Advanced Computer Network Technologies Project Configuration of mvpn. Noha Pavol noh031

Transcription

1 Advanced Computer Network Technologies Project Configuration of mvpn Noha Pavol noh031 January 17, 2012

2 Theme Configuration of mobile VPN: server, 2 client stations, connectivity test Introduction I ve decided to configure SecureIPsec/L2TP VPN on Android Devices because android has a standout built-in VPN connection tool that allows to use various VPN technologies, such 2TP/IPSec PSK, PPTP VPNS and many other. Purpose of that VPN is to keep personal data and credentials used by mobile connection private. Hardware used Client stations: HTC Wildfire S, Huawei Boulder White VPN Server/Gateway station: HP-Pavilion-dv6 notebook Wi-fi Router: Asus Software used OS: Kubuntu Natty Narwhal, amd64 Headers Detail: Linux generic 1

3 Configuration Architecture Figure 1: Schema Main Configuration First of all we need to have a linux server. Narwhal as I mentioned in the beginning. I m using Kubuntu Natty Step 1 We need to install the xl2tpd, openswan and ppp from the apt repository and then download the newest version from the Ubuntu repository, otherwise the VPN won t work. This package update of repository must be done only if kubuntu Natty Narwhal was not installed but upgraded from older version to be sure that we have current packages. # apt get i n s t a l l xl2tpd openswan ppp After installation we need get newest versions: # wget http : / / se. a r c h i v e. ubuntu. com/ubuntu/ pool / u n i v e r s e /o/openswan/ openswan dfsg 5 amd64. deb : 5 9 : 4 7 (541 KB/ s ) openswan dfsg 5 amd64. deb saved [ / ] # wget http : / / ubuntu. linux bg. org /ubuntu // pool / u n i v e r s e /x/ xl2tpd / x l 2 t p d dfsg 1 amd64. deb 2

4 : 0 0 : 2 8 (124 KB/ s ) x l 2 t p d dfsg 1 amd64. deb saved [ 72606/72606] And then make replacement: # dpkg i openswan dfsg 5 amd64. deb # dpkg i x l 2 t p d dfsg 1 amd64. deb Step 2 In the /etc/ipsec.conf file copy: c o n f i g setup n a t t r a v e r s a l=yes v i r t u a l p r i v a t e=%v4 : / 8, % v4 : / 1 6, % v4 : / 1 2, %v4 :! / 2 4 oe=o f f p r o t o s t a c k=netkey conn L2TP PSK NAT r i g h t s u b n e t=vhost :% p r i v a l s o=l2tp PSK nonat conn L2TP PSK nonat authby=s e c r e t p f s=no auto=add k e y i n g t r i e s =3 rekey=no i k e l i f e t i m e =8h k e y l i f e =1h type=t r a n s p o r t l e f t = l e f t p r o t o p o r t =17/1701 r i g h t=%any r i g h t p r o t o p o r t=17/%any The most important parameter for us is left(ip address of the left participant s network interface) in conn L2TP-PSK-noNAT which needs to be set to VPN Gateway IP address. More information about each attribute you can find at: net/man/5/ipsec.conf Step 3 In the /etc/ipsec.secrets file copy: %any : PSK passwd where is the local ipsec server and passwd is the key. 3

5 Step 4 We need to restart the IPsec service and then verify: # / e t c / i n i t. d/ s e r v i c e i p s e c r e s t a r t # i p s e c v e r i f y We must get no errors! Output should looks like: Figure 2: Konsole output After first ipsec verify command we will probably get 3 failures for: NETKEY detected, testing for disabled ICMP send redirects NETKEY detected, testing for disabled ICMP accept redirects Two or more interfaces found, checking IP forwarding To solve them use: Disable ICMP redirects: # f o r f in / proc / sys / net / ipv4 / conf / / a c c e p t r e d i r e c t s ; do echo 0 > $ f ; done # f o r f in / proc / sys / net / ipv4 / conf / / s e n d r e d i r e c t s ; do echo 0 > $ f ; done Enable IP forwarding: # echo 1 > / proc / sys / net / ipv4 / i p f o r w a r d After that commands everything should works ok and IPsec will be working correctly. Step 5 Create a file called ipsec.vpn in /etc/init.d/ and put this script body into it: case $1 in s t a r t ) echo S t a r t i n g my I p s e c VPN i p t a b l e s t nat A POSTROUTING o wlan0 s / 2 4 j MASQUERADE 4

6 echo 1 > / proc / sys / net / ipv4 / i p f o r w a r d f o r each in / proc / sys / net / ipv4 / conf / do echo 0 > $each / a c c e p t r e d i r e c t s echo 0 > $each / s e n d r e d i r e c t s done / e t c / i n i t. d/ i p s e c s t a r t / e t c / i n i t. d/ xl2tpd s t a r t ; ; stop ) echo Stopping my I p s e c VPN i p t a b l e s t a b l e nat f l u s h echo 0 > / proc / sys / net / ipv4 / i p f o r w a r d / e t c / i n i t. d/ i p s e c stop / e t c / i n i t. d/ xl2tpd stop ; ; r e s t a r t ) echo R e s t a r t i n g my I p s e c VPN i p t a b l e s t nat A POSTROUTING o wlan0 s / 2 4 j MASQUERADE echo 1 > / proc / sys / net / ipv4 / i p f o r w a r d f o r each in / proc / sys / net / ipv4 / conf / do echo 0 > $each / a c c e p t r e d i r e c t s echo 0 > $each / s e n d r e d i r e c t s done / e t c / i n i t. d/ i p s e c r e s t a r t / e t c / i n i t. d/ xl2tpd r e s t a r t ; ; ) echo Usage : / e t c / i n i t. d/ i p s e c. vpn { s t a r t stop r e s t a r t } e x i t 1 ; ; esac In my architecture i m using wifi connection for VPN Gateway therefor in the script file you can see as interface wlan0. In that case that you have wired connection for VPN Gateway, interface will be different e.g. eth0 or eth1... Do not forget to add to that file/service same rights as current ipsec service has! Step 6 Disable the ipsec default init script and enable the new one: #update rc. d f i p s e c remove #update rc. d i p s e c. vpn d e f a u l t Step 7 In the file /etc/xl2tpd/xl2tpd.conf copy: 5

7 Figure 3: Konsole output for Step 6 [ g l o b a l ] i p s e c s a r e f = no [ l n s d e f a u l t ] ip range = l o c a l ip = r e q u i r e chap = yes r e f u s e pap = yes r e q u i r e a u t h e n t i c a t i o n = yes ppp debug = yes p p p o p t f i l e = / e t c /ppp/ o p t i o n s. xl2tpd l e n g t h b i t = yes The IP range specified above should be set to IP addresses of your internal network which can be given to your VPN clients. Require chap mean that we will use CHAP authentication later on. Local ip is IP address of VPN Gateway. More information about each attribute you can find at: net/man/5/xl2tpd.conf Step 8 In the file /etc/xl2tpd/l2tp-secrets copy: v e r y s t r a n g e s t r i n g The first field is for our hostname, a * may be used as a wildcard.the second field is for the remote system s hostname. Again, a * may be used as a wildcard. The third field is secret used. Choose a good challenge-response authentication string,the secret should, ideally, be 16 characters long, and should probably be longer to ensure sufficient security. There is no minimum length requirement, however. Step 9 Do: 6

8 # cp / e t c /ppp/ o p t i o n s / e t c /ppp/ o p t i o n s. xl2tpd In the file /etc/ppp/options.xl2tpd copy: #myvpn # S p e c i f y which DNS S e r v e r s the incoming Win95 or WinNT Connection should use ms dns # async c h a r a c t e r map 32 b i t hex ; each b i t i s a c h a r a c t e r asyncmap 0 # Require the peer to a u t h e n t i c a t e i t s e l f b e f o r e a l l o w i n g network auth # Use hardware flow c o n t r o l ( i. e. RTS/CTS) to c o n t r o l the flow o f data # on the s e r i a l port. c r t s c t s # S p e c i f i e s that pppd should use a UUCP s t y l e l o c k on the s e r i a l d e v i c e # to ensure e x c l u s i v e a c c e s s to the d e v i c e. l o c k # Don t show the passwords when l o g g i n g the contents o f PAP packets. # This i s the d e f a u l t. hide password # Set the MRU [ Maximum Receive Unit ] value to <n> f o r n e g o t i a t i o n. pppd # w i l l ask the peer to send packets o f no more than <n> bytes. The # minimum MRU value i s 128. The d e f a u l t MRU value i s A value o f # 296 i s recommended f o r slow l i n k s (40 bytes f o r TCP/IP header # bytes o f data ). mru 1280 # Set the MTU [ Maximum Transmit Unit ] value to <n>. Unless the peer # r e q u e s t s a s m a l l e r value via MRU n e g o t i a t i o n, pppd w i l l r e q u e s t that # the k e r n e l networking code send data packets o f no more than n bytes # through the PPP network i n t e r f a c e. mtu 1280 # Set the name o f the l o c a l system f o r a u t h e n t i c a t i o n purposes to <n>. # This i s a p r i v i l e g e d option. With t h i s option, pppd w i l l use l i n e s in the # s e c r e t s f i l e s which have <n> as the second f i e l d when l o o k i n g f o r a # s e c r e t to use in a u t h e n t i c a t i n g the peer. In addition, u n l e s s overridden # with the user option, <n> w i l l be used as the name to send to the peer # when a u t h e n t i c a t i n g the l o c a l system to the peer. ( Note that pppd does # not append t h e domain name t o <n >.) name l2tpd # Add an entry to t h i s system s ARP [ Address Resolution Protocol ] # t a b l e with the IP address o f the peer and the Ethernet address o f t h i s # system. proxyarp # I f t h i s option i s given, pppd w i l l send an LCP echo r e q u e s t frame to the # peer every n seconds. Normally the peer should respond to the echo r e q u e s t # by sending an echo r e p l y. This option can be used with the # lcp echo f a i l u r e option to d e t e c t that the peer i s no l o n g e r connected. lcp echo i n t e r v a l 30 # I f t h i s option i s given, pppd w i l l presume the peer to be dead i f n 7

9 # LCP echo r e q u e s t s are sent without r e c e i v i n g a v a l i d LCP echo r e p l y. # I f t h i s happens, pppd w i l l terminate the connection. Use o f t h i s # option r e q u i r e s a non zero value f o r the lcp echo i n t e r v a l parameter. # This option can be used to enable pppd to terminate a f t e r the p h y s i c a l # connection has been broken ( e. g., the modem has hung up ) in # s i t u a t i o n s where no hardware modem c o n t r o l l i n e s are a v a i l a b l e. lcp echo f a i l u r e 4 # Disable the IPXCP and IPX p r o t o c o l s. noipx Step 10 In the file /etc/ppp/chap-secrets copy: username1 l2tpd password / 2 4 username2 l2tpd password / 2 4 Each line contains id of user(username1) and password(password) and ip of VPN Gateway for which is connected. Note that you can add as many users as you like. Step 11 Start the ipsec.vpn: # / e t c / i n i t. d/ s e r v i c e i p s e c. vpn r e s t a r t Step 12 On the Android mobile: Go to Settings Wireless & networks VPN settings Add VPN Add L2TP/IPSec PSK VPN We have 2 possibilities how to connect with clients: With or without L2TP secret: 1. Possibility(with): VPN name test1 Set VPN server Set IPSec pre-shared key passwd Enable L2TP secret enabled Set L2TP secret verystrangestring 2. Possibility(without): VPN name test2 Set VPN server Set IPSec pre-shared key passwd Enable L2TP secret disabled 8

10 Press back, then connect with client one(htc Wildfire S) using the PPP with name/password (username1 password) and do the same with Huawei Builder White using the PPP with name/password (username2 password). Wait for the messages VPN connected on the mobile devices. Both mobile clients should be connected! Conclusion In this period of living people are frequently using many hotspots in Restaurants, Pubs and other for free. They are checking facebook or twitter and enjoying of course a beer, but who cares about security? Connecting to a public hotspots may expose the system to various attack like password sniffing, credential steeling etc... Therefor i used to show in my project how to avoid these types of attacks by using secure VPN connection based on IPsec/L2TP technologie. 9