Who's Online
We have 16 guests and no members online
Products and Services
Home
Linux Tutorials
- Details
- Parent Category: Tutorials
- Hits: 13355
|
|
These are just installation notes and this should not be considered a complete howto.
The fail2ban script runs as a daemon and bans an IP address after too many failed login attempts. We use it for blocking failed login attempts for SSH, ProFTP and Postfix.
Fail2ban is very effective at stopping the brute-force attacks now common to all Internet-connected hosts. We have found it reliable and functional without causing problems.
Installation on Centos 5
wget http://superb-west.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.1.tar.bz2
tar -xjvf fail2ban-0.8.1.tar.bz2
cd fail2ban-0.8.1
python setup.py install
Or you cand download the rpm for CentOS 5.x from: ftp://rpmfind.net/linux/dag/redhat/el5/en/i386/dag/RPMS/fail2ban-0.8.2-2.el5.rf.noarch.rpm and install:
rpm -ivh fail2ban-0.8.2-2.el5.rf.noarch.rpm
vi /etc/fail2ban/jail.conf
Enable only the sections you need and do them one at a time. We enable SSH and ProFTP (both use /var/log/secure) as well as Postfix.
Set your local networks and any other networks you consider 'safe'. You certainly don't want to block your own clients!
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
Installation on SME 7
NEEDS Python 2.4!! (NOT CURRENTLY AVAILABLE)
(SME 7 uses /var/log/messages)
Startup
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
service fail2ban start
Tools
Show failed SSH logins by date:
cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Search for correct log file:
grep such /var/log/messages*
grep ftp /var/log/messages*
grep -r NOQUEUE /var/log
This should match Postfix bans:
grep rejected /var/log/maillog
Configuration
Adjust the following sample configuration files to your needs.
# Fail2Ban jail.local configuration file
################################################
# www.starhost.ro
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# ignore Opus IP ranges
ignoreip = 127.0.0.1 192.245.12.0/24 207.182.32.0/19 204.27.149.0/24
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# Don't know how well other backend options work.
backend = polling
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest= root@localhost, sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]
logpath = /var/log/secure
maxretry = 3
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest= This email address is being protected from spambots. You need JavaScript enabled to view it., sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]
logpath = /var/log/secure
maxretry = 3
[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
sendmail-whois[name=Postfix, dest= This email address is being protected from spambots. You need JavaScript enabled to view it., sender= This email address is being protected from spambots. You need JavaScript enabled to view it.]
logpath = /var/log/maillog
maxretry = 5
# Fail2Ban filter.d/postfix.local configuration file
################################################
# www.starhost.ro
#
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
reject: RCPT from (.*)\[<HOST>\]: 550
reject: RCPT from (.*)\[<HOST>\]: 450
ignoreregex =
# Fail2Ban action.d/sendmail-whois.local configuration file
################################################
# www.starhost.ro
#
[Definition]
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`/usr/bin/dig -x <ip>`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =
[Init]
name = default
dest = root
sender = fail2ban
Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.
- Details
- Parent Category: Tutorials
- Hits: 1329
|
|
Today we will talk about Linux and Nginx tips and tricks that will help webmaster to tune their dedicated server to handle high traffic.
Nginx configuration nginx.conf is a file file, usually located at /etc/nginx/nginx.conf path containing configuration settings for nginx server. Cannot find the location of the file? Use locate command: >cd / then >locate nginx.conf. You may find the values in conf/extra directory.
Main parameters to tune are:
worker_processes. I usualy set to 4. Default is 1, so:
worker_processes 4;
keepalive_timeout, default is set to 0 i'm using 65:
keepalive_timeout 65;
client_max_body_size 1000M;
Another crucial parameter for increasing nginx speed is Nginx Compression. So let's see how we can serve compressed content from ngix and increase response time:
#Compression
gzip on;
gzip_static on;
gzip_comp_level 2;
gzip_min_length 1000;
gzip_buffers 32 8k;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/xml application/xml+rss;
# Disable for IE < 6 because there are some known problems
gzip_disable "MSIE [1-6].(?!.*SV1)";
# Add a vary header for downstream proxies to avoid sending cached gzipped files to IE6
gzip_vary on;
set $cache_uri $request_uri;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}
# Cache static files for as long as possible
location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max; log_not_found off; access_log off;
}
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Tutorials
- Hits: 3199
|
|
In this tutorial I'll show you how to install DjBDNS on Ubuntu server:
apt-get install daemontools ucspi-tcp djbdns
useradd -d /var/dnscache -s /bin/false dnscache
useradd -d /var/dnscache -s /bin/false dnslog
mkdir -p /var/dnscache
dnscache-conf dnscache dnslog /var/dnscache/dnscache 0.0.0.0
touch /var/dnscache/dnscache/root/ip/0.0.0.0
ln -sf /var/dnscache/dnscache /etc/service/
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Tutorials
- Hits: 14687
|
|
In this tutorial i'll guide you to configure your Amazon cloud sessions in order to conect to it from internet via L2TP IPSec VPN.
But first let's define some things for the new Amazon users:
This config was tested on Windows clients and they need a special adjustment on registry for AssumeUDPEncapsulationContextOnSendRule string:
- Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
- Click Start
Collapse this image , point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentNote You can also apply theAssumeUDPEncapsulationContextOnSendRuleDWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- On the Edit menu, point to New, and then click DWORD (32-bit) Value.
- Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
- Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
- In the Value Data box, type one of the following values:
- 0
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value. - 1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices. - 2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
- 0
- Click OK, and then exit Registry Editor.
- Restart the computer.
More on: http://support.microsoft.com/kb/926179/en-us
Now let's move to the Amazon server configs:
|
1) Openswan package install
#apt-get install openswan xl2tpd
ipsec.conf
#EC2
# /etc/ipsec.conf on remote (non-amazon) server
version 2.0
config setup
nat_traversal=yes
# we should exclude ourselves, but that's dynamic.
# The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.224.58.229/32,%v4:!192.168.2.0/24
# amazon kernels have no KLIPS support
protostack=netkey
oe=off
nhelpers=0
interfaces=%defaultroute
conn EC2
authby=secret
pfs=no
rekey=no
type=tunnel
esp=aes128-sha1
ike=aes128-sha-modp1024
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnetwithin=0.0.0.0/0
auto=add
ipsec.secrets:
include /var/lib/openswan/ipsec.secrets.inc
"ELASTIC_AMAZON_IP" %any: PSK "secretkey"
xl2tpd.conf:
[global]
[lns default]
ip range = 192.168.2.2-192.168.2.254
local ip = 192.168.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = openSwanVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
defaultroute
debug
lock
proxyarp
connect-delay 5000
chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"user" * "pass" 192.168.2.1/25
On a Windows XP client, we set things up for a quick test:
Control Panel > Network Connections > File > New connection...
Select Connect to the network at my workplace
Select Virtual Private Network connection
Company Name: Your Company
Select Do not dial the initial connection
Host name or IP address: ELASTIC_IP
Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
Pre-shared key: secretkey Properties > Network > Type of VPN: L2TP IPSec VPN
Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Tutorials
- Hits: 495
We have a Windows network (Windows server and Windows clients) at work, with an Ubuntu server that has an external IP address. I wanted to allow certain users to be able to connect via a VPN. I also wanted to allow them to do it without any special software on their machines. Our Windows Server had a private IP address and only one network card, so the basic RRAS solution was not going to work for me. Below is the step-by-step I went through to set up a "VPN server" that would work with the native Windows client. Running on Ubuntu Server 10.04.3 LTS on our proxy server, so it has an external IP address and an internal IP address on two different NICs. It is assumed that you run the following commands as root when needed and that you are smart enough to know when that might be. Windows VPN clients use either PPTP or IPSec L2TP. (Windows 7 also has IKEv2, but we won't cover it here since Openswan didn't yet support NAT for IKEv2.) In this guide, we'll use IPSec L2TP. We set things up first with Pre-shared Keys (PSK) since it's easier to test, then we step through using certificates with the default Windows Server Certificate Authority (CA). I also wanted to authenticate users off of their domain password and only if they were in a particular group. Note: In this guide, the external IP of the machine is listed as 12.34.56.78. The gateway IP is listed as 12.34.56.1. The internal IP of the VPN server (since it has a NIC on both the inside and the outside) is 192.168.1.1 in this example. Change these for your set up. This will allow the Windows clients to create an IPSec SA between itself and the VPN server. Unfortunately, the version of Openswan that comes with Lucid is now pretty out of date, and you may have trouble getting iPhones and iPads connected to this same setup if you use their package. I realize this guide is for Windows clients, but we try to be accommodating. If you want to try the regular Ubuntu packages, see the previous version of this document. As for the rest of us, we will continue on with the latest versions of things. Download the latest version of Openswan to your computer. Expand the file and enter the directory In order to actually compile the program, we just need to install a few packages from the default Ubuntu repositories. Then we can compile Openswan. We do these with the commands below. At this point, if there were no errors in the compiling, we can go ahead and install it. (If you have the Ubuntu version of Openswan installed, you can uninstall it first with Congratulations! The latest version of Openswan is now installed. Now we can get on with the setup. Set Add: Add: At this point, your VPN server should be listening on port 500/udp and 4500/udp for connections. You can check this using Setting Up an IPSec L2TP VPN server on Ubuntu for Windows clients
1) Install and set up the openswan package.
wget http://openswan.org/download/openswan-2.6.35.tar.gz
tar -zxvpf openswan-2.6.35.tar.gz
cd openswan-2.6.35apt-get install libgmp3-dev bison flex
make programs
apt-get remove openswan
)sudo make install
cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/l2tp-psk.conf
nano /etc/ipsec.d/l2tp-psk.confleft=12.34.56.78
[should be set to your external IP address on the machine users will connect to]leftnexthop=12.34.56.1
[set this to your external gateway]nano /etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
Also, for Windows Vista to work properly, we need to tell it which private subnets are allowed, and which are not. In our example, since our company's internal subnet is 192.168.1.0/24, we disallow that (at the end of the line).virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.1.0/24
nano /etc/ipsec.secrets
12.34.56.78 %any: "yourSharedPSK!"
/etc/init.d/ipsec restart
netstat -antu
.2) A quick test
This will check to see if the IPSec side of things is working properly.
You'll need to allow udp/500 and udp/4500 to your external interface through the firewall on your INPUT chain. I also added protocol 50. How this looks depends on your firewall implementation, but my iptables filter rules look like this:-A INPUT -p 50 -j ACCEPT
-A INPUT -p udp -d 12.34.56.78 --dport 500 -j ACCEPT
-A INPUT -p udp -d 12.34.56.78 --dport 4500 -j ACCEPT
On a Windows XP client, we set things up for a quick test:
Control Panel > Network Connections > File > New connection...
Select Connect to the network at my workplace
Select Virtual Private Network connection
Company Name: Your Company
Select Do not dial the initial connection
Host name or IP address: 12.34.56.78
Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
Pre-shared key: yourSharedPSK!
Properties > Network > Type of VPN: L2TP IPSec VPN
Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network
Pay atention to Windows clients that conects to L2TP server behind NAT:
To create and configure the
http://support.microsoft.com/kb/926179/en-us
Now, monitor /var/log/auth.log (perhaps with tail -f /var/log/auth.log
) and connect with the Windows client.
In the end, the connection will fail, but you should see connection attempts on the VPN server with a STATE_QUICK_R2: IPsec SA established
. This means the IPSec side of things is working with the pre-shared key.
registry value, follow these steps:
- Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
- Click Start
Collapse this image
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentNote You can also apply theAssumeUDPEncapsulationContextOnSendRuleDWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- On the Edit menu, point to New, and then click DWORD (32-bit) Value.
- Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
- Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
- In the Value Data box, type one of the following values:
- 0
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value. - 1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices. - 2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
- 0
- Click OK, and then exit Registry Editor.
- Restart the computer.
3) Install xl2tpd
Since Windows default client is more than just IPSec, it uses L2TP inside of an IPSec SA, we need a daemon to handle that. Like Openswan, there have been a few bugs fixed since the version in the Ubuntu repository. Rather than compile it though, I just download a later version from a later version of Ubuntu.
After you have the .deb file downloaded, you can install it with a command such as: dpkg -i xl2tpd_1.2.8+dfsg-1_i386.deb
.
Modify /etc/xl2tpd/xl2tpd.conf
so it includes at least the following:
[global]
listen-addr = 12.34.56.78
[lns default]
ip range = 192.168.1.10-192.168.1.20
local ip = 192.168.1.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
The IP range specified above should be set to IP addresses of your internal network which can be given to your VPN clients. Don't worry much that we are refusing CHAP and PAP methods, because we will require MS-CHAP v2 next.
cp /etc/ppp/options /etc/ppp/options.xl2tpd
nano /etc/ppp/options.xl2tpd
Change noauth
to auth
.
Set name l2tpd
. You can really set it to something other than l2tpd, but you have to match it in the next file.
Set mru 1280
and mtu 1280
. I had some weird trouble with Vista's Remote Desktop not working over the VPN if these were left at their defaults of 1500. 1280 is chosen because that is the minimum required if the IPv6 protocol is to work as well (although that is not covered in this document).
/etc/ppp/chap-secrets
#client server secret IP addresses username l2tpd "password" 192.168.1.1/24 l2tpd username "password" 192.168.1.1/24
Match the l2tpd with the name in the previous file. You can use this to test your CHAP authentication if you want... but you'd have to temporarily change the refuse chap = yes
line above. I put it here just so you know how to test it if you want.
At this point, you need to add an extra rule to your firewall. Some of the sites I reference urge you to be security-minded here because if you open up this port to the whole world, then anyone may try to authenticate without IPSec. Basically, you want to allow connections to udp/1701, but they'd better be connected via IPSec. My filter rule looks like the following:-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
This will allow L2TP traffic to connect to us ONLY if it shows up in an IPSec packet. The best information I've found about how IPSec (NETKEY) interacts with the iptables firewall was found in this post by Nigel Metheringham.
The last firewall modification we need to make for xl2tpd (which we could probably get more picky if you wanted). When an L2TP connection is made, it creates a ppp# interface on the VPN server, so we need to allow it to talk to the other interfaces.-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
4) Join Ubuntu to the Active Directory domain
I wanted to have the authentication based off of the Windows AD rather than some /etc/ppp/chap-secrets file.
apt-get install smbclient
apt-get install winbind
Make sure /etc/resolv.conf
points to your DNS servers that have your AD information. Add an A and PTR record for the machine if you don't already have that.
apt-get install krb5-user
(includes krb5-config)
Kerberos servers for your realm: windowsserver.example.local
Administrative servers for your realm: windowsserver.example.local
/etc/samba/smb.conf
(if not specifically listed, I just left the defaults):
workgroup = EXAMPLE
interfaces = eth0 lo
bind interfaces only = true
security = ADS
realm = EXAMPLE.LOCAL
password server = windowsserver.example.local
idmap uid = 10000-20000
idmap gid = 10000-20000
/etc/krb5.conf
(I believe this file is case-sensitive. I only list the lines here that I modified from the default.)
default-realm = EXAMPLE.LOCAL [REALMS] EXAMPLE.LOCAL = { kdc = windowsserver.example.local admin_server = windowsserver.example.local }Run:
/etc/init.d/winbind restart
Note that the clocks of the Windows server and the VPN server must be within 5 minutes of each other for the next commands:
net ads join -U Administrator
This joins the Ubuntu server to the Windows domain. On one machine, I had to make sure that the FQDN was listed in /etc/hosts
before it let me join the domain.
net ads testjoin
This line tests to see if the VPN server was properly joined to the AD domain.
5) Update xl2tpd/ppp to work with the Windows domain authentication
/etc/ppp/options.xl2tpd
and add:
require-mschap-v2
# We can enable MPPE for additional encryption, but all this should be coming over IPSec anyway
#require-mppe-128
ms-dns 192.168.1.3
ms-dns 192.168.1.4
# The following lines let the authentication occur against the Windows domain, and require the user to be a member of the 'VPN Users' group on the 'EXAMPLE' domain.
plugin winbind.so
ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
6) Using Certificates instead of Pre-shared Keys
This assumes that you already have Certificate Services set up on your Windows Server. I don't go into a lot of detail here.
6.1) Getting a certificate for your VPN server
openssl req -new -out vpn.example.com.pem
Enter PEM pass phrase:
Country: US
State: State
Locality: City Name
Organization: Your Company Name
OU:
CN: vpn.example.com E-mail:
Challenge password:
Optional company name:
mv vpn.example.com.pem /etc/ssl/private
chmod 640 /etc/ssl/private/vpn.example.com.pem
Load up your Certification Authority on Windows. Right-click on the server, All Tasks > Submit new request... and give it the vpn.example.com.pem file you created.
Choose Pending Requests. Right-click the request, All Tasks > Issue
In Issued Certificates, Open the certificate
Details tab > Copy to File...
Choose DER encoded binary X.509 (.cer)
Export the certificate for the CA as well (not the private key!) using the Certificate snap-in of mmc
.
Copy both to your VPN server.
openssl x509 -inform DER -in windowsserver.example.local.cer -outform PEM -out windowsserver.example.local.pem
This just converts the DER encoded file to a .PEM file.
cp windowsserver.example.local.pem /etc/ipsec.d/cacerts
IPSec needs to know the public key of the CA for verification purposes.
openssl x509 -inform DER -in vpn.example.com.cer -outform PEM -out vpn.example.com.pem
cp vpn.example.com.pem /etc/ipsec.d/certs
Takes the generated certificate for our VPN server and lets openswan (IPSec) use it as needed.
6.2) Setting openswan to use certificates rather than PSKs
cp /etc/ipsec.d/examples/l2tp-cert.conf /etc/ipsec.d/l2tp-cert.conf
Edit
/etc/ipsec.conf
Replace l2tp-psk.conf
with l2tp-cert.conf
.
Also, for Windows Vista to work properly, we need to tell it which private subnets are allowed, and which are not. In our example, since our company's internal subnet is 192.168.1.0/24, we disallow that (at the end of the line).virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.1.0/24
/etc/ipsec.d/l2tp-cert.conf
. Vista seems to like or need the leftid setting.
left=12.34.56.78
leftnexthop=12.34.56.1
leftid=@vpn.example.com
leftcert=/etc/ipsec.d/certs/vpn.example.com.pem
openssl req -new -keyout vpn.example.com.pem
PEM passphrase: passphraseToAccessFile
This tells openssl to spit out our private key into a file.
mv vpn.example.com.pem /etc/ipsec.d/private/vpn.example.com.pem
Move this private key to a place where IPSec (openswan) can have access to it.
We need to modify/etc/ipsec.secrets
to make sure it can use the private key associated with our certificate:
Comment out the pre-shared key we put in there earlier and add the line (including the colon):: RSA vpn.example.com.pem "passphraseToAccessFile"
/etc/init.d/ipsec restart
6.3) Getting the Windows client to work with certificates
First off, we need to get a certificate for the Windows machine. With Windows XP Professional attached to a domain, this is fairly straight-forward and I believe you can even push the certificates to the machines. It may go something like this for you:
Start > Run > mmc
> File > Add/Remove Snap-in... > Add... > Certificates > Select Computer account
> Local computer > Close > OK
Highlight Certificates > Personal, Right-click > All Tasks > Request New Certificate...
However, I was dealing with a bunch of Windows XP Home machines, unfortunately, so I had to go about things in a different way. I had to download Windows Server 2003 SP1 Administration Tools Pack (Adminpak) KB304718.
From there, one could take certreq.exe
, certutil.exe
, certcli.dll
, and certadm.dll
to a different machine.
Create req.inf:
[NewRequest]
Subject="CN=foo.example.com,C=US"
KeyLength=2048
MachineKeySet=TRUE
Silent=TRUE
certreq.exe -new req.inf Request.pem
Take the
Request.pem
file to the CA, submit the request and issue the certificate. View the certificate details and Copy to File...Transfer the certificate back to the original computer (we'll call it Issued.cer). Also transfer the certificate for the CA to the client machine (not the private key or anything like that).
We need to install both certificates in the Local Computer account store.
Command-line version looks like this:
certutil.exe -encode Issued.cer Issued.pem
certutil.exe -addstore "root" windowsserver.example.local.cer
certreq.exe -accept Issued.pem
This puts the Windows CA in the Trusted Root folder and accepts (into the Personal folder) the issued certificate that we requested earlier.
With Windows XP, you must run these commands as an administrative user. Windows Vista can use the same commands and needs to be running as an administrator as well. However, certutil.exe, etc. may need to be a different version between XP and Vista.
You should be able to connect to the VPN without using a PSK now!
7) Finished!
This setup should work even if the client is behind a NAT (using NAT-T on udp/4500). One caveat I've noticed however is that the client cannot be initially on the same subnet as your organization's internal IP range. Meaning, if your company is using 192.168.1.0/24 and your user happens to be using the same IP range at home, he or she will not be able to connect. For one, this is because Windows will not know how to route the packets. Is a particular packet to 192.168.1.100 meant to go over the VPN or stay local?
Another caveat that I noticed in previous setups is that I don't think two computers can connect to the server from behind the same NAT. I haven't tested this for a while, so it may be fixed in these later versions.
This is obviously a very brief setup guide and I don't go into lots of details on how it all works. You can read some of the sources at the bottom for more information. However, if you do see a better way to do things, let me know. My e-mail address can be deduced from the very bottom of the document.
Hope things work for you!
A Few Referenced Sources
The earlier version of this document
Compiling Openswan on Ubuntu
http://www.jacco2.dds.nl/networking/openswan-l2tp.html
http://support.real-time.com/open-source/ipsec/index.html
http://koeppe-net.de/l2tp-howto.txt
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm
http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.htm
http://www.jacco2.dds.nl/networking/certutil.html
http://lists.openswan.org/pipermail/users/2005-August/006101.html
-----
I hope this helps someone. Let me know if there are errors above and I'll update this document.
-W Gillespie (wgillespie, es2eng.com)
Last updated: 2011-08-19