networking – serveur vpn l2tp ipsec
Au travers de ce tutoriel, vous déployez un serveur linux vous permettant d’accéder à distance (via un tunnel L2TP over IPsec) à votre réseau. L2TP over IPsec est une combinaison du protocole de tunnel de couche 2 et du protocole standard IPsec.
Avant de pourvoir installer le serveur VPN vous devez au préalable, ouvrir sur votre firewall les ports 1701 TCP, 4500 UDP et 500 UDP et les forwarder vers votre serveur linux.
# apt-get install openswan xl2tpd ppp
Activer le routage et le forwarding
# iptables --table nat --append POSTROUTING --jump MASQUERADE
Editer le fichier /etc/sysctl.conf :
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# sysctl -p /etc/sysctl.conf
Editer le fichier /etc/rc.local :
# vi /etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
Editer le fichier /etc/ipsec.conf :
config setup
protostack=netkey
nat_traversal=yes
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.0.2
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
Editer le fichier /etc/ipsec.secrets :
include /var/lib/openswan/ipsec.secrets.inc
192.168.0.2 %any: PSK "mapassphrase"
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Editer le fichier /etc/ppp/options.xl2tpd
;#Do not support BSD compression.
nobsdcomp
passive
lock
;#Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate
;#Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2
;#Set the DNS servers the PPP clients will use.
ms-dns 192.168.0.1
ms-dns 8.8.8.8
mtu 1400
mru 1400
Relancer les services suivants :
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
Editer le fichier /etc/pam.d/ppp afin d’insérer le bloc suivant :
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
@include common-auth
@include common-account
@include common-session