ipsec

Setting up an IPSEC tunnel

This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.

If you're needing a tunnel between a EidolonHost Linux-based virtual server and a Linux-based destination, we highly recommend you use a GRE tunnel documented here: GRE tunnelling your filtered IP.

If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: Redirecting your filtered IP.

All operating systems with IPSEC support are, you guessed it, supported.

We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.

Please note, if you're setting this up on an OpenVZ with us, you must use a 64bit based template.

  • iptables installed on your EidolonHost VPS (included already in most cases)
  • A 64-bit based distribution if you're doing this on OpenVZ. This can't be stressed enough and will not work on a 32-bit distribution (for the time being).

First you must install openswan & xl2tpd.

On Debian/Ubuntu:

apt-get update
apt-get install openswan xl2tpd

Note: During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.

On CentOS:

yum -y install xl2tpd openswan

Open up /etc/ipsec.conf with your favorite editor. Replace the entire contents with the following:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	protostack=netkey

conn %default
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	leftprotoport=17/1701
	rightprotoport=17/%any

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	left=YOUR_EidolonHost_IP

conn L2TP-PSK-noNAT
	left=YOUR_EidolonHost_IP
	right=%any

Make sure you update YOUREidolonHostIP with your EidolonHost IP.

Open up /etc/xl2tpd/xl2tpd.conf with your favorite editor. Replace the entire contents with the following:

[global]
;listen-addr = 127.0.0.1                ; Global parameters:
port = 1701             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
access control = no         ; * Refuse connections without IP match
rand source = dev                     ; Source for entropy for random

[lns default]             ; Our fallthrough LNS definition
exclusive = yes            ; * Only permit one tunnel per host
ip range = 10.1.0.2 - 10.1.0.100
local ip = 10.1.0.1
refuse authentication = yes     ; * Refuse authentication altogether
refuse pap = yes            ; * Refuse PAP authentication
refuse chap = yes
ppp debug = no            ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file

Optional: Update the ip range & local ip to fit your needs.

Open up /etc/ppp/options.l2tpd with your favorite editor. Replace the entire contents with the following:

# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8

mtu 1400
mru 1400

Open up /etc/ipsec.secrets with your favorite editor. Replace the entire contents with the following:

YOUR_EidolonHost_IP %any: "mysecretpresharedkeypassword"

The mysecretpresharedkeypassword is the shared key you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.

As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:

iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_EidolonHost_IP

You must now restart the ipsec & xl2tpd daemons:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

From here you must configure your client side.

For a good Windows 2008/2012/7/8 guide, please check out http://www.x4b.net/wiki/WindowsVPNConnecting. Follow all the steps except 9 & 10 as it's specific to their platform.

  • ipsec.txt
  • Last modified: 2022/10/13 09:11
  • by 127.0.0.1