn L2TP-PSK-NAT
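Review bot: the sysctl lines in the first hunk set net.ipv4.conf.{all,default,eth0,lo}.rp_filter=0, which switches reverse-path filtering off on every interface, not only where Libreswan needs it; with strict filtering gone, packets with spoofed source addresses arriving on interfaces that carry no IPsec traffic are no longer dropped by the kernel. Consider loose mode (rp_filter=2) on the interfaces IPsec actually uses and leave the rest strict, and add a one-line comment in the block saying why each rp_filter line is required. Moving "Reload config" with `sysctl -p` below the DigitalOcean block is the right fix: in the earlier layout the ip_vti0 line was appended after the reload had already run, so it never took effect until the next one.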
mietek revised this gist
Feb 20, 2015. 1 changed file with 1 addition and 0 deletions.
@@ -143,6 +143,7 @@ apt-get install -y xl2tpd cat <<EOF >/etc/xl2tpd/xl2tpd.conf [global] ipsec saref = yes access control = no [lns default] ip range = 10.1.10.2-10.1.10.255
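Review bot: `access control = no` in the [global] section of xl2tpd.conf makes xl2tpd accept L2TP tunnels from any peer address, which is the usual choice when IPsec is meant to be the gate, but nothing in this file or in the "Set up firewall" section stops a client from reaching UDP 1701 without an IPsec SA in place. Pair this setting with a firewall rule that accepts UDP 1701 only for packets that arrived through an IPsec policy (`iptables -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT`, then drop the rest), and note in the text that the L2TP layer itself performs no peer filtering once this is set.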
mietek revised this gist
Feb 20, 2015. 1 changed file with 4 additions and 5 deletions.
@@ -33,21 +33,20 @@ sysctl -p ``` cat <<EOF >>/etc/sysctl.conf net.ipv4.conf.ip_vti0.rp_filter=0 EOF ``` ### Install Libreswan ``` apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools ``` ``` wget https://download.libreswan.org/libreswan-3.12.tar.gz tar zxvf libreswan-3.12.tar.gz cd libreswan-3.12 make programs make install ```
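Review bot: the build block fetches libreswan-3.12.tar.gz and goes straight to `tar zxvf`, `make programs` and `make install` as root with no check of the tarball's signature or checksum; the binary installed here is what every VPN client will end up trusting, so add a verification step between the `wget` and the `tar` (the Libreswan project publishes a detached signature next to each tarball) and state in the text which key or checksum was used. Installing the build dependencies before the download is the right order and reads better than the previous layout; the DigitalOcean block now has its `EOF` terminator, which the earlier revision lacked.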
mietek revised this gist
Feb 20, 2015. 1 changed file with 14 additions and 8 deletions.
@@ -23,7 +23,8 @@ net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.lo.rp_filter=0 EOF ``` ``` sysctl -p ``` @@ -42,9 +43,11 @@ net.ipv4.conf.ip_vti0.rp_filter=0 wget https://download.libreswan.org/libreswan-3.12.tar.gz tar zxvf libreswan-3.12.tar.gz cd libreswan-3.12 ``` ``` apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools ``` ``` make programs make install ``` @@ -92,11 +95,13 @@ conn L2TP-PSK-noNAT # high port. rightprotoport=17/%any EOF ``` ``` cat <<EOF >>/etc/ipsec.conf include /etc/ipsec.d/l2tp-psk.conf EOF ``` ``` cat <<EOF >/etc/ipsec.secrets %any: PSK "__PRE_SHARED_KEY__" EOF @@ -117,7 +122,6 @@ ipsec initnss ``` systemctl enable xl2tpd.service ``` ``` ipsec setup start ipsec verify @@ -150,14 +154,16 @@ require authentication = yes pppoptfile = /etc/ppp/xl2tpd-options length bit = yes EOF ``` ``` cp /etc/ppp/options /etc/ppp/xl2tpd-options cat <<EOF >>/etc/ppp/xl2tpd-options require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 EOF ``` ``` cat <<EOF >/etc/ppp/chap-secrets __USERNAME__ * __PASSWORD__ * EOF
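Review bot: in the ipsec.conf/ipsec.secrets hunk the here-document that writes `%any: PSK "__PRE_SHARED_KEY__"` uses an unquoted `EOF`, so a pre-shared key containing `$`, backticks or a backslash is expanded by the shell before it reaches the file and the secret on disk silently differs from the one given to clients; use `cat <<'EOF' >/etc/ipsec.secrets` (and the same quoted form for chap-secrets, since `__PASSWORD__` has the same exposure). The `cat <<EOF >>/etc/ipsec.conf` append is also not idempotent: running the steps twice leaves two `include /etc/ipsec.d/l2tp-psk.conf` lines, and the same applies to the `>>` appends into sysctl.conf and xl2tpd-options; a `grep -q ... || cat <<'EOF' >>...` guard, or a note that the steps are meant to run once, would avoid that.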
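Review bot: in the PPP hunk, `require-mschap-v2` together with `__USERNAME__ * __PASSWORD__ *` in chap-secrets means the only per-user credential is a plaintext password checked over MS-CHAPv2, which on its own is not a strong authentication method; in this design the confidentiality and the first authentication gate both rest on the IPsec layer and its single shared PSK, and the text should say so and ask for a long random PSK. The `*` in the fourth field of chap-secrets lets the user take any address from the pool, which is fine for one user but worth stating. `ms-dns 8.8.8.8` / `8.8.4.4` push a public resolver to every client, sending all their DNS queries outside the VPN operator's control; the "May have to use local DNS servers" note that follows could be turned into the default with the public resolvers as the fallback.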
mietek revised this gist
Feb 20, 2015. 1 changed file with 9 additions and 4 deletions.
@@ -22,14 +22,19 @@ net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.lo.rp_filter=0 EOF sysctl -p ``` **NOTE:** On DigitalOcean, also: ``` cat <<EOF >>/etc/sysctl.conf net.ipv4.conf.ip_vti0.rp_filter=0 ``` ### Install Libreswan @@ -159,7 +164,7 @@ EOF chmod 600 /etc/ppp/chap-secrets ``` **NOTE:** May have to use local DNS servers. ### Start PPP
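Review bot: the DigitalOcean block added in the first hunk opens a here-document (`cat <<EOF >>/etc/sysctl.conf`) but has no closing `EOF` line before the fence, so as written the shell keeps reading until end of input and the ip_vti0 line is never written cleanly; add the terminator. In the same hunk `sysctl -p` runs before this optional block, so even with the terminator the ip_vti0 setting is not loaded until the next reload; move the `sysctl -p` after the optional block or repeat it there.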
mietek created this gist
Feb 20, 2015.
@@ -0,0 +1,208 @@ Set up L2TP/IPsec VPN on Debian =============================== Set up IPsec ------------ ### Set up networking ``` cat <<EOF >>/etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.lo.rp_filter=0 # NOTE: Only on DigitalOcean: # net.ipv4.conf.ip_vti0.rp_filter=0 EOF sysctl -p ``` ### Install Libreswan ``` wget https://download.libreswan.org/libreswan-3.12.tar.gz tar zxvf libreswan-3.12.tar.gz cd libreswan-3.12 apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools make programs make install ``` ### Set up Libreswan ``` cat <<EOF >/etc/ipsec.d/l2tp-psk.conf conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT # Use a Preshared Key. Disable Perfect Forward Secrecy. authby=secret pfs=no auto=add keyingtries=3 # we cannot rekey for %any, let client rekey rekey=no # Apple iOS doesn't send delete notify so we need dead peer detection # to detect vanishing clients dpddelay=10 dpdtimeout=90 dpdaction=clear # Set ikelifetime and keylife to same defaults windows has ikelifetime=8h keylife=1h # l2tp-over-ipsec is transport mode type=transport # # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time). left=%defaultroute # # For updated Windows 2000/XP clients, # to support old clients as well, use leftprotoport=17/%any leftprotoport=17/1701 # # The remote user. # right=%any # Using the magic port of "%any" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port. 
rightprotoport=17/%any EOF cat <<EOF >>/etc/ipsec.conf include /etc/ipsec.d/l2tp-psk.conf EOF cat <<EOF >/etc/ipsec.secrets %any: PSK "__PRE_SHARED_KEY__" EOF chmod 600 /etc/ipsec.secrets ``` **NOTE:** On Ubuntu 14.04, also: ``` ipsec initnss ``` ### Start IPSec **NOTE:** On Debian `jessie`, first: ``` systemctl enable xl2tpd.service ``` ``` ipsec setup start ipsec verify ``` Set up PPP ---------- ### Install PPP ``` apt-get install -y xl2tpd ``` ### Set up PPP ``` cat <<EOF >/etc/xl2tpd/xl2tpd.conf [global] ipsec saref = yes [lns default] ip range = 10.1.10.2-10.1.10.255 local ip = 10.1.10.1 refuse chap = yes refuse pap = yes require authentication = yes pppoptfile = /etc/ppp/xl2tpd-options length bit = yes EOF cp /etc/ppp/options /etc/ppp/xl2tpd-options cat <<EOF >>/etc/ppp/xl2tpd-options require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 EOF cat <<EOF >/etc/ppp/chap-secrets __USERNAME__ * __PASSWORD__ * EOF chmod 600 /etc/ppp/chap-secrets ``` NOTE: May have to use local DNS servers. ### Start PPP On Ubuntu 14.04: ``` /etc/init.d/xl2tpd start ``` On Debian `jessie`: ``` systemctl enable xl2tpd.service systemctl start xl2tpd.service ``` Set up firewall --------------- For now: ``` iptables --table nat --append POSTROUTING --jump MASQUERADE ``` For later: ``` cat <<EOF >>/etc/rc.local iptables --table nat --append POSTROUTING --jump MASQUERADE EOF ``` References ---------- - http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html - http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-wheezy.html - https://libreswan.org/man/ipsec.conf.5.html - https://github.com/libreswan/libreswan/blob/master/README - https://github.com/libreswan/libreswan/blob/master/docs/examples/sysctl.conf - https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
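Review bot: the firewall step `iptables --table nat --append POSTROUTING --jump MASQUERADE` has no `-s` or `-o` qualifier, so it rewrites the source of every forwarded packet leaving the host on any interface, not just traffic from the VPN pool; restrict it to the pool and the uplink (`-s 10.1.10.0/24 -o eth0`, matching the `ip range` and the eth0 used in the sysctl block), and since the same line is appended to /etc/rc.local with `>>`, a second run of the steps installs the rule twice. Under "Start IPSec" the jessie step enables `xl2tpd.service`, which is enabled again under "Start PPP"; if the intent was to start Libreswan at boot, the unit named here should be the IPsec service rather than the L2TP daemon's, otherwise the first occurrence is a duplicate and can go. The `%any: PSK` line is one group secret for all clients, so the text should note that removing a user means rotating the PSK for everyone, and that `pfs=no` is taken from the upstream l2tp-psk example for client compatibility rather than chosen for this deployment.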