Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

You can specify DNS and WINS servers inside the remote office network. Clients will then use those instead of the DNS/WINS servers assigned by their ISP's DHCP server. This is necessary to resolve machine names that are only available within the office network. If you use this L2TP connection to not only get a virtual IP and reach the office network, but also as the default connection for all packets, change the nodefaultroute option to defaultroute. This will also require you to make a similar configuration change in the client configuration to send all traffic over the VPN connection. The proxyarp parameter ensures that the virtual IP the remote client obtains appears to be located in the remote office LAN. The Linux server will answer ARP requests on the local Ethernet on behalf of all the L2TP-assigned virtual IP addresses.

Configuring User Authentication for pppd

pppd will need to authenticate users using their usernames and passwords. Do not confuse this with the PSK, which just authenticates a group of machines with IPsec for Phase 1. If you have a Windows Domain or some way to authenticate users on the office network, you'll want to hook pppd into this. Probably the easiest way is to use a recent version of pppd with RADIUS support. Configuring a RADIUS server falls outside the scope of this book. Take a look at FreeRADIUS for a good free RADIUS implementation.

For small setups, it is probably enough to use a simple /etc/ppp/chap-secrets file:

    # Secrets for authentication using CHAP
    # client    server    secret             IP addresses
    paul        *         "mysecret"         192.168.1.128/25
    *           paul      "mysecret"         192.168.1.128/25
    ken         *         "anothersecret"    192.168.1.130
    *           ken       "anothersecret"    192.168.1.130

In this example, the user paul has password mysecret. pppd will pick any available IP from the range 192.168.1.128/25 (which should fall within the subnet range specified in our L2TP configuration). The user ken has been given a static IP address of 192.168.1.130. Be careful not to overlap static addresses with address ranges or addresses might get handed out twice.

If you enable Use Windows logon on the Windows clients to enable them to log in to the office network over the VPN, then the client will authenticate itself as \\DOMAINNAME\username instead of just username, in which case you will need to use the full syntax for the username, such as \\XELERANCE\paul.
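As an added example (not code from the book), the following Python script parses a chap-secrets file laid out like the one above and reports the address problems this section warns about: a static address that also lies inside a range given to another user, one static address given to two different users, and any address or range that falls outside the subnet handed out by the L2TP configuration. Its tokenizer also accepts the \\DOMAINNAME\username client names used for Windows logons. The sample file is constructed from the chapter's entries plus two extra lines; the L2TP subnet 192.168.1.0/24 and the simplified tokenizer (no backslash escape processing, unlike pppd's own word parser) are assumptions of the example. Run on the chapter's own entries, it reports that ken's static 192.168.1.130 lies inside paul's 192.168.1.128/25, since that range covers .128 through .255.

```python
import ipaddress

# Constructed sample: the chapter's chap-secrets entries, plus a Windows-domain
# user (the \\DOMAINNAME\username form) and one line whose address lies
# outside the L2TP subnet, so that every check below has something to report.
SAMPLE_CHAP_SECRETS = r'''
# Secrets for authentication using CHAP
# client            server  secret           IP addresses
paul                *       "mysecret"       192.168.1.128/25
*                   paul    "mysecret"       192.168.1.128/25
ken                 *       "anothersecret"  192.168.1.130
*                   ken     "anothersecret"  192.168.1.130
\\XELERANCE\sue     *       "domain secret"  10.0.0.5
'''

# The subnet given out by the xl2tpd/pppd configuration is not on this page;
# 192.168.1.0/24 is an assumption for this example.
L2TP_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def tokenize(line):
    r"""Split one chap-secrets line into fields.

    Double-quoted fields are kept whole (a secret may contain spaces) and an
    unquoted '#' starts a comment. This is a simplified tokenizer, not pppd's
    own word parser: backslash escapes are not processed, so a client name
    such as \\DOMAINNAME\username is taken literally.
    """
    fields, cur, quoted, in_token = [], [], False, False
    for ch in line:
        if quoted:
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted, in_token = True, True
        elif ch == "#":
            break
        elif ch.isspace():
            if in_token:
                fields.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
    if in_token:
        fields.append("".join(cur))
    return fields


def parse_chap_secrets(text):
    """Return one dict per entry: line, client, server, secret, addresses."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = tokenize(raw)
        if not fields:
            continue                      # blank or comment-only line
        if len(fields) < 3:
            raise ValueError("line %d: expected client, server and secret" % lineno)
        entries.append({
            "line": lineno,
            "client": fields[0],
            "server": fields[1],
            "secret": fields[2],
            "addresses": fields[3:],      # zero or more; "*" means any address
        })
    return entries


def principal(entry):
    """The user an entry is about: the client name, or the server name on the
    mirrored '* user secret' line."""
    return entry["client"] if entry["client"] != "*" else entry["server"]


def check_addresses(entries, l2tp_subnet):
    """Return warning strings for address fields that could hand an IP out
    twice, or that lie outside the subnet the L2TP configuration gives out."""
    warnings = []
    ranges, statics = {}, {}              # principal -> set of networks / addresses
    for e in entries:
        for field in e["addresses"]:
            if field == "*":
                continue
            net = ipaddress.ip_network(field, strict=False)
            if not net.subnet_of(l2tp_subnet):
                warnings.append("line %d: %s is outside %s" % (e["line"], field, l2tp_subnet))
            if net.num_addresses == 1:
                statics.setdefault(principal(e), set()).add(net.network_address)
            else:
                ranges.setdefault(principal(e), set()).add(net)
    for user, addrs in statics.items():
        for addr in addrs:
            # A static address inside another user's range may be handed out twice.
            for other, nets in ranges.items():
                for net in nets:
                    if other != user and addr in net:
                        warnings.append("static %s for %s overlaps range %s for %s"
                                        % (addr, user, net, other))
            # The same static address assigned to two different users.
            for other, other_addrs in statics.items():
                if user < other and addr in other_addrs:
                    warnings.append("static %s given to both %s and %s" % (addr, user, other))
    return warnings


if __name__ == "__main__":
    for warning in check_addresses(parse_chap_secrets(SAMPLE_CHAP_SECRETS), L2TP_SUBNET):
        print(warning)
```

To check a real server, read /etc/ppp/chap-secrets into `parse_chap_secrets` and pass the subnet from your own L2TP configuration; the two mirrored lines per user are recognised as the same principal, so they do not report against each other.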

Microsoft Windows XP L2TP Configuration

Windows XP and 2003 can be configured to use either PSK or X.509 Certificates in combination with L2TP. Apart from the certificate import process, configuration of both versions is practically identical. First log in as a user that has administrative access to the local machine.

Start the New Connection Wizard. You will find it at Start | All Programs | Accessories | Communications | New Connection Wizard. Click Next when the wizard's splash screen appears. From the four options presented, choose Connect to the network at my workplace and click Next.

165

Interoperating with Microsoft Windows and Apple Mac OS X

On the next screen, select Virtual Private Network connection, and click Next. Give the VPN connection a name and click Next. Then specify the gateway, in our example aivd.xelerance.com, and click Next, and then Finish.

Connect to the VPN and fill in the username and password that was previously set in the CHAP secrets file. Save the username and password if you wish by checking the box, and specify whether all users will be allowed to start the VPN or not.

Don't start the connection yet. First, click the Properties button.

On the Options tab, check Include Windows logon domain if you wish to log in to a remote Windows domain.


On the Security tab, choose Advanced (custom settings), and then click the Settings... button. On the Advanced Security Settings dialog, select Optional encryption in the Data encryption dropdown. This refers to the L2TP encryption. Since we are using L2TP/IPsec, we are already using IPsec for our encryption and there is no need to enforce encryption on the L2TP layer as well. Under Allow these protocols, make sure PAP is not selected and CHAP is selected. Select OK.


A pop-up will appear, warning you that encryption (for L2TP) may not occur. Since we are using IPsec, we don't really care so select Yes, and you'll be returned to the Security tab.

Click the IPSec Settings... button. On the dialog that appears, check Use pre-shared key if you want to use PSK, and type in the PSK that you put in /etc/ipsec.secrets on the Openswan server earlier.

If you want to use X.509 Certificates, make sure this box is not checked and do not forget to import the appropriate certificates later. You can either use Xelerance's certimport.exe or follow the manual import procedure described at the end of this chapter. Click on OK, and open the Networking tab.

Change the Type of VPN to L2TP IPSec VPN. You can further configure the TCP/IP settings for the virtual IP that you will obtain by selecting Internet Protocol (TCP/IP) in the lower pane, and then clicking on Properties.
