Strongswan and Accel-PPP Configuration and Setup for Ubuntu 14.04 64-bit
Overview
StrongSwan stands as a comprehensive IPsec implementation designed for Linux 2.6, 3.x, and 4.x kernels. The project emphasizes robust authentication mechanisms utilizing X.509 public key certificates. It also supports secure storage of private keys on smartcards through a standardized PKCS#11 interface.
ACCEL-PPP is a completely new implementation of PPTP/PPPoE/L2TP, crafted from scratch. The userspace daemon features its own PPP implementation, eliminating the need for pppd. Additionally, a single, multi-threaded process manages all connections.
Requirements
To successfully set up CSF, ensure that you have the following:
- A CentOS 7 x64 VPS server
- Root access to the server
- An SSH client (You can download Putty or Bitvise, depending on your operating system and preference)
Once you have all these prerequisites, you can proceed to set up CSF. Follow the guide carefully, and feel free to use copy and paste for the commands provided to simplify the installation and configuration process.
Strongswan Installation Guide
Update the package lists before installing StrongSwan.
sudo apt-get update
Next, install the packages needed to build StrongSwan from source.
sudo apt-get install libpam0g-dev libssl-dev make gcc curl
Next, we fetch StrongSwan directly from source. The latest release carries the most recent code changes and fixes, so always download the current version; the releases are listed at [1]. I’m using version 5.3.5 right now.
wget https://download.strongswan.org/strongswan-5.3.5.tar.gz
Extract the archive and change into the source folder.
tar xzf strongswan*.tar.gz
cd /root/strongswan-*/
Then configure strongSwan with the modules we need. This guide authenticates users against FreeRADIUS, which is why the eap-radius plugin (--enable-eap-radius) must be enabled.
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
Now that it is configured, build and install it.
make && make install
Creating Strongswan Certificates
StrongSwan comes equipped with built-in procedures for straightforward certificate generation. To create the certificate, follow these commands:
Generate the server certificate.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=US, O=Premium, CN=Premium CA" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=50.31.0.253" --san="50.31.0.253" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
It’s crucial that the domain name or IP address of your VPN server, which is later entered in the client’s connection properties, is present in the subject Distinguished Name (the CN field) and/or in a subjectAltName (--san). A mismatch here will result in connection failures.
For the built-in Windows 7 VPN client to function properly, your host certificate must include the serverAuth extended key usage flag. Additionally, for OS X 10.7.3 or older, the ikeIntermediate flag is required, which we also include here.
Generate the client certificate.
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=US, O=Premium, CN=Premium Client" --outform pem > client.cert.pem
A VPN client requires a client certificate, its private key, and the signing CA certificate. The most convenient approach is to consolidate everything into a single signed PKCS#12 file and export it with a passphrase.
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "Premium CA" -out client.cert.p12
Enter a password twice to create a .p12 file. You can share the client.cert.p12 file and its export passphrase with the person responsible for installing it on the client.
Afterward, copy the generated certificates to the ipsec.d folder.
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
Strongswan, IPSec, and Secret Configuration
Let’s open the ipsec.secrets file first.
nano /usr/local/etc/ipsec.secrets
And include the information below.
: RSA server.pem      # private key of the server certificate
: PSK "myPSKkey"      # pre-shared key entered by the client
After exiting and saving the file, open ipsec.conf.
nano /usr/local/etc/ipsec.conf
Add the further configuration after that.
config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add

conn IKEv1-RSA-XAUTH-RADIUS
    keyexchange=ikev1
    fragmentation=yes
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    rightcert=client.cert.pem

conn IKEv1-PSK-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
    fragmentation=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid=50.31.0.253
    rekey=no
    left=%any
    leftsendcert=always
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%any

conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftid=@vpn.com
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any

conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701
    left=%any
    right=%any
    rightprotoport=17/%any
    rekey=no
    forceencaps=yes
    #auto=add
- IKEv1-RSA-XAUTH-RADIUS: Used for IPSec-RSA authentication.
- IKEv1-PSK-XAUTH-RADIUS: Used for IPSec-PSK authentication, which is pre-shared-key based.
- IKEv2-EAP_MSCHAPv2-RADIUS-iOS: Used exclusively for IKEv2 on iOS. Note: the leftid line represents the IP address of your server.
- IKEv2-EAP_MSCHAPv2-RADIUS: Used for the IKEv2 VPN protocol, compatible with Windows, Linux, and Android.
- L2TP-IKEv1-PSK: Reserved for the L2TP/IPSec protocol, which we’ll cover in more detail later on.
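Before starting charon it is worth checking the ipsec.conf above mechanically rather than by eye. The script below is an added example and is not part of the guide or of strongSwan: it parses a constructed copy of the conn sections, folds the conn %default settings into each named conn, lists which conns delegate client authentication to RADIUS, verifies that the rightsourceip pools of different conns do not overlap, and flags the legacy algorithms (3des, sha1, modp1024) that the explicit ike/esp proposals still allow. The parser only handles the "key=value" layout used on this page.

```python
"""Lint the guide's ipsec.conf: %default inheritance, RADIUS-backed conns,
pool overlap and legacy proposal algorithms (added example, not guide code)."""
import ipaddress
import re

# Constructed copy of the guide's ipsec.conf, trimmed to the fields checked here.
IPSEC_CONF = """
config setup
    uniqueids=never
conn %default
    leftsubnet=0.0.0.0/0
    left=%defaultroute
    right=%any
    auto=add
conn IKEv1-RSA-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
conn IKEv1-PSK-XAUTH-RADIUS
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.31.1.0/24
conn IKEv2-EAP_MSCHAPv2-RADIUS-iOS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rightauth=eap-radius
    rightsourceip=10.31.2.0/24
conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701
    rightprotoport=17/%any
"""

# Algorithm tokens a modern client no longer needs in a proposal.
LEGACY = ("3des", "sha1", "md5", "modp768", "modp1024")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and blank lines
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: 'conn NAME' / 'config setup'
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def radius_backed(conns):
    """Names of conns whose client authentication is handed to RADIUS."""
    return sorted(n for n, c in conns.items()
                  if "radius" in c.get("rightauth", "") + c.get("rightauth2", ""))


def overlapping_pools(conns):
    """Pairs of conns whose rightsourceip pools overlap without being identical.
    Two conns naming the same subnet share one pool, which is intentional here."""
    pools = {n: ipaddress.ip_network(c["rightsourceip"], strict=False)
             for n, c in conns.items() if "rightsourceip" in c}
    names = sorted(pools)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if pools[a] != pools[b] and pools[a].overlaps(pools[b])]


def legacy_proposals(conns):
    """{conn: sorted legacy tokens} for conns that pin ike/esp proposals."""
    found = {}
    for name, c in conns.items():
        tokens = re.split(r"[,\-!]", c.get("ike", "") + "," + c.get("esp", ""))
        hits = sorted({t for t in tokens if t in LEGACY})
        if hits:
            found[name] = hits
    return found


if __name__ == "__main__":
    conns = parse_ipsec_conf(IPSEC_CONF)
    print("RADIUS-backed conns:", radius_backed(conns))
    print("overlapping pools:", overlapping_pools(conns))
    for name, algs in legacy_proposals(conns).items():
        print(f"{name}: legacy algorithms in proposal: {', '.join(algs)}")
```

Run it against your real file by replacing IPSEC_CONF with the contents of /usr/local/etc/ipsec.conf; an empty overlap list and an empty legacy dictionary are the clean result.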
Save and close the file.
Next, we will add our radius details in the strongswan.conf file. Open strongswan.conf.
nano /usr/local/etc/strongswan.conf
Make sure the following configuration is present in your file.
# for radius configuration details see https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                # credentials for the RADIUS servers; one or more may be listed
                server-a {
                    # credentials for RADIUS server a
                    secret = this_is_radius_secret
                    address = 50.31.1.57
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Ensure to modify the address and secret parameters to align with your FreeRADIUS configuration.
If you have multiple FreeRADIUS servers, you can add another server inside the servers block:
                server_b {
                    secret = your_secret
                    address = your_freeradius_ip
                    auth_port = 1812
                    acct_port = 1813
                }
Now we will run strongswan.
ipsec start
To see the available strongswan commands, type:
ipsec --help
Accel-PPP installation and configuration
Accel-PPP is a high-performance PPP server built from scratch to address the limitations of the PPP protocol. It is designed to be more user-friendly and easier to configure compared to older solutions. We will use this application to offer PPTP and L2TP services to clients.
To begin the installation, we need to install the necessary files.
apt-get install cmake libssl-dev libpcre3-dev libnet-snmp-perl libtritonus-bin
Next, we’ll get the most recent version from [2].
wget http://downloads.sourceforge.net/project/accel-ppp/
cd /usr/src/
Ensure that you download the most recent version from the accel-ppp website.
wget http://downloads.sourceforge.net/project/accel-ppp/accel-ppp-1.9.0.tar.bz2
tar -xjf accel-ppp-1.9.0.tar.bz2
mkdir accel-ppp-build
cd accel-ppp-build
Set up accel-ppp with support for radius.
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DRADIUS=TRUE -DSHAPER=TRUE ../accel-ppp-1.9.0
Now build and install accel-ppp.
make && make install
Open a new ‘/etc/accel-ppp.conf’ configuration file and add the following settings.
[modules]
log_file
log_syslog
pptp
l2tp
auth_mschap_v2
radius
ippool
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
[ppp]
verbose=3
min-mtu=1280
mtu=1400
mru=1400
mppe=prefer
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-timeout=120
[pptp]
bind=50.31.0.253
echo-interval=30
mppe=prefer
ip-pool=pool1
verbose=3
[l2tp]
bind=50.31.0.253
hello-interval=60
mppe=prefer
ip-pool=pool2
verbose=3
[dns]
dns1=8.8.8.8
dns2=8.8.4.4
[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=sample_server
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
acct-interim-interval=500
acct-on=1
verbose=1
interim-verbose=1
[client-ip-range]
0.0.0.0/0
[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
level=5
Save the file and exit.
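The accel-ppp pools, the strongSwan rightsourceip pools and the RADIUS settings are spread over three files, so address collisions are easy to introduce. The script below is an added example, not part of the guide or of accel-ppp: it parses a constructed excerpt of the accel-ppp.conf above, expands the [ip-pool] ranges, and checks that every pool named in [pptp] and [l2tp] exists, that no pool overlaps another pool or one of the strongSwan rightsourceip subnets (the two from the ipsec.conf earlier, passed in as a list), that gw-ip-address lies outside every pool, and that nas-ip-address matches the bind address, which is the convention this guide follows. It also splits the [radius] server line into its fields. Only the range and CIDR pool syntaxes are handled.

```python
"""Consistency check of accel-ppp.conf against the strongSwan pools
(added example, not guide code)."""
import ipaddress

# Constructed excerpt of the guide's accel-ppp.conf.
ACCEL_CONF = """
[modules]
pptp
l2tp
radius
ippool
[pptp]
bind=50.31.0.253
ip-pool=pool1
[l2tp]
bind=50.31.0.253
ip-pool=pool2
[radius]
nas-identifier=sample_server
nas-ip-address=50.31.0.253
server=50.31.1.57,this_is_radius_secret,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
"""

# rightsourceip subnets from the ipsec.conf earlier in the guide.
STRONGSWAN_POOLS = ["10.31.1.0/24", "10.31.2.0/24"]


def parse_accel_conf(text):
    """Return {section: {"opts": {key: value}, "items": [bare lines]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {"opts": {}, "items": []})
        elif current is None:
            continue
        elif "=" in line:                      # key=value (first '=' splits)
            key, _, value = line.partition("=")
            current["opts"][key.strip()] = value.strip()
        else:                                  # bare entries such as pool ranges
            current["items"].append(line)
    return sections


def pool_ranges(sections):
    """Expand '10.31.3.3-254,pool1' or 'a.b.c.0/24,name' into {name: (first, last)}."""
    pools = {}
    for item in sections["ip-pool"]["items"]:
        spec, _, name = item.partition(",")
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            first, last = net[0], net[-1]
        else:
            start, _, last_octet = spec.partition("-")
            first = ipaddress.ip_address(start)
            last = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + last_octet) if last_octet else first
        pools[name or spec] = (first, last)
    return pools


def radius_server(sections):
    """Split the [radius] server line into address, secret and keyword options."""
    parts = sections["radius"]["opts"]["server"].split(",")
    return {"address": parts[0], "secret": parts[1],
            **dict(p.split("=", 1) for p in parts[2:])}


def check(sections, strongswan_pools):
    """Return a list of problems; an empty list means the files agree."""
    problems, pools = [], pool_ranges(sections)
    # 1. every pool a protocol section refers to must be defined
    for proto in ("pptp", "l2tp"):
        want = sections.get(proto, {}).get("opts", {}).get("ip-pool")
        if want and want not in pools:
            problems.append(f"[{proto}] references unknown ip-pool {want}")
    # 2. pools must not overlap each other or the strongSwan rightsourceip pools
    spans = [(n, lo, hi) for n, (lo, hi) in pools.items()]
    spans += [(f"strongswan:{p}", ipaddress.ip_network(p)[0], ipaddress.ip_network(p)[-1])
              for p in strongswan_pools]
    for i, (a, alo, ahi) in enumerate(spans):
        for b, blo, bhi in spans[i + 1:]:
            if alo <= bhi and blo <= ahi:
                problems.append(f"pool {a} overlaps {b}")
    # 3. the gateway address handed to clients must not be allocatable
    gw = ipaddress.ip_address(sections["ip-pool"]["opts"]["gw-ip-address"])
    for n, (lo, hi) in pools.items():
        if lo <= gw <= hi:
            problems.append(f"gw-ip-address {gw} lies inside pool {n}")
    # 4. the NAS address reported to RADIUS should be an address we bind to
    nas = sections["radius"]["opts"].get("nas-ip-address")
    binds = {sections[p]["opts"].get("bind") for p in ("pptp", "l2tp") if p in sections}
    if nas and nas not in binds:
        problems.append(f"nas-ip-address {nas} is not a bind address {sorted(binds)}")
    return problems


if __name__ == "__main__":
    cfg = parse_accel_conf(ACCEL_CONF)
    print("radius server:", radius_server(cfg))
    print("problems:", check(cfg, STRONGSWAN_POOLS) or "none")
```

To run it against the live files, read /etc/accel-ppp.conf into ACCEL_CONF and fill STRONGSWAN_POOLS from the rightsourceip lines of /usr/local/etc/ipsec.conf.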
To run accel-ppp we execute.
accel-pppd -d -c /etc/accel-ppp.conf
That’s it! You’re now ready to connect to the server using IKEv2, IPSec, L2TP/IPSec, and PPTP from Windows, iOS, Linux, and Android devices. Enjoy your secure and versatile VPN setup!
[1]: https://download.strongswan.org/
[2]: http://downloads.sourceforge.net/project/accel-ppp/
