[Openswan Users] L2TP/IPsec
Giovani Moda - MR Informática
giovani at mrinformatica.com.br
Tue Aug 30 18:55:19 CEST 2005
I just finished an l2tp/ipsec configuration on a Fedora Core 2 (kernel
2.6.10-1.771_FC2 recompiled with KLIPS and NAT-T patch), openswan-2.4.0rc4
and l2tpd rpm from Jacco.
The IPSEC part went just fine, with both PSK and x509 certs. No problem at
all there. I was having some problem with stalls in the tunnel when
transferring large amounts of data. As Paul mentioned before, after lowering
MTU to 500 and MRU to 1410 in options.l2tp, everything seems to work fine.
Currently I'm using XP SP2 IPSEC/L2TP and pap-secrets. Why? Because I'm
authenticating users through pam in a Samba PDC server, and AFAIK
chap-secrets won't work due to the encrypted password database of samba.
It's not the way I want it yet, I want to use chap-secrets, so I'm trying to
use ppp-2.4.3 and winbind plugin. So far I've had no luck. I get a strange
error when trying to authenticate through winbind, and I can't find any
reference to it anywhere. I'll keep digging. If anyone had any luck with
that, please, show me the way!
So far it's only running inside my local network. I'll run some stability
tests now, and later I'll test it in a real scenario (public ips, firewall
rules, NATed XP and everything else). One problem I have already noticed
when using Arno's Iptables Firewall is that after establishing the L2TP
connection, it complains that the IP from ppp0 is being spoofed, and drops
it. I had to comment out this rule from the script in order to test
it. Does anyone have a better suggestion of firewall for this specific
configuration?
In my tests, the VPN server is 192.168.1.4 with internal net 192.168.0.0/24.
L2TPD listens on internal interface 192.168.0.100. The XP client is
192.168.1.173.
Below is my configuration. Check it out:
ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        klipsdebug=none
        plutodebug=none
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/24,%v4
conn %default
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn inet-XP
        type=transport
        pfs=no
        left=192.168.1.4
        leftcert=gateway.pem
        leftprotoport=17/1701
        leftsendcert=yes
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=1
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----------------------------------------------------------------------------------------------------------------------------
options.l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.0.100
ms-wins 192.168.0.100
auth
crtscts
idle 1800
mtu 500
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
require-pap
refuse-chap
refuse-mschap
require-mschap-v2
noccp
nobsdcomp
logfile /var/log/l2tpd.log
#plugin winbind.so
#ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
----------------------------------------------------------------------------------------------------------------------------
l2tpd.conf
[global]
listen-addr = 192.168.0.100
[lns default]
ip range = 192.168.0.128-192.168.0.254
local ip = 192.168.0.120
require chap = yes
refuse pap = yes
require authentication = yes
name = MRVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
---------------------------------------------------------------------------------------------------------
pap-secrets
# Secrets for authentication using PAP
# client server secret IP addresses
* * "" 192.168.0.0/24
----------------------------------------------------------------------------------------------------------
/etc/pam.d/ppp
#%PAM-1.0
auth required pam_securetty.so
auth required pam_smb_auth.so debug
auth required pam_nologin.so
Cheers,
Giovani
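A consistency check for the configuration above, added here as an example (it is not part of Giovani's post, nor Openswan or l2tpd code). It parses ipsec.conf, the pppd options file and l2tpd.conf plus pap-secrets, and reports where they contradict each other: pppd told to both require and refuse an auth protocol, or to require more than one; l2tpd.conf require/refuse flags that disagree with the pppd options file; an L2TP conn that is not transport mode or not pinned to UDP/1701 on both ends; and an empty pap-secrets secret without pppd's 'login' option, which pppd(8) documents as matching any password supplied by the peer. The sample inputs are constructed, abridged copies of the files above. Two assumptions: that l2tpd hands its per-LNS "require/refuse pap|chap" settings on to pppd, and that /etc/ppp/options (not shown in the post, and possibly carrying 'login') is not inspected.

```python
"""Consistency checks across the files of an L2TP/IPsec server: ipsec.conf,
the pppd options file, l2tpd.conf and pap-secrets.  Added example; the
sample inputs below are constructed from the configuration in the post."""
import configparser
import shlex

# Constructed samples (abridged). ipsec.conf parameters are indented because
# ipsec.conf(5) treats any line starting in column 1 as a new section.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
    nat_traversal=yes
conn inet-XP
    type=transport
    left=192.168.1.4
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
"""
SAMPLE_PPP_OPTIONS = "auth\nrequire-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\n"
SAMPLE_L2TPD_CONF = "[lns default]\nrequire chap = yes\nrefuse pap = yes\n"
SAMPLE_PAP_SECRETS = '# client server secret IP addresses\n* * "" 192.168.0.0/24\n'
PPP_PROTOS = ("pap", "chap", "mschap", "mschap-v2")


def parse_ipsec_conf(text):
    """Sections ("config setup", "conn x") start in column 1; their key=value
    parameters are the indented lines that follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = None if kind in ("version", "include") else \
                sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def parse_ppp_options(text):
    """pppd options file: one option per line, optional argument after it."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    pairs = (l.partition(" ") for l in lines if l)
    return {name: arg.strip() for name, _, arg in pairs}


def parse_l2tpd_conf(text):
    """l2tpd.conf is INI-style; keys may contain spaces ("require chap")."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def lint(ipsec_text, ppp_text, l2tpd_text, pap_text):
    """Return a list of (severity, code, message) findings."""
    out, ipsec, ppp = [], parse_ipsec_conf(ipsec_text), parse_ppp_options(ppp_text)
    # 1. A conn carrying L2TP must be transport mode and pinned to UDP/1701 on
    #    both ends, so the IPsec SA cannot carry anything but L2TP.
    for name, p in ipsec.items():
        ports = {p.get("leftprotoport"), p.get("rightprotoport")}
        if not name.startswith("conn ") or "17/1701" not in ports:
            continue
        if ports != {"17/1701"}:
            out.append(("error", "PROTOPORT", f"{name}: need leftprotoport=rightprotoport=17/1701"))
        if p.get("type", "tunnel") != "transport":
            out.append(("error", "NOT_TRANSPORT", f"{name}: L2TP/IPsec needs type=transport"))
    # 2. Authentication demands inside the pppd options file.
    if "auth" not in ppp:
        out.append(("error", "NO_AUTH", "pppd options: 'auth' missing, peer never authenticated"))
    required = [x for x in PPP_PROTOS if f"require-{x}" in ppp]
    for x in required:
        if f"refuse-{x}" in ppp:
            out.append(("error", "REQUIRE_AND_REFUSE", f"pppd options: require-{x} and refuse-{x}"))
    if len(required) > 1:
        out.append(("warn", "MULTIPLE_REQUIRE", "pppd options: require-" + ", require-".join(required) + "; choose one"))
    # 3. l2tpd hands its per-LNS require/refuse pap|chap flags to pppd as well
    #    (assumed here), so they must agree with the options file.
    for section, p in parse_l2tpd_conf(l2tpd_text).items():
        if not section.startswith("lns "):
            continue
        for x in ("pap", "chap"):
            if p.get(f"refuse {x}") == "yes" and f"require-{x}" in ppp:
                out.append(("error", "L2TPD_VS_PPP", f"[{section}] refuse {x} = yes but pppd require-{x}"))
            if p.get(f"require {x}") == "yes" and f"refuse-{x}" in ppp:
                out.append(("error", "L2TPD_VS_PPP", f"[{section}] require {x} = yes but pppd refuse-{x}"))
    # 4. pppd(8): an empty pap-secrets secret matches any password and is meant
    #    to go with 'login' (system/PAM check). Only the given files are read;
    #    /etc/ppp/options, not shown in the post, may also set 'login'.
    for raw in pap_text.splitlines():
        f = shlex.split(raw, comments=True)  # client server secret [addresses]
        if len(f) >= 3 and f[2] == "" and "login" not in ppp:
            out.append(("error", "EMPTY_SECRET", f"pap-secrets '{f[0]} {f[1]}': empty secret without pppd 'login'"))
    return out


if __name__ == "__main__":
    for sev, code, msg in lint(SAMPLE_IPSEC_CONF, SAMPLE_PPP_OPTIONS, SAMPLE_L2TPD_CONF, SAMPLE_PAP_SECRETS):
        print(f"{sev.upper():5} {code}: {msg}")
```

On the sample files it reports that require-pap and require-mschap-v2 are both set, the two places where l2tpd.conf ("require chap", "refuse pap") contradicts the pppd options file, and the empty pap-secrets secret; the IPsec conn itself passes. To use it on a live box, read the real files and pass their contents to lint(); the pppd file to check is the one named by pppoptfile in l2tpd.conf.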