ipsec
Differences
This shows you the differences between two versions of the page.
| — |
ipsec [2017/03/23 09:22] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Setting up an IPSEC tunnel ====== | ||
| + | This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows. | ||
| + | |||
| + | If you're needing a tunnel between a EidolonHost Linux-based virtual server and a Linux-based destination, we **highly** recommend you use a GRE tunnel documented here: [[gre_tunnel|GRE tunnelling your filtered IP]]. | ||
| + | |||
| + | If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: [[redirect_traffic|Redirecting your filtered IP]]. | ||
| + | ===== Supported Operating Systems ==== | ||
| + | |||
| + | All operating systems with IPSEC support are, you guessed it, supported. | ||
| + | |||
| + | We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs. | ||
| + | |||
| + | Please note, if you're setting this up on an OpenVZ with us, **you must use a 64bit based template**. | ||
| + | ===== Prerequisites ===== | ||
| + | |||
| + | * iptables installed on your EidolonHost VPS (included already in most cases) | ||
| + | * **A 64-bit based distribution if you're doing this on OpenVZ**. This can't be stressed enough and will not work on a 32-bit distribution (for the time being). | ||
| + | |||
| + | ===== Setup ===== | ||
| + | |||
| + | First you must install openswan & xl2tpd. | ||
| + | |||
| + | On Debian/Ubuntu: | ||
| + | |||
| + | <code> | ||
| + | apt-get update | ||
| + | apt-get install openswan xl2tpd | ||
| + | </code> | ||
| + | |||
| + | **Note:** During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here. | ||
| + | |||
| + | On CentOS: | ||
| + | |||
| + | <code> | ||
| + | yum -y install xl2tpd openswan | ||
| + | </code> | ||
| + | ===== Setup ipsec.conf ===== | ||
| + | |||
| + | Open up ''/etc/ipsec.conf'' with your favorite editor. Replace the entire contents with the following: | ||
| + | |||
| + | <code> | ||
| + | |||
| + | # /etc/ipsec.conf - Openswan IPsec configuration file | ||
| + | |||
| + | # This file: /usr/share/doc/openswan/ipsec.conf-sample | ||
| + | # | ||
| + | # Manual: ipsec.conf.5 | ||
| + | |||
| + | version 2.0 # conforms to second version of ipsec.conf specification | ||
| + | |||
| + | # basic configuration | ||
| + | config setup | ||
| + | # Do not set debug options to debug configuration issues! | ||
| + | # plutodebug / klipsdebug = "all", "none" or a combation from below: | ||
| + | # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" | ||
| + | # eg: | ||
| + | # plutodebug="control parsing" | ||
| + | # | ||
| + | # enable to get logs per-peer | ||
| + | # plutoopts="--perpeerlog" | ||
| + | # | ||
| + | # Again: only enable plutodebug or klipsdebug when asked by a developer | ||
| + | # | ||
| + | # NAT-TRAVERSAL support, see README.NAT-Traversal | ||
| + | nat_traversal=yes | ||
| + | # exclude networks used on server side by adding %v4:!a.b.c.0/24 | ||
| + | virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24 | ||
| + | # OE is now off by default. Uncomment and change to on, to enable. | ||
| + | oe=off | ||
| + | # which IPsec stack to use. auto will try netkey, then klips then mast | ||
| + | protostack=netkey | ||
| + | |||
| + | conn %default | ||
| + | authby=secret | ||
| + | pfs=no | ||
| + | auto=add | ||
| + | keyingtries=3 | ||
| + | rekey=no | ||
| + | ikelifetime=8h | ||
| + | keylife=1h | ||
| + | type=transport | ||
| + | leftprotoport=17/1701 | ||
| + | rightprotoport=17/%any | ||
| + | |||
| + | conn L2TP-PSK-NAT | ||
| + | rightsubnet=vhost:%priv | ||
| + | left=YOUR_EidolonHost_IP | ||
| + | |||
| + | conn L2TP-PSK-noNAT | ||
| + | left=YOUR_EidolonHost_IP | ||
| + | right=%any | ||
| + | </code> | ||
| + | |||
| + | Make sure you update ''YOUR_EidolonHost_IP'' with your EidolonHost IP. | ||
| + | ===== Setup xl2tpd.conf ===== | ||
| + | |||
| + | |||
| + | Open up ''/etc/xl2tpd/xl2tpd.conf'' with your favorite editor. Replace the entire contents with the following: | ||
| + | |||
| + | <code> | ||
| + | [global] | ||
| + | ;listen-addr = 127.0.0.1 ; Global parameters: | ||
| + | port = 1701 ; * Bind to port 1701 | ||
| + | auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are | ||
| + | access control = no ; * Refuse connections without IP match | ||
| + | rand source = dev ; Source for entropy for random | ||
| + | |||
| + | [lns default] ; Our fallthrough LNS definition | ||
| + | exclusive = yes ; * Only permit one tunnel per host | ||
| + | ip range = 10.1.0.2 - 10.1.0.100 | ||
| + | local ip = 10.1.0.1 | ||
| + | refuse authentication = yes ; * Refuse authentication altogether | ||
| + | refuse pap = yes ; * Refuse PAP authentication | ||
| + | refuse chap = yes | ||
| + | ppp debug = no ; * Turn on PPP debugging | ||
| + | pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file | ||
| + | </code> | ||
| + | |||
| + | **Optional:** Update the ''ip range'' & ''local ip'' to fit your needs. | ||
| + | ===== Setup options.l2tpd ===== | ||
| + | |||
| + | Open up ''/etc/ppp/options.l2tpd'' with your favorite editor. Replace the entire contents with the following: | ||
| + | |||
| + | <code> | ||
| + | # Do not support BSD compression. | ||
| + | nobsdcomp | ||
| + | passive | ||
| + | lock | ||
| + | |||
| + | # Allow all usernames to connect. | ||
| + | name * | ||
| + | proxyarp | ||
| + | ipcp-accept-local | ||
| + | ipcp-accept-remote | ||
| + | lcp-echo-failure 10 | ||
| + | lcp-echo-interval 5 | ||
| + | nodeflate | ||
| + | |||
| + | # Do not authenticate incoming connections. This is handled by IPsec. | ||
| + | noauth | ||
| + | refuse-chap | ||
| + | refuse-mschap | ||
| + | refuse-mschap-v2 | ||
| + | |||
| + | # Set the DNS servers the PPP clients will use. | ||
| + | ms-dns 8.8.8.8 | ||
| + | |||
| + | mtu 1400 | ||
| + | mru 1400 | ||
| + | </code> | ||
| + | |||
| + | ===== Setup ipsec.secrets ===== | ||
| + | |||
| + | Open up ''/etc/ipsec.secrets'' with your favorite editor. Replace the entire contents with the following: | ||
| + | |||
| + | <code> | ||
| + | YOUR_EidolonHost_IP %any: "mysecretpresharedkeypassword" | ||
| + | </code> | ||
| + | |||
| + | The ''mysecretpresharedkeypassword'' is the ''shared key'' you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC. | ||
| + | |||
| + | ===== Allow traffic to route out your VPS ===== | ||
| + | |||
| + | As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS: | ||
| + | |||
| + | <code> | ||
| + | iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_EidolonHost_IP | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ===== Apply the configuration files ===== | ||
| + | |||
| + | You must now restart the ''ipsec'' & ''xl2tpd'' daemons: | ||
| + | |||
| + | <code> | ||
| + | /etc/init.d/ipsec restart | ||
| + | /etc/init.d/xl2tpd restart | ||
| + | </code> | ||
| + | |||
| + | ===== Client side configuration ===== | ||
| + | |||
| + | From here you must configure your client side. | ||
| + | |||
| + | For a good Windows 2008/2012/7/8 guide, please check out [[http://www.x4b.net/wiki/WindowsVPNConnecting]]. Follow all the steps except 9 & 10 as it's specific to their platform. | ||
ipsec.txt ยท Last modified: 2017/03/23 09:22 (external edit)
Page Tools
