Setup and Configuration of Strongswan & Accel-PPP on Ubuntu 14.04 64bit
Introduction
strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface.
Accel-PPP is a completely new implementation of PPTP/PPPoE/L2TP, written from scratch. The userspace daemon has its own PPP implementation, so it does not use pppd, and a single multi-threaded process manages all connections.
Prerequisites
We will need the following to set up strongSwan and Accel-PPP:
- An Ubuntu 14.04 x64 VPS server (the package commands below use apt-get)
- Root access to the server
- An SSH client (PuTTY or Bitvise, depending on your operating system and preference)
When you have all of these we can start. Please follow the guide carefully; you can copy and paste the commands below for ease of installation and configuration.
Installing Strongswan
Before installing strongSwan we need to refresh the package index.
sudo apt-get update
After that we install the packages required to build strongSwan from source.
sudo apt-get install libpam0g-dev libssl-dev make gcc curl
Then download the strongSwan source. Always take the latest release, since it contains the latest fixes and improvements; the downloads are listed at [1]. The version used here is 5.3.5.
wget https://download.strongswan.org/strongswan-5.3.5.tar.gz
Extract strongswan and enter the folder.
tar xzf strongswan*.tar.gz
cd strongswan-*/
Then configure strongSwan with the required modules. This guide authenticates users against FreeRADIUS, which is why --enable-eap-radius (and, for the IKEv1 XAUTH connections, --enable-xauth-eap) is included. The installation prefix is left at its default, so everything lands under /usr/local and the configuration files live in /usr/local/etc.
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
After the configuration we will now install it.
make && make install
Generating Certificates for Strongswan
strongSwan ships a built-in pki tool that makes key and certificate generation straightforward. We will use it as follows.
First generate the CA key and its self-signed CA certificate, then the server key and a server certificate issued by that CA.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=US, O=Premium, CN=Premium CA" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=50.31.0.253" --san="50.31.0.253" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
The domain name or IP address of the VPN server that clients will later enter in their connection settings MUST be contained in the certificate, either as the subject's CN or as a subjectAltName (--san); otherwise clients will refuse to connect. The command above only adds the IP address 50.31.0.253, so if clients are going to connect by host name (as the leftid=@vpn.com connection further down expects), add that name too with an additional --san option.
The built-in Windows 7 VPN client requires the serverAuth extended key usage flag in the host certificate, as set above, or it will refuse to connect. OS X 10.7.3 or older additionally requires the ikeIntermediate flag, which we add here as well.
Generate the client certificate.
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=Premium Client" --outform pem > client.cert.pem
A VPN client needs its client certificate, the matching private key and the signing CA certificate. The most convenient way to ship all three is a single PKCS#12 file protected by an export passphrase.
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "Premium CA" -out client.cert.p12
Enter a passphrase twice and you have client.cert.p12. Send the file and its passphrase (preferably over separate channels) to the person who will install it on the client.
Copy the generated certificates and keys into the ipsec.d directory (under /usr/local/etc, since we built from source). The files placed in private/ are secret keys; keep them readable by root only.
cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp server.cert.pem /usr/local/etc/ipsec.d/certs/
cp server.pem /usr/local/etc/ipsec.d/private/
cp client.cert.pem /usr/local/etc/ipsec.d/certs/
cp client.pem /usr/local/etc/ipsec.d/private/
Configuring Strongswan, IPSec & Secret
First let us open ipsec.secrets file.
nano /usr/local/etc/ipsec.secrets
And add the following entries. The first tells charon which private key (in ipsec.d/private/) belongs to the server certificate; the second is the pre-shared key that the IKEv1 PSK and L2TP/IPsec clients will enter. Pick a long random value, because the PSK connections below accept it from any peer (right=%any).
: RSA server.pem   # private key matching server.cert.pem
: PSK "myPSKkey"   # pre-shared key entered by PSK clients; replace with a long random value
Save the file and exit then open ipsec.conf.
nano /usr/local/etc/ipsec.conf
And add the following configuration.
config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add

conn IKEv1-RSA-XAUTH-RADIUS
    keyexchange=ikev1
    fragmentation=yes
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    rightcert=client.cert.pem

conn IKEv1-PSK-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid=50.31.0.253
    rekey=no
    left=%any
    leftsendcert=always
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%any

conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftid=@vpn.com
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any

conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701
    left=%any
    right=%any
    rightprotoport=17/%any
    rekey=no
    forceencaps=yes
    #auto=add
Where:
IKEv1-RSA-XAUTH-RADIUS - IKEv1 with certificate (RSA) authentication plus XAUTH, the XAUTH user credentials being checked against RADIUS. rightcert pins the peer to the single client certificate issued above; omit it to accept any client certificate signed by the CA.
IKEv1-PSK-XAUTH-RADIUS - IKEv1 with the pre-shared key plus XAUTH against RADIUS. The PSK is the one we added to ipsec.secrets earlier.
IKEv2-EAP_MSCHAPv2-RADIUS-iOS - IKEv2 with EAP-MSCHAPv2 relayed to RADIUS, for iOS clients. leftid is the IP address of your server and must match the CN or SAN of the server certificate. The ike and esp lists deliberately include 3DES, SHA-1 and the 1024-bit MODP group for older iOS releases; all three are weak by today's standards, so drop them if you do not have to support such clients.
IKEv2-EAP_MSCHAPv2-RADIUS - the same for Windows, Linux and Android clients. Note that leftid=@vpn.com only works if vpn.com is present in the server certificate; the certificate generated above carries only the IP address, so either use leftid=50.31.0.253 here too or reissue the server certificate with an additional --san vpn.com. Otherwise charon logs the id as "not confirmed by certificate" and uses the certificate subject instead, and clients expecting vpn.com will reject the server.
L2TP-IKEv1-PSK - the transport-mode IPsec connection for L2TP/IPsec. The L2TP side is served by Accel-PPP, which we configure later on.
Save the file and exit.
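As an added example (Python written for this guide, not part of the configuration above or of strongSwan), the following script lints an ipsec.conf for the problems just described: it parses the conn sections, merges in conn %default, reports keys set twice within one conn, flags legacy algorithms in ike=/esp= proposals, and checks that every leftid is among the identities the server certificate actually carries. Those identities are passed in as a set (read them off `ipsec pki --print --in server.cert.pem`) so the script needs nothing beyond the standard library; the configuration text is a constructed excerpt of the ipsec.conf above, with a duplicated fragmentation= line included to exercise that check.

```python
"""Lint an ipsec.conf for the problems discussed above.

Added example for this guide; not strongSwan code. Standard library only: the
identities in the server certificate are supplied as a set instead of being
parsed out of the X.509 file.
"""
import re

# Algorithms a new deployment should not offer. sha1 in an ike= proposal is the
# HMAC integrity/PRF algorithm, legacy rather than broken; modp1024 and 3des are
# the ones to remove first.
WEAK_ALGOS = {"modp768", "modp1024", "des", "3des", "md5", "sha1"}

# Constructed excerpt of the ipsec.conf above; the repeated fragmentation= line
# is kept on purpose to exercise the duplicate-key check.
SAMPLE_CONF = """\
config setup
    uniqueids=never

conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add

conn IKEv1-RSA-XAUTH-RADIUS
    keyexchange=ikev1
    fragmentation=yes
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid=50.31.0.253
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24

conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    leftid=@vpn.com
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
"""

# Subject DN and the one --san of the server certificate generated above.
SAMPLE_CERT_NAMES = {"C=US, O=Premium, CN=50.31.0.253", "50.31.0.253"}

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)$")


def parse_ipsec_conf(text):
    """Return ({'conn NAME': {key: value}}, [duplicate-key findings])."""
    sections, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = f"{match.group(1)} {match.group(2)}"
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in sections[current]:
            findings.append(f"{current}: '{key}' set more than once (last value wins)")
        sections[current][key] = value
    return sections, findings


def weak_algorithms(proposal):
    """Weak tokens in an ike=/esp= string such as 'aes256-sha256-modp1024,3des-sha1!'.
    The trailing '!' only marks the proposal list as strict."""
    return sorted(set(re.split(r"[-,]", proposal.rstrip("!"))) & WEAK_ALGOS)


def lint_ipsec_conf(text, cert_names):
    """Findings for every conn, with conn %default merged in."""
    sections, findings = parse_ipsec_conf(text)
    default = sections.get("conn %default", {})
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**default, **params}
        for key in ("ike", "esp"):
            weak = weak_algorithms(conn.get(key, ""))
            if weak:
                findings.append(f"{name}: {key} proposal offers {', '.join(weak)}")
        leftid = conn.get("leftid", "").lstrip("@")
        if leftid and conn.get("leftcert") and leftid not in cert_names:
            findings.append(f"{name}: leftid '{leftid}' is not in the server certificate; "
                            "charon will log it as not confirmed and use the subject instead")
    return findings


if __name__ == "__main__":
    for finding in lint_ipsec_conf(SAMPLE_CONF, SAMPLE_CERT_NAMES):
        print(finding)
```

Run against the sample it reports the duplicated key, the 3DES/SHA-1/MODP-1024 proposals and the leftid that the certificate cannot confirm; point it at your real /usr/local/etc/ipsec.conf and the identities printed by `ipsec pki --print` to check a live configuration.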
Next, we will add our radius details in the strongswan.conf file. Open strongswan.conf.
nano /usr/local/etc/strongswan.conf
And make sure the following is present in your file.
# for radius configuration details see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                # credentials for the radius servers; one or more may be listed
                server-a {
                    secret = this_is_radius_secret
                    address = 50.31.1.57
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Make sure to change address and secret to match your FreeRADIUS configuration (the same secret must be configured for this server in FreeRADIUS's clients.conf), and keep strongswan.conf readable by root only now that it holds that secret.
If you have more than one FreeRADIUS server you can add another one like this:
                server-b {
                    secret = your_secret
                    address = your_freeradius_ip
                    auth_port = 1812
                    acct_port = 1813
                }
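To see what the shared secret in this file actually does on the wire, here is an added example (Python written for this guide; it is not strongSwan, Accel-PPP or FreeRADIUS code) that builds the RFC 2865/2866 packets a NAS sends: an Access-Request with the User-Password obfuscated under the secret, the Response Authenticator check a NAS must perform on the Access-Accept, and an Accounting-Request whose authenticator a server holding a different secret cannot verify. The secret, user name, password and NAS address are constructed sample values and fake_server_accept() stands in for FreeRADIUS, so the exchange runs offline.

```python
"""RFC 2865/2866 packets built with the RADIUS shared secret configured above.
Added example for this guide, not strongSwan, accel-ppp or FreeRADIUS code. Standard
library only; secret, user and NAS address are constructed values and fake_server_accept()
stands in for the RADIUS server so the exchange runs offline."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ZERO_AUTH = b"\x00" * 16

def encode_attr(attr_type, value):
    """Attribute TLV; Length counts the two header octets, so a value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(packet):
    """[(type, value), ...] from the attribute section of a packet."""
    attrs, i = [], 20
    while i < len(packet):
        attr_type, length = struct.unpack("!BB", packet[i:i + 2])
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def packet_digest(packet, auth_field, secret):
    """MD5(packet with its authenticator field replaced by auth_field, then the secret).
    The RFC 2865 Response Authenticator (auth_field = the Request Authenticator) and the
    RFC 2866 Accounting-Request authenticator (auth_field = 16 zero octets) are both this."""
    return hashlib.md5(packet[:4] + auth_field + packet[20:] + secret).digest()

def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request
    Authenticator. Keyed obfuscation, not authenticated encryption: whoever holds the secret
    recovers every password from a capture, so choose the secret long and random."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_user_password(cipher, secret, request_auth):
    """Inverse of encrypt_user_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(identifier, secret, username, password, nas_ip):
    """Access-Request as a NAS (charon's eap-radius plugin, accel-ppp) sends it; the NAS keeps
    the random Request Authenticator to validate the reply."""
    request_auth = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)

def verify_response(response, request, secret):
    """What the NAS must check before honouring an Access-Accept; without it a reply spoofed
    from the server's address would be accepted."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    return hmac.compare_digest(packet_digest(response, request[4:20], secret), response[4:20])

def fake_server_accept(request, secret):
    """Stand-in for the RADIUS server: an attribute-less Access-Accept for `request`."""
    reply = build_packet(ACCESS_ACCEPT, request[1], ZERO_AUTH, b"")
    return reply[:4] + packet_digest(reply, request[4:20], secret) + reply[20:]

def accounting_request(identifier, secret, attrs):
    """RFC 2866 Accounting-Request, what accounting = yes above makes charon send."""
    packet = build_packet(ACCOUNTING_REQUEST, identifier, ZERO_AUTH, attrs)
    return packet[:4] + packet_digest(packet, ZERO_AUTH, secret) + packet[20:]

def verify_accounting_request(packet, secret):
    """Server-side check; a server configured with a different secret drops the request."""
    return hmac.compare_digest(packet_digest(packet, ZERO_AUTH, secret), packet[4:20])

if __name__ == "__main__":
    secret = b"this_is_radius_secret"  # the placeholder value shown in strongswan.conf above
    req = access_request(1, secret, b"alice", b"correct horse battery", "50.31.0.253")
    print("Access-Accept verified:", verify_response(fake_server_accept(req, secret), req, secret))
```

The point for this setup: the same secret has to be configured in strongswan.conf, in the [radius] server= line of accel-ppp.conf below, and for each of those NASes in FreeRADIUS, and anyone who obtains it can both decrypt captured User-Password attributes and forge Access-Accepts, so treat it like a password and keep the RADIUS traffic on a trusted network. With EAP-MSCHAPv2 the NAS relays EAP messages in EAP-Message attributes rather than a User-Password, but the authenticator checks work exactly the same way.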
Now we will run strongswan.
ipsec start
To see available strongswan commands you can type.
ipsec --help
Installation and Configuration of Accel-PPP
Accel-PPP is a high-performance PPP server written from scratch to address the shortcomings of pppd-based setups. It is easier to use and configure than the older daemons, and we will use it to provide the PPTP and L2TP services to clients.
First install the build dependencies (cmake plus the OpenSSL and PCRE headers):
apt-get install cmake libssl-dev libpcre3-dev
Then download the latest source from [2] (check the project page for the current release; 1.9.0 is used here), extract it, and create a separate build directory.
cd /usr/src/
wget http://downloads.sourceforge.net/project/accel-ppp/accel-ppp-1.9.0.tar.bz2
tar -xjf accel-ppp-1.9.0.tar.bz2
mkdir accel-ppp-build
cd accel-ppp-build
Configure accel-ppp with RADIUS and traffic-shaper support, installed under /usr/local.
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DRADIUS=TRUE -DSHAPER=TRUE ../accel-ppp-1.9.0
Then build and install it.
make && make install
Make a new configuration file '/etc/accel-ppp.conf' and paste the below configuration.
[modules]
log_file
log_syslog
pptp
l2tp
auth_mschap_v2
radius
ippool
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
[ppp]
verbose=3
min-mtu=1280
mtu=1400
mru=1400
mppe=prefer
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-timeout=120
[pptp]
bind=50.31.0.253
echo-interval=30
mppe=prefer
ip-pool=pool1
verbose=3
[l2tp]
bind=50.31.0.253
hello-interval=60
mppe=prefer
ip-pool=pool2
verbose=3
[dns]
dns1=8.8.8.8
dns2=8.8.4.4
[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=sample_server
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
acct-interim-interval=500
acct-on=1
verbose=1
interim-verbose=1
[client-ip-range]
0.0.0.0/0
[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
level=5
Save the file and exit. Two things to note about this configuration: [client-ip-range] with 0.0.0.0/0 accepts PPTP and L2TP peers from any source address, so narrow it if your clients come from known ranges; and the paths in [core] and [log] require the directory /var/log/accel-ppp to exist before the daemon is started.
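As an added example for this section (Python written for this guide, not Accel-PPP code), the following script cross-checks the address pools. Accel-PPP and strongSwan hand out client addresses independently of each other, so their pools must not overlap, the gw-ip-address must lie outside every pool, and each ip-pool= reference in [pptp] and [l2tp] must name a pool that [ip-pool] defines. The configuration text is a constructed excerpt of the accel-ppp.conf above and the strongSwan pools are the rightsourceip values from ipsec.conf; it uses only the standard library.

```python
"""Cross-check the client address pools of Accel-PPP and strongSwan.

Added example for this guide, not Accel-PPP code. Standard library only; the
configuration text is a constructed excerpt of the accel-ppp.conf above.
"""
import ipaddress

SAMPLE_ACCEL_CONF = """\
[modules]
pptp
l2tp
ippool

[pptp]
bind=50.31.0.253
ip-pool=pool1

[l2tp]
bind=50.31.0.253
ip-pool=pool2

[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
"""

# rightsourceip values from the ipsec.conf above, keyed by conn name
SAMPLE_STRONGSWAN_POOLS = {
    "IKEv1-PSK-XAUTH-RADIUS": "10.31.1.0/24",
    "IKEv2-EAP_MSCHAPv2-RADIUS": "10.31.2.0/24",
}


def parse_accel_conf(text):
    """accel-ppp.conf is INI-like, but a section may hold bare lines (module
    names, pool definitions) as well as key=value pairs; keep both kinds."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {"keys": {}, "lines": []}
        elif current is None:
            raise ValueError(f"line outside any section: {raw!r}")
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current]["keys"][key.strip()] = value.strip()
        else:
            sections[current]["lines"].append(line)
    return sections


def parse_range(spec):
    """Accel-PPP pool syntax to (first, last): '10.31.3.3-254' (last-octet range),
    '10.31.3.3-10.31.3.100', '10.31.3.0/24', or a single address."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        start, end = spec.split("-", 1)
        first = ipaddress.ip_address(start)
        if "." in end:
            last = ipaddress.ip_address(end)
        else:
            last = ipaddress.ip_address(first.packed[:3] + bytes([int(end)]))
        if last < first:
            raise ValueError(f"inverted range {spec}")
        return first, last
    addr = ipaddress.ip_address(spec)
    return addr, addr


def check_pools(accel_text, strongswan_pools):
    """Return a list of findings; an empty list means the pools are consistent."""
    sections = parse_accel_conf(accel_text)
    findings = []
    pool_section = sections.get("ip-pool", {"keys": {}, "lines": []})
    ranges = {}
    for entry in pool_section["lines"]:
        spec, _, name = entry.partition(",")
        ranges[f"accel-ppp pool '{name.strip() or 'default'}'"] = parse_range(spec.strip())
    for proto in ("pptp", "l2tp"):
        ref = sections.get(proto, {}).get("keys", {}).get("ip-pool")
        if ref and f"accel-ppp pool '{ref}'" not in ranges:
            findings.append(f"[{proto}] references undefined ip-pool '{ref}'")
    gw = pool_section["keys"].get("gw-ip-address")
    if gw:
        gw = ipaddress.ip_address(gw)
        for name, (first, last) in ranges.items():
            if first <= gw <= last:
                findings.append(f"gw-ip-address {gw} lies inside {name}")
    for conn, cidr in strongswan_pools.items():
        net = ipaddress.ip_network(cidr, strict=False)
        ranges[f"strongSwan conn {conn}"] = (net[0], net[-1])
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a1, a2), (b1, b2) = ranges[a], ranges[b]
            if a1 <= b2 and b1 <= a2:
                findings.append(f"{a} ({a1}-{a2}) overlaps {b} ({b1}-{b2})")
    return findings


if __name__ == "__main__":
    print(check_pools(SAMPLE_ACCEL_CONF, SAMPLE_STRONGSWAN_POOLS) or "pools are consistent")
```

With the values from this guide the check passes; it reports a finding as soon as one of the strongSwan rightsourceip subnets is moved onto 10.31.3.0/24 or the gateway address is placed inside a pool.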
To run accel-ppp we execute.
accel-pppd -d -c /etc/accel-ppp.conf
That's it! Clients can now connect using IKEv2, IPsec (IKEv1 with XAUTH), L2TP/IPsec and PPTP from Windows, iOS, Linux and Android devices. Two caveats before opening this to users: the server must also forward and NAT the traffic from the pool subnets (net.ipv4.ip_forward=1 plus a MASQUERADE rule), which this guide does not cover; and PPTP with MS-CHAPv2 and MPPE is cryptographically broken (the MS-CHAPv2 exchange can be cracked offline from a capture and MPPE is RC4), so offer it only to legacy clients that cannot use IKEv2 or L2TP/IPsec.
[1]: https://download.strongswan.org/
[2]: http://downloads.sourceforge.net/project/accel-ppp/