Attention: All pages of this wiki depend on the pages that come before it, in order as they are listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki
Install LibreSWAN and Xl2tpd: Difference between revisions
Jump to navigation
Jump to search
| Line 51: | Line 51: | ||
==Start IPSec and Xl2tpd== | ==Start IPSec and Xl2tpd== | ||
*ipsec setup start; tail -f /var/log/auth.log <b><= Check for errors</b> | *ipsec setup start; tail -f /var/log/auth.log <b><= Check for errors</b> | ||
*xl2tpd -C /etc/xl2tpd/l2tp-control | *xl2tpd -c /etc/xl2tpd/xl2tpd.conf -C /etc/xl2tpd/l2tp-control | ||
*systemctl enable ipsec | *systemctl enable ipsec | ||
Revision as of 20:13, 23 December 2014
System Prep
- apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libpcap-dev libnss3-tools ppp libradius1
- echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
- echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
- sysctl -p
- for i in $(ls /proc/sys/net/ipv4/conf/); do echo 0 > /proc/sys/net/ipv4/conf/$i/accept_redirects; echo 0 > /proc/sys/net/ipv4/conf/$i/send_redirects; done
Obtain and Install Libreswan
- Find latest downloads here: http://libreswan.org/
- cd /usr/src
- wget https://download.libreswan.org/libreswan-3.12.tar.gz
- tar zxf libreswan-3.12.tar.gz
- cd libreswan-3.12/
- make programs
- make install
Obtain and Install Xl2tpd
- Find latest downloads here: http://download.openswan.org/xl2tpd/
- cd /usr/src/
- wget http://download.openswan.org/xl2tpd/xl2tpd-1.3.1.tar.gz
- tar zxf xl2tpd-1.3.1.tar.gz
- cd xl2tpd-1.3.1/
- make
- make install
Configure Libreswan
- scp -r root@192.168.26.10:/var/CA/computerisms.com/porchlian.computerisms.com/porchlian.computerisms.com.p12 root@192.168.26.10:/var/CA/computerisms.com/CA/Computerisms.Certificate.Authority.p12 root@192.168.26.10:/var/CA/computerisms.com/Computerisms.Certificate.Authority.crl ~
- certutil -N -d /etc/ipsec.d
- Enter password B0bsGates
- pk12util -i /root/Computerisms.Certificate.Authority.p12 -d /etc/ipsec.d
- certutil -M -n "Computerisms.Certificate.Authority" -d /etc/ipsec.d -t "TC,,"
- pk12util -i /root/porchlian.computerisms.com.p12 -d /etc/ipsec.d
- > /etc/ipsec.conf; vi /etc/ipsec.conf
- vi /etc/ipsec.secrets
- vi /etc/ipsec.d/nsspassword
- cp /root/Computerisms.Certificate.Authority.crl /etc/ipsec.d/crls/
Configure Xl2tpd
- mkdir /etc/xl2tpd
- vi /etc/xl2tpd/xl2tpd.conf
- vi /etc/xl2tpd/ppp-options.xl2tpd
- touch /etc/xl2tpd/xl2tpd.control
Configure RadiusClient
- > /etc/radiusclient/servers; vi /etc/radiusclient/servers
- > /etc/radiusclient/radiusclient.conf; vi /etc/radiusclient/radiusclient.conf
- echo "INCLUDE /etc/radiusclient/dictionary.microsoft" >> /etc/radiusclient/dictionary
- vi /etc/radiusclient/dictionary.microsoft
Start IPSec and Xl2tpd
- ipsec setup start; tail -f /var/log/auth.log <= Check for errors
- xl2tpd -c /etc/xl2tpd/xl2tpd.conf -C /etc/xl2tpd/l2tp-control
- systemctl enable ipsec
Finalize netup.sh script
Configure Adminlian for Testing
- Use winscp to obtain /var/CA/computerisms.com/BobMiller/bob.miller.p12 and put it on adminlian
- start=>run mmc=>file=>Add/Remove Snapin
- In the left pane, double click certificates=>in new window select computer account=>next=>Local computer=>Finish=>OK
- In the left pane, expand certificates=>right-click personal=>all tasks=>import
- Next=>Click browse button=>Select all file types (bottom right)=>navigate to bob.miller.p12=>open=>next=>enter password (S0ns0fB0b)=>Next=>Automatically Place=>Next=>Finish
- navigate to Network and Sharing center=>set up a new connection=>connect to a workplace=>create new connection=>use my internet=>set internet address as 192.168.25.15=>Set destination name as Computerisms=>Select the box that allows other people to use this connection=>Next=>Enter username (this is the user's name and password from Active Directory)=>Select remember password=>connect
- Let it spin and fail=>Set up the connection anyway
- navigate to change adapter settings=>right-click Computerisms Icon=>properties
- Security tab=>type of vpn is l2tp/IPSec=>Advanced Settings=>deselect Verify Name and Usage=>OK=>Set Data encryption to Option=>OK
Do the Testing With Adminlian
- Test VPN works/No NAT:
on worklian, disconnect the wireless connection from the .26 network and connect it to the .25 network
Test that you can connect to the vpn, ping 192.168.26.10 should work. - Test Domain Logon over VPN/No NAT: Log out of the machine, click switch user, then click the icon by the power button in the bottom right corner
enter your credentials, your logon script should run. - Test Domain Logon over VPN/With NAT:
Shutdown the virtual machine and configure the network connection to use nat instead of bridging, boot up
start the logon process and click the network icon
Logon and make sure your logon script runs