How to set up L2TP on CentOS

Description: In this tutorial we explain, step by step, how to install and configure an L2TP over IPsec VPN server (racoon and xl2tpd) on CentOS.

Step 1:

First install the repositories and ipsec-tools:

For 64bit CentOS 6:

rpm -ivh http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest

yum -y install ipsec-tools

For 64bit CentOS 5:

rpm -ivh http://flexbox.sourceforge.net/centos/5/x86_64/ipsec-tools-0.7.3-4.el5.x86_64.rpm

Step 2:

Next, create the script /etc/racoon/init.sh with the following contents:

#!/bin/sh
# set security policies: require ESP in transport mode for L2TP (UDP 1701)
# in both directions
echo -e "flush;\n\
spdflush;\n\
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;\n\
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;\n" \
| setkey -c
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Change the permissions of the file so that only root can run it:

chmod 750 /etc/racoon/init.sh

Step 3:

Now add the script to rc.local so it runs at boot. The sed command first removes any previous entry so the line is not duplicated:

sed --in-place '/\/etc\/racoon\/init.sh/d' /etc/rc.d/rc.local
echo /etc/racoon/init.sh >> /etc/rc.d/rc.local

Step 4:

Now create the file /etc/racoon/racoon.conf, or if it already exists edit it, so that it reads as follows:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
        exchange_mode aggressive,main;
        passive on;
        proposal_check obey;
        support_proxy on;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group modp1024;
}

Then restrict the permissions of the file:

chmod 600 /etc/racoon/racoon.conf

Step 5:

Create the pre-shared key file used for IKE authentication. The first column is the IPsec identifier, the second column is the IPsec pre-shared key.

This is the needed entry in /etc/racoon/psk.txt for Android clients:

myhomelan mysecret

This is the needed entry in /etc/racoon/psk.txt for iPhone and iPad iOS clients:

* mysecret

Set permissions:

chmod 600 /etc/racoon/psk.txt

Now we need to install the EPEL repository, xl2tpd and its dependencies:

For 64bit CentOS 5:

rpm -Uvh http://mirror.bytemark.co.uk/fedora/epel/5/x86_64/epel-release-5-4.noarch.rpm

For 64bit CentOS 6:

rpm -Uvh http://mirror.bytemark.co.uk/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

And run this command for some dependencies:

yum install libpcap-devel ppp -y

Now install the xl2tpd by typing this command:

yum install xl2tpd -y

Step 6:

Now open the file /etc/ppp/options.xl2tpd and add the lines below:

crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
auth
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
plugin radius.so
plugin radattr.so

Step 7:

Now add the following to /etc/xl2tpd/xl2tpd.conf, changing the IP range and local IP to values that suit your server:

[global]
force userspace = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = l2tp
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Step 8:

Now it is time to add the iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1701 -j ACCEPT

And save the tables by following command:

service iptables save

Step 9:

Restart the services and check their output for errors:

service xl2tpd restart

service racoon restart

Step 10:

Now edit the /etc/sysctl.conf file and change the IP forwarding setting to 1:

net.ipv4.ip_forward = 0

TO

net.ipv4.ip_forward = 1

And add these lines at the bottom of the same file:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

Save the file and apply the settings with the sysctl -p command.
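A sanity-check script for the files and kernel settings configured in the steps above, added here as an example and not part of the original tutorial. It assumes GNU stat and awk (as shipped with CentOS), checks that racoon.conf and psk.txt are mode 0600 (Steps 4 and 5), that every psk.txt entry has both an identifier and a secret, reporting the wildcard entry because it lets any peer identity try that secret, and that the sysctl keys from Step 10 have their intended values:

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-restart checks for the
# files and kernel settings from Steps 4, 5 and 10. Each check returns 0 on pass
# and 1 on fail; paths are arguments so staged copies can be checked too.
# Pass when the file exists with mode 0600 (racoon.conf and psk.txt).
check_mode_600() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}
# Pass when every non-comment line of psk.txt has exactly two fields
# (identifier, secret). A "*" identifier (the iOS entry of Step 5) is
# reported, because it lets any peer identity attempt that one secret.
check_psk_format() {
    f="$1"; bad=0
    [ -f "$f" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f    # split on whitespace, no globbing of "*"
        if [ $# -ne 2 ]; then
            echo "psk.txt: malformed line: $line" >&2; bad=1
        elif [ "$1" = '*' ]; then
            echo "psk.txt: wildcard identifier; any peer ID may use this secret" >&2
        fi
    done < "$f"
    return $bad
}
# Effective value of one key in a sysctl.conf-style file (the last assignment
# wins, which is what sysctl -p applies).
sysctl_value() {
    awk -v k="$2" -F'=' '$1 ~ "^[ \t]*"k"[ \t]*$" { gsub(/[ \t]/, "", $2); v = $2 }
                         END { print v }' "$1"
}
# Pass when ip_forward is 1 and ICMP redirects are off, as set in Step 10.
check_sysctl_file() {
    [ -f "$1" ] || return 1
    [ "$(sysctl_value "$1" net.ipv4.ip_forward)" = "1" ] || return 1
    for k in net.ipv4.conf.all.send_redirects net.ipv4.conf.all.accept_redirects \
             net.ipv4.conf.default.send_redirects net.ipv4.conf.default.accept_redirects; do
        [ "$(sysctl_value "$1" "$k")" = "0" ] || return 1
    done
}
# Run all checks against the live paths when invoked as: sh l2tp_check.sh --run
run_all() {
    check_mode_600 /etc/racoon/racoon.conf && check_mode_600 /etc/racoon/psk.txt &&
    check_psk_format /etc/racoon/psk.txt && check_sysctl_file /etc/sysctl.conf
}
[ "${1:-}" = "--run" ] && run_all
```

A non-zero exit from run_all means at least one check failed; the messages on stderr say which file or key to fix before restarting racoon and xl2tpd.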

If you want to authenticate users against a RADIUS server (via a RADIUS client on the VPN host) rather than with local PPP credentials, continue with the following steps.

Step 11:

For CentOS 5 and 6:

wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Install by using this command:

rpm -i radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Step 12:

Open the /etc/radiusclient/servers file and change the values as shown below:

#Server Name or Client/Server pair     Key
#----------------                      ---------------
#portmaster.elemental.net              hardlyasecret
#portmaster2.elemental.net             donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP      YOUR_RADIUS_SERVER_SECRET

The secret must be the same one you specified for this client in /etc/raddb/clients.conf on your FreeRADIUS server.

Step 13:

Now open the main configuration file of the RADIUS client, /etc/radiusclient/radiusclient.conf, and make sure it looks like the following:

auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login

Save the file. In the /etc/radiusclient directory you will find the dictionary file; add this line at the bottom of it:

INCLUDE /etc/radiusclient/dictionary.microsoft

dictionary.microsoft is not included with the RADIUS client by default, but you can download it from this link and upload it into the /etc/radiusclient/ directory.

Now edit the /etc/ppp/options.xl2tpd file and make sure these lines are present at the bottom:

plugin radius.so

plugin radattr.so

Step 14:

Now restart the services, load the IPsec policies, and enable both services at boot:

service racoon restart

service xl2tpd restart

/etc/racoon/init.sh

chkconfig racoon on

chkconfig xl2tpd on
