[Openswan Users] L2TP/IPsec

Giovani Moda - MR Informática giovani at mrinformatica.com.br
Tue Aug 30 18:55:19 CEST 2005


I just finished an l2tp/ipsec configuration on a Fedora Core 2 (kernel 
2.6.10-1.771_FC2 recompiled with KLIPS and the NAT-T patch), openswan-2.4.0rc4 
and the l2tpd rpm from Jacco.

The IPSEC part went just fine, with both PSK and x509 certs. No problem at 
all there. I was having some problem with stalls in the tunnel when 
transferring large amounts of data. As Paul mentioned before, after lowering 
MTU to 500 and MRU to 1410 in options.l2tp, everything seems to work fine.

Currently I'm using XP SP2 IPSEC/L2TP and pap-secrets. Why? Because I'm 
authenticating users through pam in a Samba PDC server, and AFAIK 
chap-secrets won't work due to the encrypted password database of samba. 
It's not the way I want it yet, I want to use chap-secrets, so I'm trying to 
use ppp-2.4.3 and the winbind plugin. So far I had no luck. I get a strange 
error when trying to authenticate through winbind, and I can't find any 
reference to it anywhere. I'll keep digging. If anyone has had any luck with 
that, please, show me the way!

So far it's only running inside my local network. I'll run some stability 
tests now, and later I'll test it in a real scenario (public ips, firewall 
rules, NATed XP and everything else). One problem I have already noticed 
when using Arno's Iptables Firewall is that after establishing the L2TP 
connection, it complains that the IP from ppp0 is being spoofed, and drops 
it. I had to comment out this rule from the script in order to test 
it. Does anyone have a better firewall suggestion for this specific 
configuration?

In my tests, the VPN server is 192.168.1.4 with internal net 192.168.0.0/24. 
L2TPD listens on the internal interface 192.168.0.100. The XP client is 
192.168.1.173.

Below is my configuration. Check it out:

ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        klipsdebug=none
        plutodebug=none
        # KLIPS virtual device ipsec0 attached to eth0 (the kernel described
        # above was rebuilt with KLIPS)
        interfaces="ipsec0=eth0"
        # NAT-T negotiation, needed once the XP client sits behind NAT
        nat_traversal=yes
        # a new connection from an identity that is already connected replaces
        # the old one
        uniqueids=yes
        # private ranges a NAT-ed peer may present as its inner address; the
        # gateway's own 192.168.0.0/24 is excluded so a peer cannot claim a LAN
        # address. NOTE(review): the trailing ",%v4" looks cut off by the mail
        # wrap -- check the file on disk for the complete value.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/24,%v4

# defaults inherited by every conn below
conn %default
        # request IPComp compression inside the tunnel
        compress=yes
        disablearrivalcheck=no
        # both ends authenticate with RSA signatures; the keys are taken from
        # the X.509 certificates
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# L2TP/IPsec for the Windows XP clients
conn inet-XP
        # transport mode: IPsec protects only the L2TP UDP traffic between the
        # two hosts, no inner IP header
        type=transport
        # no Perfect Forward Secrecy on Phase 2 rekeys -- a security trade-off,
        # presumably for client interoperability; confirm the XP clients need it
        pfs=no
        left=192.168.1.4
        # gateway certificate presented to the client
        leftcert=gateway.pem
        # policy limited to UDP/1701 (L2TP) on both sides
        leftprotoport=17/1701
        leftsendcert=yes
        # any peer address; with %cert above and no rightid/rightca, presumably
        # any certificate chaining to a trusted CA is accepted, so the set of
        # trusted CAs decides who may connect
        right=%any
        rightprotoport=17/1701
        # load the conn but wait for the client to initiate
        auto=add
        keyingtries=1

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----------------------------------------------------------------------------------------------------------------------------

options.l2tp

# accept the peer's proposal for both the local and the remote IPCP address
ipcp-accept-local
ipcp-accept-remote
# DNS/WINS handed to the Windows client; both point at the L2TP listen address
ms-dns 192.168.0.100
ms-wins 192.168.0.100
# the peer must authenticate before network traffic is allowed
auth
crtscts
# drop the link after 30 minutes without traffic
idle 1800
# lowered from the defaults to stop the stalls on large transfers described above
mtu 500
mru 1410
nodefaultroute
# verbose negotiation logging -- the logfile below then records every LCP/IPCP
# exchange; keep it readable by root only and turn it off once the setup is stable
debug
lock
# answer ARP for the assigned client address so it appears as a host on the LAN
proxyarp
connect-delay 5000
# authentication policy. NOTE(review): require-pap and require-mschap-v2 are
# both set, so pppd may end up negotiating either; the poster reports PAP is
# what is in use. l2tpd.conf below says "require chap = yes" / "refuse pap = yes",
# which contradicts this block -- confirm which setting actually wins.
require-pap
refuse-chap
refuse-mschap
require-mschap-v2
# no Compression Control Protocol / BSD-Compress on the PPP link
noccp
nobsdcomp
logfile /var/log/l2tpd.log
# winbind-based MS-CHAPv2 against the Samba PDC (not working yet, see the note above)
#plugin winbind.so
#ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

----------------------------------------------------------------------------------------------------------------------------
l2tpd.conf

[global]
; bind the L2TP listener to the internal interface only
listen-addr = 192.168.0.100

[lns default]
; pool handed out to clients; the local end below is outside the pool
ip range = 192.168.0.128-192.168.0.254
local ip = 192.168.0.120
; NOTE(review): this says CHAP only, while options.l2tp above says
; require-pap / refuse-chap -- one of the two is being overridden; confirm
; the effective policy, since the poster reports PAP is in use
require chap = yes
refuse pap = yes
require authentication = yes
name = MRVPN
ppp debug = yes
; NOTE(review): the pppd options file is named options.l2tpd here but the
; listing above is headed options.l2tp -- make sure they are the same file
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

---------------------------------------------------------------------------------------------------------
pap-secrets

# Secrets for authentication using PAP
# client        server  secret                  IP addresses
# NOTE(review): client "*" with secret "" is the wildcard form pppd uses when the
# password is checked elsewhere (its "login" option hands the check to the
# system / PAM). "login" does not appear in the posted options.l2tp; without it
# pppd treats an empty secret as matching any password, so confirm how the PAM
# check is actually wired in before exposing this to the Internet. The last
# column only restricts which addresses the authenticated peer may be given.
*               *       ""                      192.168.0.0/24

----------------------------------------------------------------------------------------------------------
/etc/pam.d/ppp

#%PAM-1.0
# PAM stack for pppd's "ppp" service; only an auth stack is defined here, no
# account or session lines.
# NOTE(review): pam_securetty checks the tty against /etc/securetty; pppd has no
# real terminal here, so confirm this line does not pass or fail for the wrong reason.
auth       required     pam_securetty.so
# the actual credential check against the Samba PDC; "debug" adds verbose syslog output
auth       required     pam_smb_auth.so debug
# refuse logins while /etc/nologin exists
auth       required     pam_nologin.so

Cheers,

Giovani 


