Use L2TP and openswan to build an IPSec VPN (using X.509 certificate authentication)

Source: Internet
Author: User
Tags: pkcs12, openssl commands

From the IPsec VPN built with openswan alone to the L2TP/IPsec VPN with X.509 certificate authentication that I finally arrived at, I ran into many setbacks, and I have written them all up here together.

Throughout the process I referred to the following articles:

"Open-source Linux VPN solution: openswan installation and configuration guide" by Jiuwei Yinhu (Nine-tailed Silver Fox). Address: http://www.entage.net/1/viewspace_8112.html

And "Use L2TP and openswan to build an IPSec VPN". That title is mine, because the author, Nate Carlson, apparently did not give it one. I reposted it at http://blog.csdn.net/purewinter/archive/2007/05/23/1623336.aspx; the address of the original article is also given in that post.

Then there is the instruction document written by a senior engineer (not posted online). Later I wrote another article of my own, which is short and neat. ^_^

Software used in this article:
Red Hat Enterprise Linux AS 4 (kernel 2.6.9-42.EL)
OpenSSL 0.9.7a
Openswan 2.4.7
l2tpd 0.69 (l2tpd-0.69-12jdl.i386.rpm) / xl2tpd 1.1.09
OpenSSL is used only for the CA functions and can be replaced by another CA tool such as OpenCA.
xl2tpd replaces l2tpd and is what I recommend for personal use. Using l2tpd is fine too; the settings of the two are almost identical, since both are L2TP daemons.
Since OpenSSL acts only as the CA, its installation is described briefly: unpack the package, enter the directory, and run
./config --prefix=/usr/local/openssl
to set the installation directory, then run make and then make install.

 

Network configuration and topology of the experiment:

Because of limited resources, VMware virtual machines are used.
Briefly, the network settings in VMware: in the Manage Virtual Networks tool that VMware provides, under Host Virtual Network Mapping, set vmnet2 to "not bridged", click the ">" on the right, fill in 192.168.2.0 as the subnet address, and click OK.
The vpngateway virtual machine needs a second NIC added in its virtual machine settings. Then, inside Linux on each virtual machine, configure each NIC according to the table below, and select the network for each NIC in the virtual machine settings. NIC 0 of vpngateway belongs to vmnet0 and NIC 1 to vmnet2; NIC 1 is given the default address 192.168.2.1. The XP host is automatically on vmnet0 and needs no setup.

Machine      NIC 0 (eth0)    NIC 1 (eth1)   Default gateway   Network          Role
purewinter   192.168.0.2     -              192.168.0.2       vmnet0           XP client
vpngateway   192.168.0.254   192.168.2.1    192.168.0.254     vmnet0, vmnet2   VPN gateway
Jim          192.168.2.2     -              192.168.2.1       vmnet2           backend server behind the gateway

The 192.168.0.0/24 network simulates the Internet, and the XP host machine simulates a VPN client dialing in from the Internet. The 192.168.2.0/24 segment simulates the intranet, and Jim is a machine on that intranet; it can act as an application server that provides a service.

 

0. Use OpenSSL to issue certificates to each machine

Create a CA working directory (recommended: /root/CA/demoCA). demoCA is OpenSSL's default CA working directory and stores the CA's own state, so we also need a directory to hold the certificates issued to each machine; hence two directories (CA and CA/demoCA). You can equally put the CA at /root/demoCA and the certificates at /root/certs.

Create the CA (below, CA.sh means <OpenSSL installation directory>/ssl/misc/CA.sh):
CA.sh -newca
or the command
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem
If you used the openssl command, create the demoCA directory and then run:
mkdir newcerts
touch index.txt
echo "01" > serial
Make sure that cakey.pem is in demoCA/private; if not, copy it there.
After the CA is generated, run openssl ca -gencrl -out crl.pem in the parent directory of demoCA to generate the certificate revocation list file.

Generate a certificate for vpngateway (run the following in the parent directory of demoCA, e.g. /root/CA):
CA.sh -newreq
or
openssl req -newkey rsa:1024 -keyout vpngateway.key -out vpngatewayreq.pem
This produces the vpngateway private key and a certificate request. Then sign the request and produce the certificate with
CA.sh -sign
or
openssl ca -in vpngatewayreq.pem -days 365 -out vpngateway.cert -notext
If you use CA.sh, rename the generated newreq.pem to vpngateway.key and newcert.pem to vpngateway.cert.

As seen above, CA operations can be done either with CA.sh or with openssl commands. CA.sh is easy to use but limited; the openssl commands are powerful but more complex, and are the more convenient choice when you need to customize anything.

Certificates for the other machines are generated the same way as for vpngateway.

 

1. Install openswan

Before installing, adjust the kernel configuration. In /etc/sysctl.conf, find
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
and change them to
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Then run sysctl -p to apply them.

Download openswan and unpack it: tar zxvf openswan-2.4.7.tar.gz
Enter the openswan-2.4.7 directory, then compile and install:
make programs
make install
There is not much to say about the installation. However, if the Linux kernel is older than 2.6.9 (for example Red Hat Linux 9), a NAT-traversal patch is required; 2.6.9 and later (such as the AS 4 I use) need no patch.
Verify the installation afterwards with: ipsec --version
and verify the IPsec status with: ipsec verify

Main openswan configuration files

/etc/ipsec.secrets holds private RSA keys and pre-shared keys (PSKs)
/etc/ipsec.conf is the configuration file (settings, options, defaults, connections)

Main openswan configuration directories

/etc/ipsec.d/cacerts holds X.509 root (CA) certificates
/etc/ipsec.d/certs holds X.509 client certificates
/etc/ipsec.d/private holds X.509 certificate private keys
/etc/ipsec.d/crls holds X.509 certificate revocation lists
/etc/ipsec.d/ocspcerts holds X.509 OCSP (Online Certificate Status Protocol) certificates
/etc/ipsec.d/passwd is the XAUTH password file
/etc/ipsec.d/policies holds the opportunistic encryption policy groups

 

2. Use openswan to test and build an IPsec channel (may be skipped)

This step is only a test: check that openswan can build an IPsec channel normally before L2TP is added on top.

Openswan offers two modes: net-to-net and roadwarrior. Put simply, net-to-net connects two VPN gateways and provides a secure channel between the intranets on both sides, while roadwarrior connects a client to a VPN gateway and provides a secure channel between the client and the intranet behind the gateway. For details on the two modes and on net-to-net settings, see the Nine-tailed Silver Fox post or other online guides. The roadwarrior settings are described below.
Client (laptop): Jim. VPN server: vpngateway. Intranet behind the server: none, or any machine located in vmnet1, such as purewinter.
Openswan only has to be installed on Jim and vpngateway; the other machines do not need it.

Copy the certificates (make sure copying certificates between machines is done securely):
cp cacert.pem /etc/ipsec.d/cacerts
cp vpngateway.cert /etc/ipsec.d/certs
cp vpngateway.key /etc/ipsec.d/private
On the Jim machine, besides the three files above, also copy jim.cert to /etc/ipsec.d/certs and jim.key to /etc/ipsec.d/private.

Edit /etc/ipsec.secrets:
Add a line at the end of the file (vpngateway as an example):
: RSA /etc/ipsec.d/private/vpngateway.key "password for reading this key"
The Jim machine is similar. Note the colon before RSA. Replace the quoted string with the passphrase you entered when generating the key.

Edit /etc/ipsec.conf on vpngateway:

version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/24

conn %default
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    left=192.168.2.1
    leftcert=vpngateway.cert
    leftsubnet=192.168.0.0/24
    right=%any
    auto=add

include /etc/ipsec.d/examples/no_oe.conf

Edit /etc/ipsec.conf on Jim: apart from the roadwarrior section, it is the same as the vpngateway file.

conn roadwarrior
    left=192.168.2.2
    leftcert=jim.cert
    right=192.168.2.1
    rightcert=vpngateway.cert
    rightsubnet=192.168.0.0/24
    auto=add

Run ipsec auto --up roadwarrior on Jim to bring up the IPsec connection.
Run tcpdump -i eth1 on vpngateway to watch the packets, which should be encrypted. However, with this configuration packets are only encrypted when Jim accesses an intranet machine behind vpngateway; packets between Jim and vpngateway itself are not. Run ping 192.168.0.254 on Jim,
then ping 192.168.0.2,
and compare what tcpdump on vpngateway shows. If traffic to the VPN gateway itself should be encrypted too, move the subnet line of both sides' configuration into a new conn roadwarrior-net section and add the line also=roadwarrior to it. Then run ipsec auto --up roadwarrior on Jim,
followed by ipsec auto --up roadwarrior-net. (Note: if IPsec is already running, restart the ipsec service after changing the configuration.)
For more on roadwarrior and on using RSA authentication, see "Using openswan to build Linux IPsec" by toorq. Address: http://www.xfocus.net/articles/200610/891.html

 

3. Install l2tpd

If you only use L2TP/IPsec, l2tpd and openswan need to be installed on vpngateway only. l2tpd was one of the most painful parts of the whole process, so I separate the general procedure from the problems I ran into.
Installing l2tpd-0.69-12jdl.i386.rpm: double-click the RPM package, or run: rpm -i l2tpd-0.69-12jdl.i386.rpm
Installing l2tpd-0.69.tar.gz or l2tpd-0.70pre.tar.gz: I strongly recommend against the 0.69 source package. Unpack the package, enter the directory and run make. Once the l2tpd binary is generated it can be copied to /usr/local/sbin.
Installing xl2tpd-1.1.09.tar.gz: unpack the package, run make, then run make install.

Problem description: in fact, on a current Linux platform the original l2tpd, 0.70pre included, does not compile as is. An error occurs just before a "__FUNCTION__" in one file (avp.c, it seems). On closer inspection it is a call to the log function, and a comma is missing before "__FUNCTION__"! I nearly fainted... 0.70pre has only this problem, while version 0.69 also has many other gcc errors caused by unexpected line breaks inside strings. It is said that gcc has become stricter and that the code used to build. But even when it compiles, the original 0.69 still has a fair number of bugs that need patches, in particular a pty (tty) bug. It may not show up on every machine, but it did on mine, and applying the pty patch did not help with either the rpm version or 0.70pre. In the end the problem was solved by switching to xl2tpd.

Configuration file paths:
rpm version: /etc/l2tpd/l2tpd.conf
source version: /etc/l2tp/l2tpd.conf
xl2tpd: either the same path and name as the source version, or /etc/xl2tpd/xl2tpd.conf

 

4. Settings on vpngateway

First, the configuration that uses certificates as the IPsec authentication method.
L2TP-related settings:
/etc/ppp/chap-secrets: add the following as the last line

test * "test123456" *

The password of user test is test123456. The last "*" can be changed to an IP address or CIDR block, meaning the user may only dial in from that address or block; otherwise the user is not accepted. This user name and password are what you enter before dialing, just like the user name and password of a broadband dial-up connection.

/etc/ppp/options.l2tp: replace the entire contents with the following:

ipcp-accept-local
ipcp-accept-remote
#ms-dns 202.96.209.6
# remove the leading # on the line above if you need to push a DNS server
ms-wins 192.168.0.2
#noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
# MTU must be below 1500; another value such as 1300 also works
nodefaultroute
debug
lock
connect-delay 5000
logfile /var/log/l2tpd.log
proxyarp

/etc/l2tpd/l2tpd.conf (or /etc/xl2tpd/xl2tpd.conf or /etc/l2tp/l2tpd.conf): note that this file uses semicolons for comments.

[global]
listen-addr = 192.168.0.254
port = 1701
auth file = /etc/ppp/chap-secrets

[lns default]
; exclusive = no
ip range = 192.168.2.128-192.168.2.254
; ip range: the addresses handed to clients after a successful L2TP dial
local ip = 192.168.0.254
; lac = 0.0.0.0-255.255.255.255
require chap = yes
refuse pap = yes
require authentication = yes
name = vpngateway
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
length bit = yes

Note: the original l2tpd 0.69 has no listen-addr setting; it exists in the other versions (rpm, 0.70pre, xl2tpd).

Openswan-related settings:
/etc/ipsec.secrets: the same as in section 2 (Use openswan to test and build an IPsec channel).

/etc/ipsec.conf (you can modify the file from section 2; the entire conn roadwarrior section must be commented out):

version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/24

conn %default
    compress=yes
    authby=rsasig
    disablearrivalcheck=no
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1

conn l2tpx509
    pfs=no
    auto=add
    left=192.168.0.254
    leftcert=vpngateway.cert
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightprotoport=17/%any

include /etc/ipsec.d/examples/no_oe.conf

Run service ipsec restart to restart the IPsec service.
Run l2tpd -D to start l2tpd in the foreground; with xl2tpd, run xl2tpd -D. Without -D, l2tpd runs as a background service and connection information is not shown in real time.
Run tcpdump -i eth0 to watch the packets; you may need to add host 192.168.0.254 to narrow down what is shown.

 

5. Windows Settings

Export the CA and Windows certificates:

In the parent directory of demoCA on vpngateway, export the CA certificate as a p12 file:
openssl pkcs12 -export -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -out demoCA.p12
Enter the passphrase of the CA key, then enter and confirm the export password that protects the p12 file.
Then export the Windows certificate:
openssl pkcs12 -export -in purewinter.cert -inkey purewinter.key -out purewinter.p12
Copy these two files to the Windows client securely.

Import the certificates:

Run mmc, choose Add/Remove Snap-in, then Add > Certificates > Computer account > Local computer.
Under Certificates (Local Computer), choose Personal > All Tasks > Import and import the two p12 files. Then drag the CA certificate from Personal to Trusted Root Certification Authorities.

Add a dial-up connection:

Network Connections -> Create a new connection -> Connect to the network at my workplace -> Virtual Private Network connection -> enter any name -> Do not dial the initial connection -> 192.168.0.254 -> Finish.
Right-click the connection, choose Properties > Networking > Type of VPN and select L2TP IPSec VPN; then select the TCP/IP protocol, open Properties > Advanced, and clear the "Use default gateway on remote network" check box. Click OK. (This prevents the IPsec VPN connection from taking over the route of the original broadband dial-up connection, which would make the broadband connection appear to drop. Skip this step if your Internet access is not a dial-up connection.)
Double-click the connection, enter the user name test and the password test123456, and dial. If the dial succeeds, tcpdump on vpngateway shows encrypted traffic, and the l2tpd output shows "call established with 192.168.0.2...".
Run service httpd start on Jim to start Apache, then open http://192.168.2.2 in the browser on the Windows client to see the website hosted on Jim. If none has been set up, you may see the default Apache page, or the 403 Forbidden message of Apache 2.x.x. At this point the L2TP/IPsec VPN is up and running.

 

6. IPsec settings using a pre-shared key

vpngateway end:
/etc/ipsec.secrets: add the following as the last line, where 123456 is the pre-shared key.

192.168.0.254 %any : PSK "123456"

/etc/ipsec.conf: comment out every line of the conn l2tpx509 section and add the following lines:

conn L2TP
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=192.168.0.254
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Run service ipsec restart to restart IPsec.
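To catch the mistakes that are easiest to make in the two L2TP conn sections (the l2tpx509 X.509 conn from section 4 and the PSK conn here), here is a small Python checker. It is an added example, not code from this post or from openswan; the embedded sample configuration is constructed from the post's conns, and the parser handles only the subset of ipsec.conf syntax those sections use.

```python
"""Parse an openswan ipsec.conf and check its L2TP/IPsec conns. Added example,
not the post's or openswan's code; SAMPLE is constructed from the post's conns."""

SAMPLE = """\
conn %default
    authby=rsasig
conn l2tpx509
    pfs=no
    leftcert=vpngateway.cert
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightprotoport=17/%any
conn L2TP
    authby=secret
    pfs=no
    type=transport
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
include /etc/ipsec.d/examples/no_oe.conf
"""

def parse_ipsec_conf(text):
    """Return {conn_name: settings}; 'conn %default' is inherited by every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments, keep indent
        if not line.strip() or line.startswith(("include", "version")):
            continue
        if not line[0].isspace():                     # "config setup" / "conn NAME"
            current = sections.setdefault(line.split(None, 1)[-1], {})
        else:                                         # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
    default = sections.pop("%default", {})
    return {n: {**default, **b} for n, b in sections.items() if n != "setup"}

def check_l2tp_conn(conn):
    """Findings for a roadwarrior conn meant to carry L2TP (UDP 1701)."""
    found = []
    if conn.get("leftprotoport") != "17/1701":
        found.append("leftprotoport must be 17/1701 so only L2TP rides this SA")
    if conn.get("rightprotoport") != "17/%any":
        found.append("rightprotoport should be 17/%any; the client port varies")
    if conn.get("pfs", "yes") != "no":                # openswan defaults pfs to yes
        found.append("pfs=no expected, as in the post's two L2TP conns")
    authby = conn.get("authby", "rsasig")             # openswan defaults to rsasig
    if authby == "rsasig" and not conn.get("leftcert"):
        found.append("authby=rsasig but no leftcert for the gateway to present")
    if authby == "rsasig" and not (conn.get("rightca") or conn.get("rightcert")):
        found.append("client CA not pinned: set rightca=%same or rightcert")
    return found
```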

Windows end:

Right-click the VPN dial-up connection, choose Properties > Security > IPSec Settings, and enter the pre-shared key "123456". Click OK.
Then try dialing; it should connect directly.
