Install the software
First, we start with installing all required software:
apt-get install strongswan xl2tpd ppp
Configure strongSwan
vi /etc/strongswan.conf
charon {
    load_modular = yes
    install_routes = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            #append = no
            #default = 2
            flush_line = yes
        }
        stderr {
            # default loglevel.
            #ike = 4
            #knl = 3
        }
    }
}
include strongswan.d/*.conf
Configure IPsec
Now we configure the software, starting with IPsec:
vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    uniqueids = yes
# default for connections
conn %default
    pfs=yes
    aggressive = no
    #installpolicy=yes
    mobike = no
    ikelifetime=8h
    keylife=3h
    keyingtries=%forever
    rekey=no
    rekeymargin=3m
    # dead peer detection: needed so that clients can reconnect after sleep
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
# VPN: L2TP over IPsec for road warriors (e.g. iPhone)
conn IPSec-L2TP-Roadwarrior
    ### CONNECTION SETTINGS ###
    forceencaps=yes
    type=transport
    auto=add
    ### PROPOSAL ###
    keyexchange=ikev1
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ### SERVER SIDE ###
    left=%defaultroute
    leftfirewall = yes
    leftprotoport=udp/1701
    ### CLIENT SIDE ###
    right=%any
    rightfirewall = yes
    rightprotoport=udp/%any
    ### PHASE II SELECTORS ###
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
Some notes about this configuration:
- We use a pre-shared secret (password) for authentication. Sources on the internet seem to suggest that the iPhone cannot handle certificates for this setup.
- The dead peer detection (dpd*) settings at the bottom of the %default section are required; without them you cannot reconnect to the VPN when the client returns from sleep.
IPsec Secrets
We therefore also need to configure a pre-shared key (password) for the IPsec tunnel.
vi /etc/ipsec.secrets
%any %any: PSK "this-is-my-super-secret-password"
It is wise to choose a strong (long) password.
Other possible secret types:
- RSA defines an RSA private key
- ECDSA defines an ECDSA private key
- PSK defines a pre-shared key
- EAP defines EAP credentials
- NTLM defines NTLM credentials
- XAUTH defines XAUTH credentials
- PIN defines a smartcard PIN
Example:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.1 %any : PSK "v+NkxY9L-$Fd4qCC2o/gGr9QwF2d21jL"
: RSA moonKey.pem
: EAP "x3.dEhgN"
carol : XAUTH "4iChxLT3"
dave : XAUTH "ryftzG4A"
# get secrets from other files
include ipsec.*.secrets
Configure L2TP
Inside the directory /etc/xl2tpd you have to edit xl2tpd.conf like this:
vi /etc/xl2tpd/xl2tpd.conf
[global]
; tunnel authentication file as shipped by the Debian xl2tpd package
auth file = /etc/xl2tpd/l2tp-secrets
port = 1701
access control = no
ipsec saref = yes
[lns default]
ip range = 192.168.254.100-192.168.254.150
local ip = 192.168.254.254
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = L2TP
; set to no once the VPN works (see the note below)
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
The "ip range" is a range inside your internal network but outside your DHCP scope. The "ip range" must not include the "local ip"; that address is dedicated to your Linux host. Important: once the VPN setup is working properly, turn off all debugging options (set them to 'no'). Otherwise your logs will fill up very quickly, because every transmitted packet is logged.
Configure PPP
Now we must configure PPP. Edit /etc/ppp/options.xl2tpd and make it look like this:
vi /etc/ppp/options.xl2tpd
persist
ipparam portunity
# Allow all usernames to connect.
proxyarp
ipcp-accept-local
ipcp-accept-remote
# Set the DNS servers the PPP clients will use.
#ms-dns 192.168.254.254
#ms-dns 2a03:4000:6:d0f1::
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
lock
connect-delay 5000
# Enable IPv6
+ipv6
Note that you must enter a valid DNS server that the VPN client (iPhone) can reach through the tunnel. We are almost there; now we must also configure a password for the PPP connection.
CHAP Secrets
Edit /etc/ppp/chap-secrets and make it look like this:
vi /etc/ppp/chap-secrets
# client    server  secret      IP addresses
USERNAME    *       PASSWORD    *
This password is not related to the IPSec password. I think it is wise to configure different passwords for IPSec and PPP.
Configuring the firewall
Using UFW
An IPsec + L2TP + PPP VPN requires the following UDP ports to be open:
500/udp (IKE)
4500/udp (IKE/ESP NAT traversal)
1701/udp (L2TP)
Using IPTables
Configuring traffic forwarding rules
If you use a Linux box with iptables, you may already have a functioning configuration. However, this rule is required for traffic forwarding to work:
# the source network must match the "ip range" handed out by xl2tpd (192.168.254.0/24 in this guide)
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
Alternatively, define the VPN interface in /etc/network/interfaces and attach the iptables rules to its up/down events:
# VPN network (VLAN 1, port eth1)
auto eth1:1
iface eth1:1 inet static
    address 192.168.254.254
    netmask 255.255.255.0
    ### VPN forwarding for the L2TP-over-IPsec road warriors ###
    post-up iptables -t nat -A POSTROUTING -s '192.168.254.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.254.0/24' -o eth0 -j MASQUERADE
    ### Allow access to other internal networks without NAT (-I puts the rule before MASQUERADE) ###
    post-up iptables -t nat -I POSTROUTING -s '192.168.254.0/24' -d '192.192.0.0/22' -j ACCEPT
    post-down iptables -t nat -D POSTROUTING -s '192.168.254.0/24' -d '192.192.0.0/22' -j ACCEPT
Replace the IP addresses with those of your own configuration.
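The address-plan rules that the xl2tpd note and the MASQUERADE rules above depend on (client pool outside the local ip, pool and local ip inside the interface network, NAT source network covering the pool) can be checked with a script before the first client connects. The following is an added example and not part of the original guide: plain POSIX sh, with the sample xl2tpd.conf text and the 192.168.254.0/24 networks constructed to match this guide's values.

```shell
# Added example, not from the original guide: sanity-check the VPN address plan.
# Assumes "ip range = a-b" and "local ip = x" appear on single lines as in xl2tpd.conf.
# Dotted-quad IPv4 address -> 32-bit integer (subshell keeps the IFS change local).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# True when address $1 lies within the inclusive range $2 .. $3.
ip_in_range() {
    _ip=$(ip2int "$1"); _lo=$(ip2int "$2"); _hi=$(ip2int "$3")
    [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]
}

# True when address $1 belongs to CIDR network $2 (e.g. 192.168.254.0/24).
ip_in_cidr() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(( (0xffffffff << (32 - _bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# Value of the first "key = value" line for key $1 in config text $2.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Returns 0 when the plan is consistent, 1 otherwise (each failure is printed).
# $1 = xl2tpd.conf text, $2 = interface network, $3 = MASQUERADE source network.
check_address_plan() {
    _iface=$2; _nat=$3; _rc=0
    local_ip=$(conf_value 'local ip' "$1"); range=$(conf_value 'ip range' "$1")
    lo=${range%-*}; hi=${range#*-}
    if ip_in_range "$local_ip" "$lo" "$hi"; then
        echo "FAIL: local ip $local_ip lies inside ip range $range"; _rc=1
    fi
    for a in "$lo" "$hi"; do   # both ends of the pool must be routable and NATed
        ip_in_cidr "$a" "$_iface" || { echo "FAIL: $a is outside $_iface"; _rc=1; }
        ip_in_cidr "$a" "$_nat" || { echo "FAIL: $a is not covered by NAT source $_nat"; _rc=1; }
    done
    ip_in_cidr "$local_ip" "$_iface" || { echo "FAIL: local ip $local_ip is outside $_iface"; _rc=1; }
    return $_rc
}

# Constructed sample matching the guide's xl2tpd.conf [lns default] section.
SAMPLE_XL2TPD='[lns default]
ip range = 192.168.254.100-192.168.254.150
local ip = 192.168.254.254
assign ip = yes'
check_address_plan "$SAMPLE_XL2TPD" 192.168.254.0/24 192.168.254.0/24 && echo "address plan OK"
```

Running the same check with a MASQUERADE source of 192.168.248.0/24 reports both pool ends as not NATed, which is exactly the mismatch a mistyped subnet in the iptables rule produces.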
Traffic Forwarding
You may also have to enable traffic forwarding like this:
vi /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1