ipsec [2017/03/23 09:22] (current)
====== Setting up an IPSEC tunnel ======

This guide will teach you how to set up a basic IPSEC tunnel so you can use your VPS as a VPN. IPSEC tunnels are similar to GRE tunnels in that they can pass all forms of traffic, with the added bonus of being supported by Windows.

If you need a tunnel between an EidolonHost Linux-based virtual server and a Linux-based destination, we **highly** recommend you use a GRE tunnel, documented here: [[gre_tunnel|GRE tunnelling your filtered IP]].

If you don't have administrative control over your destination (for example, you are using a shared service), then your only choice is a reverse proxy, documented here: [[redirect_traffic|Redirecting your filtered IP]].
===== Supported Operating Systems =====

All operating systems with IPSEC support are, you guessed it, supported.

We still highly recommend buying a KVM-based plan with us if you need to protect a Windows server. You'll save on latency and bandwidth costs.

Please note, if you're setting this up on an OpenVZ plan with us, **you must use a 64-bit based template**.
===== Prerequisites =====

   * iptables installed on your EidolonHost VPS (included already in most cases)
   * **A 64-bit based distribution if you're doing this on OpenVZ**. This can't be stressed enough and will not work on a 32-bit distribution (for the time being).

===== Setup =====

First you must install openswan & xl2tpd.

On Debian/Ubuntu:

<code>
apt-get update
apt-get install openswan xl2tpd
</code>

**Note:** During the install it will ask if you wish to generate certificates. Certificates can give you added security, but they aren't needed for this guide and aren't covered here.

On CentOS:

<code>
yum -y install xl2tpd openswan
</code>
===== Setup ipsec.conf =====

Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following:

<code>
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
 # Do not set debug options to debug configuration issues!
 # plutodebug / klipsdebug = "all", "none" or a combination from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
 # eg:
 # plutodebug="control parsing"
 #
 # enable to get logs per-peer
 # plutoopts="--perpeerlog"
 #
 # Again: only enable plutodebug or klipsdebug when asked by a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 nat_traversal=yes
 # exclude networks used on server side by adding %v4:!a.b.c.0/24
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
 # OE is now off by default. Uncomment and change to on, to enable.
 oe=off
 # which IPsec stack to use. auto will try netkey, then klips then mast
 protostack=netkey

conn %default
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 rekey=no
 ikelifetime=8h
 keylife=1h
 type=transport
 leftprotoport=17/1701
 rightprotoport=17/%any

conn L2TP-PSK-NAT
 rightsubnet=vhost:%priv
 left=YOUR_EidolonHost_IP

conn L2TP-PSK-noNAT
 left=YOUR_EidolonHost_IP
 right=%any
</code>

Make sure you update ''YOUR_EidolonHost_IP'' with your EidolonHost IP.
===== Setup xl2tpd.conf =====

Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following:

<code>
[global]
;listen-addr = 127.0.0.1                ; Global parameters:
port = 1701                             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets    ; * Where our challenge secrets are
access control = no                     ; * Refuse connections without IP match
rand source = dev                       ; Source for entropy for random

[lns default]                           ; Our fallthrough LNS definition
exclusive = yes                         ; * Only permit one tunnel per host
ip range = 10.1.0.2 - 10.1.0.100
local ip = 10.1.0.1
refuse authentication = yes             ; * Refuse authentication altogether
refuse pap = yes                        ; * Refuse PAP authentication
refuse chap = yes
ppp debug = no                          ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file
</code>

**Optional:** Update the ''ip range'' & ''local ip'' to fit your needs.
===== Setup options.l2tpd =====

Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following:

<code>
# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8

mtu 1400
mru 1400
</code>

===== Setup ipsec.secrets =====

Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following:

<code>
YOUR_EidolonHost_IP %any: "mysecretpresharedkeypassword"
</code>

''mysecretpresharedkeypassword'' is the ''shared key'' you'll have to provide in your client-side configuration to connect; replace it with a key of your own. All authentication is handled by IPSEC.

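Because the pre-shared key is the only thing authenticating clients to this server, a dictionary phrase like the one in the sample line is not a good choice. The following Python script is an added example (not part of the original guide or of Openswan) that generates a random 256-bit key, writes it in the ''ipsec.secrets'' format shown above, and creates the file with owner-only permissions. The server address ''203.0.113.10'' is a documentation (TEST-NET-3) placeholder standing in for ''YOUR_EidolonHost_IP''; the output path under the temp directory is only for demonstration.

```python
import os
import secrets
import tempfile

# Constructed placeholder; your real EidolonHost IP goes here in practice.
SERVER_IP = "203.0.113.10"  # TEST-NET-3 documentation address, not a real host

# The sample key from the guide; it must never be used on a real server.
SAMPLE_KEY = "mysecretpresharedkeypassword"


def generate_psk(nbytes: int = 32) -> str:
    """Return a random pre-shared key with nbytes of entropy, hex-encoded.

    32 bytes (256 bits) is far beyond what offline guessing of an IKE PSK
    could ever exhaust; token_hex draws from the OS CSPRNG.
    """
    return secrets.token_hex(nbytes)


def secrets_line(server_ip: str, psk: str) -> str:
    """Build the ipsec.secrets entry in the form the guide uses:
    <server ip> %any: "<psk>"
    """
    if '"' in psk or "\n" in psk:
        raise ValueError("PSK must not contain quotes or newlines")
    return f'{server_ip} %any: "{psk}"\n'


def is_weak_psk(psk: str) -> bool:
    """Flag keys that are short or are the guide's sample placeholder."""
    return len(psk) < 20 or psk == SAMPLE_KEY


def write_secrets(path: str, server_ip: str, psk: str) -> None:
    """Write the secrets file readable and writable by the owner only (0600).

    The mode is passed to open() so the file is never created world-readable,
    and chmod is applied afterwards in case the file already existed.
    """
    if is_weak_psk(psk):
        raise ValueError("refusing to write a weak or sample pre-shared key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secrets_line(server_ip, psk))
    os.chmod(path, 0o600)


if __name__ == "__main__":
    key = generate_psk()
    # Demonstration target; on a real server this would be /etc/ipsec.secrets.
    target = os.path.join(tempfile.gettempdir(), "ipsec.secrets.example")
    write_secrets(target, SERVER_IP, key)
    print(f"wrote {target} with mode {oct(os.stat(target).st_mode & 0o777)}")
```

The hex key is 64 characters long; Openswan reads the whole quoted string, and the same string is what you type into the client's shared key field.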
===== Allow traffic to route out your VPS =====

As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:

<code>
iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_EidolonHost_IP
</code>

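The three files above have to agree with each other: the ''left='' address in ''ipsec.conf'' and the ''--to-source'' of the SNAT rule must be the same real address (not the ''YOUR_EidolonHost_IP'' placeholder), and the ''ip range'' and ''local ip'' from ''xl2tpd.conf'' must fall inside the ''-s'' network of the SNAT rule, otherwise client traffic is never translated. The script below is an added example, not part of the original guide or of any of the tools it configures, that parses constructed fragments of the three files and reports any mismatch. ''203.0.113.10'' is a documentation address used in place of ''YOUR_EidolonHost_IP''.

```python
import ipaddress
import re

PLACEHOLDER = "YOUR_EidolonHost_IP"

# Constructed sample fragments mirroring the guide's files, with the
# placeholder replaced by a TEST-NET-3 documentation address.
IPSEC_CONF = """
conn L2TP-PSK-noNAT
 left=203.0.113.10
 right=%any
"""

XL2TPD_CONF = """
[lns default]
ip range = 10.1.0.2 - 10.1.0.100
local ip = 10.1.0.1
"""

SNAT_RULE = "iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source 203.0.113.10"


def left_addresses(ipsec_conf):
    """Return every left= value in the ipsec.conf text (leftprotoport is not matched)."""
    return re.findall(r"^\s*left=(\S+)", ipsec_conf, re.MULTILINE)


def ppp_pool(xl2tpd_conf):
    """Parse 'ip range = A - B' and 'local ip = X' into (first, last, local)."""
    rng = re.search(r"^\s*ip range\s*=\s*(\S+)\s*-\s*(\S+)", xl2tpd_conf, re.MULTILINE)
    local = re.search(r"^\s*local ip\s*=\s*(\S+)", xl2tpd_conf, re.MULTILINE)
    if not rng or not local:
        raise ValueError("xl2tpd.conf is missing 'ip range' or 'local ip'")
    return (ipaddress.ip_address(rng.group(1)),
            ipaddress.ip_address(rng.group(2)),
            ipaddress.ip_address(local.group(1)))


def snat_parts(rule):
    """Extract the -s source network and the --to-source address from the iptables line."""
    src = re.search(r"-s\s+(\S+)", rule)
    to = re.search(r"--to-source\s+(\S+)", rule)
    if not src or not to:
        raise ValueError("SNAT rule is missing -s or --to-source")
    return ipaddress.ip_network(src.group(1), strict=False), to.group(1)


def check_configs(ipsec_conf, xl2tpd_conf, snat_rule):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    lefts = left_addresses(ipsec_conf)
    if not lefts:
        problems.append("ipsec.conf has no left= line")
    for value in lefts:
        if value == PLACEHOLDER:
            problems.append(f"ipsec.conf still contains the placeholder {PLACEHOLDER}")
        else:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"ipsec.conf left={value} is not an IP address")
    first, last, local = ppp_pool(xl2tpd_conf)
    if first > last:
        problems.append("xl2tpd ip range start is after its end")
    src_net, to_source = snat_parts(snat_rule)
    for addr in (first, last):
        if addr not in src_net:
            problems.append(f"PPP pool address {addr} is outside SNAT source {src_net}")
    if local not in src_net:
        problems.append(f"local ip {local} is outside SNAT source {src_net}")
    if first <= local <= last:
        problems.append(f"local ip {local} overlaps the client pool")
    if to_source == PLACEHOLDER:
        problems.append("SNAT rule still uses the placeholder address")
    elif lefts and to_source not in lefts:
        problems.append("SNAT --to-source differs from ipsec.conf left=")
    return problems


if __name__ == "__main__":
    for line in check_configs(IPSEC_CONF, XL2TPD_CONF, SNAT_RULE) or ["configs agree"]:
        print(line)
```

Run it against the real files by reading ''/etc/ipsec.conf'', ''/etc/xl2tpd/xl2tpd.conf'' and the SNAT line you intend to apply; an empty result means the addresses line up, and each reported problem names the file to fix.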
===== Apply the configuration files =====

You must now restart the ''ipsec'' & ''xl2tpd'' daemons:

<code>
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
</code>

===== Client side configuration =====

From here you must configure your client side.

For a good Windows 2008/2012/7/8 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 & 10, as those are specific to their platform.