Gentoo Wiki

HOWTO StrongSwan VPN using FreeRadius / Active Directory


Note - Please read :)

I am hugely new to this, so while I try to figure out how to write a wiki, this page might look a bit choppy :)

The original and most up to date version of this howto exists at http://sqls.net/?s=article&id=6


Introduction

In this HOWTO you will learn how to configure an L2TP/IPSEC VPN on Gentoo Linux using X.509 certificates, authenticating username/password pairs against Active Directory through a RADIUS server. I have tried to break each product out into its own section, along with each possible configuration, so you can take from this the pieces you actually need. I've used the most basic and minimal configuration of each product: just enough to get you -working-. Please take time to read through the documentation provided with each tool so you can be sure your servers are set up the way you need them to be.

What software is being used here?

Task        Package                          Version
OS          Gentoo Linux kernel              2.6.21
PPP         Samba PPP                        2.4.4-r9
PPTP        POPTOP                           1.3.4
L2TP        XL2TPD                           1.1.10
IPSEC       StrongS/WAN                      2.8.4
X.509       OpenSSL                          0.9.8e-r1
SMB/CIFS    Samba                            3.0.24-r3
Kerberos    MIT Kerberos V                   1.5.3
RADIUS      Freeradius                       1.1.6
AD Server   Microsoft Windows 2003 Server
Clients     Microsoft Windows Vista/XP

Prerequisites

You need the PPP daemon installed. It is required for every configuration here. It is quick and simple to install, and we can have some instant gratification from having accomplished something!

# emerge ppp

okay you're done :)

Setup One - PPTP/PPP

If you don't want to use PPTP you can skip right to the next section. This is the most basic VPN setup. There are pros and cons you can read about elsewhere on the internet. I used this as a stepping stone to the more advanced VPN configurations that we will cover in later sections. First install poptop, which can be emerged on Gentoo easily.

emerge pptpd

rc-update add pptpd default


You need to edit the /etc/pptpd.conf file to suit your environment. Set localip to the IP address your machine will use to communicate with the clients. It can be your local IP or another IP not currently assigned on your box. I believe it does need to be on the same subnet that is assigned to the VPN clients. Change remoteip to the range that will be handed out to the clients.

You can review /etc/ppp/options.pptpd, which holds the options that PPP will use when called by POPTOP. I don't think :) I had to change anything, but I am finishing up this document a bit later on.

You need to edit the file /etc/ppp/chap-secrets and add users.

You can use the format below, which allows the user joebob to connect to any pptpd server and be assigned any IP from the pptpd pool.

joebob * "password" *


You can have -this- configuration authenticate via radius! Just jump down to the section on configuring PPP and Radius.


Setup Two - L2TP/IPSEC-PSK/PPP

This setup gives you an added layer of security over PPTP. Each user is given a PSK (one shared key for all VPN users) that they will use to connect at the L2TP/IPSEC layer; they still use their own username/password to connect at the PPP layer. This is a pretty good setup that is easily managed and provides good security. The pros and cons both come from the fact that we are using one PSK for all VPN users. If it's just you and a friend connecting, that is probably just fine. If you have a company with 500 employees and one quits, do you reconfigure the other 499 employees with a new PSK, or are you happy that, since his user account is disabled, he wouldn't make it past the PPP layer? That's up to you to decide. Most small groups like this option, while larger companies choose X.509 certificates, which will be covered in the next step. Even if you plan to use X.509 certificates you need to follow this section to get the foundation working.

You need to install xl2tpd, strongswan, and PPP. Assuming you already installed PPP as described in the Prerequisites, you should only need xl2tpd and strongswan, which can easily be emerged on a Gentoo system. You could probably use OpenSwan if you preferred. I toyed with both back and forth and their configuration files are almost identical.

emerge -va xl2tpd strongswan

rc-update add xl2tpd default

rc-update add ipsec default


The configuration files below use the following addresses, on a 16-bit (/16) network:

10.0.25.2-254 = VPN client IP range
10.0.25.1 = IP used by the VPN server to talk to clients
10.0.0.4 = Local DNS server
65.212.2.93 = VPN server's EXTERNAL IP address
65.212.2.89 = VPN server's default gateway


You can read the man page for xl2tpd for more details on its configuration, but here's an example. My /etc/xl2tpd/xl2tpd.conf:

[global]
port = 1701
[lns default]
ip range = 10.0.25.2-254
local ip = 10.0.25.1
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

The ip range is the range that will be assigned to VPN clients, and the local ip is the IP that will be used by the VPN machine to communicate with the clients. This does not have to be the same IP the VPN server uses for any of its physical interfaces.

And my /etc/ppp/options.l2tpd; you can read the man page for pppd for more details on these options. These options will be used by pppd when called by xl2tpd.

ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.4
noccp
auth
crtscts
idle 1800
mtu 1500
mru 1500
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
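As an added example (not part of the original HOWTO), here is a small Python audit that parses the two files just shown and checks the settings the text relies on: that the LNS requires CHAP and refuses PAP, that the local ip sits outside the client pool but on its subnet, and that pppd requires authentication with MS-CHAPv2. The sample configs embedded in it are constructed from this page's values; the subnet check assumes a /24 for the pool.

```python
import ipaddress

# Constructed sample inputs mirroring the HOWTO's xl2tpd.conf and options.l2tpd.
XL2TPD_CONF = """[global]
[lns default]
ip range = 10.0.25.2-254
local ip = 10.0.25.1
require chap = yes
refuse pap = yes
require authentication = yes
"""
PPP_OPTIONS = "ipcp-accept-local\nms-dns 10.0.0.4\nauth\n+mschap-v2\nnodefaultroute\n"

def parse_xl2tpd(text):
    """Parse xl2tpd.conf into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = val
    return sections

def expand_range(spec):
    """Expand xl2tpd's 'a.b.c.x-y' shorthand (last octet only) or 'a.b.c.x-a.b.c.y'."""
    lo, hi = spec.split("-")
    if "." not in hi:
        hi = lo.rsplit(".", 1)[0] + "." + hi
    first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}

def audit_l2tp(xl2tpd_text, ppp_text):
    """Return a list of findings; an empty list means the settings match what the HOWTO intends."""
    lns = parse_xl2tpd(xl2tpd_text).get("lns default", {})
    wanted = ("require chap", "refuse pap", "require authentication")
    findings = [f"xl2tpd: '{k}' should be yes" for k in wanted if lns.get(k, "").lower() != "yes"]
    pool = expand_range(lns["ip range"])
    local = ipaddress.IPv4Address(lns["local ip"])
    subnet = ipaddress.ip_network(f"{local}/24", strict=False)  # assumed /24 for the pool
    if local in pool or not all(a in subnet for a in pool):
        findings.append("xl2tpd: local ip must be outside the client pool but on its /24")
    opts = {l.split()[0] for l in ppp_text.splitlines() if l.strip()}  # pppd option names
    if "auth" not in opts or "noauth" in opts:
        findings.append("pppd: peer authentication must be required ('auth', no 'noauth')")
    if "+mschap-v2" not in opts:
        findings.append("pppd: +mschap-v2 is not enabled")
    return findings
```

Run it against your real files with open(...).read() in place of the constructed strings; a non-empty list tells you which of the HOWTO's settings has drifted.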

/etc/ppp/chap-secrets needs to look a little different for the xl2tpd PSK setup. Two lines for each user.

joebob * "password" *


My /etc/ipsec/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        plutodebug=none
        interfaces=%defaultroute
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no
        authby=secret
        pfs=no
        type=tunnel
        left=65.212.2.93
        leftnexthop=65.212.2.89
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

Now we need a PSK! That goes in /etc/ipsec/ipsec.secrets:

65.212.2.93 %any: PSK "thisismypsk"


You can have -this- configuration authenticate via radius! Just jump down to the section on configuring PPP and Radius.


Setup Three - L2TP/IPSEC-X.509/PPP

All we are doing now is taking the work completed in [Setup Two] and moving to X.509 certificates. So the first thing we need is OpenSSL.

impasse ipsec # emerge openssl -va

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] dev-libs/openssl-0.9.8e-r1  USE="bindist sse2 zlib -emacs -test" 0 kB



Option - PPP/RADIUS

Sub-Sect A - PPTPD

To configure PPTPD for Radius you need to

Sub-Sect B - XL2TPD

To configure XL2TPD for Radius you need to


Option - RADIUS/AD

Retrieved from "http://www.gentoo-wiki.info/HOWTO_StrongSwan_VPN_using_FreeRadius_/_Active_Directory"

Last modified: Thu, 04 Sep 2008 04:13:00 +0000