Install the Nikoforge Repository
# Add the Nikoforge repository (the source of the patched ipsec-tools below).
# NOTE(review): the release package is fetched over plain HTTP, so the
# transport gives no integrity. rpm only rejects it when a signature check
# fails against an already-imported key; with an unknown key it warns (NOKEY)
# and installs anyway — confirm with `rpm -K` on a downloaded copy first.
rpm --install --verbose --hash http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest
Install EPEL Repo
# Pull in EPEL straight from a mirror URL (plain HTTP, see the note on the
# Nikoforge install above), then install ipsec-tools. yum takes the highest
# version any enabled repo offers, which is why Nikoforge was added first.
yum --assumeyes install http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
yum --assumeyes install ipsec-tools
The ipsec-tools package from the nikoforge repo is a patched version that allows the use of a wildcard ‘*’ as the IPSec identifier [1]. This is not needed for Android, but it is for iOS.
Install Layer 2 Tunneling Protocol Daemon
# xl2tpd provides the L2TP side of the tunnel; IPsec itself is racoon's job.
yum --assumeyes install xl2tpd
Create the script "/etc/racoon/init.sh"
Insert the following:
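#!/bin/sh
# Load the IPsec policies that require ESP (transport mode) around the L2TP
# port (UDP 1701) in both directions, then enable IP forwarding so the server
# can route traffic for the PPP clients. Run as root from rc.local; no args.
#
# The policy text is fed to setkey through a here-document: the original
# `echo -e "...\n..."` form relies on a non-POSIX echo flag and its
# backslashes were lost in transit.

# set security policies
# NOTE(review): `flush;` and `spdflush;` wipe every existing SA and policy
# on the host, not just the two added here — relevant if other IPsec
# tunnels run on the same machine.
# Stop here if setkey fails: without the `require` policy in place, UDP 1701
# would be reachable without ESP protection.
setkey -c <<'EOF' || exit 1
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
EOF

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward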
Then set the correct permissions
# owner rwx, group rx, nobody else: the script runs as root and should not be
# world-readable.
chmod -- 0750 /etc/racoon/init.sh
Add a call of the script to rc.local
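# Register the script in rc.local idempotently: remove any earlier line that
# names it, then append exactly one. The address uses '#' as the sed
# delimiter so the slashes in the path need no escaping (the original line
# had lost its option dashes and escapes to smart-quote mangling).
sed --in-place '\#/etc/racoon/init.sh#d' /etc/rc.d/rc.local
printf '%s\n' /etc/racoon/init.sh >> /etc/rc.d/rc.local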
IPSEC CONFIGURATION
Racoon Config "/etc/racoon/racoon.conf" (If there is one already there, back it up to .old)
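# Racoon (IKEv1) configuration for L2TP/IPsec road-warrior clients with a
# pre-shared key. "remote anonymous" / "sainfo anonymous" match any peer, so
# the PSK in psk.txt is the only thing gating phase 1.
# (Quotes below are plain ASCII; the published version had typographic
# quotes, which racoon does not parse.)
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";   # identifier/PSK table, keep it mode 0600
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
	# NOTE(review): aggressive mode sends the identity hash before the
	# exchange is encrypted, which lets a passive observer attempt an
	# offline dictionary attack on the PSK. With "passive on" the client
	# picks the mode; accepting aggressive is only worth it if a client in
	# use actually needs it — otherwise `exchange_mode main;`.
	exchange_mode aggressive,main;
	passive on;            # responder only; clients always initiate
	proposal_check obey;   # accept the initiator's lifetime/PFS choices
	support_proxy on;
	nat_traversal on;      # phones behind NAT need UDP encapsulation
	ike_frag on;
	dpd_delay 20;          # dead-peer detection probe interval, seconds
	proposal
	{
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		# NOTE(review): 1024-bit DH is below current guidance; prefer
		# modp2048 where the clients support it.
		dh_group modp1024;
	}
	proposal
	{
		# NOTE(review): legacy fallback for old clients; drop this
		# proposal once nothing in use needs 3DES.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
}

sainfo anonymous
{
	encryption_algorithm aes,3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group modp1024;    # phase 2 PFS group; same caveat as dh_group
}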
Set the relevant permissions
# the config names the PSK file path; keep it readable by root only
chmod -- 0600 /etc/racoon/racoon.conf
Racoon Pre-shared Keys
Create the pre-shared keys file for IKE authentication. The 1st column is the IPSec Identifier, the 2nd column is the IPSec pre-shared key.
"/etc/racoon/psk.txt"
ANDROID
myhomelan d41d8cd98f00b204e980
IOS
* d41d8cd98f00b204e980
Set the correct permissions
# the PSK table is the credential for every client; root-only
chmod -- 0600 /etc/racoon/psk.txt
CONFIGURING L2TP DAEMON
Create file "/etc/xl2tpd/xl2tpd.conf"
; xl2tpd configuration: the L2TP network server half of L2TP/IPsec. IPsec
; itself is racoon's job; these options only cover the tunnel and the PPP
; sessions inside it.
[global]
; NOTE(review): SA-reference tracking lets xl2tpd distinguish clients that
; share one NATed public address; it needs matching kernel/ipsec-tools
; support — confirm on the target system.
ipsec saref = yes
; do the L2TP work in userspace rather than through a kernel L2TP module
force userspace = yes
[lns default]
; server-side address of the PPP link, and the pool handed to clients
local ip = 10.203.123.200
ip range = 10.203.123.201-10.203.123.210
; PAP would carry the password in clear inside the tunnel: reject it and
; insist that every session authenticates
refuse pap = yes
require authentication = yes
; NOTE(review): verbose pppd logging for bring-up; worth turning off once
; the setup works so session details do not accumulate in the logs
ppp debug = yes
; set the Length bit in L2TP data headers (some clients expect it)
length bit = yes
; per-session pppd options
pppoptfile = /etc/ppp/options.xl2tpd
CONFIGURING PPP
Create the PPP options file "/etc/ppp/options.xl2tpd"
# pppd options applied to every L2TP session (referenced from xl2tpd.conf).
# DNS servers pushed to clients that ask for them: a LAN resolver, then a public one.
ms-dns 10.203.120.41
ms-dns 8.8.8.8
# Only MS-CHAPv2 is accepted. NOTE(review): on its own MS-CHAPv2 is
# considered weak; here it is only as strong as the IPsec layer around it.
require-mschap-v2
asyncmap 0
# the peer must authenticate
auth
crtscts
lock
# keep passwords out of the log
hide-password
modem
# NOTE(review): verbose logging; disable once the setup is working
debug
# local name for authentication; chap-secrets' "server" column is matched against it
name l2tpd
# answer ARP for client addresses so LAN hosts can reach them
proxyarp
# LCP echo every 10 s; the link is only declared dead after 100 misses (~17 min)
lcp-echo-interval 10
lcp-echo-failure 100
Create the CHAP secrets file "/etc/ppp/chap-secrets"
# client server secret IP addresses
# One PPP user per line. "*" in the server column matches any local name
# (including the "l2tpd" set in options.xl2tpd); "*" in the IP column lets
# the client take any pool address. NOTE(review): the secret shown is a
# sample — use a long random value per user and keep this file mode 0600.
janedoe * jd480227 *
Set the correct permissions
# PPP user secrets; root-only
chmod -- 0600 /etc/ppp/chap-secrets
START THE SERVICES
# Enable both daemons at boot, start them now, then load the IPsec policies
# through the same hook that rc.local runs on later boots.
# NOTE(review): xl2tpd is up before init.sh installs the `require` policy,
# so there is a short window in which UDP 1701 is reachable without ESP;
# running init.sh before the services would close it.
for svc in racoon xl2tpd; do
  chkconfig "$svc" on
done
for svc in racoon xl2tpd; do
  service "$svc" start
done
/etc/racoon/init.sh
ANDROID CLIENT SETUP
NAME – ANYTHING
TYPE – L2TP/IPSec PSK
SERVER ADDRESS – IP or hostname of server
L2TP SECRET – NOT USED
IPSec IDENTIFIER – what was set in the first column of the racoon psk file
PRE-SHARED KEY – what was set in the second column of the racoon psk file
For my VPS to pass traffic through, I had to execute the following
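# NAT the VPN clients out through the server and harden the forwarding path.
# Differences from the published version (which had lost its option dashes
# and quotes and repeated two of its lines):
#  - MASQUERADE is limited to the client pool xl2tpd hands out
#    (10.203.123.0/24) instead of every forwarded packet; widen it if this
#    host forwards for other networks as well.
#  - sysctl.conf lines are only appended when absent, so re-running does not
#    pile up duplicates.
# NOTE(review): iptables rules are not persistent across reboots on EL6;
# `service iptables save` (or adding the rule to init.sh) is needed for it
# to survive. Each run of this snippet also appends another identical rule.
iptables --table nat --append POSTROUTING --source 10.203.123.0/24 --jump MASQUERADE

for setting in 'net.ipv4.ip_forward = 1' \
               'net.ipv4.conf.all.accept_redirects = 0' \
               'net.ipv4.conf.all.send_redirects = 0'; do
  grep -qxF -- "$setting" /etc/sysctl.conf \
    || printf '%s\n' "$setting" >> /etc/sysctl.conf
done

# sysctl.conf only covers conf.all; apply the redirect settings to every
# interface that already exists, then reload sysctl.conf.
for vpn in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$vpn/accept_redirects"
  echo 0 > "$vpn/send_redirects"
done
sysctl -p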