Difference between revisions of "Vpnsec Linux install"

From Cncz
Edit summary (minor edit): Added description of installation without NetworkManager

Revision as of 14:45, 29 February 2016

This procedure assumes Ubuntu 14.04 with NetworkManager. See below for a manual procedure without NetworkManager.

Install the required software:

# aptitude install network-manager-strongswan strongswan-plugin-eap-mschapv2
The following NEW packages will be installed:
  libstrongswan{a} network-manager-strongswan strongswan-ike{a} strongswan-nm{a}
  strongswan-plugin-eap-mschapv2 strongswan-plugin-openssl{a} 
...

# service network-manager stop
network-manager stop/waiting
# service network-manager start
network-manager start/running, process 29031

Configuration:

Select the NetworkManager applet and after that Edit Connections...

[Screenshot: Vpnsec linux 2.png]

Click Add, select IPsec/IKEv2 in the VPN section, and click Create.

[Screenshot: Vpnsec linux 3.png]

Fill in the Connection name, the Address (vpnsec.science.ru.nl), your login name, etc., and tick the checkboxes where needed.

[Screenshot: Vpnsec linux 4.png]

Save: (Save and Close)

[Screenshot: Vpnsec linux 5.png]

Start the VPN. Select the NetworkManager applet, next VPN Connections and finally the connection created.

[Screenshot: Vpnsec linux 6.png]

Known problems

If the VPN connection has been established, but ping ns1.science.ru.nl doesn't work while ping 131.174.224.4 does, DNS resolution over the VPN is failing and dnsmasq is probably the culprit. This can be solved by disabling the dnsmasq DNS cache, as described in the Ask Ubuntu question "DNS problem when connected to a VPN":

First make sure that there are no lines beginning with nameserver in any files in /etc/resolvconf/resolv.conf.d.
If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to target original, make it point to /dev/null.

Second, disconnect from the VPN. Edit /etc/NetworkManager/NetworkManager.conf

$ sudo gedit /etc/NetworkManager/NetworkManager.conf

and comment out

dns=dnsmasq

(i.e., add a # so that it looks like the following)

#dns=dnsmasq

and then

sudo service network-manager restart
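The workaround above as an added shell helper (example code, not part of the C&CZ page): it reports which files under resolv.conf.d still set a nameserver, and comments out dns=dnsmasq without turning it into ##dns=dnsmasq on a second run. The paths are parameters, defaulting to the Ubuntu 14.04 locations named above, so it can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the C&CZ page): apply the dnsmasq workaround above
# idempotently. Defaults are the Ubuntu 14.04 paths named in the text; pass
# other paths to dry-run against copies.
set -eu

# Print the regular files under a resolv.conf.d directory that still carry a
# "nameserver" line; such lines override the DNS servers pushed by the VPN.
# A "tail" symlink to /dev/null is skipped (it is not a regular file).
resolvconf_nameserver_files() {
    dir="${1:-/etc/resolvconf/resolv.conf.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*nameserver' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Comment out "dns=dnsmasq" in a NetworkManager.conf. Safe to run twice: an
# already commented line no longer matches, so "#dns=dnsmasq" never becomes
# "##dns=dnsmasq". Prints "changed" or "unchanged".
disable_nm_dnsmasq() {
    conf="${1:-/etc/NetworkManager/NetworkManager.conf}"
    if grep -q '^[[:space:]]*dns=dnsmasq[[:space:]]*$' "$conf"; then
        tmp=$(mktemp)
        sed 's/^[[:space:]]*dns=dnsmasq[[:space:]]*$/#dns=dnsmasq/' "$conf" > "$tmp"
        cat "$tmp" > "$conf"   # write in place, keeping the file's owner and mode
        rm -f "$tmp"
        echo changed
    else
        echo unchanged
    fi
}

# Usage (as root, with the VPN disconnected):
#   resolvconf_nameserver_files          # should print nothing
#   disable_nm_dnsmasq                   # prints "changed" the first time
#   service network-manager restart
```

Run it with the VPN disconnected, as the page says; if resolvconf_nameserver_files prints anything, remove those nameserver lines (or repoint the tail link to /dev/null) before restarting network-manager.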

Installation without NetworkManager

Install strongswan, including the curl, eap-identity, eap-mschapv2 and md4 plugins (MS-CHAPv2 needs MD4 for the NT password hash). When you compile strongswan from source, make sure to pass the corresponding --enable-* options to the configure script (the option for the eap-identity plugin is --enable-eap-identity):

$ ./configure --enable-curl --enable-md4 --enable-openssl --enable-xauth-eap --enable-eap-md5 --enable-eap-gtc --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-mschapv2 --enable-eap-identity
$ make
$ sudo make install

You can check which plugins are loaded with sudo ipsec statusall (the "loaded plugins:" line) or sudo ipsec listplugins. If necessary you can load plugins manually by editing strongswan.conf.

Make sure your ipsec.conf, probably located in /etc or in /usr/local/etc, looks like this. The security-relevant settings: rightauth=pubkey together with rightid=@vpnsec.science.ru.nl makes the client accept the server only if it presents a certificate for that identity that chains to a CA in ipsec.d/cacerts; strictcrlpolicy=yes additionally refuses the connection when no valid CRL for that chain can be obtained (it is fetched from the certificate's CRL distribution point by the curl plugin, which is why that plugin is required); rightsubnet=0.0.0.0/0 sends all traffic through the tunnel, and forceencaps=yes forces UDP encapsulation so the tunnel also works behind NAT or firewalls that drop plain ESP:

config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn science
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftid=mysciencelogin        <-- edit this
    eap_identity=mysciencelogin  <-- edit this
    right=vpnsec.science.ru.nl
    rightauth=pubkey
    rightid=@vpnsec.science.ru.nl
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    auto=start

And your ipsec.secrets as follows, where you enter your own Science account name and password. This file holds the password in cleartext; keep it owned by root with mode 0600 so other local users cannot read it:

mysciencelogin : EAP "mypassword"

Everything should work now:

$ sudo ipsec start
$ sudo ipsec up science

If the server certificate cannot be verified, it can be necessary to put the root certificate of the vpnsec.science.ru.nl chain (DigiCert Assured ID Root CA) in strongSwan's cacerts folder manually. The source path depends on your distribution: the command below is for a system that extracts the CA bundle to /etc/ca-certificates/extracted/cadir; on Ubuntu the Mozilla bundle is in /usr/share/ca-certificates/mozilla/ with a .crt extension. The [/usr/local] prefix applies when strongswan was installed from source under /usr/local. Only the root the server's chain ends in belongs in cacerts, since every CA there is trusted to vouch for rightid:

$ sudo ln -s /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_CA.pem [/usr/local]/etc/ipsec.d/cacerts/DigiCert_Assured_ID_Root_CA.pem
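Tying the manual steps together, here is an added shell helper (example code, not from the C&CZ page or from the strongSwan project). It checks the "loaded plugins:" line of ipsec statusall for the plugins this page requires (plus revocation, the plugin that enforces strictcrlpolicy), writes ipsec.conf and ipsec.secrets with the login substituted and the secrets file restricted to root, and links a root certificate into ipsec.d/cacerts after checking that the file is a PEM certificate. Assumptions: the config prefix (/etc or /usr/local/etc) is passed explicitly, the password is read from stdin so it never appears in argv, ps output or shell history, and the statusall sample is constructed for this example with md4 deliberately absent.

```shell
#!/bin/sh
# Added example (not from the C&CZ page or strongSwan): helper for the manual
# vpnsec procedure. Config prefix is an explicit argument; password on stdin.
set -eu

# Plugins the page names as required, plus revocation (CRL/OCSP checking,
# which is what strictcrlpolicy=yes relies on; built by default).
REQUIRED_PLUGINS="curl eap-identity eap-mschapv2 md4 revocation"

# Constructed, trimmed "ipsec statusall" output for the usage example below;
# md4 is deliberately missing.
SAMPLE_STATUSALL='Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0, x86_64):
  uptime: 3 seconds, since Feb 29 14:45:00 2016
  loaded plugins: charon aes sha1 sha2 md5 random nonce x509 revocation pubkey pem openssl curl kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2'

# Read statusall output on stdin; print required plugins not in the
# "loaded plugins:" line (empty output means all are present).
missing_plugins() {
    loaded=$(sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p')
    missing=""
    for p in $REQUIRED_PLUGINS; do
        case " $loaded " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Write ipsec.conf and ipsec.secrets under $1 for Science login $2, password
# on stdin. The login is restricted to [A-Za-z0-9._-] so it cannot inject
# config syntax; a password containing '"' is refused rather than relying on
# ipsec.secrets quoting rules. ipsec.secrets holds the password in cleartext,
# so it is created with mode 0600 (charon reads it as root).
write_vpnsec_config() {
    confdir="$1"; login="$2"
    case "$login" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid login: $login" >&2; return 1 ;;
    esac
    IFS= read -r password
    case "$password" in
        *\"*) echo 'password must not contain a double quote' >&2; return 1 ;;
    esac
    cat > "$confdir/ipsec.conf" <<EOF
config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn science
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftid=$login
    eap_identity=$login
    right=vpnsec.science.ru.nl
    rightauth=pubkey
    rightid=@vpnsec.science.ru.nl
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    auto=start
EOF
    ( umask 077; printf '%s : EAP "%s"\n' "$login" "$password" > "$confdir/ipsec.secrets" )
    chmod 600 "$confdir/ipsec.secrets"
}

# Link one root certificate into $2/ipsec.d/cacerts after checking it is a
# PEM certificate. Only the root of the server's chain belongs there: every
# CA in cacerts is trusted to vouch for rightid.
install_ca_cert() {
    src="$1"; confdir="$2"
    grep -q '^-----BEGIN CERTIFICATE-----$' "$src" || {
        echo "$src is not a PEM certificate" >&2; return 1; }
    mkdir -p "$confdir/ipsec.d/cacerts"
    ln -sf "$src" "$confdir/ipsec.d/cacerts/$(basename "$src")"
}

# Usage (as root, after strongswan is installed):
#   printf '%s\n' "$SAMPLE_STATUSALL" | missing_plugins      # prints: md4
#   ipsec statusall | missing_plugins                        # real check
#   write_vpnsec_config /etc mysciencelogin                  # then type the password
#   install_ca_cert /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt /etc
#   ipsec start && ipsec up science
```

Typing the password on the terminal echoes it; piping it in from a password manager avoids that. After install_ca_cert, ipsec rereadcacerts (or a restart) makes charon pick up the new root.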