This post is a tutorial on running an L2TP over IPSec VPN server for proxy purposes on an Ubuntu 10.04 LTS Server machine. Before we start the practical part, let us review some theory:
What is VPN?
A Virtual Private Network is a technology developed mainly to create virtual local networks over a wide geographic area. For example, we have a data center and a sizeable network in Bandar Abbas that needs constant maintenance and connectivity to our main servers and offices back in Tehran. We need a single local network that consists of our office networks and the Bandar Abbas network, but since they are geographically separated, they cannot actually be local, so we cheat and virtually create a private (local) network, hence VPN.
More specifically, we start a VPN server on our Bandar Abbas hub server (main.rajaei.abx.ir), then create a VPN connection from our computer (or router) and connect to it, and it is as if we had just plugged an Ethernet cable into our system that leads directly into the whole Bandar Abbas network. After that we can simply connect to our surveillance server at 192.168.0.220 (a Bandar Abbas network IP, not one of ours) from any application.
As you might have already guessed, since a VPN is usually established over the Internet, the most important thing to expect is security of the transmitted data. No third party on the route should be able to sniff our corporate data, right? Security is almost the main issue with VPNs.
Then what are PPTP, L2TP, IPSec, SSTP, etc.?
VPN is a concept. It is also a technology, but many protocols and mixtures of technologies provide such means. The simplest form is PPTP, the Point-to-Point Tunneling Protocol. It is easily established, easily connected and fast; setting up a PPTP server on Ubuntu takes less than 5 minutes. The problem with PPTP is data encryption: the two parties (VPN client and server) have to agree on an encryption key, and an attacker who records that exchange can recover the key and read their traffic.
Then there is OpenVPN, which is fully open source and good, but since there is no native client on Windows, nobody actually uses it. SSTP is Windows-only as well; it is based on SSL tunnels, much like IPSec is the underlying layer of L2TP.
The other widely used VPN technology is L2TP, which relies on IPSec (a lower-layer network protocol) for its security. IPSec uses either PKI (Public Key Infrastructure) or PSK (Pre-Shared Keys), both of which are means of establishing a secure connection without a third party on the path being able to recover the password.
L2TP is technically called L2TP over IPSec because IPSec first establishes a secure connection between the two systems, and then the Layer 2 Tunneling Protocol takes over for the networking and VPN functionality.
VPN as a means of proxy
In many cases, a VPN is used to bypass certain limitations and/or for privacy, the way proxy servers are used. Since a VPN operates at a low networking level, a VPN-based proxy carries all kinds of network connections, not just web or video traffic. Everything, from peer-to-peer connections to DNS lookups, goes over the VPN.
To use a VPN as a proxy, we simply connect to a VPN far away (usually outside the filtering region, if we are trying to bypass regional filtering) and use its Internet connection. It is as if our Internet gateway is not our own modem but the computer at the VPN end.
VPN technologies (PPTP, L2TP, SSTP, OpenVPN, etc.) all work on certain ports and use certain traceable technologies, so blocking VPN usage is pretty simple; PPTP, for instance, no longer works for more than a few seconds in Iran.
But SSTP and L2TP both use a lower-level encryption layer (SSL for SSTP, IPSec for L2TP), so they cannot be blocked easily. You might think it would be easy to block all IPSec connections and thus stop L2TP, and likewise SSL for SSTP, but IPSec and SSL are used for all kinds of encryption. When you use an online banking service, you employ SSL. When you transfer a file securely over the network, you employ IPSec. Blocking them would stop half of the Internet from functioning.
There is also no way of peeking into IPSec- or SSL-encrypted data (which contains the actual VPN packets), hence L2TP and SSTP services cannot be stopped that easily.
Let's get dirty
Now I'm going to provide instructions on how to set up and use an L2TP VPN on your Ubuntu server for proxy purposes.
First of all, install a few packages:
sudo apt-get install ppp xl2tpd openswan
Once all the necessary daemons are installed, and assuming your server's IP address is 178.162.154.252 (which is actually abiusx.com's), put the following in /etc/ipsec.conf:
version 2.0

config setup
    nat_traversal=yes
    # 192.168.0.0/16 covers the whole 192.168.x.x range; 192.168.1.0/16 is not a valid network prefix
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf
Then open /etc/ipsec.d/l2tp-psk.conf and put the following in it; don't forget to replace my IP (and next hop) with yours:
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=178.162.154.252
    leftnexthop=178.162.154.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
You also need to open /etc/ipsec.secrets and put your pre-shared secret (e.g. 123456789) in it:
178.162.154.252 %any: PSK "123456789"
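The secret above is only an illustration. As an added example (not from the original post), the following POSIX shell functions generate a random pre-shared key, write it in the exact "server-ip %any: PSK "..."" form openswan reads from /etc/ipsec.secrets, and check an existing file for that syntax and for weak keys such as the all-digit one above. The server address, the temporary output path and the 20-character minimum are this example's assumptions, not openswan rules.

```shell
#!/bin/sh
# Added example, not part of the original post: create and check an ipsec.secrets entry.
# Assumptions: openssl or coreutils base64 is available; the server address, output
# path and the 20-character minimum length below are this example's choices.

# Print a random 32-byte key, base64 encoded (44 characters, no quotes or whitespace).
gen_psk() {
    { openssl rand -base64 32 2>/dev/null || head -c 32 /dev/urandom | base64; } | tr -d '\n'
}

# Write '<server-ip> %any: PSK "<key>"' for server $1 and key $2 to file $3.
# The key is a credential, so the file is created readable by root only.
write_secrets() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$1" "$2" > "$3" )
}

# Return 0 if the first line of file $1 has the expected shape and the key is neither
# shorter than 20 characters nor made only of digits (like 123456789 in the post).
check_secrets() {
    line=$(head -n 1 "$1")
    if ! printf '%s\n' "$line" | grep -Eq '^[0-9.]+ %any: PSK "[^"]+"$'; then
        echo "unexpected syntax: $line" >&2
        return 1
    fi
    key=$(printf '%s' "$line" | sed 's/.*PSK "//; s/"$//')
    if [ "${#key}" -lt 20 ]; then
        echo "key is shorter than 20 characters" >&2
        return 1
    fi
    case "$key" in
        *[!0-9]*) ;;
        *) echo "key consists only of digits" >&2; return 1 ;;
    esac
}

# Stand-alone run: generate a key and write it to a temporary file (not /etc/ipsec.secrets).
SERVER_IP=178.162.154.252
out=$(mktemp)
write_secrets "$SERVER_IP" "$(gen_psk)" "$out"
check_secrets "$out" && cat "$out"
```

Point write_secrets at /etc/ipsec.secrets (as root) once you are happy with the generated line, and remember that the same key has to be typed into every client's IPSec settings, so keep a copy somewhere safe rather than regenerating it.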
Now restart IPSec and watch /var/log/auth.log; that is all for IPSec on the server. On the client (preferably a Windows machine), create a VPN connection; in its properties dialog, on the Security tab, there is "IPSec Settings", which asks for the pre-shared secret. Provide 123456789. On the Networking tab, under Type of VPN, select L2TP IPSec VPN. Now connect and inspect your server:
sudo service ipsec restart
sudo tail -f /var/log/auth.log
You should see something like "IPsec SA established" among the log lines; that means IPSec was established successfully. Of course the VPN connection will still fail, since we haven't set up the L2TP part yet.
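Rather than reading the whole of auth.log by hand, the following added shell example (not from the original post) summarises openswan's pluto messages per remote peer: which peers reached "IPsec SA established", and which completed the ISAKMP (phase 1) SA but never got an IPsec SA, which in this setup usually means the L2TP conn (UDP 1701, transport mode, NAT settings) did not match. The sample log lines are constructed in the general shape of pluto's output with documentation addresses; only the two quoted phrases are taken from the page, and the rest of each line's content is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: per-peer summary of openswan (pluto)
# negotiation results in /var/log/auth.log. Assumes pluto's usual line shape
#   ... pluto[PID]: "CONN"[N] PEER-IP #STATE: ISAKMP SA established ...
#   ... pluto[PID]: "CONN"[N] PEER-IP #STATE: IPsec SA established transport mode ...
# so the peer address is the field just before the "#N:" token.

# Constructed sample log (documentation addresses): 203.0.113.10 connected twice,
# 198.51.100.7 finished phase 1 only; the sshd line is noise to be ignored.
SAMPLE_LOG='Jun 10 12:00:01 main pluto[2345]: "L2TP-PSK-NAT"[1] 203.0.113.10 #1: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jun 10 12:00:02 main pluto[2345]: "L2TP-PSK-NAT"[1] 203.0.113.10 #2: IPsec SA established transport mode {ESP=>0x0a1b2c3d <0x4e5f6a7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 10 12:06:11 main pluto[2345]: "L2TP-PSK-NAT"[2] 198.51.100.7 #3: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jun 10 12:07:00 main sshd[2400]: Accepted publickey for admin from 192.0.2.5 port 4022 ssh2
Jun 10 12:30:15 main pluto[2345]: "L2TP-PSK-NAT"[3] 203.0.113.10 #5: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jun 10 12:30:16 main pluto[2345]: "L2TP-PSK-NAT"[3] 203.0.113.10 #6: IPsec SA established transport mode {ESP=>0x1a2b3c4d <0x5e6f7a8b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}'

# Print "<peer> <count>" for every peer that completed an IPsec SA in log file $1.
ipsec_sa_by_peer() {
    awk '/pluto\[/ && /IPsec SA established/ {
            for (i = 2; i <= NF; i++) if ($i ~ /^#[0-9]+:$/) { n[$(i-1)]++; break }
         }
         END { for (p in n) print p, n[p] }' "$1" | sort
}

# Print peers that finished phase 1 (ISAKMP SA) but never reached phase 2 (IPsec SA).
phase2_failures() {
    awk '/pluto\[/ && /SA established/ {
            peer = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^#[0-9]+:$/) { peer = $(i-1); break }
            if (peer == "") next
            if ($0 ~ /ISAKMP SA established/) p1[peer] = 1
            if ($0 ~ /IPsec SA established/)  p2[peer] = 1
         }
         END { for (p in p1) if (!(p in p2)) print p }' "$1" | sort
}

# Write the constructed sample to a temporary file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Stand-alone run: summarise the file given as $1 (e.g. /var/log/auth.log), or the sample.
LOG=${1:-$(write_sample_log)}
echo "peers with an IPsec SA (peer count):"; ipsec_sa_by_peer "$LOG"
echo "peers stuck after phase 1:"; phase2_failures "$LOG"
```

A peer listed under "stuck after phase 1" has the right pre-shared key (phase 1 would not complete otherwise), so the thing to check for it is the conn definition rather than the secret.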
L2TP Setup
Now we need to configure xl2tpd. There are three files to change: the xl2tpd configuration, the PPP options file it uses, and the username/password file. Let's start with /etc/xl2tpd/xl2tpd.conf, which should contain the following:
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Then /etc/ppp/options.xl2tpd, which should contain:
require-mschap-v2
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
And finally /etc/ppp/chap-secrets, which contains the username/password pairs:
# client   server    secret  allowed IP
username   l2tpd     1234    192.168.1.231
# the same pair in the reverse direction, used if the client also authenticates the server
l2tpd      username  1234    192.168.1.231
user2      l2tpd     123     *
Since the * form crashes some versions of xl2tpd, preferably use the static user/IP method. To wrap things up, /etc/sysctl.conf should contain "net.ipv4.ip_forward = 1", which enables IP forwarding. If you have just added it, restart networking or reboot the system.
Oh, and you might need to add some routing so that the VPN IPs are routed to your gateway.
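Before restarting xl2tpd it is worth checking that the three files above agree with each other. The following added shell example (not from the original post) reads the client pool and server address from xl2tpd.conf, the "name" from options.xl2tpd and every chap-secrets line, and reports entries that do not reference that name, addresses outside the pool or assigned twice, the bare "*" form the post warns about, and short secrets. The 8-character floor, unquoted chap-secrets fields and the sample files it writes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the three L2TP files
# against each other before restarting xl2tpd. Assumptions: chap-secrets fields are
# unquoted, and 8 characters is this example's floor for a secret.

# Dotted-quad IPv4 address to integer, so pool membership is a numeric comparison.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Usage: check_l2tp_config xl2tpd.conf options.xl2tpd chap-secrets
# Prints one line per problem; returns 0 only if none were found.
check_l2tp_config() {
    conf=$1; opts=$2; secrets=$3; problems=0
    range=$(sed -n 's/^[[:space:]]*ip range[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    local_ip=$(sed -n 's/^[[:space:]]*local ip[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    server_name=$(awk '$1 == "name" { print $2; exit }' "$opts")
    lo=$(ip2int "${range%-*}"); hi=$(ip2int "${range#*-}")
    if [ -z "$range" ] || [ "$lo" -gt "$hi" ]; then
        echo "missing or reversed 'ip range' in $conf"; problems=$((problems + 1))
    fi
    l=$(ip2int "$local_ip")
    if [ "$l" -ge "$lo" ] && [ "$l" -le "$hi" ]; then
        echo "local ip $local_ip lies inside the client pool $range"; problems=$((problems + 1))
    fi
    seen=" "
    while read -r client server secret ip rest; do
        case $client in ''|'#'*) continue ;; esac
        if [ "$server" != "$server_name" ] && [ "$client" != "$server_name" ]; then
            echo "entry '$client $server' does not match name '$server_name' from $opts"
            problems=$((problems + 1))
        fi
        if [ "${#secret}" -lt 8 ]; then
            echo "secret for '$client' is shorter than 8 characters"; problems=$((problems + 1))
        fi
        # Address checks apply to client entries only; a reversed "server client" entry
        # (as in the post) legitimately repeats the same address.
        [ "$server" = "$server_name" ] || continue
        if [ "$ip" = "*" ]; then
            echo "entry '$client' uses '*'; give it a static address from $range instead"
            problems=$((problems + 1)); continue
        fi
        n=$(ip2int "$ip")
        if [ "$n" -lt "$lo" ] || [ "$n" -gt "$hi" ]; then
            echo "address $ip for '$client' is outside the pool $range"; problems=$((problems + 1))
        fi
        case $seen in *" $ip "*) echo "address $ip is assigned twice"; problems=$((problems + 1)) ;; esac
        seen="$seen$ip "
    done < "$secrets"
    [ "$problems" -eq 0 ]
}

# Constructed sample files under directory $1: mode "page" mirrors the post's entries,
# mode "fixed" uses static addresses and longer secrets.
write_demo_files() {
    printf '[global]\nipsec saref = yes\n[lns default]\nip range = 192.168.1.231-192.168.1.239\nlocal ip = 192.168.1.230\nrequire authentication = yes\n' > "$1/xl2tpd.conf"
    printf 'require-mschap-v2\nms-dns 192.168.1.1\nauth\nname l2tpd\nproxyarp\n' > "$1/options.xl2tpd"
    if [ "$2" = page ]; then
        printf 'username l2tpd 1234 192.168.1.231\nl2tpd username 1234 192.168.1.231\nuser2 l2tpd 123 *\n' > "$1/chap-secrets"
    else
        printf 'username l2tpd Example-Secret-01 192.168.1.231\nl2tpd username Example-Secret-01 192.168.1.231\nuser2 l2tpd Example-Secret-02 192.168.1.232\n' > "$1/chap-secrets"
    fi
}

# Stand-alone run on the post's sample entries; for the real files call
# check_l2tp_config /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd /etc/ppp/chap-secrets
d=$(mktemp -d)
write_demo_files "$d" page
check_l2tp_config "$d/xl2tpd.conf" "$d/options.xl2tpd" "$d/chap-secrets" || echo "problems found in the post's sample, as expected"
rm -rf "$d"
```

The check does not cover the last two steps (ip_forward and routing): for proxy use the server must also forward, and usually NAT, the client pool out of its public interface, which is what the routing remark above is about.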
Have fun using L2TP over IPSec.
2 comments on "L2TP on Ubuntu 10.04 LTS"
Man, could you explain the way encryption works in protocols like SSL and others? I know you will refer me to wiki, but your writing method is better than wiki. And is it the only way of passing over all kinds of filtering (as you explained the 3 phases of filtering before), or not?
Thanks for your awesome blogging ;)
Hello Abbas,
Great article.
I have a specific situation and need your help desperately with configuring IPSec.
I am planning to host my web-app infrastructure with a public VPS provider. As the VPS host's private network is accessible by all the VPSs hosted with him, and as many of my infrastructure components do not have any sort of access control/auth, I need to isolate my VPSs from those of others and let only my VPSs connect between themselves. I don't need privacy and encryption.
I figured out that IPsec with just AH and shared secret can do this by dropping packets coming from hosts who do not know the shared secret. I want such a setup to work with any number of Hosts/VPSs and ideally my virtual network should extend to all VPSs/Hosts that know the shared secret.
Any help with configuring IPSec on Ubuntu for the above purpose will be a life saver.
Thank you!