Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
docs:guide-user:services:vpn:ipsec:openswan:openswanxl2tpvpn [2020/03/17 16:12] – [Openswan L2TP/IPsec Configuration] fix intro lukepiccidocs:guide-user:services:vpn:libreswan:openswanxl2tpvpn [2023/09/02 10:10] (current) – [Notes] vgaetera
Line 1: Line 1:
-<color #ed1c24>Out of Date Package openswan No Longer Available</color>+====== Libreswan L2TP/IPsec ====== 
 +This how-to explains how to configure an openwrt router to act as an L2TP/IPsec gateway (vpn server) using xl2tpd (for L2TP) and Libreswan (for IPsec).
  
-====== Openswan L2TP/IPsec Configuration ====== +The new [[docs:guide-user:services:vpn:strongswan:start|strongSwan documentation]] is currently missing an L2TP/IPsec page. 
-This howto explains how to configure an openwrt router to act as an L2TP/IPsec gateway (vpn server) using xl2tpd (for L2TP) and openswan (for IPsec).+Use this one as a reference for the **xl2tpd** part. 
 +===== Deprecation Note ===== 
 +As of OpenWrt version 20.x.x, ipsec-tools was removed for security reasons (project abandoned http://ipsec-tools.sourceforge.net/) and will not be coming back.
  
-:!: This page is about Openswan, which is deprecatedThe new [[docs:guide-user:services:vpn:ipsec:strongswan:start|strongSwan documentation]] is currently missing an L2TP/IPsec page. Use this one as a reference for the **xl2tpd** part.+See the discussion of OpenWrt developers here https://github.com/openwrt/packages/issues/7832.
  
-===== Introduction ===== +Please use [[docs:guide-user:services:vpn:strongswan:start|strongswan]] for ipsec in OpenWrt.
- +
- +
- +
-==== Required Packages ==== +
-=== Server (OpenWrt) === +
- +
-The openwrt vpn server needs the following packages installedUse opkg or a webinterface to install the packages +
- +
-<code> +
-ipsec-tools we +
-iptables-mod-ipsec +
-kmod-crc-ccitt  +
-kmod-crc16  +
-kmod-crypto-aes  +
-kmod-crypto-arc4  +
-kmod-crypto-authenc  +
-kmod-crypto-core  +
-kmod-crypto-des  +
-kmod-crypto-hmac  +
-kmod-crypto-md5  +
-kmod-crypto-sha1  +
-kmod-ipsec  +
-kmod-ipsec4  +
-kmod-ppp +
-openswan +
-ppp +
-xl2tpd+
  
 +If you try to install Libreswan using this manual on OpenWRT > 19.07.9, you'll get an error:
 +<code bash>
 +opkg_install_cmd: Cannot install package ipsec-tools.
 </code> </code>
- 
-The openswan package might try to drag with it the kmod-openswan package, if it does manually uninstall it as we are not going  to use it and it might interfere with the default in kernel mod-ipsec module. 
- 
- 
-=== Client === 
- 
-Ipsec/l2tp support is installed per default on android and windows devices. For linux clients please consult your distributions documentation in order to find what packages they recommend. 
  
 ===== Installation ===== ===== Installation =====
-Use opkg or whatever prefered tool like webif to install the following packages.+=== Server === 
 +Install the required packages.
  
 <code bash> <code bash>
-ipsec-tools we +opkg update 
-iptables-mod-ipsec +opkg install ipsec-tools iptables-mod-ipsec kmod-crc-ccitt \ 
-kmod-crc-ccitt  +kmod-crc16 kmod-crypto-aes kmod-crypto-arc4 kmod-crypto-authenc \ 
-kmod-crc16  +kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 \ 
-kmod-crypto-aes  +kmod-crypto-sha1 kmod-ipsec kmod-ipsec4 kmod-ppp libreswan ppp xl2tpd
-kmod-crypto-arc4  +
-kmod-crypto-authenc  +
-kmod-crypto-core  +
-kmod-crypto-des  +
-kmod-crypto-hmac  +
-kmod-crypto-md5  +
-kmod-crypto-sha1  +
-kmod-ipsec  +
-kmod-ipsec4  +
-kmod-ppp +
-openswan +
-ppp +
-xl2tpd+
 </code> </code>
  
-The openswan package might try to bring in the kmod-openswan package, if it does you will have to manualy remove it so it doesnt interfere with kmod-ipsec, wich is the ipsec kernel implementation we use.+The libreswan package might try to drag with it the kmod-libreswan package, if it does manually uninstall it as we are not going to use it and it might interfere with the default in kernel mod-ipsec module. 
 + 
 +=== Client === 
 +IPsec/L2TP support is installed per default on android and windows devices. 
 +For Linux clients please consult your distributions documentation in order to find what packages they recommend.
  
 ===== Configuration ===== ===== Configuration =====
-==== Xl2tpd configuration ====+==== xl2tpd configuration ==== 
 +The L2TP protocol is related to ppp and xl2tpd makes use of pppd. 
 +So the configuration of xl2tpd includes both configuring xl2tpd as well as pppd.
  
-The l2tp protocol is related to ppp and xl2tpd makes use of pppd. So the configuration of xl2tpd includes both configuring xl2tpd as well as pppd +<code bash> 
- +/etc/xl2tpd/xl2tpd.conf
-The config file for xl2tpd is ''/etc/xl2tpd/xl2tpd.conf''+
  
-<code> 
 [global] [global]
 port = 1701 port = 1701
Line 96: Line 60:
 </code> </code>
  
-Here follows some explanations of some of the options. ''port'' tells xl2tpd what port to listen on, the default port for l2tp is 1701. ''access control'' allows us to enable or disable l2tp authentication. We disable that as the l2tp authentication is pretty weak and its redundant because we use chap auth via pppd and ipsec. +Here follows some explanations of some of the options. 
-''ip range'' tells xl2tpd what ip numbers to hand out to connecting clients. ''local ip'' the ip the openwrt server will use. ''require chap'' and ''refuse pap'' is used to disable pap and require chap authentication. ''name'' is the name of the vpn connection, this is used later on XXXXXX. ''ppp debug'' is used to toggle debug output, leave it on until it all works. ''pppoptfile'' tells xl2tpd what ppp options file it should use.+  * ''port'' tells xl2tpd what port to listen on, the default port for l2tp is 1701. 
 +  * ''access control'' allows us to enable or disable l2tp authentication. We disable that as the l2tp authentication is pretty weak and its redundant because we use chap auth via pppd and ipsec. 
 +  ''ip range'' tells xl2tpd what ip numbers to hand out to connecting clients. 
 +  * ''local ip'' the ip the openwrt server will use. 
 +  * ''require chap'' and ''refuse pap'' is used to disable pap and require chap authentication. 
 +  * ''name'' is the name of the vpn connection, this is used later on XXXXXX. 
 +  * ''ppp debug'' is used to toggle debug output, leave it on until it all works. 
 +  * ''pppoptfile'' tells xl2tpd what ppp options file it should use.
  
 The file ''/etc/ppp/options.xl2tpd'' should contain this. The file ''/etc/ppp/options.xl2tpd'' should contain this.
  
-<code>+<code bash>
 lock lock
 noauth noauth
Line 117: Line 88:
 </code> </code>
  
-The option ''ms-dns'' tells xl2tpd what dns-server it should configure clients to use, so alter this to suit your setup. The options ''mtu'' and ''mru'' might need som tweaking to suit your setup, so you avoid ip fragmentation. ''lcp-echo-failure'' and ''lcp-echo-interval'' tells xl2tpd how many echo request failures it should accept before terminating the client, and how often it should send echo requests. The option ''require-mschap-v2'' tells xl2tpd to require mschap-v2 authentication. ''nomppe'' instructs xl2tpd to reject mppe encryption as its of no use as we encapsulate the l2tp traffic in ipsec packets. +  * ''ms-dns'' tells xl2tpd what dns-server it should configure clients to use, so alter this to suit your setup. 
- +  * ''mtu'' ''mru'' might need som tweaking to suit your setup, so you avoid ip fragmentation. 
 +  * ''lcp-echo-failure'' ''lcp-echo-interval'' tells xl2tpd how many echo request failures it should accept before terminating the client, and how often it should send echo requests. 
 +  * ''require-mschap-v2'' tells xl2tpd to require mschap-v2 authentication. 
 +  * ''nomppe'' instructs xl2tpd to reject mppe encryption as its of no use as we encapsulate the L2TP traffic in IPsec packets.
  
 Add usernames and passwords and ipadresses to ''/etc/ppp/chap.secrets'' Add usernames and passwords and ipadresses to ''/etc/ppp/chap.secrets''
  
-<code>+<code bash>
 #USERNAME  PROVIDER  PASSWORD  IPADDRESS #USERNAME  PROVIDER  PASSWORD  IPADDRESS
 username vpn secret 10.1.20.32 username vpn secret 10.1.20.32
 </code> </code>
  
-Here each client needs a line, with the login username, the provider columns is the same as the name option se in ''/etc/xl2tpd/xl2tpd.conf''. A separate password for each client and then the ip address the client should have, it should be in the range configured in ''/etc/xl2tpd/xl2tpd.conf'' with the ''ip range'' option.+Here each client needs a line, with the login username, the provider columns is the same as the name option se in ''/etc/xl2tpd/xl2tpd.conf''. 
 +A separate password for each client and then the ip address the client should have, it should be in the range configured in ''/etc/xl2tpd/xl2tpd.conf'' with the ''ip range'' option.
  
-==== Openswan configuration =====+==== Libreswan configuration ===== 
 +The Libreswan configuration is pretty straightforward. 
 +The exact default config file entries have changed a bit in recent releases, but the syntax has remained the same. 
 +Libreswan is picky about whitespaces so be careful and follow the conventions as described in the ipsec.conf manpage. 
 +The config setup section contains generic settings and should only contain the following options.
  
-The openswan configuration is pretty straightforward. The exact default config file entries have changed a bit in recent releases, but the syntax has remained the same. Openswan is picky about whitespaces so be carefull and follow the conventions as described in the ipsec.conf manpage. The config setup section contains generic settings and should only contain the following options. +<code bash> 
 +# /etc/ipsec.conf
  
-''/etc/ipsec.conf'' 
- 
-<code> 
 config setup config setup
         dumpdir=/var/run/pluto         dumpdir=/var/run/pluto
Line 144: Line 120:
 </code> </code>
  
-The key options here are ''oe=off'', as android clients dont seem to support this option. The other important option is ''protostack=netkey'' that instructs openswan to use the default kernel ipsec implementation.+  * ''oe=off'', as android clients dont seem to support this option. 
 +  * ''protostack=netkey'' that instructs Libreswan to use the default kernel IPsec implementation.
  
 Then there should be a section that defines the actual ipsec connection, such as this. Then there should be a section that defines the actual ipsec connection, such as this.
  
-''/etc/ipsec.conf''+<code bash> 
 +/etc/ipsec.conf
  
-<code> 
 conn myvpn conn myvpn
  auto=add  auto=add
Line 164: Line 141:
 </code> </code>
  
-Here, ''auto=add'' tells openswan we want this connection to be active at start. ''authby=secret'' specifies that we want to use PSK, Pre Shared Key, authentication. ''pfs=no'' disables perfect forward security, android seems not to support this so i disable it. ''type=transport'' the type of ipsec connection we want, as l2tp does the tunneling all we need is transport mode to provide encryption. ''left=xxx.xxx.xxx.xx'' should be altered to reflect the public ip address of the openwrt router. ''leftprotoport=17/1701'' defines the connection to handle ip type 17, UDP and port 1701, the port used by l2tp traffic. ''right=%any'' allows the client to use any ip address. ''rightprotoport=17/%any'' allows the client to use UDP but any port, some l2tp implementations seem to use different sourceports so the %any covers that. ''rekey=no'' tells openswan NOT to initiate a rekeying, as some mobile clients seem unable to handle rekeying well. Openswan will still reply to rekeying if the client initiates it. ''keyingtries=5'' tells openswan to only try to reconnect/rekey to a client five times. This stops openswan from forever trying to bring back a failed connection.+  * ''auto=add'' tells Libreswan we want this connection to be active at start. 
 +  * ''authby=secret'' specifies that we want to use PSK. 
 +  * ''pfs=no'' disables perfect forward security, android seems not to support this so i disable it. 
 +  * ''type=transport'' the type of IPsec connection we want, as L2TP does the tunneling all we need is transport mode to provide encryption. 
 +  * ''left=xxx.xxx.xxx.xx'' should be altered to reflect the public ip address of the openwrt router. 
 +  * ''leftprotoport=17/1701'' defines the connection to handle IP type 17, UDP and port 1701, the port used by L2TP traffic. 
 +  * ''right=%any'' allows the client to use any IP address. 
 +  * ''rightprotoport=17/%any'' allows the client to use UDP but any port, some L2TP implementations seem to use different source ports so the %any covers that. 
 +  * ''rekey=no'' tells Libreswan NOT to initiate a rekeying, as some mobile clients seem unable to handle rekeying well. Libreswan will still reply to rekeying if the client initiates it. 
 +  * ''keyingtries=5'' tells Libreswan to only try to reconnect/rekey to a client five times. This stops Libreswan from forever trying to bring back a failed connection.
  
 ==== Network configuration ===== ==== Network configuration =====
 +Each client L2TP connection get its own PPP interface, so we start by defining a bunch of interfaces.
 +In this case four are defined but you can define as many as you need.
 +You do this by adding the following lines.
  
-Each client l2tp connection get its own ppp interface, so we start by defining a bunch of interfaces. In this case four are defined but you can define as many as you need. You do this by adding the following lines. +<code bash> 
- +/etc/config/network
-''/etc/config/network''+
  
-<code> 
 config 'interface' 'vpn0' config 'interface' 'vpn0'
  option 'ifname' 'ppp0'  option 'ifname' 'ppp0'
Line 194: Line 181:
 </code> </code>
  
-The next step is to group these interfaces together and allow traffic to and from the vpn. This is done by creating a zone that is made up by the vpn interfaces, and then allow traffic to flow to and form this zone. Add the following lines.+The next step is to group these interfaces together and allow traffic to and from the VPN. 
 +This is done by creating a zone that is made up by the VPN interfaces, and then allow traffic to flow to and form this zone. 
 +Add the following lines.
  
-''/etc/config/firewall''+<code bash> 
 +/etc/config/firewall
  
-<code> 
 config 'zone' config 'zone'
  option 'name' 'vpn'  option 'name' 'vpn'
Line 218: Line 207:
  option 'src' 'vpn'  option 'src' 'vpn'
  option 'dest' 'wan'  option 'dest' 'wan'
- 
 </code> </code>
  
-for a deeper understanding of what these lines do please consult the OpenWrt documentation.+For a deeper understanding of what these lines do please consult the OpenWrt documentation.
  
-In order to allow ipsec traffic trough the firewall add the following rules.+In order to allow IPsec traffic trough the firewall add the following rules. 
 + 
 +<code bash> 
 +# /etc/config/firewall
  
-''/etc/config/firewall'' 
-<code> 
 config 'rule' config 'rule'
  option 'target' 'ACCEPT'  option 'target' 'ACCEPT'
Line 252: Line 241:
  option 'proto' 'udp'  option 'proto' 'udp'
  option 'dest_port' '4500'  option 'dest_port' '4500'
- 
 </code> </code>
  
-This basicly lets ip type 50 and 51 packets trough, this is ipsec ah and esp packets. It also opens up port 500 for udp traffic, this is used for the IKE protocol that is used by ipsec to manage encryption keys. Lastly udp port 4500 is opened, this is used when ipsec operates in nat traversal mode, eg when the client is behind a nat.+This basically lets IP type 50 and 51 packets trough, this is IPsec ah and esp packets. 
 +It also opens up port 500/udp traffic, this is used for the IKE protocol that is used by IPsec to manage encryption keys. 
 +Lastly port 4500/udp is opened, this is used when ipsec operates in NAT traversal mode, e.g. when the client is behind a NAT.
  
-The last thing we need to do is allow l2tp traffic through the firewall. We can not just open up udp port 1702 like we have done for the ipsec traffic. This would allow pure l2tp traffic trough and that is not acceptable as l2tp is unencrypted and uses somewhat weak mschapv2 authentication.+The last thing we need to do is allow L2TP traffic through the firewall. 
 +We can not just open up udp port 1702 like we have done for the ipsec traffic. 
 +This would allow pure l2tp traffic trough and that is not acceptable as l2tp is unencrypted and uses somewhat weak mschapv2 authentication.
  
 The solution is to add a custom firewall rule that only allows udp traffic on port 1702 that have been delivered with ipsec encryption. The solution is to add a custom firewall rule that only allows udp traffic on port 1702 that have been delivered with ipsec encryption.
  
-''/etc/firewall.user'' +<code bash> 
- +/etc/firewall.user
-<code>+
 iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT iptables -I INPUT 1 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
 </code> </code>
  
-Backfire have had some issues with automatically bringing up the vpn zone in the firewall, but it seems to work in trunk. In order to fix this i have just used a simple line in rc.local that brings up the vpn zone. After it has been brought up once it seems to work just fine.+Backfire have had some issues with automatically bringing up the VPN zone in the firewall, but it seems to work in trunk. 
 +In order to fix this i have just used a simple line in ''rc.local'' that brings up the VPN zone. 
 +After it has been brought up once it seems to work just fine.
  
-''/etc/rc.local'' +<code bash> 
- +/etc/rc.local 
-<code> +Apply for each VPN interface to make firewall work properly with VPN connections
-needed to make firewall work ok with vpn connections+
 ifup vpn0 ifup vpn0
 </code> </code>
- 
-Each vpn[x] interface that has been added needs to be activated using "ifup". Not only "vpn0". 
- 
- 
  
 ==== Client configuration ==== ==== Client configuration ====
-=== Linux === 
 Mount manually: Mount manually:
-<code>+ 
 +<code bash>
 sudo mount 192.168.1.254:/mnt/share1 /home/sandra/nfs_share sudo mount 192.168.1.254:/mnt/share1 /home/sandra/nfs_share
 </code> </code>
  
-Or mount permanently with entries in the ''/etc/fstab'' on each client PC: +Or mount permanently with entries on each client PC: 
-<code>+<code bash> 
 +# /etc/fstab
 # Intranet # Intranet
 192.168.1.254:/mnt/sda2 /media/openwrt    nfs     ro,async,auto    0       0 192.168.1.254:/mnt/sda2 /media/openwrt    nfs     ro,async,auto    0       0
Line 295: Line 284:
 </code> </code>
  
-Check the [[http://linux.die.net/man/8/mount|manpage for mount]]. +Check the [[man>mount]].
- +
-=== Windows === +
- +
-=== Mac OS X === +
- +
- +
-===== Examples ===== +
- +
-   * [[doc:howto:packet.scheduler:packet.scheduler.example1|Example1: Traffic Prioritizing with PRIO]] +
-   * [[doc:howto:packet.scheduler:packet.scheduler.example3|Example3: traffic shaping and prioriziting for multiple users with HFSC]] +
- +
-===== Start on boot ===== +
-To enable/disable start on boot:\\ +
-''/etc/init.d/umurmur enable''  this simply creates a symlink: ''/etc/rc.d/S90umurmur -> /etc/init.d/umurmur''\\ +
-''/etc/init.d/umurmur disable'' this removes the symlink again\\ +
- +
-===== Administration ===== +
-TODO+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-If you get something like this: +<code bash
-<code> +nft list ruleset
-Try `iptables -h' or 'iptables --help' for more information.+
 </code> </code>
-then bla bla bla 
  
 ===== Notes ===== ===== Notes =====
-  * The Project Homepage: [[http://mumble.sourceforge.net/]] +  * The Project Homepage: [[https://libreswan.org/]] 
-  * very good tutorial: [[http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html]]+  * Configuration examples: [[https://libreswan.org/wiki/Configuration_examples]] 
 +  * very good tutorial: [[http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html]]
  
  • Last modified: 2023/09/02 10:10
  • by vgaetera