VPN

2014-09-04T02:52:37Z

2601:8:2000:2B5:C827:A41B:8D4F:1E22: Fixed uniluug issue

Connecting to the Internet through Virginia Tech's [http://en.wikipedia.org/wiki/Virtual_private_network Virtual Private Network] (VPN) is the only officially advertised and supported method of accessing certain resources such as [http://network.software.vt.edu/ VT Network Software] from off-campus. Alternatively, you can use SSH tunnels or [[proxies]] to obtain a Virginia Tech IP address.

'''Important:''' You must first create a [http://answers.vt.edu/kb/entry/3765 Remote Access ID] to be able to log into the VPN. This is different from your normal VT PID password. This is the Network Account information on your [https://my.vt.edu/accounts/myaccounts Accounts page].

== pptpclient ==
Tested on [[Arch Linux]] with pptpclient 1.7.2 (updated on 2011-08-28).

* Ensure that you have both '''ppp''' and '''pptpclient''' installed. Otherwise, you may receive strange errors or otherwise be unable to connect.
* Create the file '''/etc/ppp/peers/{{{peername}}}''' with the following:
remotename {{{peername}}}
pty "pptp {{{host}}} --nolaunchpppd"
name username
file /etc/ppp/options.pptp
require-mppe-128
ipparam {{{peername}}}
Make sure to replace '''username''' with your username.
* Edit the file '''/etc/ppp/chap-secrets''' and add the following line to the bottom, replacing '''username''' with your username and '''password''' with your password:
username {{{peername}}} password *
* To connect, use the pon script:
sudo pon {{{peername}}}
* To disconnect, use poff:
sudo poff {{{peername}}}

== Network Manager ==
Tested on [[Fedora]] 15 (updated on 2011-08-28).
Tested on [[Ubuntu]] 12.04 LTS (2012-05-22)

* Install the '''networkmanager-pptp''' package. (Ubuntu users can skip this step.)
* Right click on the Network Manager applet and select Edit Connections...
* Select the VPN tab and click Add.
* Select '''Point-to-Point Tunneling Protocol (PPTP)''' and click Create...
* Enter '''{{{peername_full|{{{peername}}}}}}''' for the connection name.
* Enter '''{{{host}}}''' for the gateway.
* Enter your username and remote access passphrase (in the password field), leaving NT domain blank.
* Click Save...
* Left click on the Network Manager applet, and select '''{{{peername_full|{{{peername}}}}}}''' under VPN Connections.

[[Category:Howtos]] [[Category:Campus computing resources]]

IPsec

2014-09-04T02:50:07Z

2601:8:2000:2B5:C827:A41B:8D4F:1E22:

==Network-to-Network==
For purposes of this tutorial, we are setting up two endpoints, '''vpn1''' and '''vpn2''', both using IPv6 with the subnets '''2001:db8:1::/64''' and '''2001:db8:2::/64''', respectively.

===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25).

* Generate a new host key on both endpoints:
sudo ipsec newhostkey --output /etc/ipsec.secrets

* Configure '''/etc/ipsec.conf''' on '''vpn1''':
config setup
protostack=netkey
nat_traversal=off

conn vpn2
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=vpn2.example.com
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location.

* Configure '''/etc/ipsec.conf''' on '''vpn2''':
config setup
protostack=netkey
nat_traversal=off

conn vpn1
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn2.example.com
leftid=@vpn2.example.com
leftsubnet=2001:db8:2::/64
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location.

* After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two.

===OpenBSD===
Tested on [[OpenBSD]] 5.0 (updated on 2012-02-25).

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>

* Configure '''/etc/ipsec.conf''' on '''vpn1''':
ike esp from 2001:db8:1::/64 to 2001:db8:2::/64 \
peer vpn2.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn1.example.com tag ipsec-vpn1

* Configure '''/etc/ipsec.conf''' on '''vpn2''':
ike esp from 2001:db8:2::/64 to 2001:db8:1::/64 \
peer vpn1.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn2.example.com tag ipsec-vpn1

* We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''.

* After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf

The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.

==Roadwarrior==
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.37 on Arch Linux (updated on 2012-06-27).

* Generate a new host key on both endpoints:
sudo ipsec newhostkey --output /etc/ipsec.secrets

* Configure '''/etc/ipsec.conf''' on your VPN server:
config setup
protostack=netkey
nat_traversal=on

conn myvpn
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=%any
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location.

* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
config setup
protostack=netkey
nat_traversal=on

conn vpn1
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=%defaultroute
leftid=@vpn2.example.com
leftsubnet=2001:db8:2::1/128
leftsourceip=2001:db8:2::1
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location.

* After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two.

===OpenBSD===
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>

* Configure '''/etc/ipsec.conf''' on your VPN server:
ike esp from 2001:db8:1::/64 to 2001:db8:2::1 \
peer any \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn1.example.com tag ipsec-vpn1

* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
ike esp from 2001:db8:2::1 to 2001:db8:1::/64 \
peer vpn1.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn2.example.com tag ipsec-vpn1

* We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''.

* After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf

The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.

===Linux with OpenSWAN (laptop) to OpenBSD (router)===
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).

Assume router has an IPv4 only hostname of home.example.org and you want to route the IPv6 subnet 2001:420:1:9A8::/64
Assume the laptop is called laptop.example.org (does not have to be an actuall DNS entry) and will round the org-local subnet fd20:50::1/128 (which is actually just 1 ip)

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>

* Configure '''/etc/ipsec.conf''' on '''home.example.org''':
ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
peer any \
main auth hmac-sha1 enc aes-256 group modp2048 \
quick auth hmac-sha1 enc aes-256 group modp2048 \
srcid home.example.org tag ipsec-vpn1

* Generate a new host key on '''laptop.example.org''':
sudo ipsec newhostkey --output /etc/ipsec.secrets

* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
config setup
protostack=netkey
nat_traversal=off

conn vpn2
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=%defaultroute
leftid=@laptop.example.org
leftsubnet=fd20:50::1/128
leftsourceip=fd20:50::1
leftrsasigkey=<laptop_pubkey> # from /etc/ipsec.secrets on '''laptop.example.org'''
right=home.example.org
rightid=@home.example.org
rightsubnet=2001:420:1:9A8::/64
rightrsasigkey=<server_pubkey> # converted later from key on '''home.example.org'''
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start

The trickiest part (and its not actually *that* tricky) is to convert the the pubkey on Linux to the format OpenBSD uses, and vice versa. There is a handy perl script found [http://pastebin.com/THUf4Dsg here] that takes in a Linux or OpenBSD formated pubkey in stdin and outputs a OpenBSD or Linux formated pubkey.

On OpenBSD the pubkey is found in '''/etc/isakmpd/local.pub''' and in Linux it is found in /etc/ipsec.secrets. In ipsec.secrets, you will find a public key like:
#pubkey=0s...

* To convert this to OpenBSD format, run

echo ": PUB 0s..." | ./ipsec.pl

where 0s... is your full public key.

* For the OpenBSD key, it is possible to pipe in local.pub like:

cat local.pub | ./ipsec.pl

* Place the output from the OpenBSD pubkey into '''/etc/ipsec.conf''' on '''laptop.example.org''' here:

rightrsasigkey=<server_pubkey>

and put the output for the Linux pubkey into '''/etc/isakmpd/pubkeys/fqdn/laptop.example.org'''

* After you make the necessary changes, starting IPsec is simply a matter of running the following command on '''home.example.org''':
sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf

and on '''laptop.example.org''' restart openswan (generally under the rc script name ipsec) in whatever manner perscribed by your favorite distro.

== External links ==
* [[w:IPsec|IPsec]]

[[Category:Howtos]]

Linux and Unix Users Group at Virginia Teck Wiki - User contributions [en]

VPN

IPsec