
#1 On 02/10/2013 at 15:57

Soumari

Openswan and Xl2tpd server configuration

Good evening all,
I am setting up an IPsec-based VPN solution. On the server side I am using the openswan and xl2tpd packages. I have gone through several configuration tutorials, but so far I have not managed to get it configured. My OS version is Ubuntu 12.04. I need your help.


#2 On 02/10/2013 at 18:50

Kooothor

Re: Openswan and Xl2tpd server configuration

Hi,

If you need help, we need a precise problem.
Tutorials are fine, but nothing replaces the official documentation!
And lastly, for every tutorial you find in French there are ten in English.


~ktr


#3 On 03/10/2013 at 12:26

Soumari

Re: Openswan and Xl2tpd server configuration

I am configuring my server with this document: https://help.ubuntu.com/community/L2TPServer
When verifying the IPsec service, errors appear.

Here is what I get:

root@soumaila-HP-2000-Notebook-PC:/home/soumaila# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-53-generic (netkey)
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                           [N/A]
NETKEY:  Testing XFRM related proc values                      [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

    [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

    [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                             [OK]
Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

First I edited the file /etc/ipsec.d/l2tp-psk.conf:

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress  %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.64
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

        forceencaps = yes
# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
#conn passthrough-for-non-l2tp
      #  type=passthrough
      #  left=192.168.1.64
      #  leftnexthop=0.0.0.0
      #  right=0.0.0.0
      #  rightsubnet=0.0.0.0/0
      #  auto=route

then the file /etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        # dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v$
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4$
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add
include /etc/ipsec.d/l2tp-psk.conf

and finally the file /etc/ipsec.secrets:

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
10.255.100.18 %any:PSK "motdepasse"


#4 On 03/10/2013 at 13:24

Kooothor

Re: Openswan and Xl2tpd server configuration

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

That is pretty clear, isn't it?

Edit /etc/sysctl.conf and add:
net.ipv4.conf.all.accept_redirects = 0

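The `ipsec verify` output posted above flags three things, not one: send_redirects, accept_redirects and IP forwarding ("Two or more interfaces found, checking IP forwarding [FAILED]"). `ipsec verify` reads every entry under /proc/sys/net/ipv4/conf/*/, and for send_redirects the kernel ORs the "all" value with the per-interface value, so setting only net.ipv4.conf.all.accept_redirects leaves two FAILED lines. The script below is an added example for this thread, not Openswan's own code and not something the posters wrote: it audits those keys under a proc root given as an argument (so it can be pointed at a copy of the tree) and emits a sysctl.d fragment that covers all of them. The file name /etc/sysctl.d/60-ipsec.conf is an assumption.

```sh
#!/bin/sh
# Added example: audit and fix the sysctl keys that `ipsec verify` checks on a
# NETKEY Openswan host. Not from the thread or from Openswan. PROC_ROOT defaults
# to /proc/sys; /etc/sysctl.d/60-ipsec.conf is an assumed destination.

# check_ipsec_sysctls [proc_root]
# Prints one line per key that is not at the value Openswan expects and
# returns 1 if any key is wrong, 0 if all are fine.
check_ipsec_sysctls() {
    root="${1:-/proc/sys}"
    bad=0
    # Every interface directory (including "all" and "default") must have both
    # redirect knobs off, otherwise NETKEY sends or honours bogus ICMP redirects.
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        for key in send_redirects accept_redirects; do
            if [ "$(cat "$d/$key" 2>/dev/null)" != "0" ]; then
                echo "net.ipv4.conf.$(basename "$d").$key should be 0"
                bad=1
            fi
        done
    done
    # With two or more interfaces, forwarding must be on for L2TP clients to
    # reach anything behind the server.
    if [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "net.ipv4.ip_forward should be 1"
        bad=1
    fi
    return $bad
}

# sysctl_fragment [proc_root]
# Emits sysctl.d lines that put every key into the expected state. "all" and
# "default" cover current and future interfaces; the explicit per-interface
# lines matter because the kernel ORs "all" with the interface value for
# send_redirects, so "all" alone does not silence an interface already at 1.
sysctl_fragment() {
    root="${1:-/proc/sys}"
    echo "# Openswan/NETKEY: no ICMP redirects, forwarding on"
    echo "net.ipv4.ip_forward = 1"
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        echo "net.ipv4.conf.$i.send_redirects = 0"
        echo "net.ipv4.conf.$i.accept_redirects = 0"
    done
}

# To apply on a live host (needs root), then re-audit:
# sysctl_fragment > /etc/sysctl.d/60-ipsec.conf
# sysctl -p /etc/sysctl.d/60-ipsec.conf
# check_ipsec_sysctls && echo "sysctl state OK for ipsec verify"
```

Run `check_ipsec_sysctls` before and after applying the fragment; once it prints nothing and returns 0, the three sysctl-related lines in `ipsec verify` come back [OK].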

#5 On 24/10/2013 at 13:26

Soumari

Re: Openswan and Xl2tpd server configuration

Hello all,
I cannot connect to the Openswan L2tp server with a Windows client. I used the official documentation: https://help.ubuntu.com/community/L2TPServer
After tail -f var/log/auth.log, here are the last lines of the file "/var/log/auth.log":
Oct 24 10:49:57 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [IKE CGA version 1]
Oct 24 10:49:57 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: initial Main Mode message received on 10.255.100.97:500 but no connection has been authorized with policy=PSK
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: received Vendor ID payload [RFC 3947] method set to=109
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [FRAGMENTATION]
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: ignoring Vendor ID payload [IKE CGA version 1]
Oct 24 10:50:01 soumaila-PC pluto[4230]: packet from 10.255.100.97:39193: initial Main Mode message received on 10.255.100.97:500 but no connection has been authorized with policy=PSK

Last edited by Soumari (26/10/2013 at 01:16)

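Pluto's "initial Main Mode message received on 10.255.100.97:500 but no connection has been authorized with policy=PSK" is emitted when no conn using PSK authentication has left= (or left=%defaultroute) resolving to the address the IKE packet arrived on; a PSK line in ipsec.secrets is then normally indexed by that same local address. The config posted in #3 has left=192.168.1.64 and a secrets line indexed by 10.255.100.18, while pluto reports 10.255.100.97. The script below is an added example for this thread (not from the posters and not Openswan code) that pulls the local address out of pluto's log lines and compares it with the conn and secrets files given as arguments. The sample files in the test are constructed from the values quoted in this thread.

```sh
#!/bin/sh
# Added example, not part of the thread and not Openswan code: cross-check the
# address pluto names in "no connection has been authorized with policy=PSK"
# against left= in the conn files and the index IDs of the PSK lines.

# pluto_unmatched_addrs LOGFILE
# Distinct local addresses for which pluto reported an unauthorized Main Mode.
pluto_unmatched_addrs() {
    sed -n 's/.*initial Main Mode message received on \([0-9.][0-9.]*\):[0-9][0-9]* but no connection has been authorized.*/\1/p' "$1" \
        | sort -u
}

# conn_left_addrs CONFFILE
# Every left= value on uncommented lines (e.g. 192.168.1.64 or %defaultroute).
# leftsubnet=, leftprotoport= and "#  left=" comments do not match.
conn_left_addrs() {
    sed -n 's/^[[:space:]]*left[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | sort -u
}

# psk_index_ids SECRETSFILE
# The index IDs (tokens before the colon) of every PSK line, one per line,
# so "10.255.100.18 %any:PSK ..." yields 10.255.100.18 and %any.
psk_index_ids() {
    grep -v '^[[:space:]]*#' "$1" | grep ':[[:space:]]*PSK' \
        | sed 's/:.*//' | tr ' \t' '\n\n' | grep -v '^$' | sort -u
}

# check_psk_conn LOGFILE CONFFILE SECRETSFILE
# Returns 0 when each address pluto complained about has a conn with left=
# pointing at it (or %defaultroute) and a PSK line indexed by it; otherwise
# prints one line per gap and returns 1.
check_psk_conn() {
    lefts=$(conn_left_addrs "$2")
    ids=$(psk_index_ids "$3")
    rc=0
    for a in $(pluto_unmatched_addrs "$1"); do
        if ! printf '%s\n' "$lefts" | grep -qx "$a" \
           && ! printf '%s\n' "$lefts" | grep -qx '%defaultroute'; then
            echo "$a: no conn has left=$a (or left=%defaultroute), so pluto cannot authorize PSK on it"
            rc=1
        fi
        if ! printf '%s\n' "$ids" | grep -qx "$a"; then
            echo "$a: no PSK line in ipsec.secrets is indexed by $a"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live host (paths as in the thread):
# check_psk_conn /var/log/auth.log /etc/ipsec.d/l2tp-psk.conf /etc/ipsec.secrets
```

After changing left= or the secrets index, run `ipsec auto --rereadsecrets` and `ipsec auto --replace <conn>` (or restart ipsec) so pluto picks the values up; the check only reads files and never touches the running daemon.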