With the following guide you can build an IPsec-capable VPN client (L2TP over IPsec, as used by most commercial VPN servers) on Gentoo:
Required kernel settings
Loadable module support --->
Networking --->
    Networking options --->
        <*> Packet socket
        <*> Unix domain sockets
        <M> IPsec user configuration interface
        <M> PF_KEY sockets
        [*] TCP/IP networking
            [*] IP: multicasting
            [*] IP: advanced router
            [*] IP: TCP syncookie support (disabled per default)
            <M> IP: ESP transformation
            <M> IP: IPComp transformation
            <M> IP: tunnel transformation
            <M> INET: socket monitoring interface
        [*] Network packet filtering (replaces ipchains) --->
Device Drivers --->
    Network device support --->
        [*] Network device support
        <M> PPP (point-to-point protocol) support
            <M> PPP support for async serial ports
            <M> PPP support for sync tty ports
            <M> PPP Deflate compression
            <M> PPP BSD-Compress compression
Cryptographic options --->
    --- Cryptographic API
    --- HMAC support
    <M> MD5 digest algorithm
    <M> DES and Triple DES EDE cipher algorithms
    <M> AES cipher algorithms
    <M> AES cipher algorithms (i586)
    <M> SHA1 digest algorithm
The DES option is required because it also provides Triple DES, which many L2TP/IPsec servers still negotiate; single DES itself should not be relied on, and AES is preferable wherever the server offers it.
Required packages
- net-misc/openswan
- net-firewall/ipsec-tools
- net-dialup/xl2tpd
Configuration
First we configure IPsec in /etc/ipsec/ipsec.conf:
# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan-2.4.15/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg: plutodebug="control parsing"
#
# ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#
# enable this if you see "failed to find any available worker"
nhelpers=0
# Add connections here
conn my-vpn
#
# ----------------------------------------------------------
# Use a Preshared Key. Perfect Forward Secrecy is disabled (pfs=no) only
# because common L2TP/IPsec servers do not offer PFS for the phase 2 SA;
# set pfs=yes if the server supports it. Initiate rekeying.
# Connection type _must_ be Transport Mode (L2TP/IPsec protects only the
# UDP/1701 traffic between the two hosts; the tunnel itself is L2TP).
#
authby=secret
pfs=no
rekey=yes
keyingtries=3
type=transport
#
# ----------------------------------------------------------
# The local Linux machine that connects as a client.
#
# The external network interface is used to connect to the server.
# If you want to use a different interface or if there is no
# defaultroute, you can use: left=your.ip.addr.ess
left=%defaultroute
leftid=@my-access
leftnexthop=<LOCAL-GATEWAY>
#
leftprotoport=17/1701
#
# ----------------------------------------------------------
# The remote server.
#
# Connect to the server at this IP address.
right=88.198.54.131
#
rightprotoport=17/1701
# ----------------------------------------------------------
#
# auto=start loads the connection and initiates it as soon as the ipsec
# service is up; 'add' would only load it, 'ignore' disables it.
#
auto=start
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
Next we configure the preshared key (PSK) for the IPsec layer in /etc/ipsec/ipsec.secrets. The file contains the shared secret in plaintext and must be readable by root only (mode 0600):
@my-access <EXTERNAL-IP-OF-SERVER>: PSK "<PSK-FROM-SERVER>"
In the next step we configure the L2TP tunnel that runs inside the IPsec transport SA. First we adjust /etc/xl2tpd/xl2tpd.conf:
[lac my-vpn]
lns = <EXTERNAL-IP-OF-SERVER>
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication!
name = <USER>
ppp debug = yes
pppoptfile = /etc/ppp/options
length bit = yes
autodial = yes
redial = yes
redial timeout = 5
The file /etc/ppp/options:
debug
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
#idle 1800
mtu 1410
mru 1410
#defaultroute
nodefaultroute
#usepeerdns
noipdefault
lock
#proxyarp
connect-delay 5000
Finally, the users are configured in /etc/ppp/chap-secrets. Like ipsec.secrets, this file holds the passwords in plaintext and should be mode 0600:
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
user1       *         "pass1"
*           user1     "pass1"
Finally, start the ipsec and xl2tpd daemons. Start ipsec first, so that the L2TP tunnel (and the CHAP exchange inside it) is only set up once the IPsec transport SA to the server exists.
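The whole start-up procedure above, written as a script. This is an added example and not part of the original guide: it checks that the two secrets files are not world-readable, starts IPsec, waits until Openswan reports both the ISAKMP and the IPsec SA for the connection, confirms via the kernel's xfrm state that an ESP transport-mode SA to the server exists, and only then starts xl2tpd and dials. Assumed (not stated on the page): the Gentoo OpenRC scripts /etc/init.d/ipsec and /etc/init.d/xl2tpd, the module names af_key, xfrm_user and esp4 for the kernel options listed above, and xl2tpd's control FIFO at /var/run/xl2tpd/l2tp-control. The connection name "my-vpn" and the server address are taken from the ipsec.conf above.

```shell
#!/bin/sh
# Added example, not part of the original guide: bring the L2TP/IPsec client
# up in the right order and verify that the IPsec transport SA exists before
# L2TP is dialed, so UDP/1701 (and the CHAP exchange inside it) never leaves
# the box in the clear.
# Assumptions: Gentoo OpenRC scripts /etc/init.d/ipsec and /etc/init.d/xl2tpd,
# the connection name "my-vpn" from ipsec.conf / xl2tpd.conf, the server
# address from ipsec.conf, and xl2tpd's control FIFO /var/run/xl2tpd/l2tp-control.

CONN=my-vpn
SERVER=88.198.54.131
CONTROL=/var/run/xl2tpd/l2tp-control

# Secret files hold plaintext keys: accept only mode 0600 or 0400.
# Returns 0 when the mode is acceptable, 1 otherwise (or if the file is missing).
secrets_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read `ipsec auto --status` output on stdin; return 0 only if the named
# connection has both its ISAKMP (phase 1) and IPsec (phase 2) SA established.
sa_established() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q "\"$1\".*ISAKMP SA established" || return 1
    printf '%s\n' "$status" | grep -q "\"$1\".*IPsec SA established"
}

# Read `ip xfrm state` output on stdin; return 0 if the kernel holds an
# ESP state in transport mode whose destination is the server, i.e. traffic
# to it really is being encrypted.
esp_transport_to_server() {
    awk -v srv="$1" '
        /^src / { dst = ($3 == "dst") ? $4 : "" }        # "src A dst B" header
        /proto esp/ && /mode transport/ && dst == srv { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Wait up to $2 seconds for the shell snippet $1 to succeed.
wait_for() {
    n=0
    until eval "$1"; do
        n=$((n + 1))
        [ "$n" -lt "$2" ] || return 1
        sleep 1
    done
}

bring_up() {
    secrets_perms_ok /etc/ipsec/ipsec.secrets ||
        { echo "/etc/ipsec/ipsec.secrets must be mode 0600" >&2; return 1; }
    secrets_perms_ok /etc/ppp/chap-secrets ||
        { echo "/etc/ppp/chap-secrets must be mode 0600" >&2; return 1; }

    # Assumed module names for PF_KEY sockets, the IPsec user configuration
    # interface and IP: ESP transformation from the kernel list above.
    modprobe -a af_key xfrm_user esp4 2>/dev/null

    # 1. IPsec first. auto=start initiates the SA as soon as pluto is running.
    /etc/init.d/ipsec start || return 1
    wait_for 'ipsec auto --status | sa_established "$CONN"' 30 ||
        { echo "IPsec SA for $CONN not established" >&2; return 1; }
    ip xfrm state | esp_transport_to_server "$SERVER" ||
        { echo "no ESP transport SA towards $SERVER" >&2; return 1; }

    # 2. Only now L2TP: autodial=yes dials [lac my-vpn]; "c my-vpn" on the
    #    control FIFO forces a redial if the first attempt already failed.
    /etc/init.d/xl2tpd start || return 1
    [ -p "$CONTROL" ] && echo "c $CONN" > "$CONTROL"
    wait_for 'ip link show ppp0 >/dev/null 2>&1' 30 ||
        { echo "ppp0 did not come up" >&2; return 1; }
    echo "VPN up, ppp0 = $(ip -4 addr show ppp0 | awk '/inet /{print $2}')"
}

# Usage: sh vpn-up.sh up   (the functions can also be sourced and reused)
if [ "${1:-}" = up ]; then
    bring_up
fi
```

The order matters: if xl2tpd were started before the SA exists, its first connection attempt would either be held back by the xfrm policy Openswan installs for UDP/1701 or, on a host without that policy, go out unprotected. Checking `ip xfrm state` in addition to Openswan's own status guards against the case where pluto believes the SA is up but the kernel never received it.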
