Install L2TP over IPsec with Freeradius on Ubuntu

Marrium Sharif
7 min read · Jan 4, 2022

How to install L2TP over IPsec with FreeRADIUS on Ubuntu 16.04

The open source IPsec implementations used for L2TP over IPsec with FreeRADIUS authentication are StrongSwan and OpenSwan; both are supported on all major Linux distributions. This blog is about the Layer 2 Tunneling Protocol (L2TP) combined with IPsec to provide end-to-end encryption for a VPN (Virtual Private Network), because L2TP on its own offers no security features.

In this blog, OpenSwan is used to provide the IPsec security for the L2TP VPN. FreeRADIUS is a well-known open source tool that provides user authentication; here it is used to authenticate the L2TP VPN user before the secure channel is established. An Android-based client will be used to connect to the L2TP tunnel.

Packages required to install L2TP over IPsec with FreeRADIUS on Ubuntu:

  • Freeradius Server/Client
  • Poptop Server
  • xl2tpd
  • Openswan for IPsec
  • MySQL Server/client
  • Bison & Flex
  • GMP development library

$ sudo apt-get update

$ sudo apt-get install -y mysql-server mysql-client freeradius-mysql pptpd xl2tpd

The following screenshot shows how the password for the user “root” of the MySQL database server is being set during the installation process.

Packages required to build OpenSwan from source on Ubuntu 16.04:

$ sudo apt-get install -y build-essential libgmp3-dev bison flex

Now download the FreeRADIUS client and OpenSwan sources with the following commands, starting with the FreeRADIUS client:

$ wget https://github.com/FreeRADIUS/freeradius-client/archive/master.zip

$ unzip master.zip

Rename the directory freeradius-client-master to freeradius-client and change into it:

$ sudo mv freeradius-client-master freeradius-client

$ cd freeradius-client

Run the configure script with the install prefix, then build and install:

$ ./configure --prefix=/

$ make && sudo make install

Now download and build OpenSwan:

$ wget https://download.openswan.org/openswan/openswan-latest.tar.gz

$ tar -xzf openswan-latest.tar.gz

$ cd openswan-*

$ make programs

Run this command to install the compiled OpenSwan:

$ sudo make install

Now define the NAT rules in iptables (source NAT for the two VPN client subnets to the server address 192.168.15.4):

$ iptables -t nat -I POSTROUTING -s 10.20.30.0/24 -j SNAT --to 192.168.15.4
$ iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -j SNAT --to 192.168.15.4

Save the above rules in the /etc/iptables.rc file so that they are applied at boot time, then make the file executable and have /etc/rc.local call it:

$ chmod +x /etc/iptables.rc

$ sed -i "/iptables.rc/d" /etc/rc.local

$ sed -i "1a/etc/iptables.rc" /etc/rc.local

Add the following lines to the /etc/sysctl.conf file to enable IP forwarding on the Linux machine:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Apply them with:

$ sysctl -p
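A forgotten or mistyped sysctl line is a common reason the tunnel comes up but no traffic flows. The following script is an added example, not part of the original post: it reads a sysctl.conf-style file the way "sysctl -p" would (comments stripped, last assignment wins) and reports which of the six settings above are missing or wrong. The default path /etc/sysctl.conf and the sample file in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the six kernel
# settings the tutorial adds to /etc/sysctl.conf are present with the expected
# values before applying them with "sysctl -p".  The file to check is the
# first argument; the default path /etc/sysctl.conf is an assumption.

# The six settings from the post, as key=value pairs.
REQUIRED_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1'

# Print the effective value of one key in a sysctl.conf-style file.  Comments
# are stripped, whitespace around "=" is ignored and the last assignment wins,
# which is how "sysctl -p" applies the file.  Prints nothing if the key is absent.
sysctl_file_value() {
    awk -F= -v key="$1" '
        { sub(/[#;].*/, ""); gsub(/[ \t]/, "") }   # drop comments and blanks, re-split
        $1 == key { value = $2 }                   # a later line overrides an earlier one
        END { print value }' "$2"
}

# Compare every required key against the file.  Returns 0 when all match;
# otherwise prints each mismatch and returns 1.
check_sysctl_file() {
    file="${1:-/etc/sysctl.conf}"
    problems=$(printf '%s\n' "$REQUIRED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(sysctl_file_value "$key" "$file")
        [ "$have" = "$want" ] || printf '  %s: want %s, have "%s"\n' "$key" "$want" "$have"
    done)
    if [ -n "$problems" ]; then
        printf 'sysctl settings not ready for the VPN:\n%s\n' "$problems"
        return 1
    fi
    echo "all required sysctl settings present in $file"
}

# Demo on a constructed sample file (not a real system file): forwarding is
# left disabled and one key is missing, so the check is expected to fail.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
if check_sysctl_file "$sample"; then echo "unexpected: sample passed"; fi
rm -f "$sample"
```

Run it as `check_sysctl_file /etc/sysctl.conf` before `sysctl -p`; a non-zero exit means at least one setting still needs to be added or corrected.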

Change the default password in the FreeRADIUS admin SQL script (from radpass to test):

$ sed -i "s/PASSWORD('radpass')/PASSWORD('test')/g" /etc/freeradius/sql/mysql/admin.sql

The following MySQL commands configure the FreeRADIUS database on Ubuntu. Log in to MySQL as root and create the radius database:

$ mysql --protocol=tcp -h localhost -u root -ptest

create database radius; # create the radius DB

Then, back in the shell, load the schema files into it:

$ mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/cui.sql

If this import fails with an invalid default value error, edit /etc/freeradius/sql/mysql/cui.sql and replace the invalid default with a proper date, then rerun the above command.

$ mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/ippool.sql

$ mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/nas.sql

$ mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/schema.sql

$ mysql --protocol=tcp -h localhost -u root -ptest radius < /etc/freeradius/sql/mysql/wimax.sql

$ sed -i "s/password = \"radpass\"/password = \"test\"/g" /etc/freeradius/sql.conf

This sets the password the FreeRADIUS SQL module uses to connect to the database to test.
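Passing the root password as "-ptest" on the command line leaves it in the shell history of the VPN host. The script below is an added example, not part of the original post: it loads the same five schema files in the same order, but reads the credentials from a MySQL option file created with owner-only permissions, and stops at the first missing file or failed import so a half-loaded schema is noticed. The option-file path, the MYSQL_BIN variable and the fake client used in the test are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: load the same five FreeRADIUS
# schema files into the radius database, in the post's order, but take the
# MySQL credentials from a mode-600 option file instead of "-ptest" on the
# command line, where the password would be kept in the shell history.  The
# schema directory defaults to the post's path; MYSQL_BIN names the mysql
# client (default "mysql") so a test can substitute a stub.

: "${MYSQL_BIN:=mysql}"

# Write a MySQL option file with the credentials, readable by its owner only.
write_mysql_cnf() {
    out="$1"; user="$2"; pass="$3"
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$out" )
}

# Import the schema files.  Stops at the first missing file or failed import,
# so a half-loaded schema does not go unnoticed.  --defaults-extra-file must be
# the first option for the mysql client to honour it.
import_radius_schema() {
    cnf="$1"; dir="${2:-/etc/freeradius/sql/mysql}"
    for f in cui.sql ippool.sql nas.sql schema.sql wimax.sql; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
        "$MYSQL_BIN" --defaults-extra-file="$cnf" --protocol=tcp -h localhost radius < "$dir/$f" \
            || { echo "import of $f failed" >&2; return 1; }
    done
    echo "imported 5 schema files from $dir"
}

# Usage on the VPN host (as root), after "create database radius":
#   write_mysql_cnf /root/.radius-import.cnf root 'the-root-password'
#   import_radius_schema /root/.radius-import.cnf
#   rm -f /root/.radius-import.cnf
```

Delete the option file once the import is done; it holds the same secret the command line would have exposed, only with tighter permissions.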

Creating a soft link for the sql configuration in the modules directory of the Freeradius server.

ln -sf /etc/freeradius/sql.conf /etc/freeradius/modules/sql

The following files are not present on Ubuntu 16.04, so create each of them with the content shown below.

  • /etc/freeradius/modules/hourlytraffic
  • /etc/freeradius/modules/dailytraffic
  • /etc/freeradius/modules/monthlytraffic

/etc/freeradius/modules/hourlytraffic

sqlcounter hourlytrafficcounter {
    counter-name = Hourly-Traffic
    check-name = Hourly-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = 1h
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

/etc/freeradius/modules/dailytraffic

sqlcounter dailytrafficcounter {
    counter-name = Daily-Traffic
    check-name = Daily-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

/etc/freeradius/modules/monthlytraffic

sqlcounter monthlytrafficcounter {
    counter-name = Monthly-Traffic
    check-name = Monthly-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

The following file is the main FreeRADIUS virtual server configuration. Our working configuration is given below.

/etc/freeradius/sites-enabled/default

authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
    pap
    hourlytrafficcounter
    dailytrafficcounter
    monthlytrafficcounter
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
    exec
    attr_filter.accounting_response
}
session {
    radutmp
    sql
}
post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

Restart the FreeRADIUS server with the following command to load and verify the configuration.

$ /etc/init.d/freeradius restart

Configuration of the Freeradius client

The following command adds the server hostname and shared secret to the "servers" file of the FreeRADIUS client:

echo -e "localhost\ttesting123" >> /etc/radiusclient/servers

Create the dictionary.microsoft configuration file for Windows-based clients, and the dictionary.merit file with the content shown below:

$ sudo nano /etc/radiusclient/dictionary.microsoft

$ sudo nano /etc/radiusclient/dictionary.merit

#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8

Add the following lines to the /etc/radiusclient/dictionary file.

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
ATTRIBUTE Hourly-Traffic 1000 integer
ATTRIBUTE Daily-Traffic 1001 integer
ATTRIBUTE Monthly-Traffic 1002 integer

The running configuration of the RADIUS client is kept in the following file:

/etc/radiusclient/radiusclient.conf

Configuration of the Poptop server:

Add the following configuration in the /etc/pptpd.conf file.

localip 10.20.30.1
remoteip 10.20.30.2-254

Run the following sed commands on the /etc/ppp/pptpd-options file to remove any existing ms-dns and RADIUS plugin lines:

sed -i "/^ms-dns/d" /etc/ppp/pptpd-options
sed -i -e "/radius.so/d" -e "/radattr.so/d" /etc/ppp/pptpd-options

Then add the following lines to the /etc/ppp/pptpd-options file:

ms-dns 8.8.8.8
ms-dns 8.8.4.4
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

Restart the pptpd service to apply the above changes

$ service pptpd restart

Configuration of xl2tpd:

Add the required configuration lines to the /etc/xl2tpd/xl2tpd.conf file as shown in the following figure.

Configuration of OpenSwan:

Add the following pre-shared key entry to the /etc/ipsec.secrets file:

$ nano /etc/ipsec.secrets

192.168.15.4 %any 0.0.0.0: PSK "test"
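The PSK is the only thing protecting the IKE negotiation from anyone who can reach UDP 500/4500 on the server, so "test" should only ever be a placeholder. The script below is an added example, not part of the original post: it generates a random 256-bit key, writes it in the same entry format as the line above for the server address 192.168.15.4, and checks that the file is readable by its owner only. The output path is an argument so the demo writes to a temporary file rather than the real /etc/ipsec.secrets; that and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: replace the placeholder
# pre-shared key "test" with a random one, write it in the ipsec.secrets
# format the post uses and make sure the file is readable by its owner only.
# 192.168.15.4 is the server address from the post; the output path is an
# argument so the demo can use a temporary file instead of /etc/ipsec.secrets.

# Print a 256-bit random key as base64: 44 characters, never containing a
# double quote, so it is safe inside the quoted PSK field.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print one secrets entry in the post's shape: <left> %any 0.0.0.0: PSK "<key>"
ipsec_secrets_line() {
    printf '%s %%any 0.0.0.0: PSK "%s"\n' "$1" "$2"
}

# Return 0 when the file is mode 600 (owner read/write only), 1 otherwise.
check_secrets_mode() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c1-10) || return 1
    [ "$perms" = "-rw-------" ]
}

# Write a fresh secrets file for the given left address with a generated key,
# created under a restrictive umask so no world-readable copy ever exists.
write_secrets() {
    out="$1"; left="$2"
    ( umask 077; ipsec_secrets_line "$left" "$(gen_psk)" > "$out" )
    chmod 600 "$out"
    check_secrets_mode "$out"
}

# Demo on a temporary file (not the real /etc/ipsec.secrets).
demo=$(mktemp)
write_secrets "$demo" 192.168.15.4 && cat "$demo"
rm -f "$demo"
```

On the server, `write_secrets /etc/ipsec.secrets 192.168.15.4` followed by `ipsec secrets` (or a restart of the IPsec service) installs the new key; the same key then has to be entered on the Android client in place of "test".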

The IPsec configuration for the L2TP tunnel goes in the /etc/ipsec.conf file:

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    #protostack=mast # used for SAref + MAST only
    interfaces="%defaultroute"
    oe=off

conn psk-l2tp
    pfs=no
    auto=add
    rekey=no
    # overlapip=yes # for SAref + MAST
    # sareftrack=yes # for SAref + MAST
    type=transport
    left=192.168.15.4
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    authby=secret

Configuration of PPP server:

Add the following configuration in /etc/ppp/options.xl2tpd file.

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

After all required packages are configured, restart the services to test the L2TP VPN.

Restart the IPsec and xl2tpd services.

The following figure shows the FreeRADIUS server running in daemon mode, which helps confirm that the server is working.

Insert a user account in the MySQL database to test the configuration.

INSERT INTO radius.radcheck (username, attribute, op, value) VALUES ('username','User-Password',':=','userpassword');

The following command checks that the Freeradius server is working on localhost.

$ radtest username userpassword localhost 0 testing123

The OpenSwan log (/var/log/auth.log) and the xl2tpd log (/var/log/syslog) also show the status of the L2TP VPN:

tail -f /var/log/auth.log

tail -f /var/log/syslog
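Watching two logs by hand works for a single test connection; a script that answers "did an IPsec SA and an L2TP connection actually come up, and did anything fail" is more useful once several clients connect. The following helpers are an added example, not part of the original post, covering the verification steps above: radtest_accepted checks captured radtest output for an Access-Accept reply, and the log functions count pluto "IPsec SA established" lines in auth.log and xl2tpd "Connection established" lines in syslog and list pluto/xl2tpd lines that look like failures. All log and radtest lines in the demo and test are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the verification
# steps above.  radtest_accepted reads radtest output and reports whether the
# server answered Access-Accept; the log functions count IPsec SAs (pluto,
# /var/log/auth.log) and L2TP connections (xl2tpd, /var/log/syslog) and list
# lines that look like failures.  All sample lines below are constructed.

# Return 0 if radtest output on stdin contains an Access-Accept reply.
# Usage: radtest username userpassword localhost 0 testing123 | radtest_accepted
radtest_accepted() {
    grep -q 'Access-Accept'
}

# Count pluto lines announcing a negotiated IPsec SA (0 if none or no file).
count_ipsec_sa() {
    n=$(grep -c 'pluto\[[0-9]*\]:.*IPsec SA established' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Count xl2tpd lines announcing an established L2TP connection.
count_l2tp_conn() {
    n=$(grep -c 'xl2tpd\[[0-9]*\]:.*Connection established' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print pluto/xl2tpd lines mentioning an error, failure, rejection or an
# invalid message, for manual review; prints nothing when there are none.
show_failures() {
    grep -h -E 'pluto\[[0-9]+\]:|xl2tpd\[[0-9]+\]:' "$@" 2>/dev/null \
        | grep -i -E 'error|fail|invalid|reject|no connection' || true
}

# One-line status for <auth.log> <syslog>; returns 0 only when at least one
# IPsec SA and one L2TP connection have come up.
vpn_status() {
    sa=$(count_ipsec_sa "$1"); conn=$(count_l2tp_conn "$2")
    printf 'ipsec_sa=%s l2tp_connections=%s\n' "$sa" "$conn"
    show_failures "$1" "$2"
    [ "$sa" -gt 0 ] && [ "$conn" -gt 0 ]
}

# Demo on constructed log excerpts (not real captures).
auth=$(mktemp); sys=$(mktemp)
cat > "$auth" <<'EOF'
Jan  4 10:00:01 vpn pluto[1234]: "psk-l2tp"[1] 203.0.113.10 #2: STATE_QUICK_R2: IPsec SA established transport mode
Jan  4 10:05:10 vpn pluto[1234]: "psk-l2tp"[2] 203.0.113.11 #3: sending notification INVALID_HASH_INFORMATION
EOF
cat > "$sys" <<'EOF'
Jan  4 10:00:02 vpn xl2tpd[1300]: Connection established to 203.0.113.10, 1701.  Local: 1, Remote: 5
Jan  4 10:00:03 vpn xl2tpd[1300]: Call established with 203.0.113.10, Local: 2, Remote: 6, Serial: 1
EOF
vpn_status "$auth" "$sys"
printf 'rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20\n' \
    | radtest_accepted && echo "radtest: accepted"
rm -f "$auth" "$sys"
```

On the server, `vpn_status /var/log/auth.log /var/log/syslog` gives the summary after a client has tried to connect; a pluto failure line with no matching "IPsec SA established" usually points at the PSK or the ipsec.conf connection, while an SA without an xl2tpd connection points at xl2tpd or the PPP/RADIUS side.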

Now you can configure Android client for L2TP and connect by giving username and password.

If you have any question or suggestion, please ask here.
