Set up the simplest VPN System in linux

Source: Internet
Author: User
Tags: secure vpn
The following is a detailed description. This article is based on the actual deployment at our company, but it can be applied in many other places with slight modification. The system has been running for two months and has proved to be safe, reliable, and stable.

My company is located in Beijing, but the main equipment is in a major IDC of Nanjing Telecom. Two of our PIX 525UR firewalls are there (with failover) and implement strict access control. To support the company's mobile staff, business trips, and staff working at home, we had the idea of building a VPN system: users with the corresponding permissions connect from their personal PC to the company's VPN server through an encrypted tunnel using MPPE128, and the VPN server then forwards the data to the company's application network in the Nanjing IDC over an IPsec-based VPN tunnel. This meets all of the company's application requirements securely and conveniently.

1. Hardware resources:

One server

One PIX 525UR firewall

2. Software resources:

Mandrake 9.2

kernelmod

pptpd

Super-freeswan

iptables

A public IP address

Note: After I tested several Linux systems (including Red Hat, SuSE, Mandrake, and Astaro), I feel that Mandrake is the simplest and safest platform.



The installation process is as follows:



1. Operating System installation:

There are no special requirements for the installation process. When selecting components, install nothing beyond the development tools, mainly for security reasons.

2. Install kernelmod:

tar zxvf kernelmod-0.7.1.tar.gz

cd kernelmod

./kernelmod.sh

3. Install pptpd:

① Upgrade ppp

rpm -Uvh ppp-2.4.2-0.1b3.i386.rpm

② Install pptpd

rpm -ivh pptpd-1.1.4-1b4.fr.i386.rpm

4. Install Super-freeswan:

rpm -ivh super-freeswan-1.99.8-8.2.100mdk.i586.rpm

5. Upgrade iptables

rpm -Uvh iptables-1.2.8-12.i386.rpm

The installation process is now complete.

Note: All of the above packages can be found on rpmfind.net.

The following is the main configuration process:



1. Operating System Configuration:

① Upgrade openssh

② Disable unwanted services (sendmail, isdn, ...)

③ Edit /etc/sysctl.conf and change the following two settings (the VPN server must forward packets, and reverse-path filtering must be off for the IPsec interface to work):

net.ipv4.ip_forward = 0 => 1

net.ipv4.conf.default.rp_filter = 1 => 0

2. Pix configuration file (VPN part ):

access-list inside_outbound_nat0_acl permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
access-list outside_cryptomap_20 permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer "IP address of the VPN Server"
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key "password" address "VPN Server IP" netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

3. PPtP Configuration

① /etc/pptpd.conf

speed 115200
option /etc/ppp/options
localip "company VPN user gateway (for example, 10.0.1.1)"
remoteip "IP segment of the company VPN users (for example, 10.0.1.200-250)"

② /etc/ppp/chap-secrets (one line per user; the last field is the address assigned to that user, taken from the remoteip range above)

"user name" "VPN Server IP" "password" 10.0.1.20X

③ /etc/ppp/options (only MS-CHAPv2 is accepted and MPPE is mandatory, so a client that cannot encrypt is refused)

lock
name "IP address of the VPN Server"
mtu 1490
mru 1490
proxyarp
auth
-chap
-mschap
+mschap-v2
require-mppe
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
ms-dns X.X
deflate 0
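The value of the options file above lies in three lines: auth, the single accepted authentication method (+mschap-v2 with -chap and -mschap) and require-mppe. The script below is an added example, not part of the original article or of the pppd project: it parses a pppd options file and reports any setting that weakens those three guarantees. SAMPLE_OPTIONS is a constructed copy of the article's /etc/ppp/options; the addresses 203.0.113.10 and 10.0.1.1 filled into it are assumptions.

```python
"""Audit a pppd options file for the PPTP hardening the article relies on.

Added example, not from the original article: checks that the peer must
authenticate, that only MS-CHAPv2 is accepted, and that MPPE is mandatory.
"""

# Constructed sample mirroring the article's /etc/ppp/options; the two
# addresses are placeholders, not values from the article.
SAMPLE_OPTIONS = """\
lock
name 203.0.113.10
mtu 1490
mru 1490
proxyarp
auth
-chap
-mschap
+mschap-v2
require-mppe
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
ms-dns 10.0.1.1
deflate 0
"""

# pppd accepts short (+chap) and long (require-chap) spellings; both are listed.
WEAK_AUTH = {"+pap", "require-pap", "+chap", "require-chap", "+mschap", "require-mschap"}
STRONG_AUTH = {"+mschap-v2", "require-mschap-v2"}
MPPE_WEAKENED = {"require-mppe-40", "nomppe"}


def parse_options(text):
    """Return (keyword, argument-or-None) pairs, ignoring comments and blank lines."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.append((parts[0], parts[1] if len(parts) > 1 else None))
    return opts


def audit_options(text):
    """Return a list of findings; an empty list means the file passes."""
    keywords = {kw for kw, _ in parse_options(text)}
    findings = []
    if "auth" not in keywords or "noauth" in keywords:
        findings.append("peer authentication is not required ('auth' missing or 'noauth' set)")
    if not keywords & STRONG_AUTH:
        findings.append("MS-CHAPv2 is not required (+mschap-v2 / require-mschap-v2)")
    for weak in sorted(keywords & WEAK_AUTH):
        findings.append(f"weaker authentication method enabled: {weak}")
    if "require-mppe-128" in keywords:
        pass  # 128-bit MPPE is mandatory, matching the MPPE128 goal
    elif "require-mppe" in keywords:
        findings.append("require-mppe also accepts 40-bit MPPE; use require-mppe-128 for the MPPE128 goal")
    else:
        findings.append("MPPE is not mandatory (require-mppe-128 missing)")
    for weak in sorted(keywords & MPPE_WEAKENED):
        findings.append(f"encryption weakened: {weak}")
    return findings


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OPTIONS) or ["options file passes the audit"]:
        print(finding)
```

Run against the article's own settings the audit raises a single advisory: require-mppe alone still allows a 40-bit session, so require-mppe-128 is the setting that actually enforces the MPPE128 goal stated in the introduction.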

4. Super-freeswan Configuration

① /etc/freeswan/ipsec.conf

# basic configuration
config setup
    # This setting must be correct or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    #leftrsasigkey=%dnsondemand
    #rightrsasigkey=%dnsondemand

conn pix
    left="IP address of the VPN Server"
    leftnexthop="VPN Server gateway"
    leftsubnet="IP segment of the company VPN users (for example, 10.0.1.0/24)"
    right="Nanjing PIX525UR IP address"
    rightnexthop=%direct
    rightsubnet="Nanjing IP segment"
    authby=secret
    pfs=no
    auto=start

② /etc/freeswan/ipsec.secrets

"VPN Server IP" "Nanjing PIX525UR IP": PSK "password"
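The PIX crypto map (section 2) and the conn pix block above describe the same tunnel from opposite ends, and the PIX only completes phase 2 when its access-list selectors mirror leftsubnet/rightsubnet exactly and the peer address equals left. The script below is an added example, not part of the original article or of either vendor's tooling: it parses both fragments and reports any mismatch in peer, traffic selectors or PFS. The two sample configurations are constructed with RFC 5737 documentation addresses (203.0.113.10 for the VPN server, 198.51.100.1 for the PIX, 192.0.2.0/24 for Nanjing), which are assumptions, not values from the article.

```python
"""Cross-check a PIX crypto map against the FreeS/WAN conn it must match.

Added example, not from the original article. The sample texts are
constructed; all addresses are documentation ranges, not real ones.
"""
import ipaddress

PIX_SAMPLE = """\
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
"""

IPSEC_CONF_SAMPLE = """\
conn pix
    left=203.0.113.10
    leftnexthop=203.0.113.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightnexthop=%direct
    rightsubnet=192.0.2.0/24
    authby=secret
    pfs=no
    auto=start
"""


def parse_pix(text):
    """Return the peer, PFS flag and ACL selectors of the crypto map entry."""
    acls = {}
    cmap = {"peer": None, "acl": None, "pfs": False}
    for line in text.splitlines():
        w = line.split()
        if len(w) >= 8 and w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # PIX writes "address mask"; ipaddress accepts "address/mask"
            src = ipaddress.ip_network(f"{w[4]}/{w[5]}")
            dst = ipaddress.ip_network(f"{w[6]}/{w[7]}")
            acls.setdefault(w[1], []).append((src, dst))
        elif w[:2] == ["crypto", "map"] and len(w) >= 6:
            if len(w) >= 7 and w[4:6] == ["match", "address"]:
                cmap["acl"] = w[6]
            elif len(w) >= 7 and w[4:6] == ["set", "peer"]:
                cmap["peer"] = ipaddress.ip_address(w[6])
            elif w[4:6] == ["set", "pfs"]:
                cmap["pfs"] = True
    cmap["selectors"] = acls.get(cmap["acl"], [])
    return cmap


def parse_conn(text, name):
    """Return the key=value parameters of one conn block in ipsec.conf."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
        elif current == name and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key] = value
    return params


def check_consistency(pix_text, ipsec_text, conn="pix"):
    """Return a list of mismatches between the PIX side and the FreeS/WAN side."""
    pix = parse_pix(pix_text)
    c = parse_conn(ipsec_text, conn)
    problems = []
    if pix["peer"] != ipaddress.ip_address(c["left"]):
        problems.append(f"PIX peer {pix['peer']} differs from left={c['left']}")
    # The PIX ACL is written from its inside (Nanjing) towards the VPN users,
    # so its source must equal rightsubnet and its destination leftsubnet.
    want = (ipaddress.ip_network(c["rightsubnet"]), ipaddress.ip_network(c["leftsubnet"]))
    if want not in pix["selectors"]:
        problems.append(f"no PIX ACL entry for {want[0]} -> {want[1]}")
    wants_pfs = c.get("pfs", "no") == "yes"
    if wants_pfs != pix["pfs"]:
        problems.append(f"pfs={c.get('pfs', 'no')} in conn but PIX crypto map pfs is {pix['pfs']}")
    return problems


if __name__ == "__main__":
    print(check_consistency(PIX_SAMPLE, IPSEC_CONF_SAMPLE) or "PIX and ipsec.conf agree")
```

The selector check is the one worth running before bringing the tunnel up: a leftsubnet written as /32 while the PIX access-list carries a /24 mask produces a phase 2 proposal the PIX will reject, and the failure only shows up as a silent lack of traffic.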

5. iptables configuration (sample) to restrict the access permissions of VPN users:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.201/32 -d "Nanjing IP segment" -j MASQUERADE

service iptables save
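The sample rule above masquerades one user towards the Nanjing segment; restricting every VPN user to their own destinations means one such rule per user plus a FORWARD chain that drops everything not explicitly allowed. The generator below is an added example, not part of the original article or of the iptables project: it turns a per-user policy table into that rule set and can also flag a rule whose source covers more than one VPN address. The POLICY table, the 192.0.2.0/24 destination and the ppp+/eth0 interface names are constructed assumptions.

```python
"""Generate per-user iptables rules for the PPTP address pool.

Added example, not from the original article. Policy entries, destination
networks and interface names are constructed assumptions.
"""
import ipaddress

WAN_IF = "eth0"                                   # interface towards Nanjing
VPN_POOL = ipaddress.ip_network("10.0.1.0/24")    # pptpd remoteip pool

# Constructed policy: VPN user address -> networks that user may reach
POLICY = {
    "10.0.1.201": ["192.0.2.0/24"],
    "10.0.1.202": ["192.0.2.10/32", "192.0.2.11/32"],
}


def build_rules(policy, pool=VPN_POOL, wan_if=WAN_IF):
    """Return the iptables command lines implementing a default-deny policy."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for user, dests in sorted(policy.items()):
        src = ipaddress.ip_address(user)
        if src not in pool:
            raise ValueError(f"{user} is outside the VPN pool {pool}")
        for dest in dests:
            dst = ipaddress.ip_network(dest)
            # ppp+ matches every pppd interface created by pptpd
            rules.append(
                f"iptables -A FORWARD -i ppp+ -o {wan_if} -s {src}/32 -d {dst} -j ACCEPT")
            rules.append(
                f"iptables -t nat -A POSTROUTING -o {wan_if} -s {src}/32 -d {dst} -j MASQUERADE")
    return rules


def overly_broad(rule):
    """True when a rule has no -s at all or its -s covers more than one address."""
    words = rule.split()
    if "-s" not in words:
        return True
    net = ipaddress.ip_network(words[words.index("-s") + 1], strict=False)
    return net.num_addresses > 1


if __name__ == "__main__":
    for rule in build_rules(POLICY):
        print(rule)
```

Applying the output and then running service iptables save, as the article does, keeps the per-user restrictions across reboots; overly_broad is a quick check to run over an existing rule set before trusting it.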

Notes:

1. Add a user name and change the password in /etc/ppp/chap-secrets.

2. Edit the iptables rules according to each user's permission settings.

3. If an access-list exists on the company router, add the following so the PPTP tunnel's GRE packets (IP protocol 47) can reach the VPN server:

permit 47 any host 219.238.213.244

4. Check whether the IPsec service started successfully:

ipsec verify