September 6, 2016

Tutorial for how to setup L2TP/IPSec to Authenticate off FreeRADIUS on CentOS 6


How to Setup an L2TP VPN over IPSec and authenticate with FreeRADIUS

If you need a tutorial for how to set up FreeRADIUS itself, please Click Here.

This is a simple tutorial on how to set up an L2TP-over-IPSec VPN and configure it to authenticate against your FreeRADIUS database. It works as-is on our VPS and Dedicated Servers with no special changes needed:

First we need to install a couple of repos:

CentOS 6 64Bit:

rpm -ivh http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest
yum -y install ipsec-tools

CentOS 5 64Bit:

rpm -ivh http://flexbox.sourceforge.net/centos/5/x86_64/ipsec-tools-0.7.3-4.el5.x86_64.rpm

Create the script /etc/racoon/init.sh. The two spdadd lines install kernel security policies that require ESP transport mode for every UDP datagram to or from port 1701, so L2TP that arrives outside IPSec is dropped by the kernel regardless of the firewall rules added later on:

#!/bin/sh
# set security policies
echo -e "flush;\n\
        spdflush;\n\
        spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;\n\
        spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;\n"\
        | setkey -c
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Make it executable by root only:

chmod 750 /etc/racoon/init.sh

Add a call to the script in rc.local (the sed line removes any earlier copy first, so this is safe to re-run):

sed --in-place '/\/etc\/racoon\/init.sh/d'  /etc/rc.d/rc.local
echo /etc/racoon/init.sh >> /etc/rc.d/rc.local

Create or edit the racoon configuration file /etc/racoon/racoon.conf with the following. A couple of caveats: "remote anonymous" with "passive on" answers IKE from any address. "exchange_mode aggressive" is needed for the identifier-based Android login, because in main mode with a pre-shared key the responder has to pick the key by the client's IP address before it knows the client's identity; the price is that in aggressive mode the responder's authentication hash is sent unencrypted, so anyone who observes or initiates an exchange can test candidate pre-shared keys offline. Use a long random PSK. modp1024, 3DES and SHA1 are what the iOS and Android clients of the time negotiated; racoon prefers the proposals in the order listed, so keep aes first and drop the 3des proposal if your clients allow it:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
remote anonymous
{
        exchange_mode    aggressive,main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}
sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}

Set permissions:

chmod 600 /etc/racoon/racoon.conf

Create the pre-shared key file for IKE authentication. The first column is the IPSec identifier the client presents, the second column is the IPSec pre-shared key. Use a long random key rather than a word; "mysecret" below is only a placeholder.

This is the entry needed in /etc/racoon/psk.txt for Android clients (myhomelan is whatever you type into the client's "IPSec identifier" field):

myhomelan mysecret

This is the entry needed in /etc/racoon/psk.txt for iPhone and iPad iOS clients, which identify themselves by their own (changing) IP address rather than a fixed name, so a wildcard identifier is used. Note that the wildcard means any peer may attempt IKE with this key:

* mysecret

Set permissions:

chmod 600 /etc/racoon/psk.txt
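The aggressive-mode caveat above in working code. This is an added illustration, not code from this tutorial or from racoon. In IKEv1 aggressive mode with pre-shared key authentication (RFC 2409), the responder's HASH_R goes out in its first message before anything is encrypted, and it is computed only from the PSK and values an observer sees on the wire: SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC-SHA1 for the "hash_algorithm sha1" proposals. The nonces, DH values, cookies, SA payload and ID below are constructed stand-ins, not a capture, and the candidate list is a constructed wordlist:

```python
"""Added example: offline verification of an IKEv1 aggressive-mode PSK.

Not the tutorial's or racoon's code. Shows why "exchange_mode aggressive"
with a guessable pre-shared key is weak: HASH_R (RFC 2409 s5) depends only
on the PSK and on values visible in the clear on UDP/500.
"""
import hashlib
import hmac


def ike_psk_hash_r(psk, ni_b, nr_b, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R exactly as the responder computes it for PSK authentication."""
    skeyid = hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()      # RFC 2409 s5.4
    data = gxr + gxi + cky_r + cky_i + sai_b + idir_b                  # RFC 2409 s5
    return hmac.new(skeyid, data, hashlib.sha1).digest()


# Constructed stand-ins for what an observer of the exchange sees (not a capture).
WIRE = {
    "ni_b": bytes(range(0x10, 0x20)),                       # initiator nonce
    "nr_b": bytes(range(0x30, 0x40)),                       # responder nonce
    "gxr": bytes(range(128)),                               # responder DH public, modp1024 = 128 bytes
    "gxi": bytes(range(128, 256)),                          # initiator DH public
    "cky_r": b"\xa1" * 8,                                   # responder cookie
    "cky_i": b"\xb2" * 8,                                   # initiator cookie
    "sai_b": bytes.fromhex("000000010000000100000028"),     # initiator SA payload body (truncated, constructed)
    "idir_b": b"\x01\x11\x01\xf4" + bytes([203, 0, 113, 10]),  # ID_IPV4_ADDR, udp/500, 203.0.113.10
}


def crack_psk(observed_hash_r, wire, candidates):
    """Offline dictionary test against a recorded HASH_R. Returns the PSK or None."""
    for cand in candidates:
        if hmac.compare_digest(ike_psk_hash_r(cand.encode(), **wire), observed_hash_r):
            return cand
    return None


def demo():
    # The responder answered with HASH_R under the page's placeholder key "mysecret".
    observed = ike_psk_hash_r(b"mysecret", **WIRE)
    # Constructed wordlist; nothing on the server is needed beyond the recorded exchange.
    return crack_psk(observed, WIRE, ["letmein", "vpn2016", "mysecret", "correct-horse"])


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

The recovery costs one HMAC-SHA1 per candidate, so a PSK taken from a wordlist falls in seconds; a long random key does not. Main mode avoids sending the hash in the clear, which is one reason to keep aggressive mode only for the clients that need it.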

Now let's install xl2tpd and some dependencies. First we need to install the EPEL repo:

CentOS 5 64Bit:

rpm -Uvh http://mirror.bytemark.co.uk/fedora/epel/5/x86_64/epel-release-5-4.noarch.rpm

CentOS 6 64Bit:

rpm -Uvh http://mirror.bytemark.co.uk/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install some dependencies:

yum install libpcap-devel ppp -y

And now install xl2tpd:

yum install xl2tpd -y

Open up /etc/ppp/options.xl2tpd and add the following (require-mschap-v2 forces MS-CHAPv2 over the tunnel; the two plugin lines hand authentication to RADIUS and are configured later in this tutorial):

crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
auth
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
plugin radius.so
plugin radattr.so

Open up /etc/xl2tpd/xl2tpd.conf and add the following, changing the values (the client address range and local ip) for your server:

[global]
force userspace = yes
[lns default]
        ip range = 10.1.2.2-10.1.2.255
        local ip = 10.1.2.1
        refuse chap = yes
        refuse pap = yes
        require authentication = yes
        name = l2tp
        ppp debug = yes
        pppoptfile = /etc/ppp/options.xl2tpd
        length bit = yes

We need to run these iptables commands for things to work as planned. On a stock CentOS 6 ruleset the INPUT chain ends with a REJECT rule, so appending with -A would put the new rules after it and they would never match; inserting with -I avoids that. The MASQUERADE rule is limited to the client range from xl2tpd.conf so that only VPN traffic is NATed, and since L2TP runs over UDP only, no TCP 1701 rule is needed:

iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT

Opening UDP 1701 is safe because the SPD policy from init.sh still makes the kernel drop any L2TP that is not inside ESP.

And so we don't lose them in the future, let's save them:

service iptables save

Restart xl2tpd and racoon and check that they come up without errors (both log to /var/log/messages):

service xl2tpd restart
service racoon restart

And now we need to edit /etc/sysctl.conf so that forwarding and the ICMP redirect settings persist across reboots:

Change:

net.ipv4.ip_forward = 0

To:

net.ipv4.ip_forward = 1

Now add the following to the very bottom of this file:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

Apply the edits by running this command:

sysctl -p

Now we need to set up radiusclient so that pppd authenticates against RADIUS. Let's grab the radiusclient package (the RPMforge EL5 build is used here on both CentOS versions):

wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Install it:

rpm -i radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Now open up /etc/radiusclient/servers. It should look like below; change the values to your RADIUS server's hostname or IP and its secret, which is the one specified for this client in /etc/raddb/clients.conf on your RADIUS server. This file holds a shared secret, so give it the same 600 permissions as psk.txt:

#Server Name or Client/Server pair		Key		
#----------------				---------------
#portmaster.elemental.net			hardlyasecret
#portmaster2.elemental.net	    		donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP  YOUR_RADIUS_SERVER_SECRET

Now open up the main configuration file for radiusclient, /etc/radiusclient/radiusclient.conf, and make sure it looks something like below (all the remarks stripped out; authserver and acctserver point at the standard RADIUS ports 1812 and 1813):

auth_order	radius,local
login_tries	4
login_timeout	60
nologin /etc/nologin
issue	/etc/radiusclient/issue
authserver 	RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver 	RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers		/etc/radiusclient/servers
dictionary 	/etc/radiusclient/dictionary
login_radius	/usr/sbin/login.radius
seqfile		/var/run/radius.seq
mapfile		/etc/radiusclient/port-id-map
default_realm
radius_timeout	10
radius_retries	3
login_local	/bin/login

Now save it. In the /etc/radiusclient directory there is a file called dictionary; add this line at the very bottom of it:

INCLUDE /etc/radiusclient/dictionary.microsoft

The file dictionary.microsoft is not included in the radiusclient package; you can Click Here to download it, then upload it into the /etc/radiusclient/ directory. It defines the Microsoft vendor attributes (MS-CHAP-Challenge, MS-CHAP2-Response, the MS-MPPE keys) that pppd needs in order to pass MS-CHAPv2 logins to RADIUS. On the FreeRADIUS side MS-CHAPv2 can only be verified against a cleartext or NT-hashed password (Cleartext-Password or NT-Password), so users stored with only crypt or SSHA hashes will be rejected.
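What the secret in /etc/radiusclient/servers actually does, as an added example that is not code from this tutorial, radiusclient or FreeRADIUS. It builds an Access-Request the way a RADIUS client does (RFC 2865), hides the User-Password with the shared secret, and checks the Response Authenticator on the reply, so a reply from anyone without the secret is rejected and a client with the wrong secret cannot log in. It uses PAP-style User-Password hiding for brevity; with require-mschap-v2 pppd sends the MS-CHAP attributes from dictionary.microsoft instead, but the packet framing, the Request/Response Authenticators and the role of the secret are the same. The user, password, addresses and the secret "testing123" are all constructed:

```python
"""Added example (not the tutorial's or radiusclient's code): the RADIUS
framing that the secret in /etc/radiusclient/servers protects, per RFC 2865.
All names, addresses and the secret are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret, req_auth, password):
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(secret, req_auth, hidden):
    """Inverse of hide_password; the server needs the same secret to get the password back."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(body):
    """Type/length/value walk with bounds checks (malformed lengths are an error)."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(secret, code, ident, req_auth, attrs_body):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_body))
    return hashlib.md5(header + req_auth + attrs_body + secret).digest()


def access_request(secret, ident, username, password, nas_ip, nas_port):
    """Client side, as pppd's radius plugin would send a PAP login."""
    req_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = [
        _attr(USER_NAME, username.encode()),
        _attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode())),
        _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        _attr(NAS_PORT, struct.pack("!I", nas_port)),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_reply(secret, users, packet):
    """Toy server side: recover the password with its own secret and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = unhide_password(secret, req_auth, attrs[USER_PASSWORD])
    reply = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    auth = response_authenticator(secret, reply, ident, req_auth, b"")
    return build_packet(reply, ident, auth, [])


def verify_reply(secret, req_auth, reply):
    """Client side: accept only replies authenticated with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(secret, code, ident, req_auth, reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])


def demo(client_secret=b"testing123", server_secret=b"testing123"):
    """One constructed login; returns (reply code, reply authenticator valid)."""
    users = {b"alice": b"correct-horse"}  # constructed user database
    packet, req_auth = access_request(client_secret, 7, "alice", "correct-horse", "10.1.2.1", 3)
    reply = server_reply(server_secret, users, packet)
    return reply[0], verify_reply(client_secret, req_auth, reply)
```

With matching secrets demo() yields an Access-Accept with a valid authenticator; with a client secret that does not match the server's, the server recovers garbage instead of the password and answers Access-Reject, and the client cannot even validate that reply. This is the symptom you see in /var/log/messages when the secret in /etc/radiusclient/servers and clients.conf disagree.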

Next, check that /etc/ppp/options.xl2tpd ends with these two lines (they were added above; add them if they are missing):

plugin radius.so
plugin radattr.so

And lastly, let's restart all services, run init.sh to load the IPSec policies, and enable both services at boot so all changes take effect. When you connect a client, follow /var/log/messages to see racoon, xl2tpd and pppd report each step:

service racoon restart
service xl2tpd restart
/etc/racoon/init.sh
chkconfig racoon on
chkconfig xl2tpd on

That should be it. You should now have your own L2TP/IPSec VPN server up and running and authenticating off FreeRADIUS.


2 thoughts on “Tutorial for how to setup L2TP/IPSec to Authenticate off FreeRADIUS on CentOS 6”

  1. Jack

    Hi,
    I have successfully installed the L2TP VPN on my VPS. Does it mean the only other thing I have to do is to install the radius client and modify options.xl2tpd?
    Thanks

     
