L2TP IPSec VPN + NAT on Gentoo Linux with Single Network Adapter

This article describes how I set up a NAT server and an L2TP IPsec VPN server on Gentoo Linux with only one network adapter. Assume

  • 12.34.56.78 is the public IP of the server,
  • 12.34.56.1 is the gateway of the server,
  • 192.168.0.1 is the private IP of the server, and
  • 192.168.0.0/24 is the internal network.




Setup NAT Server


The following packages are needed:

  • sys-kernel/gentoo-sources
  • net-firewall/iptables


The first step is to make sure all needed kernel modules are compiled. My kernel version is 2.6.31-gentoo-r6.

[*] Networking support --->
  Networking options --->
    [*] TCP/IP networking
    [*]   IP: advanced router
    [*] Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
        <*> FTP protocol support
        <*> IRC protocol support
        -*- Netfilter Xtables support (required for ip_tables)
        <M> "MARK" target support
        <M> "iprange" address range match support
        <M> "mac" address match support
        <M> "multiport" Multiple port match support
      IP: Netfilter Configuration --->
        <*> IPv4 connection tracking support (required for NAT)
        <*> IP tables support (required for filtering/masq/NAT)
        <*>   Packet filtering
        <*>     REJECT target support
        <*>   LOG target support
        <*>   Full NAT
        <*>     MASQUERADE target support
        <M>     REDIRECT target support
        <*>   Packet mangling

A safer way is to enable all features in "Core Netfilter Configuration" and "IP: Netfilter Configuration".


Since my Linux machine has only one adapter, I have to create an alias for the existing interface. First add the private IP 192.168.0.1 to /etc/conf.d/net.

config_eth0=(
    "12.34.56.78/24"
    "192.168.0.1/24"
)
routes_eth0=( "default via 12.34.56.1" )


Restart the network interface.

# /etc/init.d/net.eth0 restart


Now the server has two IPs. I also need to add rules to iptables to translate private addresses.

*filter
-A FORWARD -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.0.0/24 -j ACCEPT

*nat
-A POSTROUTING -o eth0 -j MASQUERADE


Add the above rules to the appropriate places in the file /var/lib/iptables/rules-save, which is created by

# /etc/init.d/iptables save

and then use

# iptables-restore < /var/lib/iptables/rules-save

to restore the new rules. Don't forget to save the iptables rules again.

Uncomment the following line in /etc/sysctl.conf

net.ipv4.ip_forward = 1

and execute

# echo 1 > /proc/sys/net/ipv4/ip_forward

to enable forwarding.

Setup L2TP IPSec VPN Server

The following packages are needed:

  • sys-kernel/gentoo-sources
  • net-dialup/ppp
  • net-dialup/xl2tpd
  • net-misc/openswan

Again, make sure required kernel modules are compiled.

[*] Networking support --->
  Networking options --->
    <M> PF_KEY socket
    [*] TCP/IP networking
    <M> IP: tunneling
    <M> IP: AH transformation
    <M> IP: ESP transformation
    <M> IP: IPComp transformation
    <M> IP: IPsec transport mode
    <M> IP: IPsec tunnel mode
Device Drivers --->
  [*] Network device support
    <M> PPP (point-to-point protocol) support
    <M>   PPP support for async serial ports
    <M>   PPP support for sync tty ports
    <M>   PPP Deflate compression
    <M>   PPP BSD-Compress compression
    <M>   PPP over Ethernet (EXPERIMENTAL)
  Character devices --->
    [*] Legacy (BSD) PTY support
-*- Cryptographic API --->
  -*- HMAC support
  <M> Null algorithms
  <M> MD4 digest algorithm
  -*- MD5 digest algorithm
  -*- SHA1 digest algorithm
  <M> SHA224 and SHA256 digest algorithm
  <M> SHA384 and SHA512 digest algorithms
  <M> Blowfish cipher algorithm
  -*- DES and Triple DES EDE cipher algorithms
  <M> Serpent cipher algorithm
  <M> Twofish cipher algorithm
  <M> Deflate compression algorithm

Edit the Openswan configuration file /etc/ipsec/ipsec.conf.

version 2.0

config setup
    nat_traversal=yes
    nhelpers=0
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces="ipsec0=eth0"

# Add connections here
conn %default
    keyingtries=3
    rekey=no
    pfs=no
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    left=12.34.56.78
    leftnexthop=12.34.56.1
    leftsourceip=192.168.0.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

For machine authentication I use a pre-shared key (PSK, authby=secret above). Edit /etc/ipsec/ipsec.secrets.

12.34.56.78 %any: PSK "SECRET"

Replace SECRET with your own secret.

Edit /etc/xl2tpd/xl2tpd.conf.

[global]
listen-addr = 12.34.56.78
port = 1701
ipsec saref = yes

[lns default]
ip range = 192.168.0.200-192.168.0.250
local ip = 192.168.0.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = YOUR_VPN_NAME
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

Here I only assign IPs in 192.168.0.200-192.168.0.250 to VPN clients.

Edit /etc/ppp/options.l2tpd

require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns YOUR_DNS_SERVER
noccp
auth
crtscts
idle 1800
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
logfd 2
logfile /var/log/l2tpd.log

The first line requires MS-CHAP v2 for user authentication.

Edit /etc/ppp/chap-secrets to add VPN users.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
USER_NAME       *       USER_PASSWORD           192.168.0.0/24

Add firewall rules.

*filter
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
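The rule for UDP 1701 above matches only packets that arrived inside an IPsec policy; a plain accept on 1701 would expose xl2tpd to unencrypted L2TP from anywhere, leaving PPP authentication as the only barrier. The following shell check is an added example, not part of the original article: it audits a rules-save style file for any INPUT rule that accepts UDP 1701 without the policy match, using two constructed sample files.

```shell
#!/bin/sh
# Audit a saved iptables rules file (iptables-restore format) for the
# L2TP invariant: UDP 1701 may only be accepted when the packet arrived
# inside an IPsec policy (-m policy --dir in --pol ipsec).

# Print every INPUT rule that accepts UDP dport 1701 without the IPsec
# policy match. Output is empty when the file is clean.
unprotected_l2tp_rules() {
    grep -E '^-A INPUT .*-p udp .*--dport 1701 .*-j ACCEPT' "$1" |
        grep -v -- '--pol ipsec' || true
}

# Return 0 when no unprotected 1701 accept rule exists, 1 otherwise.
check_l2tp_policy() {
    [ -z "$(unprotected_l2tp_rules "$1")" ]
}

# Constructed sample files, not real saved rules. GOOD_RULES mirrors the
# article's INPUT rules; BAD_RULES adds a plaintext 1701 accept.
GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
*filter
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
COMMIT
EOF
cat > "$BAD_RULES" <<'EOF'
*filter
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
COMMIT
EOF

if check_l2tp_policy "$GOOD_RULES"; then
    echo "good file: no unprotected L2TP rule"
fi
if ! check_l2tp_policy "$BAD_RULES"; then
    echo "bad file: unprotected L2TP rule(s) found:"
    unprotected_l2tp_rules "$BAD_RULES"
fi
```

Point the functions at /var/lib/iptables/rules-save to audit the live rule set after saving.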

Problems Left

With the configuration described above, my Windows machine, iPhone 3G, and MacBook Pro can establish VPN connections successfully. They can also access other machines in the internal private network. The IP detected by http://whatismyipaddress.com/ on my Windows machine and on the iPhone 3G is 12.34.56.78. However, the IP detected on the MacBook Pro is the MacBook Pro's own IP, which means my MacBook Pro does not communicate with the Internet through 12.34.56.78.

Solution: In the network setting of the L2TP VPN connection in Mac OS X, there is an option "Send all traffic over VPN connection". If this option is on, then my MacBook Pro will communicate with the Internet through 12.34.56.78.

3 comments:

Mary Shane said...

I had a problem with the network manager applet. All guides are telling me to click on the VPN choice in the applet's menu. But I don't have any! And I haven't figured out how to fix it.
Using this guide I got my VPN running in 3 minutes.

Mary Shane said...

This comment has been removed by the author.

Danny said...

My problem with VPN is resolved now, thanks for the guide!