Set up IPsec
Set up networking
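# Kernel settings for an L2TP/IPsec gateway: enable forwarding, ignore and
# stop sending ICMP redirects, and disable reverse-path filtering.
# rp_filter=0 removes the kernel's anti-spoofing check on these interfaces,
# so the firewall section below is what limits which traffic is forwarded.
# Appending with >> is not idempotent: run this once.
cat <<'EOF' >>/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF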
NOTE: On DigitalOcean, also:
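# The ip_vti0 interface also needs reverse-path filtering off.
cat <<'EOF' >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF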
Reload config:
# Apply the settings appended to /etc/sysctl.conf without rebooting.
sysctl -p
Install Libreswan
Install dependencies:
# Build dependencies for Libreswan: NSS/NSPR, PAM, capabilities, SELinux,
# curl, GMP and unbound headers plus the flex/bison/gcc/make toolchain.
apt-get install -y \
  libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev \
  libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev \
  flex bison gcc make libunbound-dev libnss3-tools
Build and install Libreswan:
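# Fetch and build Libreswan from source. Check the tarball against the
# checksum/signature published for the release before building it, and
# prefer the current upstream release over the version pinned here.
wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
# Chain on cd so make never runs in the wrong directory if the extract failed.
cd libreswan-3.12 && make programs && make install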
Set up Libreswan
Set up pre-shared key authentication:
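# L2TP/IPsec connection definitions authenticated with a pre-shared key.
# The quoted heredoc delimiter keeps the file content literal.
cat <<'EOF' >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    # (pfs=no is a client-compatibility trade-off: IPsec SA keys are derived
    # from the IKE SA without a fresh DH exchange.)
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the
    # default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any
EOF

# Pull the connection file into the main configuration.
cat <<'EOF' >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF

# One PSK shared by every peer (%any). Replace the placeholder with a long
# random value; the quoted delimiter stops the shell from expanding
# characters such as $ or backticks inside the key.
cat <<'EOF' >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
# The secrets file must not be readable by other users.
chmod 600 /etc/ipsec.secrets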
NOTE: On Ubuntu 14.04, also:
# Initialise the NSS database Libreswan keeps its key material in.
ipsec initnss
Start IPsec
NOTE: On Debian jessie, first:
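# Enable the unit at boot, then start IPsec and run Libreswan's self-checks
# (ipsec verify reports on the sysctl settings above, among other things).
# NOTE(review): this section is about IPsec, yet the unit enabled is xl2tpd —
# confirm whether ipsec.service was intended here.
systemctl enable xl2tpd.service
ipsec setup start
ipsec verify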
Set up PPP
Install PPP
# L2TP daemon; the PPP side is configured below.
apt-get install -y xl2tpd
Set up PPP
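# xl2tpd: a single LNS handing out 10.1.10.x addresses. Plain CHAP and PAP
# are refused and authentication is mandatory; PPP options come from
# /etc/ppp/xl2tpd-options (written below).
cat <<'EOF' >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF

# Start from the stock PPP options, require MS-CHAPv2 and push public DNS
# resolvers to clients (see the note below about using local DNS servers).
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<'EOF' >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF

# PPP credentials, one "client server secret ip" line per user. Replace the
# placeholders; the quoted delimiter keeps the shell from expanding any
# special characters in the password.
cat <<'EOF' >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
# The credentials file must not be readable by other users.
chmod 600 /etc/ppp/chap-secrets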
NOTE: May have to use local DNS servers.
Start PPP
On Ubuntu 14.04:
# SysV init on Ubuntu 14.04; the systemd equivalent follows below.
/etc/init.d/xl2tpd start
On Debian jessie:
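# Enable at boot and start now (two separate commands; run on one line the
# second command's words would be taken as extra unit names).
systemctl enable xl2tpd.service
systemctl start xl2tpd.service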
Set up firewall
To apply the rule immediately:
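# NAT for VPN clients. The --source match limits masquerading to the
# address range xl2tpd hands out (10.1.10.2-10.1.10.255); keep the two in
# sync if the range changes. Without it every forwarded packet is NATed.
iptables --table nat --append POSTROUTING --source 10.1.10.0/24 --jump MASQUERADE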
To make the rule persist across reboots:
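# Re-apply the NAT rule at boot. rc.local conventionally ends with
# `exit 0`; a line appended after it never runs, so check the file and
# place the rule before that line (or use a persistent firewall mechanism).
# --source keeps NAT limited to the xl2tpd client range.
cat <<'EOF' >>/etc/rc.local
iptables --table nat --append POSTROUTING --source 10.1.10.0/24 --jump MASQUERADE
EOF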