This is a only version

Found at: raymii.org:70/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.txt

This is a text-only version of the following page on https://raymii.org:
Title       : 	IPSEC L2TP VPN on CentOS 6 / Red Hat Enterprise Linux 6 / Scientific Linux 6
Author      : 	Remy van Elst
Date        : 	01-12-2014
URL         : 	https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html
Format      : 	Markdown/HTML

This is a guide on setting up a IPSEC/L2TP vpn on CentOS 6 or Red Hat Enterprise
Linux 6 or Scientific Linux 6 using Openswan as the IPsec server, xl2tpd as the
l2tp provider and ppp for authentication. We choose the IPSEC/L2TP protocol
stack because of recent vulnerabilities found in pptpd VPN's.

IPSec encrypts your IP packets to provide encryption and authentication, so no
one can decrypt or forge data between your clients and your server. L2TP
provides a tunnel to send data. It does not provide encryption and
authentication though, that is why we need to use it together with IPSec.

### Why a VPN?

More than ever, your freedom and privacy when online is under threat.
Governments and ISPs want to control what you can and can't see while keeping a
record of everything you do, and even the shady-looking guy lurking around your
coffee shop or the airport gate can grab your bank details easier than you may
think. A self hosted VPN lets you surf the web the way it was intended:
anonymously and without oversight.

A VPN (virtual private network) creates a secure, encrypted tunnel through which
all of your online data passes back and forth. Any application that requires an
internet connection works with this self hosted VPN, including your web browser,
email client, and instant messaging program, keeping everything you do online
hidden from prying eyes while masking your physical location and giving you
unfettered access to any website or web service no matter where you happen to
live or travel to.

This tutorial is available for the following platforms:

  * [Raspberry Pi with Arch Linux ARM][1]

  * [CentOS 7, Scientific Linux 7 or Red Hat Enterprise Linux 7 (IKEv2,no L2TP)][2]

  * [CentOS 6, Scientific Linux 6 or Red Hat Enterprise Linux 6][3]

  * [Ubuntu 16.04, (IKEv2,no L2TP)][4]

  * [Ubuntu 15.10, (IKEv2,no L2TP)][5]

  * [Ubuntu 15.04, (IKEv2,no L2TP)][6]

  * [Ubuntu 14.04 LTS][7]

  * [Ubuntu 13.10][8]

  * [Ubuntu 13.04][9]

  * [Ubuntu 12.10][10]

  * [Ubuntu 12.04 LTS][11]

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

To work trough this tutorial you should have:

  * 1 CentOS 6 server with at least 1 public IP address and root access
  * 1 (or more) clients running an OS that support IPsec/L2tp vpn's (Ubuntu, Mac OS, Windows, Android).
  * Ports 1701 TCP, 4500 UDP and 500 UDP opened in the firewall.

I do all the steps as the root user. You should do to, but only via `sudo-i` or
`su -`. Do not allow root to login via SSH!

#### Install and downgrade the packages

Install wget and bind-utils (for the host command):

    yum install wget bind-utils

[Install the EPEL repository for the xl2tpd package][13]. ([More info about

    wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
    rpm -ivh ./epel-release-6-8.noarch.rpm

Note that the version of `epel-release` might not be 6.8, but 6.9. Change

Now install the required packages, _openswan_ for ipsec, _xl2tpd_ for the l2tp
and _ppp_ for the authentication:

    yum install openswan xl2tpd ppp lsof

[Because of a bug in openswan 2.6.32 release 19.el6_3][15] we need to downgrade
`openswan` to version `2.6.32 release 16.el6`. We do this by executing the
following command two times (or, until we are on `2.6.32 R 16.el6`):

    yum downgrade openswan
    ---> Package openswan.i686 0:2.6.32-18.el6_3 will be a downgrade
    ---> Package openswan.i686 0:2.6.32-19.el6_3 will be erased
    yum downgrade openswan
    ---> Package openswan.i686 0:2.6.32-16.el6 will be a downgrade
    ---> Package openswan.i686 0:2.6.32-18.el6_3 will be erased

If you cannot downgrade to this version your repo does not have that many older
package versions available. [You can download it from here for x86][16] or [from
here for x64][17]. You can install it afterwards with `rpm -i

#### Firewall and sysctl

We are going to set the firewall and make sure the kernel forwards IP packets:

Execute this command to enable the iptables firewall to allow the vpn:

    iptables --table nat --append POSTROUTING --jump MASQUERADE

Execute the below commands to enable kernel IP packet forwarding and disable ICP

    echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
    echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
    echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
    for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
     sysctl -p

##### /etc/rc.local

To make sure this keeps working at boot you might want to add the following to
_/etc/rc.local_ :

    for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%

Add it before the `exit 0` line and replace %SERVERIP% with the external IP of
your VPS.

#### Configure Openswan (IPSEC)

Use your favorite editor to edit the following file:


Below is the contents of mine. Most lines have a comment below it explaining
what it does.

    version 2 # conforms to second version of ipsec.conf specification
    config setup
        #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
        #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
        #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
        #decide which protocol stack is going to be used.
        # Send a keep-alive packet every 60 seconds.
    conn L2TP-PSK-noNAT
        #shared secret. Use rsasig for certificates.
        #Disable pfs
        #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
        #Only negotiate a conn. 3 times.
        # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
        #because we use l2tp as tunnel protocol
        #fill in server IP above
        # Dead Peer Dectection (RFC 3706) keepalives delay
        #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
        # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

##### The shared secret

The shared secret is defined in the _/etc/ipsec.secrets_ file. Make sure it is
long and random:

    %SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

And don't forget to change `%SERVERIP%` to the public IP of your server.

##### Verify

Now to make sure IPSEC works, execute the following command:

     ipsec verify

My output looks like this:

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                                 [OK]
    Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)
    Checking for IPsec support in kernel                            [OK]
     SAref kernel support                                           [N/A]
     NETKEY:  Testing for disabled ICMP send_redirects              [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
    Testing against enforced SElinux mode                           [OK]
    Checking that pluto is running                                  [OK]
     Pluto listening for IKE on udp 500                             [OK]
     Pluto listening for NAT-T on udp 4500                          [OK]
    Two or more interfaces found, checking IP forwarding            [OK]
    Checking NAT and MASQUERADEing                                  [OK]
    Checking for 'ip' command                                       [OK]
    Checking /bin/sh is not /bin/dash                               [OK]
    Checking for 'iptables' command                                 [OK]
    Opportunistic Encryption Support                                [DISABLED]

#### Configure xl2tpd

Use your favorite editor to edit the following file:


Below is the contents of mine. Most lines have a comment below it explaining
what it does.

    ipsec saref = yes
    force userspace = yes
    [lns default]
    ip range =
    local ip =
    refuse pap = yes
    require authentication = yes
    ppp debug = no
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

  * force userspace = because of the bug which why we also need to downgrade ipsec
  * ip range = range of IP's to give to the connecting clients
  * local ip = IP of VPN server
  * refuse pap = refure pap authentication
  * ppp debug = yes when testing, no when in production

#### Local user (PAM//etc/passwd) authentication

To use local user accounts via pam (or /etc/passwd), and thus not having plain
text user passwords in a text file you have to do a few extra steps. Huge thanks
to `Sascha Scandella` for the hard work and troubleshooting.

In your `/etc/xl2tpd/xl2tpd.conf` add the following line:

    unix authentication = yes

and remove the following line:

    refuse pap = yes

In the file `/etc/ppp/options.xl2tpd` make sure you do not add the following
line (below it states to add it, but not if you want to use UNIX


Also in that file (`/etc/ppp/options.xl2tpd`) add the following extra line:


Change `/etc/pam.d/ppp` to this:

    auth    required        pam_nologin.so
    auth    required        pam_unix.so
    account required        pam_unix.so
    session required        pam_unix.so

Add the following to `/etc/ppp/pap-secrets`:

    *       l2tpd           ""              *

(And, skip the `chap-secrets` file below (adding users).)

#### Configuring PPP

Use your favorite editor to edit the following file:


Below is the contents of mine. Most lines have a comment below it explaining
what it does.

    mtu 1200
    mru 1000
    name l2tpd
    lcp-echo-interval 30
    lcp-echo-failure 4

  * ms-dns = The dns to give to the client. I use google's public DNS.
  * proxyarp = Add an entry to this system's ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
  * name l2tpd = is used in the ppp authentication file.

#### Adding users

Every user should be defined in the _/etc/ppp/chap-secrets_ file. Below is an
example file.

    # Secrets for authentication using CHAP
    # client       server  secret                  IP addresses
    alice          l2tpd   0F92E5FC2414101EA            *
    bob            l2tpd   DF98F09F74C06A2F             *

  * client = username for the user
  * server = the name we define in the ppp.options file for xl2tpd
  * secret = password for the user
  * IP Address = leave to * for any address or define addresses from were a user can login.

#### Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

    /etc/init.d/ipsec restart;  
    /etc/init.d/xl2tpd restart

On the client connect to the server IP address (or add a DNS name) with a valid
user, password and the shared secret. Test if you have internet access and which
IP you have (via for example [whatsmyip.org][18]. ). If it is the VPN servers IP
then it works.

Another nice test is to connect multiple clients of which one has a webserver.
Make sure it only listens on a VPN IP (172.16.1.xxx in above example). Test if
you can access it only via the VPN.

If you experience problems make sure to check the client log files and the
ubuntu _/var/log/secure_ file. If you google the error messages you most of the
time get a good answer.

   [1]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_a_Raspberry_Pi_with_Arch_Linux.html
   [2]: https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
   [3]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html
   [4]: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
   [5]: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_15.10.html
   [6]: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_15.04.html
   [7]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
   [8]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_13.10.html
   [9]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_13.04.html
   [10]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_12.10.html
   [11]: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_12.04.html
   [12]: https://www.digitalocean.com/?refcode=7435ae6b8212
   [13]: http://download.fedoraproject.org/pub/epel/6/i386/repoview/epel-release.html
   [14]: https://fedoraproject.org/wiki/EPEL
   [15]: http://bugs.centos.org/view.php?id=5832
   [16]: https://raymii.org/s/inc/software/openswan-2.6.32-16.el6.i686.rpm
   [17]: https://raymii.org/s/inc/software/openswan-2.6.32-16.el6.x86_64.rpm
   [18]: http://whatsmyip.org


All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see .

Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.