Category: Network and Security

2015-01-01 22:42:57


Setting up an IPSEC tunnel

This guide will teach you how to set up a basic IPSEC tunnel so you can use your VPS as a VPN. What is actually built here is L2TP over IPSEC in transport mode (openswan for IPSEC, xl2tpd for L2TP), which is the "L2TP/IPsec with pre-shared key" connection type Windows ships with. IPSEC tunnels are similar to GRE tunnels in that they can carry all forms of traffic, but have the added bonus of being supported natively by Windows.


If you're needing a tunnel between a BuyVM Linux based virtual server and a Linux based destination, we highly recommend you use a GRE tunnel, documented here: GRE tunnelling your filtered IP.


If you don't have administrative control over your destination (a shared service of some sort), then your only choice is a reverse proxy, documented here: Redirecting your filtered IP.


Supported Operating Systems


All operating systems with IPSEC support are, you guessed it, supported.


We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.


Please note, if you're setting this up on an OpenVZ plan with us, you must use a 64bit template.


Prerequisites


iptables installed on your BuyVM VPS (included already in most cases)

A 64bit based distribution if you're doing this on OpenVZ. This can't be stressed enough: it will not work on a 32bit distribution (for the time being).

Setup


First you must install openswan & xl2tpd.


On Debian/Ubuntu:


apt-get update && apt-get dist-upgrade

apt-get install openswan xl2tpd


Note: During the install it will ask if you wish to generate certificates. Certificates can give you added security, but they aren't needed for the pre-shared key setup described here and aren't covered.


On CentOS:


yum -y install xl2tpd openswan


Setup ipsec.conf


Open up /etc/ipsec.conf with your favorite editor. Replace the entire contents with the following. Keep the indentation: openswan treats every line that starts in column 0 as the beginning of a new section, so parameters must be indented under their config setup or conn header.

vi /etc/ipsec.conf


# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # (172.16.8.0/24 is the guide's example; exclude the private networks
    # your own VPS uses, such as the PPP pool configured in xl2tpd.conf)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

# settings shared by both L2TP connections below
conn %default
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any

# clients behind NAT: pull in left/right from the noNAT conn via also=
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    left=209.141.56.138
    right=%any


Make sure you replace 209.141.56.138 (the example BuyVM IP used throughout this guide) with your own BuyVM IP.


Setup xl2tpd.conf


Open up /etc/xl2tpd/xl2tpd.conf with your favorite editor. Replace the entire contents with the following:

vi /etc/xl2tpd/xl2tpd.conf


[global]
;listen-addr = 127.0.0.1 ; Global parameters: leave unset to listen on all addresses
port = 1701 ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are
access control = no ; * Do not restrict clients by source IP
rand source = dev ; Source for entropy for random numbers

[lns default] ; Our fallthrough LNS definition
exclusive = yes ; * Only permit one tunnel per host
ip range = 10.1.0.2 - 10.1.0.100 ; * Addresses handed out to PPP clients
local ip = 10.1.0.1 ; * Server end of the PPP links
refuse authentication = yes ; * Refuse authentication altogether
refuse pap = yes ; * Refuse PAP authentication
refuse chap = yes ; * Refuse CHAP authentication
ppp debug = no ; * PPP debugging off
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file


Optional: Update the ip range & local ip to fit your needs. If you change them, change the source range of the SNAT rule further down to match.


Setup options.l2tpd


Open up /etc/ppp/options.l2tpd with your favorite editor. Replace the entire contents with the following:

vi /etc/ppp/options.l2tpd


# Do not support BSD compression.
nobsdcomp
passive
lock
# Local system name used by pppd for authentication; irrelevant here because
# authentication is disabled below.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate
# Do not authenticate incoming connections. This is handled by IPsec, so the
# pre-shared key in /etc/ipsec.secrets is the only credential a client needs.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
mtu 1400
mru 1400


Setup ipsec.secrets


Open up /etc/ipsec.secrets with your favorite editor. Replace the entire contents with the following:

vi /etc/ipsec.secrets


209.141.56.138 %any: PSK "mysecretpresharedkeypassword"


The format is local-address remote-address: PSK "secret", where %any matches every client. mysecretpresharedkeypassword is the shared key you'll have to enter in each client's configuration; replace it with a long random value, because with noauth in options.l2tpd it is the only credential standing between the Internet and your VPN. All authentication is handled by IPSEC. Keep /etc/ipsec.secrets readable by root only (mode 0600).


Allow traffic to route out your VPS


As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS. Two things the rule alone does not do: the kernel must have forwarding enabled (net.ipv4.ip_forward=1 in /etc/sysctl.conf), and the source range should be narrowed to the PPP pool from xl2tpd.conf (10.1.0.0/24 here) rather than all of 10.0.0.0/8. Because pppd runs with noauth, also make sure UDP 1701 is only reachable through the IPSEC tunnel (the iptables policy match, -m policy --dir in --pol ipsec, accepts exactly that and a following DROP rule rejects the rest); otherwise a plain, unencrypted L2TP client could connect without ever presenting the PSK.


iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source 209.141.56.138


Apply the configuration files


You must now restart the ipsec & xl2tpd daemons. Afterwards, ipsec verify reports problems with the kernel stack and NAT traversal, and ipsec auto --status should list both L2TP-PSK-NAT and L2TP-PSK-noNAT:


/etc/init.d/ipsec restart

/etc/init.d/xl2tpd restart
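Pulling the server-side steps above together, here is an added example (not part of the original guide, nor of openswan or xl2tpd): a POSIX shell script that renders ipsec.conf, ipsec.secrets and the firewall rules from a single server IP and a freshly generated PSK, then checks them for the mistakes that are easy to make by hand: the IP differing between files, the placeholder secret left in place, a world-readable secrets file. It writes into a directory you choose rather than into /etc, so the result can be inspected first. 203.0.113.10 is a documentation address standing in for the BuyVM IP; the 10.1.0.0/24 pool is the guide's xl2tpd range; the also= stanza follows openswan's own L2TP sample; the two INPUT rules that accept UDP 1701 only inside IPSEC are an addition needed because pppd runs with noauth.

```shell
#!/bin/sh
# Added example, not from the original guide: render the server-side
# openswan + xl2tpd files from one SERVER_IP and one PSK, then sanity-check
# them before copying into /etc. 203.0.113.10 is a documentation address
# standing in for your BuyVM IP; the 10.1.0.0/24 PPP pool is the guide's.
set -eu

# 32 random bytes, base64 encoded (44 chars, no quotes or spaces that would
# break the ipsec.secrets line).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# $1 = output directory, $2 = public IP of the VPS, $3 = pre-shared key
render_l2tp_ipsec() {
    outdir=$1 server_ip=$2 psk=$3
    mkdir -p "$outdir"
    # Parameters under a section must be indented; openswan rejects flush-left ones.
    cat > "$outdir/ipsec.conf" <<EOF
version 2.0

config setup
    nat_traversal=yes
    # exclude the PPP pool so no road warrior can claim it as its own subnet
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.1.0.0/24
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$server_ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
    # Syntax is '<local> <remote>: PSK "secret"'; create the file root-only.
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$outdir/ipsec.secrets" )
    # Forwarding must be on; NAT only the PPP pool; and since pppd runs with
    # noauth, accept L2TP (UDP 1701) only when it arrived inside IPsec.
    cat > "$outdir/vpn-firewall.sh" <<EOF
#!/bin/sh
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source $server_ip
EOF
    chmod 700 "$outdir/vpn-firewall.sh"
}

# Prints "ok" and returns 0 when the files agree on the server IP, the secret
# is not one of the placeholders, and ipsec.secrets is mode 600.
check_l2tp_ipsec() {
    outdir=$1 server_ip=$2
    if ! grep -q "^ *left=$server_ip\$" "$outdir/ipsec.conf"; then
        echo "ipsec.conf: left= does not match $server_ip"; return 1
    fi
    if ! grep -q "^$server_ip %any: PSK \"..*\"\$" "$outdir/ipsec.secrets"; then
        echo "ipsec.secrets: expected '$server_ip %any: PSK \"<secret>\"'"; return 1
    fi
    if grep -qE 'PSK "(PSK|mysecretpresharedkeypassword)"' "$outdir/ipsec.secrets"; then
        echo "ipsec.secrets: placeholder secret still in use"; return 1
    fi
    if [ "$(stat -c %a "$outdir/ipsec.secrets")" != 600 ]; then
        echo "ipsec.secrets: must be mode 600"; return 1
    fi
    if ! grep -q -- "--to-source $server_ip" "$outdir/vpn-firewall.sh"; then
        echo "vpn-firewall.sh: SNAT source does not match $server_ip"; return 1
    fi
    echo ok
}
```

Usage: render_l2tp_ipsec /tmp/vpn 203.0.113.10 "$(gen_psk)" followed by check_l2tp_ipsec /tmp/vpn 203.0.113.10; when it prints ok, copy ipsec.conf and ipsec.secrets into /etc, run vpn-firewall.sh (and arrange for it to run at boot), and restart the daemons as above. The xl2tpd.conf and options.l2tpd files are left exactly as the guide gives them.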


Client side configuration


From here you must configure your client side. The connection type is L2TP/IPsec with a pre-shared key; the key is the one you put in /etc/ipsec.secrets, and no username or password is checked because pppd runs with noauth.


For a good Windows 2008/2012/7/8 guide, please check out the guide linked from the original page and follow all the steps except 9 & 10, as those are specific to their platform.
