VPN接続の環境をMicrosoft Azure上に構築してみました。
構築はA0インスタンス上のUbuntu 14.04.4 LTSを利用しました。
必要なパッケージ
VPNを構築するのに、以下の二つのパッケージを導入しました。
openswanの設定
# /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # Again: only enable plutodebug or klipsdebug when asked by a developer # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Enable core dumps (might require system changes, like ulimit -C) # This is required for abrtd to work properly # Note: incorrect SElinux policies might prevent pluto writing the core dumpdir=/var/run/pluto/ # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their 3G network. # This range has not been announced via BGP (at least upto 2010-12-21) virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=auto # Use this to log to a file, or disable logging on embedded systems (like openwrt) #plutostderrlog=/dev/null # Add connections here conn L2TP-PSK-NAT rightsubnet=0.0.0.0/0 also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT # # Configuration for one user with any type of IPsec/L2TP client # including the updated Windows 2000/XP (MS KB Q818043), but # excluding the non-updated Windows 2000/XP. # # # Use a Preshared Key. Disable Perfect Forward Secrecy. # # PreSharedSecret needs to be specified in /etc/ipsec.secrets as # YourIPAddress %any: "sharedsecret" authby=secret pfs=no auto=add keyingtries=3 # we cannot rekey for %any, let client rekey rekey=no # Apple iOS doesn't send delete notify so we need dead peer detection # to detect vanishing clients dpddelay=10 dpdtimeout=90 dpdaction=clear # Set ikelifetime and keylife to same defaults windows has ikelifetime=8h keylife=1h # l2tp-over-ipsec is transport mode type=transport # left=<AzureVMのeth0 IPAddress> # # For updated Windows 2000/XP clients, # to support old clients as well, use leftprotoport=17/%any leftprotoport=17/1701 # # The remote user. # right=%any # Using the magic port of "%any" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port. rightprotoport=17/%any # sample VPN connection # for more examples, see /etc/ipsec.d/examples/ #conn sample # # Left security gateway, subnet behind it, nexthop toward right. # left=10.0.0.1 # leftsubnet=172.16.0.0/24 # leftnexthop=10.22.33.44 # # Right security gateway, subnet behind it, nexthop toward left. # right=10.12.12.1 # rightsubnet=192.168.0.0/24 # rightnexthop=10.101.102.103 # # To authorize this connection, but not actually start it, # # at startup, uncomment this. # #auto=add
/etc/ipsec.secretsファイルに接続に必要なシークレットを記述するのですが、Ubuntuでは/var/lib/openswan/ipsec.secrets.incファイルに記述します。
<AzureVMのeth0 IPAddress> %any: PSK "<SECRET>"
xl2tpdの設定
; ; Sample l2tpd configuration file ; ; This example file should give you some idea of how the options for l2tpd ; should work. The best place to look for a list of all options is in ; the source code itself, until I have the time to write better documetation :) ; Specifically, the file "file.c" contains a list of commands at the end. ; ; You most definitely don't have to spell out everything as it is done here ; [global] ; Global parameters: port = 1701 ; * Bind to port 1701 ;auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are auth file = /etc/ppp/chap-secrets ; * Where our challenge secrets are ; access control = yes ; * Refuse connections without IP match ; rand source = dev ; Source for entropy for random ; ; numbers, options are: ; ; dev - reads of /dev/urandom ; ; sys - uses rand() ; ; egd - reads from egd socket ; ; egd is not yet implemented ; [lns default] ; Our fallthrough LNS definition ; exclusive = no ; * Only permit one tunnel per host ; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range ip range = 10.0.0.64-10.0.0.127 ; * Allocate from this IP range ; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts ; ip range = 192.168.0.5 ; * But this one is okay ; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP ; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's ; no lac = untrusted.marko.net ; * This guy can't connect ; hidden bit = no ; * Use hidden AVP's? local ip = <AzureVMのetc0 IP> ; * Our local IP to use length bit = yes ; * Use length bit in payload? require chap = yes ; * Require CHAP auth. by peer ; refuse pap = yes ; * Refuse PAP authentication ; refuse chap = no ; * Refuse CHAP authentication ; refuse authentication = no ; * Refuse authentication altogether require authentication = yes ; * Require peer to authenticate ; unix authentication = no ; * Use /etc/passwd for auth. name = l2tp ; * Report this as our hostname ; ppp debug = no ; * Turn on PPP debugging pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file ; call rws = 10 ; * RWS for call (-1 is valid) ; tunnel rws = 4 ; * RWS for tunnel (must be > 0) ; flow bit = yes ; * Include sequence numbers ; challenge = yes ; * Challenge authenticate peer ; ; rx bps = 10000000 ; Receive tunnel speed ; tx bps = 10000000 ; Transmit tunnel speed ; bps = 100000 ; Define both receive and transmit speed in one option ; [lac marko] ; Example VPN LAC definition ; lns = lns.marko.net ; * Who is our LNS? ; lns = lns2.marko.net ; * A backup LNS (not yet used) ; redial = yes ; * Redial if disconnected? ; redial timeout = 15 ; * Wait n seconds between redials ; max redials = 5 ; * Give up after n consecutive failures ; hidden bit = yes ; * User hidden AVP's? ; local ip = 192.168.1.1 ; * Force peer to use this IP for us ; remote ip = 192.168.1.2 ; * Force peer to use this as their IP ; length bit = no ; * Use length bit in payload? ; require pap = no ; * Require PAP auth. by peer ; require chap = yes ; * Require CHAP auth. by peer ; refuse pap = yes ; * Refuse PAP authentication ; refuse chap = no ; * Refuse CHAP authentication ; refuse authentication = no ; * Refuse authentication altogether ; require authentication = yes ; * Require peer to authenticate ; name = marko ; * Report this as our hostname ; ppp debug = no ; * Turn on PPP debugging ; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac ; call rws = 10 ; * RWS for call (-1 is valid) ; tunnel rws = 4 ; * RWS for tunnel (must be > 0) ; flow bit = yes ; * Include sequence numbers ; challenge = yes ; * Challenge authenticate peer ; ; [lac cisco] ; Another quick LAC ; lns = cisco.marko.net ; * Required, but can take from default ; require authentication = yes
xl2tpdへの接続に使用するユーザー名とパスワードを設定。
# Secrets for authentication using CHAP # client server secret IP addresses <USERNAME> l2tp "<PASSWORD>" *
サーバー自体の設定はこれで完了ですが、AzureVMの場合はネットワークセキュリティグループの受信セキュリティ規則に以下のポートを受信できるように設定を追加しなければなりません。
- UDP/500
- UDP/4500
- UDP/1701
この設定をする事で、l2tpdを使用してAzureVMに接続する事が出来るようになります。
接続したAzureVM経由で別のサーバーにアクセスをしたい場合は、追加でiptablesの設定を行います。
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE