Attention: All pages of this wiki depend on the pages that come before them, in the order listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki

Install LibreSWAN and Xl2tpd: Difference between revisions

From COCNM
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
==System Prep==
==System Prep==
*apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libpcap-dev libnss3-tools ppp libradius1
*apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libpcap-dev libnss3-tools ppp libevent-dev libradius1
*apt-get install --no-install-recommends xmlto
*echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
*echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
*echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
*echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
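Review bot: The `>> /etc/sysctl.conf` appends in this hunk are not idempotent; every rerun of the prep steps adds another copy of each line to the file. Writing the settings to one dedicated drop-in with `>` (or grepping for the key before appending) keeps the file clean, so the `sysctl -p` that follows sees a single authoritative value per key.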
Line 10: Line 11:
*<b>Find latest downloads here: </b>http://libreswan.org/
*<b>Find latest downloads here: </b>http://libreswan.org/
*cd /usr/src
*cd /usr/src
*wget https://download.libreswan.org/libreswan-3.9.tar.gz
*wget https://download.libreswan.org/libreswan-3.12.tar.gz
*tar zxf libreswan-3.9.tar.gz
*tar zxf libreswan-3.12.tar.gz
*cd libreswan-3.9/
*cd libreswan-3.12/
*make programs
*make programs
*make install
*make install
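Review bot: The bump from 3.9 to 3.12 keeps a fetch-and-build sequence with no integrity check: the tarball goes straight from `wget` through `tar zxf` to `make install` as root. Compare the download against the signature or checksum the project publishes with each release before building. The certificate-handling note added further down on this page points at the 3.14 X509 change while this hunk pins 3.12, so state which version the rest of the page was actually tested with.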
Line 26: Line 27:


==Configure Libreswan==
==Configure Libreswan==
*<b>BIG FAT NOTE:</b>certificate handling changed.  see: https://libreswan.org/wiki/3.14_X509
*scp -r root@192.168.26.10:/var/CA/computerisms.com/porchlian.computerisms.com/porchlian.computerisms.com.p12 root@192.168.26.10:/var/CA/computerisms.com/CA/Computerisms.Certificate.Authority.p12 root@192.168.26.10:/var/CA/computerisms.com/Computerisms.Certificate.Authority.crl ~
*scp -r root@192.168.26.10:/var/CA/computerisms.com/porchlian.computerisms.com/porchlian.computerisms.com.p12 root@192.168.26.10:/var/CA/computerisms.com/CA/Computerisms.Certificate.Authority.p12 root@192.168.26.10:/var/CA/computerisms.com/Computerisms.Certificate.Authority.crl ~
*certutil -N -d /etc/ipsec.d
*certutil -N -d /etc/ipsec.d
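Review bot: The BIG FAT NOTE links the 3.14 X509 change but gives no hint whether the certutil/pk12util steps that follow still apply to the 3.12 tarball this page installs; spell out what changed and whether these steps were re-tested instead of only linking. Also, the scp line pulls the CA's own .p12 bundle: if that bundle carries the CA private key, the pk12util import below puts the CA key on the VPN gateway, which only needs the CA certificate to validate peers; import the CA certificate alone and leave the key on the CA host. The `-r` on scp is unnecessary for three regular files.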
Line 41: Line 43:
*vi [[/etc/xl2tpd/xl2tpd.conf]]
*vi [[/etc/xl2tpd/xl2tpd.conf]]
*vi [[/etc/xl2tpd/ppp-options.xl2tpd]]
*vi [[/etc/xl2tpd/ppp-options.xl2tpd]]
*touch /etc/xl2tpd/xl2tpd.control


==Configure RadiusClient==
==Configure RadiusClient==
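Review bot: The new `touch /etc/xl2tpd/xl2tpd.control` creates a file named xl2tpd.control, but the start step on this same page launches the daemon with `-C /etc/xl2tpd/l2tp-control`; the touched file is not the one xl2tpd is told to use. Pick one name and use it here, on the start line, and in xl2tpd.conf.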
Line 50: Line 53:
==Start IPSec and Xl2tpd==
==Start IPSec and Xl2tpd==
*ipsec setup start; tail -f /var/log/auth.log <b><= Check for errors</b>
*ipsec setup start; tail -f /var/log/auth.log <b><= Check for errors</b>
*xl2tpd -C /etc/xl2tpd/l2tp-control
*xl2tpd -c /etc/xl2tpd/xl2tpd.conf -C /etc/xl2tpd/l2tp-control
*systemctl enable ipsec
*systemctl enable ipsec
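Review bot: `systemctl enable ipsec` makes the IPsec side persistent, but xl2tpd is only started by hand with `xl2tpd -c /etc/xl2tpd/xl2tpd.conf -C /etc/xl2tpd/l2tp-control`, so after a reboot IPsec comes up and the L2TP half of the VPN stays down. Add the matching enable step for xl2tpd (a unit file if the source build did not install one) so both daemons start together, and keep `tail -f /var/log/auth.log` open on the first boot to confirm it.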



Latest revision as of 14:52, 23 November 2015

System Prep

  • apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libpcap-dev libnss3-tools ppp libevent-dev libradius1
  • apt-get install --no-install-recommends xmlto
  • echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
  • echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
  • echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
  • sysctl -p
  • for i in $(ls /proc/sys/net/ipv4/conf/); do echo 0 > /proc/sys/net/ipv4/conf/$i/accept_redirects; echo 0 > /proc/sys/net/ipv4/conf/$i/send_redirects; done
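The System Prep redirect hardening, as an added example that is not from the COCNM wiki: an idempotent drop-in writer plus a check over every interface directory, covering the same keys the `for i in $(ls /proc/sys/net/ipv4/conf/)` loop sets. The drop-in path and the conf-directory argument are assumptions so the functions can be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example, not from the COCNM wiki. Paths given as arguments are
# assumptions so the functions can be exercised against a scratch tree.

# Write the redirect settings to one sysctl.d drop-in. Rewriting a file
# with > is idempotent; appending to /etc/sysctl.conf with >> on every
# run (as the prep steps do) leaves duplicate lines behind.
write_redirect_sysctl() {
    dropin="${1:-/etc/sysctl.d/60-no-redirects.conf}"
    cat > "$dropin" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Return 0 when every interface directory under $1 (default
# /proc/sys/net/ipv4/conf) has accept_redirects and send_redirects at 0;
# otherwise print each offending file and return 1.
check_redirects() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for d in "$conf"/*; do
        [ -d "$d" ] || continue
        for key in accept_redirects send_redirects; do
            [ -f "$d/$key" ] || continue
            if [ "$(cat "$d/$key")" != "0" ]; then
                echo "redirects still enabled: $d/$key"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Runtime equivalent of the wiki's for-loop over /proc/sys/net/ipv4/conf,
# followed by the check so a failure is reported instead of staying silent.
harden_redirects() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$conf"/*; do
        [ -d "$d" ] || continue
        echo 0 > "$d/accept_redirects"
        echo 0 > "$d/send_redirects"
    done
    check_redirects "$conf"
}
```

Run `harden_redirects` as root after `sysctl -p`; a non-zero exit lists exactly which interface still has redirects on.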

Obtain and Install Libreswan

Obtain and Install Xl2tpd

Configure Libreswan

  • BIG FAT NOTE: certificate handling changed. See: https://libreswan.org/wiki/3.14_X509
  • scp -r root@192.168.26.10:/var/CA/computerisms.com/porchlian.computerisms.com/porchlian.computerisms.com.p12 root@192.168.26.10:/var/CA/computerisms.com/CA/Computerisms.Certificate.Authority.p12 root@192.168.26.10:/var/CA/computerisms.com/Computerisms.Certificate.Authority.crl ~
  • certutil -N -d /etc/ipsec.d
    • Enter password B0bsGates
  • pk12util -i /root/Computerisms.Certificate.Authority.p12 -d /etc/ipsec.d
  • certutil -M -n "Computerisms.Certificate.Authority" -d /etc/ipsec.d -t "TC,,"
  • pk12util -i /root/porchlian.computerisms.com.p12 -d /etc/ipsec.d
  • > /etc/ipsec.conf; vi /etc/ipsec.conf
  • vi /etc/ipsec.secrets
  • vi /etc/ipsec.d/nsspassword
  • cp /root/Computerisms.Certificate.Authority.crl /etc/ipsec.d/crls/
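After the pk12util/certutil imports above, an added check that is not from the COCNM wiki: confirm that the NSS database shows the CA with the trust flags set by `-t "TC,,"` and the host certificate with its private key, then shred the .p12 bundles left in /root. The `certutil -L` column layout parsed here is the standard one, the nickname defaults are the page's own, and the sample output embedded at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the COCNM wiki. Checks the NSS database the
# page populates with pk12util/certutil and cleans up the leftover
# PKCS#12 bundles. Nickname defaults are the ones the page uses.

# Read `certutil -L -d <dir>` output on stdin; return 0 only if $1 (the
# CA nickname) has both C and T in the SSL trust column, as set by
# `certutil -M ... -t "TC,,"`, and $2 (the host nickname) shows u there,
# which is how certutil marks a certificate whose private key is present.
nss_trust_ok() {
    awk -v ca="$1" -v host="$2" '
        # Data lines end in a three-column flag field like CT,, or u,u,u;
        # the header lines (Trust Attributes, SSL,S/MIME,JAR/XPI) do not.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, f, ",")
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flag field
            sub(/^[ \t]+/, "", nick)
            if (nick == ca   && f[1] ~ /C/ && f[1] ~ /T/) ca_ok = 1
            if (nick == host && f[1] ~ /u/)              host_ok = 1
        }
        END { if (ca_ok && host_ok) exit 0; exit 1 }'
}

# Live check against /etc/ipsec.d (or the directory given as $1).
verify_ipsec_nssdb() {
    certutil -L -d "${1:-/etc/ipsec.d}" |
        nss_trust_ok "Computerisms.Certificate.Authority" "porchlian.computerisms.com"
}

# The .p12 files hold private keys and are no longer needed once imported.
cleanup_p12() {
    for f in /root/Computerisms.Certificate.Authority.p12 /root/porchlian.computerisms.com.p12; do
        [ -f "$f" ] && shred -u "$f"
    done
    return 0
}

# Constructed sample of `certutil -L` output for a correctly populated DB.
SAMPLE_CERTUTIL_L='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Computerisms.Certificate.Authority            CT,,
porchlian.computerisms.com                    u,u,u'
```

Run `verify_ipsec_nssdb && cleanup_p12` once the imports are done; the bundles are only removed when the database checks out.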

Configure Xl2tpd

Configure RadiusClient

Start IPSec and Xl2tpd

  • ipsec setup start; tail -f /var/log/auth.log <= Check for errors
  • xl2tpd -c /etc/xl2tpd/xl2tpd.conf -C /etc/xl2tpd/l2tp-control
  • systemctl enable ipsec

Finalize netup.sh script

Configure Adminlian for Testing

  • Use winscp to obtain /var/CA/computerisms.com/BobMiller/bob.miller.p12 and put it on adminlian
  • start=>run mmc=>file=>Add/Remove Snapin
  • In the left pane, double click certificates=>in new window select computer account=>next=>Local computer=>Finish=>OK
  • In the left pane, expand certificates=>right-click personal=>all tasks=>import
  • Next=>Click browse button=>Select all file types (bottom right)=>navigate to bob.miller.p12=>open=>next=>enter password (S0ns0fB0b)=>Next=>Automatically Place=>Next=>Finish
  • navigate to Network and Sharing center=>set up a new connection=>connect to a workplace=>create new connection=>use my internet=>set internet address as 192.168.25.15=>Set destination name as Computerisms=>Select the box that allows other people to use this connection=>Next=>Enter username (this is the user's name and password from Active Directory)=>Select remember password=>connect
  • Let it spin and fail=>Set up the connection anyway
  • navigate to change adapter settings=>right-click Computerisms Icon=>properties
  • Security tab=>type of vpn is l2tp/IPSec=>Advanced Settings=>deselect Verify Name and Usage=>OK=>Set Data encryption to Option=>OK

Do the Testing With Adminlian

  • Test VPN works/No NAT:
    On worklian, disconnect the wireless connection from the .26 network and connect it to the .25 network.
    Test that you can connect to the VPN; a ping to 192.168.26.10 should work.
  • Test Domain Logon over VPN/No NAT: Log out of the machine, click Switch User, then click the icon by the power button in the bottom right corner.
    Enter your credentials; your logon script should run.
  • Test Domain Logon over VPN/With NAT:
    Shut down the virtual machine and configure its network connection to use NAT instead of bridging, then boot it up.
    Start the logon process and click the network icon.
    Log on and make sure your logon script runs.