User:Leo/IPSec Test Configuration Guide

From Opennet

This page describes how to, for testing purposes,

  • install/configure L2TP
  • install/configure IPSec


Guide

Tasks
a) Set up the L2TP server on gai: (see /etc/xl2tpd/* and /etc/ppp/options.l2tpd)
b)* Set up the Linux client: (see /etc/xl2tpd/* and /etc/ppp/options.l2tpd)
-- start the client with:
    xl2tpd -D
    echo "c gai" > /var/run/xl2tpd/l2tp-control
-- the ppp0 interface is now present, with fe80::1/10 on gai and fe80:......./10 on the client
-- test from the client: ping6 -I ppp0 fe80::1
c) Configure global IPv6 addresses
    gai:    ip -6 addr add 2001:67c:1400:2431::245/64 dev ppp0
    client: ip -6 addr add 2001:67c:1400:2431::99/64 dev ppp0
d)* Extend with IPSec: (see the example at https://wiki.archlinux.org/index.php/StrongSwan)
    -- generate certs, see the tutorial
    -- start ipsec in the foreground:    ipsec start --nofork

e)* Add OpenWRT: https://wiki.openwrt.org/doc/howto/vpn.ipsec.basics
    -- strongswan is compiled on minato in ~/trunk/tmp/. From there, first install the new firmware and then install strongswan via opkg

            scp -r minato:/home/leo/trunk/tmp/on_firmware/openwrt/bin/ar71xx/packages .

        insert the following opkg source lines:
            src/gz oni_chaos_calmer_base http://172.16.0.207/packages/base
            src/gz oni_chaos_calmer_packages http://172.16.0.207/packages/packages
            src/gz oni_chaos_calmer_routing http://172.16.0.207/packages/routing
            src/gz oni_chaos_calmer_luci http://172.16.0.207/packages/luci

    -- install strongswan-default (many packages, but this seems necessary: charon, hashes, crypto algos, ...), see also f)
    -- first configuration attempt (see e)) failed, because the OpenWRT LuCI config only supports PSK according to https://wiki.openwrt.org/doc/uci/ipsec ; TODO verify in detail
    -- test whether x509 is compiled in. Do without the automation and do everything by hand: create ipsec.conf manually (see the template on the Linux PC). Temporarily enable/disable the firewall

    -- ipsec test
          scp /etc/ipsec.d/certs/ClientCert.pem defgw:/etc/ipsec.d/certs/ClientCert.pem
          scp /etc/ipsec.d/cacerts/strongswanCert.pem defgw:/etc/ipsec.d/cacerts/strongswanCert.pem
          sudo scp /etc/ipsec.secrets defgw:/etc/ipsec.secrets   (root privileges needed here)
          scp /tmp/ClientKey.pem defgw:/etc/ipsec.d/private/ClientKey.pem
          chmod 600 /etc/ipsec.d/private/ClientKey.pem

          09[IKE] configured DH group ECP_256 not supported

    ipsec.conf crypto algos changed to

        ike=aes128-sha256-modp2048
        esp=aes128-sha256-modp2048


    ip6tables -A input_rule -p esp -j ACCEPT
    ip6tables -A input_rule -p udp --dport 500 -j ACCEPT
    ip6tables -A input_rule -p udp --dport 4500 -j ACCEPT


    02[KNL] received netlink error: Function not implemented (89)

    02[KNL] unable to add SAD entry with SPI ca1c6bd4

    -- https://wiki.strongswan.org/issues/718

    crypto algos in ipsec.conf changed to (modp2048 is apparently not supported by the kernel):

        ike=aes128-sha1-modp1536
        esp=aes128-sha1-modp1536

    now the tunnel is also established successfully!!!! YEAH!!!
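An added pre-flight check, not part of the original notes: before changing proposals by trial and error, this POSIX shell script tests whether the kernel provides the cipher and integrity transforms an esp= proposal needs, since the SA is installed in the kernel and "received netlink error: Function not implemented" is what xfrm returns when a requested SA algorithm is missing there (the DH group is negotiated by charon in userspace and needs no kernel support). The /proc/crypto excerpt is constructed to mirror the module list under f), where sha1 and md5 are present but no sha256 module; the function names are my own.

```shell
#!/bin/sh
# Pre-flight check for a strongSwan esp= proposal: does the kernel crypto API
# provide the cipher and integrity transforms the SA will need? Added example,
# not from the Opennet notes. Only cipher/integrity are checked; the DH group
# (modp*/ecp*) is handled by charon in userspace.

# Map a strongSwan esp= token to its kernel crypto API name; prints nothing
# for tokens that are not kernel transforms (e.g. the DH group modp1536).
esp_to_kernel() {
    case "$1" in
        aes128|aes192|aes256)     echo "cbc(aes)" ;;
        aes128gcm16|aes256gcm16)  echo "rfc4106(gcm(aes))" ;;
        3des)                     echo "cbc(des3_ede)" ;;
        sha1)                     echo "hmac(sha1)" ;;
        sha256)                   echo "hmac(sha256)" ;;
        sha384)                   echo "hmac(sha384)" ;;
        sha512)                   echo "hmac(sha512)" ;;
        md5)                      echo "hmac(md5)" ;;
    esac
}

# missing_transforms PROPOSAL LISTING
# LISTING is the text of /proc/crypto. Prints the kernel names the proposal
# needs but the listing lacks, one per line (nothing if all are present).
missing_transforms() {
    names="$(printf '%s\n' "$2" | awk -F': ' '$1 ~ /^name/ {print $2}')"
    for token in $(printf '%s\n' "$1" | tr '-' ' '); do
        kname="$(esp_to_kernel "$token")"
        [ -n "$kname" ] || continue
        printf '%s\n' "$names" | grep -qxF "$kname" || echo "$kname"
    done
}

# Constructed /proc/crypto excerpt mirroring the OpenWRT module list under f):
# kmod-crypto-aes/-cbc/-hmac/-sha1/-md5/-des are installed, sha256 is not.
SAMPLE_PROC_CRYPTO='name         : cbc(aes)
driver       : cbc(aes-generic)
name         : hmac(sha1)
driver       : hmac(sha1-generic)
name         : hmac(md5)
driver       : hmac(md5-generic)
name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)'

# On the live box pass "$(cat /proc/crypto)" instead of the sample listing.
for p in aes128-sha256-modp2048 aes128-sha1-modp1536; do
    m="$(missing_transforms "$p" "$SAMPLE_PROC_CRYPTO")"
    [ -n "$m" ] && echo "$p: kernel lacks $(echo "$m" | tr '\n' ' ')" || echo "$p: ok"
done
```

With the sample listing the first proposal is reported as lacking hmac(sha256) and the second (the one that finally worked above) as ok.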




    -- xl2tp test
Configuring kmod-udptunnel4.
Configuring kmod-udptunnel6.
Configuring kmod-l2tp.
Configuring kmod-lib-crc-ccitt.
Configuring kmod-slhc.
Configuring kmod-ppp.
Configuring kmod-pppox.
Configuring resolveip.
Configuring kmod-pppol2tp.
Configuring ppp-mod-pppol2tp.
Configuring xl2tpd.

    -- old guide, see https://wiki.openwrt.org/inbox/openswanxl2tpvpn

d2) Extend with OLSRv2

e2) Check: does l2tp run in kernel space? Should be visible when xl2tpd starts (see logread)

g)* Several nodes in series.


Re a)
----------
root@gai:/etc# cat xl2tpd/xl2tpd.conf
[global]
port = 1701
auth file = /etc/l2tpd/l2tp-secrets
rand source = dev

[lns default]
assign ip = no                          ; * Only permit one tunnel per host
require chap = yes
refuse pap = yes
require authentication = yes
unix authentication = no
name = gai
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
----------
root@gai:/etc# cat xl2tpd/l2tp-secrets 
gai         lini        XXXXXXXXX
--------------
root@gai:/etc# cat ppp/options.l2tpd 
refuse-eap
noccp
noauth
nodefaultroute
crtscts
idle 1800
mtu 1410
mru 1410
lock
connect-delay 5000
+ipv6
ipv6 ::1,::2
ipv6cp-accept-local

Re b)
-----------------
leo@lini:/etc/xl2tpd$ cat xl2tpd.conf
[lac gai]
lns = gai.on-i.de
redial = yes
redial timeout = 15
require authentication = yes
refuse pap = yes
require chap = yes                                    ; * Require CHAP auth. by peer
name = lini                                                  ; * Report this as our hostname
ppp debug = no                                               ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd
---------------------
leo@lini:/etc/xl2tpd$ sudo cat l2tp-secrets 
lini        gai        XXXXXX
---------------------
leo@lini:/etc/xl2tpd$ cat ../ppp/options.l2tpd 
refuse-eap
noccp
noauth
nodefaultroute
crtscts
idle 1800
mtu 1410
mru 1410
lock
connect-delay 5000
+ipv6
ipv6cp-accept-local
debug

Re c)



Re e)
#/etc/config/ipsec

config 'ipsec'
#  option 'zone' 'wan'
  option 'debug' '1'

config 'remote' 'gai'
  option 'enabled' '1'
  option 'gateway' '2001:67c:1400:2430::1'

  #according to https://wiki.openwrt.org/doc/uci/ipsec psk is currently the only supported method :(
  #TODO double-check
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'

  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

  #are the following options supported?
  type=transport
  keyexchange=ikev2
  auto=route


config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'sha1'

--------------------------------

Re f)

Configuring kmod-crypto-aead.
Configuring kmod-crypto-hash.
Configuring kmod-crypto-pcompress.
Configuring kmod-crypto-manager.
Configuring kmod-crypto-rng.
Configuring kmod-crypto-wq.
Configuring kmod-crypto-iv.
Configuring kmod-lib-zlib.
Configuring kmod-crypto-deflate.
Configuring kmod-crypto-md5.
Configuring kmod-crypto-authenc.
Configuring kmod-crypto-des.
Configuring kmod-crypto-hmac.
Configuring kmod-crypto-sha1.
Configuring kmod-crypto-cbc.
Configuring kmod-ipsec.
Configuring kmod-iptunnel4.
Configuring kmod-ipsec4.
Configuring kmod-iptunnel6.
Configuring kmod-ipsec6.
Configuring kmod-ipt-ipsec.
Configuring iptables-mod-ipsec.
Configuring strongswan.
Configuring strongswan-mod-constraints.
Configuring strongswan-mod-sha1.
Configuring strongswan-mod-sha2.
Configuring strongswan-mod-pem.
Configuring strongswan-mod-rc2.
Configuring strongswan-mod-aes.
Configuring strongswan-mod-pgp.
Configuring strongswan-mod-sshkey.
Configuring strongswan-mod-xcbc.
Configuring strongswan-mod-random.
Configuring strongswan-mod-pkcs1.
Configuring strongswan-mod-dnskey.
Configuring strongswan-utils.
Configuring strongswan-mod-hmac.
Configuring strongswan-charon.
Configuring strongswan-mod-des.
Configuring strongswan-mod-fips-prf.
Configuring strongswan-mod-socket-default.
Configuring strongswan-mod-resolve.
Configuring strongswan-mod-pubkey.
Configuring strongswan-mod-kernel-netlink.
Configuring strongswan-mod-attr.
Configuring libgmp.
Configuring strongswan-mod-gmp.
Configuring strongswan-mod-md5.
Configuring strongswan-mod-nonce.
Configuring strongswan-mod-revocation.
Configuring strongswan-mod-stroke.
Configuring strongswan-mod-updown.
Configuring strongswan-mod-x509.
Configuring strongswan-mod-xauth-generic.
Configuring strongswan-default.


------------------------------

L2TP/PPP files

Client

Client: /etc/xl2tpd/xl2tpd.conf

[lac gai]
lns = gai.on-i.de
redial = yes
redial timeout = 15
require authentication = yes
refuse pap = yes
require chap = yes                                    ; * Require CHAP auth. by peer
name = lini                                                  ; * Report this as our hostname
ppp debug = no                                               ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd

Client: /etc/xl2tpd/l2tp-secrets

# Secrets for authenticating l2tp tunnels
# us	them	secret
# *		marko blah2
# zeus		marko	blah
# *	*	interop
lini	gai	............

Client: /etc/ppp/options.l2tpd

refuse-eap
noccp
noauth
nodefaultroute
crtscts
idle 1800
mtu 1410
mru 1410
lock
connect-delay 5000
+ipv6
ipv6cp-accept-local
debug

Server

Server: /etc/xl2tpd/xl2tpd.conf

[global]	
port = 1701
auth file = /etc/l2tpd/l2tp-secrets
rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented

[lns default]	
assign ip = no						; * Only permit one tunnel per host
require chap = yes
refuse pap = yes
require authentication = yes	
unix authentication = no
name = gai
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd

Server: /etc/xl2tpd/l2tp-secrets

# Secrets for authenticating l2tp tunnels
# us	them	secret
# *		marko blah2
# zeus		marko	blah
# *	*	interop
gai 	lini	......insert-pwd-here...

Server: /etc/ppp/options.l2tpd

refuse-eap
noccp
noauth
nodefaultroute
crtscts
idle 1800
mtu 1410
mru 1410
lock
connect-delay 5000
+ipv6
ipv6 ::1,::2
ipv6cp-accept-local

IPSec files

Server

cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

ca strongswan
	cacert=strongswanCert.pem
	certuribase=http://ip6-winnetou.strongswan.org/certs/
	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
	auto=add

config setup
  # By default only one client can connect at the same time with an identical
  # certificate and/or password combination. Enable this option to disable
  # this behavior.
  # uniqueids=never
  #
  # Slightly more verbose logging. Very useful for debugging.
  #charondebug="cfg 2, dmn 2, ike 2, net 2"
  charondebug="cfg 4, dmn 4, ike 4, net 4"

# Default configuration options, used below if an option is not specified.
# See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
  # Use IKEv2 by default
  keyexchange=ikev2
  # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy)
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
  #
  # Dead Peer Discovery
  dpdaction=clear
  dpddelay=300s
  #
  # Do not renegotiate a connection if it is about to expire
  rekey=no
  #
  # Server side
  left=2001:67c:1400:2430::1
  leftid=@gai.on-i.de
  leftcert=vpnHostCert.pem
  #
  # Client side
  right=%any
  type=transport

# IKEv2: Newer version of the IKE protocol
conn IPSec-IKEv2
  keyexchange=ikev2
  auto=add


Server: /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnHostKey.pem


Client Linux-Ubuntu

Client: leo@lini:/etc/xl2tpd$ cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
config setup
  # By default only one client can connect at the same time with an identical
  # certificate and/or password combination. Enable this option to disable
  # this behavior.
  # uniqueids=never
  #
  # Slightly more verbose logging. Very useful for debugging.
  charondebug="cfg 2, dmn 2, ike 2, net 2"

# Default configuration options, used below if an option is not specified.
# See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
  #
  # Use IKEv2 by default
  keyexchange=ikev2
  #
  # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy)
  #for OpenWRT, supported crypto algos still have to be found (see the long description above)
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
  #
  # Dead Peer Discovery
  dpdaction=clear
  dpddelay=300s
  #
  # Do not renegotiate a connection if it is about to expire
  rekey=no
  #
  # Server side
  #left=%any
  left=2001:67c:1400:2430::1
  leftid=@gai.on-i.de
  #
  #setting not needed on client side
  #leftcert=vpnHostCert.pem
  #
  # Client side
  #right=%any
  #
  #IPv6 of tunnel interface gai
  #right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50
  #
  #IPv6 of client
  right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50
  #
  rightcert=ClientCert.pem
  type=transport

# IKEv2: Newer version of the IKE protocol
conn IPSec-IKEv2
  keyexchange=ikev2
  auto=route

Client: cat /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA ClientKey.pem