Setup and Configuration of Strongswan & Accel-PPP on Ubuntu 14.04 64bit


Introduction

strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface.

ACCEL-PPP is a completely new implementation of PPTP/PPPoE/L2TP, written from scratch. The userspace daemon has its own PPP implementation, so it does not use pppd, and a single multi-threaded process manages all connections.


Prerequisites

We will need the following to be able to successfully set up strongswan and Accel-PPP:
- An Ubuntu 14.04 x64 VPS server
- Root access to the server
- An SSH client (you can download PuTTY or Bitvise, depending on your operating system and preference)

When you have all these ingredients we can start setting up strongswan and Accel-PPP. Please follow the guide carefully; remember, you can always copy and paste the commands below for ease of installation and configuration.


Installing Strongswan

Before installing strongswan we need to update our distro first.

sudo apt-get update

After that we need to install the required applications to build strongswan.

sudo apt-get install libpam0g-dev libssl-dev make gcc curl

Then we need to download the strongswan source. You should always get the latest source since it contains the latest fixes and improvements to the code. The link to the latest source is here[1]. The version used in this guide is 5.3.5.

wget https://download.strongswan.org/strongswan-5.3.5.tar.gz

Extract strongswan and enter the extracted folder.

tar xzf strongswan*.tar.gz
cd strongswan-*/

Then configure strongswan with the required modules. For this guide we will configure strongswan to authenticate against freeradius, which is why the --enable-eap-radius option is required.

./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp

After configuring we can build and install it.

make && make install

Generating Certificates for Strongswan

Strongswan has a built-in certificate tool (ipsec pki) made specifically for easy certificate generation. First generate the CA key and self-signed CA certificate, then the server key and the server certificate signed by that CA:

ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=US, O=Premium, CN=Premium CA" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=50.31.0.253" --san="50.31.0.253" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

The domain name or IP address of your VPN server, which is later entered in the client's connection properties, MUST be contained in the subject Distinguished Name (CN) and/or in a subjectAltName (--san). If it does not match, clients will fail to connect.

The built-in Windows 7 VPN client needs the serverAuth extended key usage flag in your host certificate, as shown above, or it will refuse to connect. In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which we also add here.

Generate the client certificate.

ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=Premium Client" --outform pem > client.cert.pem

A VPN client needs its client certificate, the matching private key, and the signing CA certificate. The most convenient way to distribute them is to put everything in a single PKCS#12 file and export it protected by a passphrase.

openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "Premium CA"  -out client.cert.p12

Enter a password twice and you have a .p12 file. Send client.cert.p12 and its export passphrase to the person who is going to install it on the client.

Copy the generated certificates and keys into the ipsec.d folders.

cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp server.cert.pem /usr/local/etc/ipsec.d/certs/
cp server.pem /usr/local/etc/ipsec.d/private/
cp client.cert.pem /usr/local/etc/ipsec.d/certs/
cp client.pem /usr/local/etc/ipsec.d/private/

Configuring Strongswan, IPSec & Secret

First, open the ipsec.secrets file.

nano /usr/local/etc/ipsec.secrets

And add the following entries.

: RSA server.pem     # private key matching the server certificate server.cert.pem
: PSK "myPSKkey"     # pre-shared key entered by PSK clients

Save the file and exit, then open ipsec.conf.

nano /usr/local/etc/ipsec.conf

And add the following configuration.

config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add


conn IKEv1-RSA-XAUTH-RADIUS
    keyexchange=ikev1
    fragmentation=yes
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    rightcert=client.cert.pem

conn IKEv1-PSK-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid=50.31.0.253
    rekey=no
    left=%any
    leftsendcert=always
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%any

conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftid=@vpn.com
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any


conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701
    left=%any
    right=%any
    rightprotoport=17/%any
    rekey=no
    forceencaps=yes
    #auto=add

Where:
- IKEv1-RSA-XAUTH-RADIUS is used for IPSec with RSA (certificate) authentication.
- IKEv1-PSK-XAUTH-RADIUS is used for IPSec with pre-shared-key authentication. We already know our PSK since we added it to the ipsec.secrets file earlier.
- IKEv2-EAP_MSCHAPv2-RADIUS-iOS is used for IKEv2 on iOS only. The leftid line is the IP address of your server.
- IKEv2-EAP_MSCHAPv2-RADIUS is used for the IKEv2 VPN protocol on Windows, Linux and Android.
- L2TP-IKEv1-PSK is used for the L2TP/IPSec protocol, which we will discuss later on.

Save the file and exit.
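As an added illustration (not part of the original guide and not strongSwan's own code), the following Python script parses an ipsec.conf in the format used above, applies the conn %default inheritance that charon performs, and flags proposals that rely on 3DES, MD5, SHA-1 or the 1024-bit MODP group; 3des, sha1 and modp1024 all appear in the ike=/esp= lines of the IKEv2 conns above. The sample configuration embedded in the script is constructed from those conns; the section and setting names are strongSwan's, while the function names are mine.

```python
"""Parse a strongSwan ipsec.conf and flag weak IKE/ESP proposals.

Added example for this guide; it is not part of strongSwan. The sample
configuration below is constructed from the conn sections in the guide.
"""
import re

# Constructed sample: a trimmed copy of the ipsec.conf used in the guide.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=never

conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add

conn IKEv1-PSK-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
"""

# Algorithm tokens that should no longer appear in new deployments.
WEAK_TOKENS = {"3des", "md5", "sha1", "modp1024", "modp768"}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'config' and 'conn' sections.

    Indented 'key=value' lines belong to the most recent section header;
    '#' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance, as charon does, to every other conn."""
    defaults = sections.get("conn %default", {})
    result = {}
    for name, settings in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = dict(defaults)
        merged.update(settings)
        result[name[len("conn "):]] = merged
    return result


def weak_algorithms(proposal):
    """Return the weak tokens found in an ike= or esp= proposal string.

    A proposal is a comma-separated list of 'alg-alg-group' entries; a
    trailing '!' marks the list as strict and is ignored here.
    """
    found = []
    for entry in proposal.rstrip("!").split(","):
        for token in entry.split("-"):
            if token in WEAK_TOKENS and token not in found:
                found.append(token)
    return found


def audit(text):
    """Return a list of (conn_name, setting, weak_tokens) findings."""
    findings = []
    for name, settings in effective_conns(parse_ipsec_conf(text)).items():
        for key in ("ike", "esp"):
            if key in settings:
                weak = weak_algorithms(settings[key])
                if weak:
                    findings.append((name, key, weak))
    return findings


if __name__ == "__main__":
    for conn, key, weak in audit(SAMPLE_IPSEC_CONF):
        print(f"{conn}: {key}= uses {', '.join(weak)}")
```

Conns that set no ike=/esp= line (the IKEv1 ones above) fall back to charon's built-in defaults and are not reported; the script only judges proposals that are written out explicitly.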

Next, we will add our radius details to the strongswan.conf file. Open strongswan.conf.

nano /usr/local/etc/strongswan.conf

And make sure the following block is present in your file.

# for radius configuration details see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                # credentials for the radius servers; there can be one or more
                server-a {
                    # credentials for radius server a
                    secret = this_is_radius_secret
                    address = 50.31.1.57
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf

Make sure to change the address and secret to reflect your freeradius configuration.
If you have more than one freeradius server you can add another entry next to server-a inside the servers section:

server_b {
    secret = your_secret
    address = your_freeradius_ip
    auth_port = 1812
    acct_port = 1813
}
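To sanity-check this file before starting charon, here is an added Python example (not strongSwan's own code) that parses strongswan.conf's brace syntax, including the include directives, and reports eap-radius server entries that lack an address or secret or use an out-of-range port. The embedded sample is constructed from the charon block above plus a deliberately incomplete server-b; the function names are mine.

```python
"""Parse strongswan.conf's brace syntax and check the eap-radius servers.

Added example for this guide; it is not strongSwan's own parser. The
sample below is constructed from the charon block in the guide.
"""

# Constructed sample: the guide's charon block plus an incomplete server-b.
SAMPLE_STRONGSWAN_CONF = """\
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    secret = this_is_radius_secret
                    address = 50.31.1.57
                    auth_port = 1812
                    acct_port = 1813
                }
                server-b {
                    # constructed: no secret, bad port
                    address = 50.31.1.58
                    auth_port = 99999
                }
            }
        }
    }
}
include strongswan.d/*.conf
"""


def parse_strongswan_conf(text):
    """Return a nested dict; 'include' directives are collected under '@include'."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            # 'name {' opens a subsection of the current section
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif line.startswith("include "):
            stack[-1].setdefault("@include", []).append(line.split(None, 1)[1])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of file")
    return root


def lookup(tree, dotted):
    """Fetch a 'charon.plugins.eap-radius.servers' style path; None if absent."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_radius_servers(tree):
    """Return {server_name: [problems]} for every eap-radius server definition."""
    servers = lookup(tree, "charon.plugins.eap-radius.servers") or {}
    report = {}
    for name, settings in servers.items():
        if not isinstance(settings, dict):
            continue  # skip '@include' lists and plain key/value noise
        problems = []
        if "address" not in settings:
            problems.append("missing address")
        if "secret" not in settings:
            problems.append("missing secret")
        for port_key in ("auth_port", "acct_port"):
            value = settings.get(port_key)
            if value is not None and not (value.isdigit() and 0 < int(value) < 65536):
                problems.append(f"{port_key} out of range: {value}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for server, problems in check_radius_servers(parse_strongswan_conf(SAMPLE_STRONGSWAN_CONF)).items():
        print(server, "ok" if not problems else "; ".join(problems))
```

Run it against a copy of /usr/local/etc/strongswan.conf by reading the file into a string instead of SAMPLE_STRONGSWAN_CONF; included files are listed but not followed, so settings living in strongswan.d/ are not seen.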

Now we will run strongswan.

ipsec start

To see the available strongswan commands, type:

ipsec --help

Installation and Configuration of Accel-PPP

Accel-ppp is a high-performance PPP server created from scratch to overcome the shortcomings of existing PPP implementations. It is easier to use and configure than the older ones, and we will use it to provide PPTP and L2TP service to clients.

To build it we first need to install the build dependencies.

apt-get install cmake libssl-dev libpcre3-dev libnet-snmp-perl libtritonus-bin

Then download the latest source from [2] into /usr/src, extract it and create a separate build directory. Make sure to download the latest version from the accel-ppp website; this guide uses 1.9.0.

cd /usr/src/
wget http://downloads.sourceforge.net/project/accel-ppp/accel-ppp-1.9.0.tar.bz2
tar -xjf accel-ppp-1.9.0.tar.bz2
mkdir accel-ppp-build
cd accel-ppp-build

Configure accel-ppp with radius support.

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DRADIUS=TRUE -DSHAPER=TRUE ../accel-ppp-1.9.0

Then we can build and install accel-ppp.

make && make install

Create a new configuration file '/etc/accel-ppp.conf' and paste the configuration below.

[modules]
log_file
log_syslog
pptp
l2tp
auth_mschap_v2
radius
ippool

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
verbose=3
min-mtu=1280
mtu=1400
mru=1400
mppe=prefer
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-timeout=120

[pptp]
bind=50.31.0.253
echo-interval=30
mppe=prefer
ip-pool=pool1
verbose=3

[l2tp]
bind=50.31.0.253
hello-interval=60
mppe=prefer
ip-pool=pool2
verbose=3

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=sample_server
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
acct-interim-interval=500
acct-on=1
verbose=1
interim-verbose=1

[client-ip-range]
0.0.0.0/0

[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
level=5

Save the file and exit. The log directory /var/log/accel-ppp referenced in the configuration must exist before the daemon starts.

To run accel-ppp as a daemon we execute:
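An added Python example (not accel-ppp's own code) that parses this accel-ppp.conf layout, where sections hold both key=value options and bare lines such as module names and pool ranges, and cross-checks that every ip-pool= referenced by the pptp and l2tp sections is actually defined in [ip-pool]; it also splits the [radius] server= value into its fields and sizes each pool. The sample is constructed from the configuration above; the function names are mine.

```python
"""Parse accel-ppp.conf and cross-check the IP pools it references.

Added example for this guide; not accel-ppp's own code. The sample is
constructed from the configuration shown in the guide.
"""
import ipaddress

# Constructed sample: a trimmed copy of the guide's /etc/accel-ppp.conf.
SAMPLE_ACCEL_CONF = """\
[modules]
log_file
pptp
l2tp
auth_mschap_v2
radius
ippool

[pptp]
bind=50.31.0.253
ip-pool=pool1

[l2tp]
bind=50.31.0.253
ip-pool=pool2

[radius]
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000

[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
"""


def parse_accel_conf(text):
    """Return {section: {"options": {key: value}, "items": [bare lines]}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {"options": {}, "items": []}
        elif current is None:
            raise ValueError(f"data before the first section: {raw!r}")
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current]["options"][key] = value
        else:
            # module names, client ranges and pool ranges are bare lines
            sections[current]["items"].append(line)
    return sections


def pool_size(spec):
    """Number of addresses in an accel-ppp range 'A.B.C.D-E', 'A.B.C.D-W.X.Y.Z' or 'A.B.C.D/N'."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    start, last = spec.split("-")
    first = ipaddress.ip_address(start)
    if "." in last:
        return int(ipaddress.ip_address(last)) - int(first) + 1
    # 'A.B.C.D-E' means the last octet runs from D to E inclusive
    return int(last) - (int(first) & 0xFF) + 1


def pools(sections):
    """Map pool name -> address count from the [ip-pool] section."""
    result = {}
    for item in sections.get("ip-pool", {}).get("items", []):
        spec, _, name = item.partition(",")
        result[name or "default"] = pool_size(spec)
    return result


def parse_radius_server(value):
    """Split the [radius] server= value into address, secret and named options."""
    parts = value.split(",")
    info = {"address": parts[0], "secret": parts[1]}
    for option in parts[2:]:
        key, _, val = option.partition("=")
        info[key] = val
    return info


def check_pool_references(sections):
    """Return (protocol, pool) pairs whose ip-pool= names no pool defined in [ip-pool]."""
    defined = pools(sections)
    missing = []
    for proto in ("pptp", "l2tp", "pppoe"):
        wanted = sections.get(proto, {}).get("options", {}).get("ip-pool")
        if wanted and wanted not in defined:
            missing.append((proto, wanted))
    return missing


if __name__ == "__main__":
    conf = parse_accel_conf(SAMPLE_ACCEL_CONF)
    print("pools:", pools(conf))
    print("radius:", parse_radius_server(conf["radius"]["options"]["server"]))
    print("dangling pool references:", check_pool_references(conf))
```

A dangling ip-pool= reference is a quiet failure mode: the tunnel negotiates but no address can be assigned, so checking it before starting accel-pppd saves a round of log reading.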

accel-pppd -d -c /etc/accel-ppp.conf

That's it! All you have to do now is connect to the server using IKEv2, IPSec, L2TP/IPSec or PPTP from a Windows, iOS, Linux or Android device.

[1]: https://download.strongswan.org/
[2]: http://downloads.sourceforge.net/project/accel-ppp/