www.linuxexpert.ro

Tutorials

  • Home
  • BGP Tutorials
    • Remove private AS
  • cPanel Tutorials
    • Install ImageMagick on cPanel
    • Install Softaculous
  • Linux Tutorials
    • Auto-reboot Linux after kernel panic
    • Building a firewall with Iptables
    • Change array RAID 1 disk order
    • Configure ntfs-3g on Linux Slackware
    • DHCP Option Codes
    • DansGuardian with Squid and ClamAV
    • Fetchmail for Gmail accounts
    • Install Zend & APC PHP Optimizers
    • Install Atheros AR242x PCI Express Adapter
    • Install awstats with DirectAdmin
    • Install DBD::mysql via CPAN shell
    • Install DjbDNS on Ubuntu
    • Installing fail2ban on Centos 5
    • Install GoDaddy SSL Certificate
    • Install i386 packages under x86_64
    • Install Linux via USB flashdrive
    • Install ModSecurity2 on Apache2.0.x
    • Install Nginx on CentOS
    • Install webalizer with ispconfig
    • Install intel A/B/G/N wireless on linux
    • Kernel Upgrade
    • Mobile phone access via bluetooth
    • Optimize MySQL
    • Optimize Qmail
    • Optimize server load
    • Optimize and Tune Apache for performance
    • Optimize and Tune Nginx for performance
    • Perfect Mailserver on Debian
    • Pidgin "Now Playing" Status Message
    • PHP hardening
    • PHP hardening with Suhosin
    • PHP5 Support allong with PHP4
    • Previewing your site before making DNS changes
    • Proxy Auto Configuration
    • PXE boot install rescue
    • Setup awstats on CentOS
    • Setup EC2 Amazon L2TP IPSec VPN
    • Setup email piping with Qmail
    • Setup Exim with DKIM
    • Setup Exim smart relay with cPanel
    • Setup OpenVPN
    • Setup postfix on nonstandard port
    • Setup SS5 Socks Proxy
    • Setup vsftp with no shell access
    • Sendmail smart relay with gmail auth
    • Squid proxy NCSA authentication
    • Tcpdump filters
    • Upgrade PHP to 5.3 in Plesk 10
    • Useful regular expressions
    • X with [SiS] 771/671 VGA controller
  • Joomla Tutorials
    • Hardening Joomla
    • Module Positions
    • Remove Joomla description meta tag
  • Looking Glasses
  • Optimize Firefox
  • Security
    • Crack WiFi WEP passwords
    • Defend against UDP isc.org DNS query DDOS
    • Detect DDoS attack
    • Remove malware from web sites
    • Sniff SSL passwords with ettercap
    • Snort2BGP
    • Track Hackers
    • What Is My IP
  • Troubleshooting
    • Grub error no such disk
    • named dumping master file: tmp-XXXXXXXXXX: open: permission denied
    • Nginx 413 Request Entity Too Large
    • SSH conection closed by remote host
    • Troubleshooting sis190.c
  • Unix Tutorials
    • FreeBSD reset root password
    • Installing snort on OpenBSD
    • Unix Toolbox
  • Virtualization Tutorials
    • Convert VirtualBox image to VMWare
    • VMware SNMP Enable
  • VoIP Tutorials
    • Install Elastix
    • Qos for Asterisk

Who's Online

We have 73 guests and no members online

Most Read

  • Setup SS5 Socks Proxy
  • Install webalizer with ispconfig
  • Sniff SSL passwords with ettercap
  • __404__
  • Optimize and Tune Apache for performance

Products and Services

  • Home
  • Linux Products and Services
  • Buy VPN Account
  • Privacy Policy for Linuxexpert
  • Remove malware

Setup EC2 Amazon L2TP IPSec VPN

  • Print
  • Email
Details
Parent Category: Tutorials
Published: 24 November 2011
Hits: 14650

In this tutorial i'll guide you to configure your Amazon cloud sessions in order to conect to it from internet via L2TP IPSec VPN.

But first let's define some things for the new Amazon users:

  • EC2 Private IP Address: The internal RFC 1918 address of an instance that is only routable within the EC2 Cloud. Network traffic originating outside the EC2 network cannot route to this IP, and must use the Public IP or Elastic IP Address mapped to the instance.
  • EC2 Public IP Address: Internet routable IP address assigned by the system for all instances. Traffic routed to the Public IP is translated via 1:1 Network Address Translation (NAT) and forwarded to the Private IP address of an instance. The mapping of a Public IP to Private IP of an instance is the default launch configuration for all instance types. Public IP Addresses are no longer usable upon instance termination.
  • EC2 Elastic IP Address: Internet routable IP address allocated to an AWS EC2 account. Similar to EC2 Public Address, 1:1 NAT is used to map Elastic IP Addresses with their associated Private IP addresses. Unlike a standard EC2 Public IP Address, Elastic IP Addresses are allocated to accounts and can be remapped to other instances when desired.

    • This config was tested on Windows clients  and they need a special adjustment on registry for AssumeUDPEncapsulationContextOnSendRule string:

    1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
    2. Click Start
      Collapse this imageExpand this image, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
    3. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
      Note You can also apply the
      AssumeUDPEncapsulationContextOnSendRule
      DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
    4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
    5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
    6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
    7. In the Value Data box, type one of the following values:
      • 0
        A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
      • 1
        A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
      • 2
        A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
    8. Click OK, and then exit Registry Editor.
    9. Restart the computer.

    More on: http://support.microsoft.com/kb/926179/en-us

    Now let's move to the Amazon server configs:

    1) Openswan package install

    #apt-get install openswan xl2tpd

    ipsec.conf
    #EC2
    # /etc/ipsec.conf on remote (non-amazon) server
    version 2.0

    config setup
    nat_traversal=yes
    # we should exclude ourselves, but that's dynamic.
    # The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.224.58.229/32,%v4:!192.168.2.0/24
    # amazon kernels have no KLIPS support
    protostack=netkey

    oe=off
    nhelpers=0
    interfaces=%defaultroute


    conn EC2
    authby=secret
    pfs=no
    rekey=no
    type=tunnel
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701

    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add

     

    ipsec.secrets:


    include /var/lib/openswan/ipsec.secrets.inc
    "ELASTIC_AMAZON_IP" %any: PSK "secretkey"

     

    xl2tpd.conf:

    [global]


    [lns default]
    ip range = 192.168.2.2-192.168.2.254
    local ip = 192.168.2.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    name = openSwanVPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

    options.xl2tpd:


    ipcp-accept-local
    ipcp-accept-remote
    noccp
    auth
    crtscts
    idle 1800
    mtu 1280
    mru 1280
    defaultroute
    debug
    lock
    proxyarp
    connect-delay 5000

    chap-secrets
    # Secrets for authentication using CHAP
    # client        server  secret                  IP addresses
    "user"          *          "pass"                  192.168.2.1/25

    On a Windows XP client, we set things up for a quick test:
    Control Panel > Network Connections > File > New connection...
    Select Connect to the network at my workplace
    Select Virtual Private Network connection
    Company Name: Your Company
    Select Do not dial the initial connection
    Host name or IP address: ELASTIC_IP Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
    Pre-shared key: secretkey Properties > Network > Type of VPN: L2TP IPSec VPN
    Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network

    Note:

    We use Hosting and VPS Hosting, from: www.star-host.org

    We like and trust them.

    Good prices, high security.

     

     

    fShare
    Tweet