Johann Schmitz

The following guide shows how to build an IPsec-capable VPN client on Gentoo:

Required kernel settings

Loadable module support --->
  [*] Enable loadable module support
  [*]   Module unloading
  [*]     Forced module unloading
  [*]   Module versioning support
  [*]   Source checksum for all modules
  [*]   Automatic kernel module loading

Networking --->
  Networking options --->
    <*> Packet socket
    <*> Unix domain sockets
    <M> IPsec user configuration interface
    <M> PF_KEY sockets
    [*] TCP/IP networking
    [*] IP: multicasting
    [*] IP: advanced router
    [*] IP: TCP syncookie support (disabled per default)
    <M> IP: ESP transformation
    <M> IP: IPComp transformation
    <M> IP: tunnel transformation
    <M> INET: socket monitoring interface
    [*] Network packet filtering (replaces ipchains) --->

Device Drivers --->
  Network device support --->
    [*] Network device support
    <M> PPP (point-to-point protocol) support
    <M>   PPP support for async serial ports
    <M>   PPP support for sync tty ports
    <M>   PPP Deflate compression
    <M>   PPP BSD-Compress compression

Cryptographic options --->
  --- Cryptographic API
  ---   HMAC support
  <M>   MD5 digest algorithm
  <M>   DES and Triple DES EDE cipher algorithms
  <M>   AES cipher algorithms
  <M>   AES cipher algorithms (i586)
  <M>   SHA1 digest algorithm

Required packages

  • net-misc/openswan
  • net-firewall/ipsec-tools
  • net-dialup/xl2tpd

Configuration

First we configure IPsec via /etc/ipsec/ipsec.conf:

# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.15/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0


# Add connections here

conn my-vpn
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport
        #
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=your.ip.addr.ess
        left=%defaultroute
        leftid=@my-access
        leftnexthop=<LOCAL-GATEWAY>
        #
        leftprotoport=17/1701
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=88.198.54.131
        #
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # 'auto=start' brings this connection up when the ipsec service starts;
        # use 'add' to only load it, or 'ignore' to disable it.
        #
        auto=start



# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

Next we configure the pre-shared keys (PSK) for the IPsec layer in /etc/ipsec/ipsec.secrets.

@my-access <SERVER-EXTERNAL-IP>: PSK "<PSK-FROM-SERVER>"

In the next step we configure the tunnel. For that we first adjust /etc/xl2tpd/xl2tpd.conf:

[lac my-vpn]
lns = <SERVER-EXTERNAL-IP>
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication!
name = <USER>
ppp debug = yes
pppoptfile = /etc/ppp/options
length bit = yes
autodial = yes
redial = yes
redial timeout = 5

The file /etc/ppp/options:

debug
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
#idle 1800
mtu 1410
mru 1410
#defaultroute
nodefaultroute
#usepeerdns
noipdefault
lock
#proxyarp
connect-delay 5000

Finally, the users are configured in /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client    server  secret          IP addresses

user1 * "pass1"
* user1 "pass1"

Finally, start the xl2tpd and ipsec daemons.
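The following start script is an added example and not part of the original guide. It checks that the two files holding the PSK and the CHAP password are readable by root only, starts ipsec, waits until the kernel reports an ESP SA to the server address from ipsec.conf, and only then starts xl2tpd (autodial=yes in xl2tpd.conf dials the connection itself). It assumes Gentoo's init scripts /etc/init.d/ipsec and /etc/init.d/xl2tpd and that the script is saved as start-vpn.sh.

```shell
#!/bin/sh
# Added example, not from the original guide: check that the files holding the
# IPsec PSK and the CHAP password are readable by root only, then start the
# daemons in the order the guide implies (IPsec first, then xl2tpd).
# Paths and server address come from the guide; init script names are assumed.

IPSEC_SECRETS=/etc/ipsec/ipsec.secrets
CHAP_SECRETS=/etc/ppp/chap-secrets
SERVER_IP=88.198.54.131

# 0 if the file exists and grants no group/other permission bits, else 1.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other columns of "-rw-------"
    [ "$perms" = "------" ]
}

# Check every file given as argument; print a hint for each one that fails.
check_secret_files() {
    rc=0
    for f in "$@"; do
        if secret_file_is_private "$f"; then
            echo "ok:   $f"
        else
            echo "FAIL: $f missing or readable by group/other (chmod 600 $f)" >&2
            rc=1
        fi
    done
    return $rc
}

# Poll up to 30 s for an ESP SA towards the server ("ip xfrm state" prints
# "src ... dst <server>" for each SA). Returns 1 on timeout.
wait_for_sa() {
    i=0
    while [ "$i" -lt 30 ]; do
        ip xfrm state 2>/dev/null | grep -qF "dst $SERVER_IP" && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

start_vpn() {
    check_secret_files "$IPSEC_SECRETS" "$CHAP_SECRETS" || return 1
    /etc/init.d/ipsec start || return 1
    wait_for_sa || { echo "no IPsec SA to $SERVER_IP, not starting L2TP" >&2; return 1; }
    # autodial=yes in xl2tpd.conf dials [lac my-vpn] as soon as xl2tpd runs.
    /etc/init.d/xl2tpd start
}

if [ "${0##*/}" = "start-vpn.sh" ]; then start_vpn; fi   # not when sourced
```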