by Mark

Setup and Configuration of Strongswan & Accel-PPP on Ubuntu 14.04 64bit

TAGS:
  • pptp
  • vpn
  • ipsec
  • ikev2
  • ubuntu
  • certificate
  • l2tp

Strongswan & Accel-PPP on Ubuntu 14.04

Introduction

strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface.

Accel-PPP is a completely new implementation of PPTP/PPPoE/L2TP, written from scratch. The userspace daemon has its own PPP implementation, so it does not use pppd, and one (multi-threaded) process manages all connections.
___

Prerequisites

We will need the following to be able to successfully set up strongSwan and Accel-PPP:
- An Ubuntu 14.04 x64 VPS server
- Root access to the server
- An SSH client (you can download PuTTY or Bitvise, depending on your operating system and liking)

When you have all these ingredients we can start setting up strongSwan and Accel-PPP. Please follow the guide carefully; remember, you can always copy and paste the commands below for ease of installation and configuration.
___

Installing Strongswan

Before installing strongSwan we need to update our distro first.
sudo apt-get update
After that we need to install the packages required to build strongSwan.
sudo apt-get install libpam0g-dev libssl-dev make gcc curl
Then we need to download the strongSwan source. You should always get the latest source, since it contains the latest fixes and improvements to the code. The link to the latest source is here. The version current at the time of writing is 5.3.5.
wget https://download.strongswan.org/strongswan-5.3.5.tar.gz
Extract strongSwan and enter the folder.
tar xzf strongswan*.tar.gz
cd /root/strongswan-*/
Then configure strongSwan with the required modules. For this guide we will configure strongSwan with FreeRADIUS, which is why we need the --enable-eap-radius plugin to be built.
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp

After the configuration we will now build and install it.
make && make install
___

Generating Certificates for Strongswan

strongSwan has a built-in certificate generation tool (ipsec pki) made specifically for easy certificate generation. To make the certificates we will run the following commands.
Generate the CA key and self-signed CA certificate, then the server key and a server certificate issued by that CA.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=US, O=Premium, CN=Premium CA" --ca --outform pem > ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=50.31.0.253" --san="50.31.0.253" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
The domain name or IP address of your VPN server, which is later entered in the client's connection properties, MUST be contained in the subject Distinguished Name (the CN), in a subjectAltName (--san), or in both. If it does not match, the clients will fail to connect.

The built in Windows 7 VPN client needs the serverAuth extended key usage flag in your host certificate as shown above, or the client will refuse to connect. In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which we also add here.

Generate the client key and certificate.
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=Premium Client" --outform pem > client.cert.pem
A VPN client needs a client certificate, its private key, and the signing CA certificate. The most convenient way is to put everything in a single PKCS#12 file and export it with a passphrase.
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "Premium CA" -out client.cert.p12
Enter a password twice and you have a .p12 file. You can send client.cert.p12 and its export passphrase to the person who is going to install it on the client.

Copy the generated certificates and keys into the ipsec.d folder.
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
___

Configuring Strongswan, IPSec & Secret

First let us open ipsec.secrets file.
nano /usr/local/etc/ipsec.secrets
And add the following details.

: RSA server.pem   # the server's private key file, matching leftcert=server.cert.pem
: PSK "myPSKkey"   # the pre-shared key entered by the client

Save the file and exit then open ipsec.conf.
nano /usr/local/etc/ipsec.conf
And add the following configuration.

config setup
	uniqueids=never
	charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
	leftsubnet=0.0.0.0/0
	left=%defaultroute
	right=%any
	auto=add

conn IKEv1-RSA-XAUTH-RADIUS
	keyexchange=ikev1
	fragmentation=yes
	leftauth=pubkey
	leftcert=server.cert.pem
	rightauth=pubkey
	rightauth2=xauth-radius
	rightsourceip=10.31.1.0/24
	rightcert=client.cert.pem

conn IKEv1-PSK-XAUTH-RADIUS
	keyexchange=ikev1
	leftauth=psk
	rightauth=psk
	rightauth2=xauth-radius
	rightsourceip=10.31.1.0/24
	fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
	keyexchange=ikev2
	ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
	esp=aes256-sha256,3des-sha1,aes256-sha1!
	leftid=50.31.0.253
	rekey=no
	left=%any
	leftsendcert=always
	leftcert=server.cert.pem
	rightauth=eap-radius
	rightsourceip=10.31.2.0/24
	rightsendcert=never
	rightdns=8.8.8.8,8.8.4.4
	eap_identity=%any

conn IKEv2-EAP_MSCHAPv2-RADIUS
	keyexchange=ikev2
	ike=aes256-sha1-modp1024!
	rekey=no
	leftid=@vpn.com
	leftauth=pubkey
	leftcert=server.cert.pem
	rightauth=eap-radius
	rightsourceip=10.31.2.0/24
	rightsendcert=never
	eap_identity=%any

conn L2TP-IKEv1-PSK
	type=transport
	keyexchange=ikev1
	authby=secret
	leftprotoport=17/1701
	left=%any
	right=%any
	rightprotoport=17/%any
	rekey=no
	forceencaps=yes
	#auto=add

Where:
IKEv1-RSA-XAUTH-RADIUS - is used by IPsec RSA (certificate) authentication.
IKEv1-PSK-XAUTH-RADIUS - is used by IPsec PSK authentication, which is pre-shared key based. We already know our PSK since we added it to the ipsec.secrets file earlier.
IKEv2-EAP_MSCHAPv2-RADIUS-iOS - is used by IKEv2 on iOS only. The leftid line is the IP address of your server.
IKEv2-EAP_MSCHAPv2-RADIUS - is used by the IKEv2 VPN protocol on Windows, Linux and Android.
L2TP-IKEv1-PSK - is used by the L2TP/IPsec protocol, which we will discuss later on.

Save the file and exit.
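As an added check (example code, not part of the original guide): a small Python script that parses the ipsec.conf format used above, applies conn %default to every conn, and flags ike=/esp= proposals that still offer 3DES, SHA-1 or the 1024-bit modp group, which several conns in this configuration do. The sample text is a constructed excerpt of this guide's file; strongSwan's own built-in default proposals are not inspected.

```python
# Constructed excerpt of this guide's ipsec.conf: conn %default plus two of its conns.
SAMPLE_IPSEC_CONF = """\
conn %default
\tleftsubnet=0.0.0.0/0
\tleft=%defaultroute
\tright=%any
\tauto=add

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
\tkeyexchange=ikev2
\tike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
\tesp=aes256-sha256,3des-sha1,aes256-sha1!
\t#auto=add

conn L2TP-IKEv1-PSK
\ttype=transport
\tkeyexchange=ikev1
\tauthby=secret
"""

# Algorithms and DH groups that should not appear in an ike= or esp= proposal any more.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn NAME': {option: value}}, merging conn %default into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                             # blank or comment-only line
        if not raw[0].isspace():                 # unindented: 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = sections.setdefault(kind + " " + name.strip(), {})
        elif current is not None:                # indented option belongs to the open section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("conn %default", {})
    return {n: {**default, **opts} for n, opts in sections.items() if n.startswith("conn ")}

def weak_proposals(conns):
    """Return (conn, option, proposal, [weak algs]) for each ike=/esp= proposal that uses a WEAK entry."""
    findings = []
    for name, opts in conns.items():
        for option in ("ike", "esp"):
            for proposal in opts.get(option, "").rstrip("!").split(","):
                weak = sorted(set(proposal.split("-")) & WEAK)
                if weak:
                    findings.append((name[len("conn "):], option, proposal, weak))
    return findings
```

Run it against /usr/local/etc/ipsec.conf by passing the file's contents to parse_ipsec_conf; a conn with no ike=/esp= line (like L2TP-IKEv1-PSK here) is not reported because it relies on the daemon defaults.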

Next, we will add our RADIUS details to the strongswan.conf file. Open strongswan.conf.
nano /usr/local/etc/strongswan.conf
And make sure the configuration below is reflected in your file.

# for radius configuration details see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                # credentials for the radius servers; there can be one or more
                server-a {
                    # credentials for radius server a
                    secret = this_is_radius_secret
                    address = 50.31.1.57
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf

Make sure to change the address and secret to reflect your FreeRADIUS configuration.
If you have more than one FreeRADIUS server, you can add another one with a second block inside servers:

server_b {
    secret = your_secret
    address = your_freeradius_ip
    auth_port = 1812
    acct_port = 1813
}

Now we will run strongswan.
ipsec start

To see available strongswan commands you can type.
ipsec --help
___

Installation and Configuration of Accel-PPP

Accel-PPP is a high-performance PPP server created from scratch to fill the shortcomings of the pppd-based servers. It is easier to use and configure compared to the old ones, and we will use this application to provide PPTP and L2TP service to clients.

To install we will have to install the necessary packages first.
apt-get install cmake libssl-dev libpcre3-dev libnet-snmp-perl libtritonus-bin
Then we will download the latest source from http://downloads.sourceforge.net/project/accel-ppp/ (make sure to download the latest release from the accel-ppp website).
cd /usr/src/
wget http://downloads.sourceforge.net/project/accel-ppp/accel-ppp-1.9.0.tar.bz2
tar -xjf accel-ppp-1.9.0.tar.bz2
mkdir accel-ppp-build
cd accel-ppp-build
Configure accel-ppp with RADIUS support.
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DRADIUS=TRUE -DSHAPER=TRUE ../accel-ppp-1.9.0
After that we can build and install accel-ppp.
make && make install
Make a new configuration file '/etc/accel-ppp.conf' and paste the below configuration.

[modules]
log_file
log_syslog
pptp
l2tp
auth_mschap_v2
radius
ippool

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
verbose=3
min-mtu=1280
mtu=1400
mru=1400
mppe=prefer
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-timeout=120

[pptp]
bind=50.31.0.253
echo-interval=30
mppe=prefer
ip-pool=pool1
verbose=3

[l2tp]
bind=50.31.0.253
hello-interval=60
mppe=prefer
ip-pool=pool2
verbose=3

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=sample_server
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
acct-interim-interval=500
acct-on=1
verbose=1
interim-verbose=1

[client-ip-range]
0.0.0.0/0

[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
level=5

Save the file and Exit.
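Both daemons must point at the same FreeRADIUS server with the same shared secret and ports, otherwise one family of VPN protocols silently fails to authenticate while the other works. The following added Python example (not part of the original guide) parses the eap-radius block of strongswan.conf and the [radius] section of accel-ppp.conf shown above and reports any server address on which the two files disagree; the excerpts are constructed from this guide's files.

```python
# Constructed excerpts: this guide's eap-radius block (from charon.plugins in strongswan.conf) and [radius] from accel-ppp.conf.
STRONGSWAN_EAP_RADIUS = """\
eap-radius {
    servers {
        server-a {
            secret = this_is_radius_secret
            address = 50.31.1.57
            acct_port = 1813
        }
    }
}
"""
ACCEL_RADIUS = """\
[radius]
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
"""

def strongswan_radius_servers(text):
    """Walk the brace syntax; return {address: (secret, auth_port, acct_port)} per server block."""
    path, block, servers = [], {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                    # open a nested section
            path.append(line[:-1].strip())
            block = {}
        elif line == "}":                         # closing a block directly under servers { }
            if path[-3:-1] == ["eap-radius", "servers"] and "address" in block:
                servers[block["address"]] = (block.get("secret"), block.get("auth_port", "1812"), block.get("acct_port", "1813"))
            path.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            block[key.strip()] = value.strip()
    return servers

def accel_radius_servers(text):
    """Return {address: (secret, auth_port, acct_port)} from each server= line in [radius]."""
    servers, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "radius" and line.startswith("server="):
            addr, secret, *rest = line[7:].split(",")     # address, secret, then key=value options
            opts = dict(f.split("=", 1) for f in rest if "=" in f)
            servers[addr] = (secret, opts.get("auth-port", "1812"), opts.get("acct-port", "1813"))
    return servers

def radius_mismatches(strongswan_text, accel_text):
    a, b = strongswan_radius_servers(strongswan_text), accel_radius_servers(accel_text)
    return sorted(addr for addr in set(a) | set(b) if a.get(addr) != b.get(addr))
```

Missing auth_port/acct_port values fall back to 1812/1813, the defaults both daemons use, so an omitted port only counts as a mismatch when the other file sets something different.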

To run accel-ppp we execute.
accel-pppd -d -c /etc/accel-ppp.conf


That's it! All you have to do now is connect to the server using IKEv2, IPsec, L2TP/IPsec or PPTP from a Windows, iOS, Linux or Android device.
