IPSEC VPN server setup on centos 6

To get access to my internal home network, I built a VPN server as an entry point into my network; here's the configuration required.

IPSEC on CentOS 6


Install the Nikoforge Repository –

rpm -ivH http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest


Install EPEL Repo –

yum -y install http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm


Install IPSEC Tools –

yum -y install ipsec-tools


*The ipsec-tools package from the Nikoforge repo is a patched version that allows the use of a wildcard ‘*’ as the IPSec identifier [1]. Not needed for Android, but required for iOS.*

Install Layer 2 Tunneling Protocol Daemon –

yum -y install xl2tpd


Create script "/etc/racoon/init.sh"

Insert the following –

#!/bin/sh
# set security policies: require ESP (transport mode) for L2TP (UDP 1701) in both directions
echo -e "flush;\n\
spdflush;\n\
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;\n\
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;\n" \
| setkey -c
# enable IP forwarding so VPN clients can reach the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward


Then set the correct permissions –

chmod 750 /etc/racoon/init.sh


Add a call of the script to rc.local –

sed --in-place '/\/etc\/racoon\/init.sh/d' /etc/rc.d/rc.local
echo /etc/racoon/init.sh >> /etc/rc.d/rc.local


IPSEC CONFIGURATION

Racoon Config "/etc/racoon/racoon.conf" (If there is one already there, back it up to .old)

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
remote anonymous
{
    exchange_mode aggressive,main;
    passive on;
    proposal_check obey;
    support_proxy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo anonymous
{
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
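As an added example (not from the original post), a small Python audit that parses the block structure of racoon.conf and flags the legacy settings the config above relies on: 3des, modp1024 (DH group 2) and IKEv1 aggressive mode. Older mobile clients may need some of these, but a defender should know they are in play. The embedded sample is a trimmed copy of the config above; the parser also handles the full file with braces on their own lines.

```python
"""Added example: audit a racoon.conf for legacy IKE/IPsec settings."""
import re
# Settings a defender would want flagged in a racoon.conf like the one above.
WEAK = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"},
    "dh_group": {"modp768", "modp1024", "1", "2"},
    "pfs_group": {"modp768", "modp1024", "1", "2"},
    "exchange_mode": {"aggressive"},  # IKEv1 aggressive mode exposes the PSK hash
}
STMT = re.compile(r"^(\w+)\s+(.*?);$")

# Constructed sample, trimmed from the racoon.conf above (not a full config).
SAMPLE_CONF = """remote anonymous {
    exchange_mode aggressive,main;
    proposal {
        encryption_algorithm 3des;
        dh_group modp1024;
    }
}
sainfo anonymous {
    encryption_algorithm aes,3des;
    pfs_group modp1024;
}
"""

def parse_statements(text):
    """Yield (block_path, key, value) for each `key value;` statement."""
    stack = []  # enclosing block headers, e.g. ["remote anonymous", "proposal"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":  # brace on its own line: header already pushed
            continue
        if line == "}":
            stack.pop()
        elif (m := STMT.match(line)):
            yield tuple(stack), m.group(1), m.group(2)
        else:  # block header, e.g. "remote anonymous" or "proposal {"
            stack.append(line.rstrip("{").strip())

def audit(text):
    """Return (block_path, key, value) for every weak value found."""
    findings = []
    for path, key, value in parse_statements(text):
        for v in (x.strip() for x in value.split(",")):
            if v in WEAK.get(key, ()):
                findings.append(("/".join(path), key, v))
    return findings
```

Run `audit(open("/etc/racoon/racoon.conf").read())` on the server to list each weak value with the block it lives in.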


Set the relevant permissions

chmod 600 /etc/racoon/racoon.conf


Racoon Pre shared Keys

Create the pre-shared keys file for IKE authentication. The first column is the IPSec identifier, the second column is the IPSec pre-shared key.

"/etc/racoon/psk.txt"

ANDROID –

myhomelan d41d8cd98f00b204e980


IOS –

* d41d8cd98f00b204e980


Set the correct permissions –

chmod 600 /etc/racoon/psk.txt


CONFIGURING L2TP DAEMON

Create file "/etc/xl2tpd/xl2tpd.conf"

[global]
ipsec saref = yes
force userspace = yes
[lns default]
local ip = 10.203.123.200
ip range = 10.203.123.201-10.203.123.210
refuse pap = yes
require authentication = yes
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd


CONFIGURING PPP

Create PPP option file "/etc/ppp/options.xl2tpd"

ms-dns 10.203.120.41
ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 10
lcp-echo-failure 100


Create the CHAP Secrets file "/etc/ppp/chap-secrets"

# client server secret IP addresses
janedoe * jd480227 *


Set the Correct permissions

chmod 600 /etc/ppp/chap-secrets


START THE SERVICES

chkconfig racoon on
chkconfig xl2tpd on
service racoon start
service xl2tpd start
/etc/racoon/init.sh


ANDROID CLIENT SETUP

NAME – ANYTHING
TYPE – L2TP/IPSec PSK
SERVER ADDRESS – IP or hostname of server
L2TP SECRET – NOT USED
IPSec IDENTIFIER – what was set in the first column of the racoon psk file
PRE-SHARED KEY – what was set in the second column of the racoon psk file


For my VPS to pass traffic through, I had to execute the following

iptables -t nat -A POSTROUTING -j MASQUERADE

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

