
Install L2TP over IPsec with Freeradius on Ubuntu

How to install L2TP over IPsec with Freeradius on Ubuntu 16.04

The open source implementations used for L2TP over IPsec with Freeradius authentication are strongSwan and Openswan; both are supported on all major Linux distributions. This blog is about the Layer 2 Tunneling Protocol (L2TP) combined with IPsec to provide end-to-end encryption for a VPN (Virtual Private Network), because L2TP alone offers no security features.

In this blog, Openswan is used to provide the security for the L2TP VPN. Freeradius is a well-known open source tool which provides authentication for users; it is used here to authenticate the L2TP VPN user before the secure channel is established. An Android-based client will be used to test the L2TP-based secure tunnel.

Packages required to install L2TP over IPsec with Freeradius on Ubuntu:

  • Freeradius Server/Client
  • Poptop Server
  • xl2tpd
  • Openswan for IPsec
  • MySQL Server/client
  • Bison & Flex
  • GMP development library

$ sudo apt-get update

$ sudo apt-get install -y mysql-server mysql-client freeradius-mysql pptpd xl2tpd

The following screenshot shows how the password for the user “root” of the MySQL database server is being set during the installation process.

Required packages for building Openswan from source on the Ubuntu 16.04 platform:

$ sudo apt-get install -y build-essential libgmp3-dev bison flex

Now download the Freeradius client and Openswan packages by using the following commands:

$ wget https://github.com/FreeRADIUS/freeradius-client/archive/master.zip

$ unzip master.zip

Rename the directory freeradius-client-master to freeradius-client:

$ sudo mv freeradius-client-master freeradius-client

$ cd freeradius-client

Run the configure script with the install prefix:

$ ./configure --prefix=/

$ make && make install

Now install Openswan:

$ wget https://download.openswan.org/openswan/openswan-latest.tar.gz

$ tar -xzf openswan-latest.tar.gz

$ cd openswan-*

$ make programs

Run this command to install Openswan after it has been compiled:

$ make install

Now we need to define the NAT rules in iptables:

$ iptables -t nat -I POSTROUTING -s 10.20.30.0/24 -j SNAT --to 192.168.15.4
$ iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -j SNAT --to 192.168.15.4

The above rules should be saved into the /etc/iptables.rc file so that they are applied at boot time:

$ chmod +x /etc/iptables.rc

$ sed -i "/iptables.rc/d" /etc/rc.local

$ sed -i "1a/etc/iptables.rc" /etc/rc.local

Add the following lines to the /etc/sysctl.conf file to enable IP forwarding on the Linux machine (these are file contents, not shell commands):

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

$ sysctl -p

To change the default Freeradius database password (radpass) to test in admin.sql:

$ sed -i "s/PASSWORD('radpass')/PASSWORD('test')/g" /etc/freeradius/sql/mysql/admin.sql

The following MySQL commands will configure the Freeradius server on Ubuntu.

$ mysql --protocol=tcp -h localhost -u root -ptest

create database radius;  # create the radius DB

mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/cui.sql

Importing cui.sql may fail with an invalid default value error; fix it by adding a proper date as the default value in /etc/freeradius/sql/mysql/cui.sql.

After correcting the /etc/freeradius/sql/mysql/cui.sql file, rerun the above command and the error is gone.

mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/ippool.sql

mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/nas.sql

mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/schema.sql

mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/wimax.sql

$ sed -i "s/password = \"radpass\"/password = \"test\"/g" /etc/freeradius/sql.conf

Here the RADIUS database password is set to test, matching the password set in admin.sql above.

Create a soft link for the SQL configuration in the modules directory of the Freeradius server:

$ ln -sf /etc/freeradius/sql.conf /etc/freeradius/modules/sql

The following files are not present on Ubuntu 16.04; therefore, create all required files with the content described below.

  • /etc/freeradius/modules/hourlytraffic
  • /etc/freeradius/modules/dailytraffic
  • /etc/freeradius/modules/monthlytraffic

/etc/freeradius/modules/hourlytraffic

sqlcounter hourlytrafficcounter {
    counter-name = Hourly-Traffic
    check-name = Hourly-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = 1h
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

/etc/freeradius/modules/dailytraffic

sqlcounter dailytrafficcounter {
    counter-name = Daily-Traffic
    check-name = Daily-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

/etc/freeradius/modules/monthlytraffic

sqlcounter monthlytrafficcounter {
    counter-name = Monthly-Traffic
    check-name = Monthly-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

The following file is the main site configuration of the Freeradius server. Our running configuration is given below.

/etc/freeradius/sites-enabled/default

authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
    pap
    hourlytrafficcounter
    dailytrafficcounter
    monthlytrafficcounter
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
    exec
    attr_filter.accounting_response
}
session {
    radutmp
    sql
}
post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

Use the following command to restart the Freeradius server and to verify that the configuration loads:

$ /etc/init.d/freeradius restart

Configuration of the Freeradius client

The following command sets the server hostname and shared secret in the "servers" file of the Freeradius client:

$ echo -e "localhost\ttesting123" >> /etc/radiusclient/servers

Create the dictionary.microsoft configuration file for Windows-based clients:

$ sudo nano /etc/radiusclient/dictionary.microsoft

Create the dictionary.merit file with the following content:

$ sudo nano /etc/radiusclient/dictionary.merit

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8

Add the following lines to the /etc/radiusclient/dictionary file so that the client knows the three traffic attributes used by the counters:

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
ATTRIBUTE Hourly-Traffic 1000 integer
ATTRIBUTE Daily-Traffic 1001 integer
ATTRIBUTE Monthly-Traffic 1002 integer

The running configuration of the radius client is in the following file:

/etc/radiusclient/radiusclient.conf

Configuration of the Poptop server:

Add the following configuration in the /etc/pptpd.conf file.

localip 10.20.30.1
remoteip 10.20.30.2-254

Run the following sed commands on the /etc/ppp/pptpd-options file to remove any existing ms-dns and RADIUS plugin lines:

sed -i "/^ms-dns/d" /etc/ppp/pptpd-options
sed -i -e "/radius.so/d" -e "/radattr.so/d" /etc/ppp/pptpd-options

Add the following lines to the /etc/ppp/pptpd-options file:

ms-dns 8.8.8.8
ms-dns 8.8.4.4
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

Restart the pptpd service to apply the above changes:

$ service pptpd restart

Configuration of xl2tp:

Include the following configuration lines in the /etc/xl2tpd/xl2tpd.conf file, as shown in the following figure.

Configuration of OpenSwan:

Add the following pre-shared key entry to the IPsec secrets file /etc/ipsec.secrets:

$ nano /etc/ipsec.secrets

192.168.15.4 %any 0.0.0.0: PSK "test"

The IPsec configuration for the L2TP tunnel is included in the /etc/ipsec.conf file:

version 2.0

config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
        protostack=netkey
        #protostack=mast  # used for SAref + MAST only
        interfaces="%defaultroute"
        oe=off

conn psk-l2tp
        pfs=no
        auto=add
        rekey=no
        # overlapip=yes   # for SAref + MAST
        # sareftrack=yes  # for SAref + MAST
        type=transport
        left=192.168.15.4
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        authby=secret

Configuration of PPP server:

Add the following configuration to the /etc/ppp/options.xl2tpd file:

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

After successful configuration of all required packages, restart all services to test the L2TP VPN.

Restart the IPsec and xl2tpd services.

The following figure shows that the Freeradius server is running in daemon mode, which helps to confirm that the server is working.

Insert a user account into the MySQL database to test the configuration:

INSERT INTO radius.radcheck (username, attribute, op, value) VALUES ('username', 'User-Password', ':=', 'userpassword');

The following command checks that the Freeradius server is working on localhost (the last argument is the shared secret from the servers file):

$ radtest username userpassword localhost 0 testing123

The Openswan log (/var/log/auth.log) and the xl2tpd log (/var/log/syslog) also show the status of the L2TP VPN:

$ tail -f /var/log/auth.log

$ tail -f /var/log/syslog

Now you can configure the Android client for L2TP/IPsec PSK and connect by giving the username and password.

This is how you can install and run L2TP over IPsec with Freeradius on Ubuntu.

Thanks
