L2TP/IPsec VPN server

In this tutorial you deploy a Linux server that gives you remote access to your network through an L2TP over IPsec tunnel. L2TP over IPsec combines the Layer 2 Tunneling Protocol with the standard IPsec protocol.

See: http://www.aa-asterisk.org.uk/index.php/Setting_up_an_L2TP/IPSec_server_on_Debian

Open ports 1701 TCP, 4500 UDP and 500 UDP on the firewall.

[bash]
apt-get install openswan xl2tpd ppp
iptables --table nat --append POSTROUTING --jump MASQUERADE
[/bash]

[bash]vi /etc/sysctl.conf[/bash]
[bash]
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[/bash]

[bash]vi /etc/rc.local[/bash]
[bash]
# Disable ICMP redirects on every interface (the variable must be expanded: $vpn)
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
[/bash]

Edit the file /etc/ipsec.conf:

[bash]
config setup
    protostack=netkey
    nat_traversal=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left is the server's own address; right=%any accepts any client
    left=192.168.0.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
[/bash]

Edit the file /etc/ipsec.secrets. Replace "mapassphrase" with a long, random passphrase: since the PPP options below disable PPP-level authentication (noauth), this pre-shared key is what authenticates clients to the tunnel.

[bash]
include /var/lib/openswan/ipsec.secrets.inc
192.168.0.2 %any: PSK "mapassphrase"
[/bash]

Check the installation with ipsec verify (the output is shown below the command):

[bash]
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[/bash]

Edit the file /etc/ppp/options.xl2tpd:

[bash]
# Do not support BSD compression.
nobsdcomp
passive
lock
# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate
# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2
# Set the DNS servers the PPP clients will use.
ms-dns 192.168.0.1
ms-dns 8.8.8.8
mtu 1400
mru 1400
[/bash]

Restart the following services:

[bash]
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
[/bash]

Edit the file /etc/pam.d/ppp and insert the following block:

[bash]
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
@include common-auth
@include common-account
@include common-session
[/bash]
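The steps above touch several files by hand, and the tutorial gives no way to confirm the result before clients connect. The script below is an added preflight check, not part of the original tutorial or of the openswan/xl2tpd projects: it reads the sysctl file, the IPsec secrets file and the PPP options file and verifies that the forwarding and redirect settings, a real pre-shared key (not the "mapassphrase" placeholder), and the noauth/refuse-* options are present. The minimum PSK length of 20 characters is an assumed local policy, and the file paths are passed as arguments so the checks can be run against copies.

```shell
#!/bin/sh
# Added preflight check for the L2TP/IPsec setup described in the tutorial.
# It only reads the files it is given; nothing is modified.
# PSK_MIN_LEN is an assumed local policy, not a protocol requirement.

PSK_MIN_LEN=20

# value_of FILE KEY: last uncommented "KEY = value" assignment in a sysctl-style file
value_of() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's/^[[:space:]]*'"$esc"'[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# check_sysctl_file FILE: forwarding enabled, ICMP redirects disabled (as in the tutorial)
check_sysctl_file() {
    rc=0
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(value_of "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key is '${got:-unset}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# check_psk_file FILE: a PSK entry exists, is not the tutorial placeholder,
# and is at least PSK_MIN_LEN characters long
check_psk_file() {
    psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1)
    if [ -z "$psk" ]; then
        echo "secrets: no PSK entry found"
        return 1
    fi
    if [ "$psk" = "mapassphrase" ]; then
        echo "secrets: PSK is still the tutorial placeholder"
        return 1
    fi
    if [ "${#psk}" -lt "$PSK_MIN_LEN" ]; then
        echo "secrets: PSK shorter than $PSK_MIN_LEN characters"
        return 1
    fi
    return 0
}

# check_ppp_options FILE: the PPP authentication options set in the tutorial
# (noauth plus the refuse-* lines) are present and not commented out
check_ppp_options() {
    rc=0
    for opt in noauth refuse-chap refuse-mschap refuse-mschap-v2; do
        if ! grep -q "^[[:space:]]*${opt}[[:space:]]*$" "$1"; then
            echo "ppp: option '$opt' missing"
            rc=1
        fi
    done
    return $rc
}

# Run every check when invoked with the three file paths, e.g.
#   sh preflight.sh /etc/sysctl.conf /etc/ipsec.secrets /etc/ppp/options.xl2tpd
if [ "$#" -eq 3 ]; then
    status=0
    check_sysctl_file "$1" || status=1
    check_psk_file "$2" || status=1
    check_ppp_options "$3" || status=1
    [ "$status" -eq 0 ] && echo "preflight: all checks passed"
    exit "$status"
fi
```

Each check returns a non-zero status and prints what is wrong, so the script can be wired into a deployment step that refuses to restart ipsec and xl2tpd until the configuration files carry the expected settings.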