Trying out a VPN setup

I built an environment for VPN connections on Microsoft Azure.

For the build I used Ubuntu 14.04.4 LTS on an A0 instance.

Required packages

To build the VPN, I installed the following two packages.

  • openswan – Internet Key Exchange daemon
  • xl2tpd – layer 2 tunneling protocol implementation

openswan configuration

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

conn L2TP-PSK-NAT
        rightsubnet=0.0.0.0/0
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress  %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=<Azure VM eth0 IP address>
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=add

The secret needed for the connection would normally be written in /etc/ipsec.secrets, but on Ubuntu it goes in /var/lib/openswan/ipsec.secrets.inc instead.

<Azure VM eth0 IP address> %any: PSK "<SECRET>"

xl2tpd configuration

;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work.  The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documentation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701
;auth file = /etc/l2tpd/l2tp-secrets    ; * Where our challenge secrets are
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are
; access control = yes                  ; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
;
[lns default]                           ; Our fallthrough LNS definition
; exclusive = no                        ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
ip range = 10.0.0.64-10.0.0.127         ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5                ; * But this one is okay
; ip range = lac1-lac2                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8       ; * These can connect as LAC's
; no lac = untrusted.marko.net          ; * This guy can't connect
; hidden bit = no                       ; * Use hidden AVP's?
local ip = <Azure VM eth0 IP>           ; * Our local IP to use
length bit = yes                        ; * Use length bit in payload?
require chap = yes                      ; * Require CHAP auth. by peer
; refuse pap = yes                      ; * Refuse PAP authentication
; refuse chap = no                      ; * Refuse CHAP authentication
; refuse authentication = no            ; * Refuse authentication altogether
require authentication = yes            ; * Require peer to authenticate
; unix authentication = no              ; * Use /etc/passwd for auth.
name = l2tp                             ; * Report this as our hostname
; ppp debug = no                        ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file
; call rws = 10                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                        ; * Include sequence numbers
; challenge = yes                       ; * Challenge authenticate peer
; rx bps = 10000000                     ; Receive tunnel speed
; tx bps = 10000000                     ; Transmit tunnel speed
; bps = 100000                          ; Define both receive and transmit speed in one option

; [lac marko]                           ; Example VPN LAC definition
; lns = lns.marko.net                   ; * Who is our LNS?
; lns = lns2.marko.net                  ; * A backup LNS (not yet used)
; redial = yes                          ; * Redial if disconnected?
; redial timeout = 15                   ; * Wait n seconds between redials
; max redials = 5                       ; * Give up after n consecutive failures
; hidden bit = yes                      ; * Use hidden AVP's?
; local ip = 192.168.1.1                ; * Force peer to use this IP for us
; remote ip = 192.168.1.2               ; * Force peer to use this as their IP
; length bit = no                       ; * Use length bit in payload?
; require pap = no                      ; * Require PAP auth. by peer
; require chap = yes                    ; * Require CHAP auth. by peer
; refuse pap = yes                      ; * Refuse PAP authentication
; refuse chap = no                      ; * Refuse CHAP authentication
; refuse authentication = no            ; * Refuse authentication altogether
; require authentication = yes          ; * Require peer to authenticate
; name = marko                          ; * Report this as our hostname
; ppp debug = no                        ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac
; call rws = 10                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                        ; * Include sequence numbers
; challenge = yes                       ; * Challenge authenticate peer
;
; [lac cisco]                           ; Another quick LAC
; lns = cisco.marko.net                 ; * Required, but can take from default
; require authentication = yes

Set the username and password used to connect to xl2tpd (in /etc/ppp/chap-secrets, the auth file configured above).

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

<USERNAME> l2tp "<PASSWORD>" *

That completes the configuration on the server itself, but for an Azure VM you must also add inbound security rules to the network security group so that the following ports can be received.

  • UDP/500
  • UDP/4500
  • UDP/1701

With these settings in place, you can connect to the Azure VM through xl2tpd.

If you want to reach other servers through the connected Azure VM, additionally configure iptables.

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
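As an added example (not part of the original post), here is a small Python lint that reads the three settings above and flags the pitfalls the sample comments warn about: a server-side address pool that sits inside virtual_private without a %v4:! exclusion, a pool the MASQUERADE rule does not cover, and a pre-shared key left as a placeholder or too short. The sample inputs are constructed from the configuration in the post; the 20-character PSK minimum is an assumed local policy.

```python
"""Lint the openswan/xl2tpd settings for three pitfalls: a server-side pool inside
virtual_private with no exclusion, an uncovered MASQUERADE pool, and a weak PSK."""
import ipaddress
import re

# Constructed samples taken from the configuration in the post.
VIRTUAL_PRIVATE = ("virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
                   "%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10")
IP_RANGE = "ip range = 10.0.0.64-10.0.0.127 ; * Allocate from this IP range"
IPTABLES = "iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE"
SECRETS = '<Azure VM eth0 IP address> %any: PSK "<SECRET>"'  # placeholder kept on purpose
MIN_PSK_LEN = 20  # assumed local policy, not an openswan requirement

def parse_virtual_private(line):
    """Split virtual_private into (included, excluded) networks; '!' marks an exclusion."""
    included, excluded = [], []
    for item in line.split("=", 1)[1].strip().split(","):
        body = item.split(":", 1)[1]          # drop the %v4: / %v6: tag
        target = excluded if body.startswith("!") else included
        target.append(ipaddress.ip_network(body.lstrip("!")))
    return included, excluded

def parse_ip_range(line):
    """Return the first and last address of xl2tpd's 'ip range = a-b' setting."""
    m = re.search(r"ip range\s*=\s*(\S+)-(\S+)", line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def contains_pool(net, first, last):
    """True when both ends of the pool fall inside net (same IP version)."""
    return net.version == first.version and first in net and last in net

def lint(vp_line, range_line, iptables_line, secrets_line):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    included, excluded = parse_virtual_private(vp_line)
    first, last = parse_ip_range(range_line)
    if (any(contains_pool(n, first, last) for n in included)
            and not any(contains_pool(n, first, last) for n in excluded)):
        findings.append(f"pool {first}-{last} lies inside virtual_private with no "
                        "%v4:! exclusion; add one for the server-side network")
    nat_src = ipaddress.ip_network(re.search(r"-s\s+(\S+)", iptables_line).group(1))
    if not contains_pool(nat_src, first, last):
        findings.append(f"MASQUERADE source {nat_src} does not cover the pool")
    psk = re.search(r'PSK\s+"([^"]*)"', secrets_line).group(1)
    if psk.startswith("<") or len(psk) < MIN_PSK_LEN:
        findings.append(f"PSK is still a placeholder or shorter than {MIN_PSK_LEN} characters")
    return findings

if __name__ == "__main__":
    for finding in lint(VIRTUAL_PRIVATE, IP_RANGE, IPTABLES, SECRETS):
        print("WARN:", finding)
```

Run against the post's values it reports two findings (the pool inside 10.0.0.0/8 with no exclusion, and the placeholder PSK); adding %v4:!10.0.0.0/24 to virtual_private and a real key clears both.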