Building a VPN (L2TP over IPsec) server on SL6
July 5, 2013 – 4:54 pm
I built a VPN (L2TP over IPsec) server on a Linux server (OS: Scientific Linux 6.4).
I have written down the whole sequence of setup steps here as a memo.
Environment in which the VPN was built: the specification of the home server on which the VPN was built is summarized in the series of entries on this blog titled "Rebuilding the home server with Scientific Linux 6.1" (four entries, "Part 1" to "Part 4").
Package installation: to build the VPN (L2TP over IPsec), I installed two packages, xl2tpd and Openswan (IPsec), using yum. The installation logs are shown below:
- Installing xl2tpd:
[root@--]# yum --enablerepo=epel install xl2tpd
Loaded plugins: refresh-packagekit, security
epel/metalink                                            | 5.5 kB     00:00
epel                                                     | 4.2 kB     00:00
epel/primary_db                                          | 5.3 MB     00:02
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package xl2tpd.x86_64 0:1.3.1-7.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package            Arch              Version                  Repository             Size
================================================================================================
Installing:
 xl2tpd             x86_64            1.3.1-7.el6              epel                  128 k

Transaction Summary
================================================================================================
Install       1 Package(s)

Total download size: 128 k
Installed size: 352 k
Is this ok [y/N]: y
Downloading Packages:
xl2tpd-1.3.1-7.el6.x86_64.rpm                            | 128 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : xl2tpd-1.3.1-7.el6.x86_64                                   1/1
  Verifying  : xl2tpd-1.3.1-7.el6.x86_64                                   1/1

Installed:
  xl2tpd.x86_64 0:1.3.1-7.el6

Complete!
- Installing Openswan (IPsec):
[root@--]# yum install openswan
Loaded plugins: refresh-packagekit, security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openswan.x86_64 0:2.6.32-20.el6_4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package           Arch            Version                    Repository               Size
=========================================================================================================
Installing:
 openswan          x86_64          2.6.32-20.el6_4            sl-security             893 k

Transaction Summary
=========================================================================================================
Install       1 Package(s)

Total download size: 893 k
Installed size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
openswan-2.6.32-20.el6_4.x86_64.rpm                       | 893 kB     00:05
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : openswan-2.6.32-20.el6_4.x86_64                               1/1
  Verifying  : openswan-2.6.32-20.el6_4.x86_64                               1/1

Installed:
  openswan.x86_64 0:2.6.32-20.el6_4

Complete!
Configuration files and settings:
- /etc/sysctl.conf:
To enable IP forwarding, change the following entry:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
The complete /etc/sysctl.conf after the change is shown below:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
Reload sysctl:
[root@--]# sysctl -p
- /etc/rc.local
Add the following block:
# Correct ICMP Redirect issues with OpenSWAN
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
The complete file after the change is as follows:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Correct ICMP Redirect issues with OpenSWAN
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
- /etc/ipsec.conf
With the network segment set to 192.168.11.0/24, edit the file as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=none
        plutostderrlog=/var/log/pluto.log
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.11.0/24
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn L2TP-PSK
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        forceencaps=yes
        right=%any
        rightsubnet=vhost:%any,%priv
        rightprotoport=17/0
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port.
        left=%defaultroute
        leftprotoport=17/1701
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
- /etc/ipsec.secrets:
The shared secret is given in this file. The shared secret should be sufficiently random and long.
Here the VPN server's address is 192.168.11.111:
192.168.11.111 %any: PSK "F2C5DCED8B29E74A7D1B0FE99E69F6BDCD3E44"
Change the file's ownership and permissions with the following commands so that the secret stays protected:
[root@--]# chown root:root /etc/ipsec.secrets
[root@--]# chmod 600 /etc/ipsec.secrets
- /etc/xl2tpd/xl2tpd.conf:
Edited from the original file to match the server's network environment.
Take care that the address range does not conflict with anything on the LAN.
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
; IMPORTANT: always set listen-addr to a specific address, to work around a
; udpfromto bug!!!

[global]
listen-addr = 192.168.11.111
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.11.128-192.168.11.254
local ip = 192.168.11.111
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- /etc/ppp/options.xl2tpd:
Only the parts of the original file that depend on the network environment were edited.
192.168.11.1 is the gateway address of the network segment.
ipcp-accept-local
ipcp-accept-remote
#ms-dns  8.8.8.8
ms-dns  192.168.11.1
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log

# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
- /etc/ppp/chap-secrets:
The user/password pairs used for VPN connections are defined in this file.
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user01          *       userpass01              *
user02          *       userpass02              *
Change the file's ownership and permissions with the following commands so that the passwords stay protected:
[root@--]# chown root:root /etc/ppp/chap-secrets
[root@--]# chmod 600 /etc/ppp/chap-secrets
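The post asks for a shared secret that is long and random, and then locks both secret files down with chown and chmod. The shell script below is an added example, not code from the post: it generates such a PSK with openssl, writes the one-line /etc/ipsec.secrets entry in the post's format with mode 600 from the moment the file exists, and audits /etc/ipsec.secrets and /etc/ppp/chap-secrets for the ownership, permission and secret-length properties the two chown/chmod steps are meant to guarantee. The function names, the 32-byte PSK default and the 12-character minimum for CHAP passwords are this example's own choices; file paths are parameters so the checks can be tried against copies.

```shell
#!/bin/sh
# Added example, not from the original post: generate a long random PSK for
# /etc/ipsec.secrets and audit the two secret files the post protects
# (/etc/ipsec.secrets and /etc/ppp/chap-secrets). Function names, the 32-byte
# PSK default and the 12-character CHAP minimum are this example's own choices.

# Print a random hex PSK; $1 is the number of random bytes (default 32, i.e.
# 64 hex characters). openssl ships with Scientific Linux 6.
generate_psk() {
    openssl rand -hex "${1:-32}"
}

# Write the single line the post uses in /etc/ipsec.secrets:
#   <server-ip> %any: PSK "<secret>"
# $1 = file, $2 = server IP, $3 = PSK. The umask 077 in the subshell creates
# the file as mode 600, so the secret is never world-readable even briefly.
write_ipsec_secret() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$3" > "$1" )
}

# Return 0 when $1 has no group/other permission bits (mode 600 or stricter),
# which is what the post's chmod 600 produces.
check_secret_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "FAIL $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Return 0 when $1 is owned by root (the post's chown root:root).
check_secret_owner() {
    [ "$(stat -c '%U' "$1")" = "root" ]
}

# Return 0 when every PSK quoted in an ipsec.secrets-style file is at least
# $2 characters long (default 32). Comment and blank lines are skipped; a
# line without a quoted secret counts as a failure.
check_psk_length() {
    awk -v min="${2:-32}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            n = split($0, parts, "\"")
            if (n < 3 || length(parts[2]) < min) bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Return 0 when every chap-secrets entry has the four columns the post shows
# (client, server, secret, IP) and a secret of at least $2 characters
# (default 12). Assumes unquoted secrets without spaces, as in the post.
check_chap_secrets() {
    awk -v min="${2:-12}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF < 4 || length($3) < min { bad = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}
```

Source the file with sh and run, for example, `check_secret_mode /etc/ipsec.secrets && check_secret_owner /etc/ipsec.secrets && check_psk_length /etc/ipsec.secrets` as root after the chown/chmod step; a nonzero exit status names the file whose protection has drifted. `stat -c` is the GNU coreutils form available on SL6.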
- Editing the iptables rules:
Add the following to the iptables rules:
#---------------------------------------------------------#
#        For VPN(XL2TP + IPSEC) Setting                   #
#---------------------------------------------------------#
#Allow ipsec traffic
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

#Do not NAT VPN traffic
#/sbin/iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE

#Forwarding rules for VPN
/sbin/iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Ports for Openswan / xl2tpd
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

#Save your configuration going to save at the end
#iptables save
Of the above, the "Do not NAT VPN..." rule was commented out because it conflicted with the mail function hosted on the same physical server. This needs attention during future operation.
Starting and testing the services:
- Starting the services
[root@--]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.2.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@--]# service xl2tpd start
Starting xl2tpd:                                           [  OK  ]
- Verifying IPsec (ipsec verify):
[root@-- ]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-358.2.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
The output above shows that IPsec is functioning normally.
(Note:) During testing, errors related to ICMP redirects occurred, so before obtaining the result above I ran the following:
[root@-- ]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
[root@-- ]# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
[root@-- ]# echo 1 > /proc/sys/net/ipv4/ip_forward
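The rc.local block earlier in the post and the note just above both write the same values under /proc/sys/net/ipv4, and the send_redirects/accept_redirects lines of ipsec verify then report whether they took effect. The shell script below is an added example, not code from the post: it applies those values (plus ip_forward=1 from /etc/sysctl.conf) and audits them, listing every interface that still deviates. Both functions take the sysctl base directory as their first argument so they can be exercised against a constructed copy of the tree instead of the live kernel; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: apply the ICMP-redirect and
# rp_filter settings from the post's /etc/rc.local block and the ip_forward
# setting from /etc/sysctl.conf, then audit them the way the
# send_redirects/accept_redirects lines of "ipsec verify" do. $1 is the
# sysctl base directory (default /proc/sys/net/ipv4) so a constructed copy
# of the tree can be used for testing. Function names are this example's own.

# Write the post's values: 0 into accept_redirects, send_redirects and
# rp_filter of every interface under $1/conf, and 1 into $1/ip_forward.
# Needs root when run against the real /proc/sys.
apply_vpn_kernel_settings() {
    base=${1:-/proc/sys/net/ipv4}
    for each in "$base"/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
        echo 0 > "$each/rp_filter"
    done
    echo 1 > "$base/ip_forward"
}

# Print every setting that differs from the expected value and return the
# number of such settings; 0 means the whole tree is in the expected state.
check_vpn_kernel_settings() {
    base=${1:-/proc/sys/net/ipv4}
    bad=0
    for each in "$base"/conf/*; do
        for key in accept_redirects send_redirects rp_filter; do
            if [ "$(cat "$each/$key" 2>/dev/null)" != "0" ]; then
                echo "FAIL $each/$key (expected 0)"
                bad=$((bad + 1))
            fi
        done
    done
    if [ "$(cat "$base/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "FAIL $base/ip_forward (expected 1)"
        bad=$((bad + 1))
    fi
    if [ "$bad" -eq 0 ]; then
        echo "OK: redirects disabled, rp_filter off, forwarding on"
    fi
    return "$bad"
}
```

On the live server, call `apply_vpn_kernel_settings` and then `check_vpn_kernel_settings` with no argument as root. A nonzero return is the number of settings that still deviate, which catches an interface that appeared after rc.local ran and so never received the values; the rc.local block in the post does not cover that case on its own.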
Broadband router settings:
To make the VPN reachable from outside, configure the broadband router upstream of the network where this VPN server sits as follows:
- In the VPN pass-through settings, set the IPsec pass-through function to "enabled".
- In the address translation (port forwarding) table, allow udp/500, udp/4500 and tcp/1701 through to the server.
Next time: I will show how to actually connect to the VPN server built here from an iPhone.
Reference sites:
- How to: Set up OpenSwan L2TP VPN Server on CentOS 6
- IPSEC/L2TP VPN on CentOS 6 / Red Hat Enterprise Linux 6 / Scientific Linux 6