Set up the simplest VPN system in Linux

Source: Internet
Author: User
Tags: secure, vpn

This article is based on a real deployment at our company, but with minor changes it can be applied in many other settings. The system has been running for two months and has proved to be safe, reliable and stable.

Our company is located in Beijing, but the main equipment is housed in a large Nanjing Telecom IDC, behind two of our PIX 525UR firewalls (with failover) that enforce strict access control. To support mobile staff, business trips and employees working from home, we decided to build a VPN system: users with the appropriate permissions connect from their own PCs to the company's VPN server through an encrypted tunnel supporting MPPE128, and the VPN server then forwards their traffic to our application network in the Nanjing IDC over a second, IPsec-based VPN tunnel. This gives all of the company's applications both security and convenience.

1. Hardware resources:
   one server
   one PIX 525UR firewall
2. Software resources:
   Mandrake 9.2
   kernelmod
   pptpd
   Super-freeswan
   iptables
   one public IP address

Note: after testing several Linux distributions (including Red Hat, SuSE, Mandrake and Astaro), I found Mandrake to be the simplest and safest platform.

The installation process is as follows:
1. Operating system installation:
There are no special requirements for the installation itself. When choosing components, select nothing except the development tools, mainly for security reasons.

2. Install kernelmod:
tar zxvf kernelmod-0.7.1.tar.gz
cd kernelmod
./kernelmod.sh

3. Install pptpd:
① Upgrade ppp
rpm -Uvh ppp-2.4.2-0.1b3.i386.rpm
② Install pptpd
rpm -ivh pptpd-1.1.4-1b4.fr.i386.rpm

4. Install Super-freeswan:
rpm -ivh super-freeswan-1.99.8-8.2.100mdk.i586.rpm

5. Upgrade iptables:
rpm -Uvh iptables-1.2.8-12.i386.rpm

The installation is now complete.
Note: all of the above packages can be found on rpmfind.net.

The following is the main configuration process:

1. Operating system configuration:
① Upgrade openssh
② Disable unneeded services (sendmail, isdn, ...)
③ Edit /etc/sysctl.conf and change:
net.ipv4.ip_forward = 0 => 1
net.ipv4.conf.default.rp_filter = 1 => 0

2. PIX configuration (VPN part):
access-list inside_outbound_nat0_acl permit ip "Nanjing IP segment" 255.255.255.0 "company VPN user IP segment" 255.255.255.0
access-list outside_cryptomap_20 permit ip "Nanjing IP segment" 255.255.255.0 "company VPN user IP segment" 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer "IP address of the VPN Server"
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key "password" address "VPN Server IP" netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

3. PPTP configuration
① /etc/pptpd.conf
speed 115200
option /etc/ppp/options
localip "company VPN user gateway (for example, 10.0.1.1)"
remoteip "company VPN user IP segment (for example, 10.0.1.200-250)"

② /etc/ppp/chap-secrets
# username    server            password    IP assigned to this user (one address from the remoteip range)
"username"    "VPN Server IP"   "password"  10.0.1.20X
③ /etc/ppp/options
lock
name "IP address of the VPN Server"
mtu 1490
mru 1490
proxyarp
auth
-chap
-mschap
+mschap-v2
require-mppe
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
ms-dns "DNS server address"
deflate 0

4. Super-freeswan configuration
① /etc/freeswan/ipsec.conf

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    #leftrsasigkey=%dnsondemand
    #rightrsasigkey=%dnsondemand

conn pix
    left="IP address of the VPN Server"
    leftnexthop="VPN Server gateway"
    leftsubnet="company VPN user IP segment (for example, 10.0.1.0/24)"
    right="Nanjing PIX525UR IP address"
    rightnexthop=%direct
    rightsubnet="Nanjing IP segment"
    authby=secret
    pfs=no
    auto=start

② /etc/freeswan/ipsec.secrets
"VPN Server IP" "Nanjing PIX525UR IP": PSK "password"

5. iptables configuration (sample) to restrict the access permissions of VPN users:
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.201/32 -d "Nanjing IP segment" -j MASQUERADE

service iptables save

Notes:
1. To add a user, add the username and password to /etc/ppp/chap-secrets.
2. Edit the iptables rules to match that user's access permissions.
3. If the company router has an access-list, add:
permit 47 any host 219.238.213.244
4. Check whether the IPsec service started successfully:
ipsec verify
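As an added example (not from the original article), the following script automates what section 5 and notes 1 and 2 describe: it reads the static tunnel IP assigned to each user in /etc/ppp/chap-secrets, pairs it with a small per-user destination allow-list, and prints the iptables rules that let each user reach only their permitted destination. The allow-list file format, the usernames and the destination networks are constructed sample values and assumptions of this example; the server address is the VPN server's address from note 3.

```shell
#!/bin/sh
# Added example, not from the original article: generate per-user iptables
# rules from the static tunnel IP that /etc/ppp/chap-secrets assigns to each
# PPTP user. The "user destination" allow-list format is an assumption of this
# example; all addresses below are constructed sample values.

# Write constructed sample inputs: a chap-secrets file in pptpd's format
# (client server secret IP; server = the VPN server address from note 3) and
# a per-user allow-list, with 192.0.2.0/24 standing in for the Nanjing segment.
write_samples() {  # $1=chap-secrets path $2=allow-list path
    cat > "$1" <<'EOF'
# client   server            secret     IP address
alice      219.238.213.244   "s3cret"   10.0.1.201
bob        219.238.213.244   "p4ss"     10.0.1.202
EOF
    cat > "$2" <<'EOF'
# user   allowed destination (placeholder for the Nanjing IP segment)
alice    192.0.2.0/24
bob      192.0.2.10/32
EOF
}

# Rules for one user: forward only to the permitted destination, masquerade
# that traffic out of eth0 (as in section 5), and drop everything else.
rules_for() {  # $1=user $2=tunnel IP $3=allowed destination
    printf 'iptables -A FORWARD -i ppp+ -s %s/32 -d %s -j ACCEPT\n' "$2" "$3"
    printf 'iptables -t nat -A POSTROUTING -o eth0 -s %s/32 -d %s -j MASQUERADE\n' "$2" "$3"
    printf 'iptables -A FORWARD -i ppp+ -s %s/32 -j DROP  # %s\n' "$2" "$1"
}

# Join chap-secrets with the allow-list and print the complete rule set.
# A user with no allow-list entry gets no rules at all.
gen_rules() {  # $1=chap-secrets path $2=allow-list path
    grep -v '^#' "$1" | while read -r user _server _secret ip; do
        [ -n "$user" ] || continue
        dest=$(awk -v u="$user" '$1 == u { print $2 }' "$2")
        [ -n "$dest" ] || continue
        rules_for "$user" "$ip" "$dest"
    done
}

if [ "$#" -eq 2 ]; then      # real files given on the command line
    gen_rules "$1" "$2"
else                         # no arguments: demonstrate on the sample files
    tmp=$(mktemp -d)
    write_samples "$tmp/chap-secrets" "$tmp/allow"
    gen_rules "$tmp/chap-secrets" "$tmp/allow"
    rm -rf "$tmp"
fi
```

Run the printed rules after setting the FORWARD chain's default policy, then keep them with `service iptables save` as the article does.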
