[Openswan Users] Ipsec can't encryption on L2TP tunnel

Riri Afnita ririafnita95 at gmail.com
Thu Jul 27 21:23:40 EDT 2017


Hi Samir. I'm Riri. I want to ask you about remote access VPN. I have these files:


/etc/ipsec.conf:


version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
   protostack=netkey
   dumpdir=/var/run/pluto/
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK
   authby=secret
   pfs=yes
   auto=start
   keyingtries=3
   ikelifetime=8h
   keylife=1h
   ike=aes256-sha1;modp1024!
   phase2alg=aes256-sha1;modp1024
   rekey=no
   type=tunnel
   left=%defaultroute
   # 103.19.208.244 is the public IP of the VPN server
   leftid=103.19.208.244
   leftsubnet=192.168.122.0/24
   right=%any
   rightprotoport=17/1701
   dpddelay=10
   dpdtimeout=90
   dpdaction=clear


/etc/ipsec.secrets:

include /etc/ipsec.d/*.secrets
103.19.208.244   %any:   PSK   "vpnku"

/etc/xl2tpd/xl2tpd.conf
[global]
listen-addr=103.19.208.244
ipsec saref = yes
force userspace = yes


[lns default]
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client   server   secret         IP addresses
lili      l2tpd   R1R11234567891234        *

Scenario:


The server (103.19.208.240) has 2 virtual servers running under KVM: a VPN
server and an FTP server. The VPN server uses a bridge from the host (bridge
br0, rctl setting with rctlxx; I forget the details, but I chose rctl), and for
the FTP server and the VPN server I chose virbr0. virbr0 provides DHCP for
private IPs on the network 192.168.122.0/24.

The client connects to the VPN server (103.19.208.244) from IP 103.19.208.243,
and then the VPN server gives IP 192.168.1.2 to the client. After connecting to
the VPN server, I will access 192.168.122.20/24 to get data from the FTP
server. An attacker will do passive sniffing to look at the FTP data with
Wireshark and port mirroring. The switch is a Cisco.

Problem:
1. How can I make my client (192.168.1.2/32) able to access the FTP server
(192.168.122.20/24)?

2. How can I make sure my FTP data can't be sniffed by the attacker when I
access FTP data?

I am using openswan-2.6.32-16.el6.i686.rpm.


The topology: [image attachment 1501108739829.jpg, not included here]
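As an added example (my code, not the poster's and not part of Openswan), the following parses the conn section quoted above and flags the proposal choices a reviewer would point at: modp1024 (listed as SHOULD NOT in RFC 8247) and sha1 (marked MUST-, i.e. on its way out). SAMPLE_CONF is constructed from the post, and which algorithm names count as weak is my assumption.

```python
"""Added example: audit Openswan ipsec.conf proposals; SAMPLE_CONF is constructed."""
import re

SAMPLE_CONF = """\
conn L2TP-PSK
   authby=secret
   ike=aes256-sha1;modp1024!
   phase2alg=aes256-sha1;modp1024
"""

# modp1024 (DH group 2) is SHOULD NOT in RFC 8247; sha1/md5 are being retired.
WEAK_GROUPS = {"modp768", "modp1024"}
WEAK_HASHES = {"md5", "sha1"}


def parse_conns(text):
    conns, current = {}, None          # {conn_name: {key: value}}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                # section header (conn/config)
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None  # skip 'config setup' options
            if current:
                conns[current] = {}
            continue
        if current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def audit_proposal(value):
    """Flag weak hash / DH group in 'aes256-sha1;modp1024[!]' style proposals."""
    findings = []
    for prop in value.rstrip("!").split(","):  # trailing '!' only means strict
        enc_auth, _, group = prop.partition(";")
        parts = enc_auth.split("-")
        if len(parts) > 1 and parts[1] in WEAK_HASHES:
            findings.append(f"weak hash {parts[1]}")
        if group in WEAK_GROUPS:
            findings.append(f"weak DH group {group}")
    return findings


def audit(text):
    report = {}                        # {conn_name: [finding, ...]}
    for name, opts in parse_conns(text).items():
        issues = []
        for key in ("ike", "phase2alg"):
            issues += [f"{key}: {f}" for f in audit_proposal(opts.get(key, ""))]
        report[name] = issues
    return report
```

Running audit(SAMPLE_CONF) lists the weak hash and DH group for both the IKE and the phase 2 proposal; a proposal such as aes256-sha2_256;modp2048 produces no findings.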