This document explains briefly how to set up a VPN gateway with Linux and FreeS/WAN and connect Windows clients that authenticate with certificates.
We will use the native (and, frankly, shitty) L2TP over IPsec client of M$ Windows 2000 and XP.
We need: one machine running a patched Linux 2.4 kernel with FreeS/WAN and l2tpd, and a Windows client.
You need a working OpenSSL installation.
If compiling it seems too hard, take a look at my Apache page: it has the link to download OpenSSL and the Makefile I provide to compile it.
From here on, OpenSSL is assumed to be working and installed in /usr/local/ssl.
See this page for generating certificates and CRLs.
I downloaded FreeS/WAN 1.99 and patched it with: notify_delete-freeswan-1.98b-020904, NAT-Traversal-0.5a and x509patch-0.9.26-freeswan-1.99.
My kernel was 2.4.20; I provide my config here. I assume the kernel sources are in /usr/src/linux. Copy my config to .config in that directory, then run make dep; make bzImage; make kernel_install. This builds a monolithic kernel with networking built in. Adjust it as you like.
I provide here a tar of my patched FreeS/WAN tree. Edit the Makefile in /usr/src/linux and set EXTRAVERSION = -freeswan, then go back to the FreeS/WAN directory and run make programs; make oldgo; make kinstall. This installs a kernel patched with FreeS/WAN.
Here is my /etc/ipsec.conf (parameter lines must be indented; a line starting in column 0 opens a new section):
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    keyingtries=1
    disablearrivalcheck=no
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn VPN
    right=%any
    left=%defaultroute
    #leftprotoport=17/1701
    #leftnexthop=%defaultroute
    leftcert=VPN.pem
    #rightprotoport=17/0
    auto=add
    pfs=yes
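Because the scraped version of this file had lost its indentation, here is a small parser for the ipsec.conf layout that applies FreeS/WAN's own rules (column-0 line opens a section, indented key=value lines belong to it, "#" starts a comment, "conn %default" is merged under every other conn) and then reports which conns do not authenticate by certificate. This is an added example, not FreeS/WAN code; the sample text is the configuration above plus one constructed conn, PSK-test, that exists only to produce a finding.

```python
"""Parser for the FreeS/WAN ipsec.conf layout, plus a check of what each conn
authenticates with.  Added example, not FreeS/WAN code."""
from typing import Dict, List

# The page's /etc/ipsec.conf, followed by one constructed conn (PSK-test).
SAMPLE = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    keyingtries=1
    disablearrivalcheck=no
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn VPN
    right=%any
    left=%defaultroute
    #leftprotoport=17/1701
    leftcert=VPN.pem
    auto=add
    pfs=yes
# constructed conn, not on the page: pre-shared-key authentication
conn PSK-test
    right=%any
    left=%defaultroute
    authby=secret
    auto=add
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {section header: {key: value}}; raises on a parameter before any header."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments, keep leading whitespace
        if not line.strip():
            continue
        if line[0] not in " \t":                   # column 0: a new section
            current = " ".join(line.split())
            sections.setdefault(current, {})
        else:
            if current is None:
                raise ValueError(f"parameter outside any section: {line.strip()}")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"not key=value: {line.strip()}")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections: Dict[str, Section]) -> Dict[str, Section]:
    """conn name -> parameters with conn %default merged underneath."""
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **params}
            for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def check_conn(name: str, p: Section) -> List[str]:
    """Findings for a conn that is supposed to authenticate road warriors by certificate."""
    findings: List[str] = []
    if p.get("authby") != "rsasig":
        findings.append(f"{name}: authby={p.get('authby', '<unset>')}, not rsasig")
    else:
        for side in ("left", "right"):
            if p.get(f"{side}rsasigkey") != "%cert":
                findings.append(f"{name}: {side}rsasigkey is not %cert")
        if not p.get("leftcert"):
            findings.append(f"{name}: no leftcert, the gateway has nothing to present")
    if p.get("pfs", "yes") != "yes":               # FreeS/WAN defaults to pfs=yes
        findings.append(f"{name}: pfs disabled")
    return findings


def audit(text: str) -> List[str]:
    """All findings over all conns of an ipsec.conf text."""
    return [f for name, p in effective_conns(parse_ipsec_conf(text)).items()
            for f in check_conn(name, p)]


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Run against the sample, the VPN conn comes out clean (rsasig, %cert on both sides, leftcert present, pfs on) and only the constructed PSK-test conn is reported.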
Here is my /etc/ipsec.secrets:
: RSA VPN.key "mykeypassword"
I used l2tpd from l2tpd.org, version 0.69. You must have ppp (pppd) installed.
Untar it and just type make. Copy l2tpd to /usr/sbin and create an init script so it starts at boot.
Here is my /etc/l2tp/l2tpd.conf:
[global]
access control = no
[lns]
lac = 0.0.0.0-255.255.255.255 ; authorized clients (any address; not enforced anyway while access control = no above)
ip range = 10.1.2.242-10.1.2.254 ; my range for allocating IPs to the clients
local ip = 10.1.2.241 ; my local IP address, i.e. my end of the tunnel
require chap = yes ; CHAP authentication
require authentication = yes ; PPP authentication is mandatory
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
Here is my /etc/ppp/options.l2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.1.0.91
ms-wins 10.1.0.200
auth
crtscts
idle 1800
debug
lock
proxyarp
connect-delay 5000
Here is my /etc/ppp/chap-secrets:
winclient * "MyWindowsClientPassword" *
My gateway has only one Ethernet card (eth0).
Here is my iptables policy:
# Accepting admin connections
-A INPUT -s 10.0.0.0/255.0.0.0 -p tcp -m multiport --dports ssh -j ACCEPT
# Accepting ipsec connections from anywhere
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
# Protecting the l2tpd port from external connections: plaintext L2TP arriving on eth0 is dropped; L2TP that KLIPS has decrypted arrives on ipsec0 and is accepted by the next rule
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j DROP
# Accepting IKE from anywhere, and L2TP (only what survived the rule above, i.e. from inside IPsec)
-A INPUT -p udp -m multiport --dports ike,l2tp -j ACCEPT
# Accepting snmp monitoring from admin net
-A INPUT -s 10.0.0.0/255.0.0.0 -p udp -m multiport --dports snmp -j ACCEPT
# Minimal icmp acceptation for debugging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Accepting local connections
-A INPUT -i lo -j ACCEPT
# drop all
-A INPUT -j DROP
# Forwarding only between my local net and the client pool; dropping the rest
-A FORWARD -s 10.0.0.0/255.0.0.0 -d 10.1.2.240/255.255.255.240 -j ACCEPT
-A FORWARD -s 10.1.2.240/255.255.255.240 -d 10.0.0.0/255.0.0.0 -j ACCEPT
-A FORWARD -j DROP
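To see what the policy above actually lets through, here is a model of the INPUT and FORWARD chains run against constructed packets. It is an added example, not the page's code and not netfilter: first matching rule wins, and the addresses 198.51.100.1 (gateway), 203.0.113.5 (client) and 192.0.2.9 are documentation-range placeholders. Interface names follow KLIPS, where plaintext arrives on eth0, packets FreeS/WAN has just decrypted arrive on ipsec0, and PPP traffic from the client arrives on ppp0; that is what makes the "DROP on eth0" rule leave L2TP-over-IPsec alone. It also checks that the l2tpd.conf address pool sits inside the subnet the FORWARD rules allow.

```python
"""Model of the page's INPUT and FORWARD chains, evaluated over constructed
packets.  Added example, not netfilter and not the page's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                          # tcp, udp, esp, ah, icmp
    src: str
    dst: str
    iface: str = "eth0"                 # input interface
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None           # CIDR, as in -s
    dst: Optional[str] = None           # CIDR, as in -d
    iface: Optional[str] = None         # -i
    dports: Tuple[int, ...] = ()        # --dport / multiport --dports
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


SSH, SNMP, IKE, L2TP = 22, 161, 500, 1701
ADMIN_NET = "10.0.0.0/8"                # 10.0.0.0/255.0.0.0 on the page
VPN_POOL = "10.1.2.240/28"              # 10.1.2.240/255.255.255.240 on the page

# INPUT chain, transcribed in the page's order.
INPUT: List[Rule] = [
    Rule("ACCEPT", proto="tcp", src=ADMIN_NET, dports=(SSH,)),
    Rule("ACCEPT", proto="esp"),
    Rule("ACCEPT", proto="ah"),
    Rule("DROP", proto="udp", iface="eth0", dports=(L2TP,)),   # plaintext L2TP off the wire
    Rule("ACCEPT", proto="udp", dports=(IKE, L2TP)),           # IKE anywhere; L2TP only if it survived the DROP
    Rule("ACCEPT", proto="udp", src=ADMIN_NET, dports=(SNMP,)),
] + [Rule("ACCEPT", proto="icmp", icmp_type=t) for t in (8, 0, 3, 11)] + [
    Rule("ACCEPT", iface="lo"),
    Rule("DROP"),
]

FORWARD: List[Rule] = [
    Rule("ACCEPT", src=ADMIN_NET, dst=VPN_POOL),
    Rule("ACCEPT", src=VPN_POOL, dst=ADMIN_NET),
    Rule("DROP"),
]


def verdict(chain: List[Rule], p: Packet) -> str:
    """First matching rule decides, as in netfilter."""
    for r in chain:
        if r.matches(p):
            return r.target
    return "DROP"                       # both chains end in a catch-all DROP anyway


def pool_covered_by_forward(local_ip: str = "10.1.2.241",
                            ip_range: str = "10.1.2.242-10.1.2.254",
                            subnet: str = VPN_POOL) -> bool:
    """True if l2tpd's own end and every address it hands out lie inside the
    subnet the FORWARD rules allow (defaults are the l2tpd.conf values above)."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(x) for x in ip_range.split("-"))
    return lo <= hi and ipaddress.ip_address(local_ip) in net and lo in net and hi in net


if __name__ == "__main__":
    gw, client, lan_host = "198.51.100.1", "203.0.113.5", "10.1.0.91"   # constructed
    cases = [
        ("plaintext L2TP on eth0", INPUT, Packet("udp", client, gw, "eth0", L2TP)),
        ("L2TP decrypted by KLIPS", INPUT, Packet("udp", client, gw, "ipsec0", L2TP)),
        ("IKE from the Internet", INPUT, Packet("udp", client, gw, "eth0", IKE)),
        ("ssh from the Internet", INPUT, Packet("tcp", client, gw, "eth0", SSH)),
        ("VPN client to LAN DNS", FORWARD, Packet("udp", "10.1.2.243", lan_host, "ppp0", 53)),
        ("VPN client to Internet", FORWARD, Packet("tcp", "10.1.2.243", "192.0.2.9", "ppp0", 80)),
    ]
    for label, chain, p in cases:
        print(f"{label:26} -> {verdict(chain, p)}")
    print("l2tpd pool inside FORWARD subnet:", pool_covered_by_forward())
```

Two things the run makes visible: L2TP is only reachable through the IPsec tunnel, and a client that ticks "use the remote default gateway" gets to the 10/8 network but not to the Internet, because FORWARD drops everything outside those two rules.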
Create a new network connection of type VPN and set the VPN type to L2TP (Windows will always try IPsec to secure it). The IP is the address of your gateway. Uncheck the box 'require crypto' (there is no encryption at the L2TP stage, only at the IPsec one). In the advanced IP protocol settings, check "use the remote default gateway".
Username is "winclient" and password is "MyWindowsClientPassword", as in chap-secrets.