NOTE - THIS PAGE HAS MOVED

'PLEASE FOLLOW THIS LINK' - http://sqls.net/wiki/HOWTO:_Linux_VPN_Server

The depth of this howto continues to change and deepen. It's slowly becoming more involved than the current title might imply.

This link will remain at this site, but the document has been moved to the above link.

All information left on this page is out-dated. Please use the above link.


ALL INFORMATION BELOW THIS POINT IS OUT DATED

'The above PPTP and L2TP/IPsec via PSK configurations have been tested to work. All the content below is old, messy, scrambled-up notes that cover certificates, FreeRADIUS, and Active Directory integration.'


NOTES
OUTDATED! Setup Three - L2TP/IPSEC-X.509/PPP

Setup OpenSSL

All we are doing now is taking the work completed in [Setup Two] and moving to X.509 certificates. So the first thing we need is OpenSSL. On Gentoo you can just emerge it.

  # emerge openssl -va

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild   R   ] dev-libs/openssl-0.9.8e-r1  USE="bindist sse2 zlib -emacs -test" 0 kB

Now edit /etc/ssl/openssl.cnf (or wherever your distro puts it) and set the "_default" values in the '[ req_distinguished_name ]' section. Having these defaults already set up makes life easier later. I created a 'localityName_default' field and commented out 'organizationalUnitName' because I don't need it.

The 'commonName' confused me. My research at first led me to think it should be something like 'Company_Name Certificate Authority'; then I read other guides about setting up CAs for web servers which said it needed to be the domain name. I'm not totally sure here. Once I got further into this project, what I can tell is that it can be anything that describes the "thing/person" the cert you are creating (at that time) will be used for. So for the CA cert you could use "CAcert", "ca.domain.com" or "Company CA Root", anything that's descriptive to you. For the cert used by your StrongSwan server (yes, it needs its own) you could use "StrongSwan", "VPN-Gateway" or "hostname.domain.com". Then for each VPN client you set up you could use their Active Directory CN (my goal), first/last name, machine name, or whatever is descriptive enough that you know who it is. This matters later when we get into the CRL and the index file that records which cert PEM files went to whom: it shows their Common Name (CN), and that's how you'll figure out which file to revoke when that needs to be done.

I also created an 'emailAddress_default' value (more laziness) and changed nsComment to "SQLS Certificate". Please read the manpage for openssl.cnf for more information on the options.

Create a Certificate Authority

Now you need to create a Certificate Authority (CA). This will allow you to sign your own certificates. You could use another CA such as Verisign, GoDaddy or http://www.cacert.org/; the first two cost money but are fully supported by mainstream browsers, while the last is free but not currently supported natively by any mainstream browser. For now, just make your own :) There are plenty of websites that describe ways to do this; feel free to Google "Create OpenSSL CA" if you need more help on it.

Create a directory to house your CA. You can put it anywhere you wish. If you are going to create a CA that will be used only for StrongSwan you could put it inside StrongSwan's config folder. I plan to use it for various tasks and chose '/etc/ssl', partly because Gentoo already has this folder and seems to put all the cert stuff there. It keeps it all in one place; I like simple. When we create the CA it will actually make a sub-folder named demoCA, so it will not get mixed up with the other files in that folder.

Find the 'CA.sh' script; some distributions seem to rename it to just 'CA'. You can use slocate or find to locate it. For example:

  # slocate CA*
  # find / -name "CA*" -print

Locations on various distributions:

* For my Gentoo system it's located in '/etc/ssl/misc/CA.sh'
* Debian: '/usr/lib/ssl/misc/CA.sh'
* RedHat 7.x+: '/usr/share/ssl/misc/CA'

Now here's a catch that threw me off for a bit: when you create the CA you first need to modify the openssl.cnf file, then change it back once you are done. This was the case for the version I used at least. So edit /etc/ssl/openssl.cnf and, under the '[ CA_default ]' section, change the 'x509_extensions' variable to 'v3_ca'. You could comment out the old line and add the new one next to it, which makes switching back easier in the long run. It would then look something like:

  #x509_extensions = usr_cert   # Use this line for everything else
  x509_extensions = v3_ca       # Use this line to create a CA cert.

Now make sure you are in the folder you want to store your certificates in; for me it's '/etc/ssl'. Now let's run the CA.sh (or just CA) script and create the Certificate Authority. Be sure to choose a good passphrase and write it down if you cannot remember it. You 'will' need it later.

  # cd /etc/ssl
  # /etc/ssl/misc/CA.sh -newca
  CA certificate filename (or enter to create)
  (press enter)
  Making CA certificate ...
  Generating a 1024 bit RSA private key
  ...............++++++
  ..........++++++
  writing new private key to './demoCA/private/./cakey.pem'
  Enter PEM pass phrase: (type passphrase)
  Verifying - Enter PEM pass phrase: (type passphrase again)

  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.

  Country Name (2 letter code) [US]:
  State or Province Name (full name) [Oklahoma]:
  Locality Name (eg, city) [Tulsa]:
  Organization Name (eg, company) [SQLS]:
  Common Name (eg, YOUR name) []:SQLS Certificate Authority
  Email Address [it@sqls.com]:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  Using configuration from /etc/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/./cakey.pem:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
      Serial Number: 0 (0x0)
      Validity
          Not Before: Aug 16 14:40:26 2007 GMT
          Not After : Aug 15 14:40:26 2010 GMT
      Subject:
          countryName               = US
          stateOrProvinceName       = Oklahoma
          organizationName          = SQLS
          commonName                = SQLS Certificate Authority
          emailAddress              = it@sqls.net
      X509v3 extensions:
          X509v3 Subject Key Identifier:
              8D:24:3E:25:EC:C2:85:B9:7B:4D:1D:49:7B:66:0C:96:D2:BA:24:F2
          X509v3 Authority Key Identifier:
              keyid:8D:24:3E:25:EC:C2:85:B9:7B:4D:1D:49:7B:66:0C:96:D2:BA:24:F2
          X509v3 Basic Constraints:
              CA:TRUE
  Certificate is to be certified until Aug 15 14:40:26 2010 GMT (1095 days)

  Write out database with 1 new entries
  Data Base Updated


So you got halfway through and made a mistake? You want a different password? You want to start over? Just delete the demoCA folder it created (for me, at least, at /etc/ssl/private/demoCA) and then reissue the CA.sh -newca command.


The created CA certificate is only valid for three years (this could be different on your system, based on a configuration setting). Often you want a longer lifetime for the certificate of your CA. Below is how you can re-sign the certificate to last for 10 years; you could use any length of time you want, however. Keep in mind that whatever length you use here must be longer than the length you use when creating any certificate to be signed by this CA certificate.

  # openssl x509 -in demoCA/cacert.pem -days 3650 -out demoCA/cacert.pem -signkey demoCA/private/cakey.pem
  Getting Private key
  Enter pass phrase for private/cakey.pem:

The certificate authority is now ready to go. Go back into the /etc/ssl/openssl.cnf file and change it back, or leave the CA line commented out as below:

  x509_extensions = usr_cert    # Use this line for everything else
  #x509_extensions = v3_ca      # Use this line to create a CA cert.

Create a Certificate for StrongSwan

You will need to generate a certificate for every machine that will be making an IPsec connection. This includes the VPN server and each of your client machines. This section details how to create the certificate for the StrongSwan server. Be sure to give this certificate a commonName that describes what it is being used for, such as 'VPN Server'.

First, however: in order for Mac clients and Windows Vista (without modifying Vista's settings) to work with your server, you must also add a subjectAltName value to the server's certificate. To do this you need to add it to the openssl.cnf file. I have read that certificates issued to clients are allowed to contain any type of ID and that, unlike server certificates, there are no restrictions for client certificates, so it should not harm anything to just leave this as part of your openssl.cnf file. Another note: if you use Vista and put in the IP address instead of the server host name, this is no longer an issue. But I want to use my server host name.

/etc/ssl/openssl.cnf|<pre>
[ usr_cert ]
# describe certificate's host. This is required for Mac and Vista VPN connections
# because they expect and verify it.
subjectAltName=DNS:vpn.sqls.net
</pre>

Again we'll be using the CA.sh script, except this time, instead of telling it to create a new Certificate Authority, we're telling it to create a request and then sign a certificate. The first certificate we create will be

  # /etc/ssl/misc/CA.sh -newreq
  Generating a 1024 bit RSA private key
  ...............................++++++
  ..++++++
  writing new private key to 'newkey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:

  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.

  Country Name (2 letter code) [US]:
  State or Province Name (full name) [Oklahoma]:
  Locality Name (eg, city) [Tulsa]:
  Organization Name (eg, company) [SQLS]:
  Common Name (eg, YOUR name) []: SQLS VPN Gateway
  Email Address [it@sqls.net]:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []: (enter)
  An optional company name []: (enter)
  Request is in newreq.pem, private key is in newkey.pem

What we just did is generate a Certificate Signing Request. This is the same type of request you would send to Thawte or Verisign to get a generally accepted SSL certificate. For our purposes, however, we'll sign it with our own CA.

Speaking of that, let's sign it.

  # /etc/ssl/misc/CA.sh -sign

  Using configuration from /etc/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  Check that the request matches the signature
  Signature ok
  Certificate Details:

      Serial Number: 1 (0x1)
      Validity
          Not Before: Aug 16 15:09:58 2007 GMT
          Not After : Aug 15 15:09:58 2008 GMT
      Subject:
          countryName               = US
          stateOrProvinceName       = Oklahoma
          localityName              = Tulsa
          organizationName          = SQLS
          commonName                = SQLS VPN Gateway
          emailAddress              = it@sqls.net
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              SQLS Certificate
          X509v3 Subject Key Identifier:
              6A:44:CB:21:7B:04:01:E4:1F:94:34:67:F0:1F:5B:94:65:4C:D4:16
          X509v3 Authority Key Identifier:
              keyid:AB:ED:CD:7C:85:CF:24:28:5D:B0:7E:52:74:AE:AA:68:C4:CD:7E:62

  Certificate is to be certified until Aug 15 15:09:58 2008 GMT (365 days)
  Sign the certificate? [y/n]:

  1 out of 1 certificate requests certified, commit? [y/n]
  Write out database with 1 new entries
  Data Base Updated
  Certificate:

  Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=US, ST=Oklahoma, O=SQLS, CN=VPN-Server/emailAddress=it@sqls.net
      Validity
          Not Before: Aug 16 15:09:58 2007 GMT
          Not After : Aug 15 15:09:58 2008 GMT
      Subject: C=US, ST=Oklahoma, L=Tulsa, O=SQLS, CN=VPN-Server/emailAddress=it@sqls.net
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                  00:9d:65:be:6c:1d:48:70:0a:90:26:27:51:2b:58:
                  53:f8:ca:1a:d9:29:64:30:49:db:d1:c2:a6:81:b0:
                  84:eb:ac:0f:76:de:5c:bf:4e:7d:21:fa:4b:55:f8:
                  e1:56:3a:2d:b5:4b:7f:7d:a5:b9:42:b7:57:8e:60:
                  aa:24:96:df:d8:78:6c:e3:67:de:9c:63:53:fb:fc:
                  49:08:a3:66:7b:31:c5:f9:3e:8c:d9:e9:75:a7:28:
                  7c:fc:3e:56:f7:9d:8c:47:da:44:8e:74:c1:83:b1:
                  43:dd:48:60:5b:fe:c0:72:e5:01:a1:48:da:c1:de:
                  4c:55:9d:fd:c7:dc:87:08:67
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              SQLS Certificate
          X509v3 Subject Key Identifier:
              6A:44:CB:21:7B:04:01:E4:1F:94:34:67:F0:1F:5B:94:65:4C:D4:16
          X509v3 Authority Key Identifier:
              keyid:AB:ED:CD:7C:85:CF:24:28:5D:B0:7E:52:74:AE:AA:68:C4:CD:7E:62
  Signature Algorithm: sha1WithRSAEncryption
      59:43:dc:80:92:a1:b1:2c:ab:e6:b3:cb:b1:44:a5:6c:57:8a:
      5b:45:59:8e:9b:6a:d5:0f:df:33:50:18:9d:1c:05:91:eb:16:
      8a:7f:66:da:18:88:fb:8e:f9:cc:16:51:40:fb:10:50:79:74:
      ec:41:ed:00:04:3e:2d:41:0d:c2:62:25:53:15:b0:32:1e:f4:
      5c:58:a3:3a:d7:d9:70:5d:1b:e3:5f:b9:61:09:c5:32:a4:08:
      d6:3c:7d:29:fd:d8:64:3c:65:af:e2:a3:6f:f5:7c:13:8f:ef:
      e8:1d:40:81:4b:29:04:15:cb:dd:0d:80:2a:9f:2d:ee:aa:f4:
      08:41

  Signed certificate is in newcert.pem


Okay... Next, let's move the output files to names that make a bit more sense for future reference. You're welcome to use whatever names make sense to you; just keep in mind what you named them. I've picked out some folders for these files and you can also use your own. As mentioned before, I'm putting everything into /etc/ssl. All the files for StrongSwan are going into /etc/ssl/strongswan.

  # mkdir /etc/ssl/strongswan/certs
  # mkdir /etc/ssl/strongswan/keys
  # mkdir /etc/ssl/strongswan/requests
  # mv newcert.pem /etc/ssl/strongswan/certs/vpn-server.pem
  # mv newkey.pem /etc/ssl/strongswan/keys/vpn-server.key
  # mv newreq.pem /etc/ssl/strongswan/requests/vpn-server.req

'Note': to view a certificate's details:

  # openssl x509 -in filename.crt -noout -text

Create CRL (Certificate Revocation List)

In case a private key gets stolen or compromised, you have to revoke its certificate, because based on its lifetime it is still valid. Revoked certificates are listed in the certificate revocation list (CRL). First, create an (empty) list. For my version of OpenSSL I got an error about the crlnumber file not existing; the internet said I needed to create this file. If it exists for you, you can skip that step. I also read you could comment the 'crlnumber' option out of the openssl.cnf file, but I don't know much about that. Right now I understand the CRL applies globally to all certificates created with this CA, so let's just put the CRL file into the demoCA/crl folder.

  # echo 01 > demoCA/crlnumber
  # openssl ca -gencrl -out demoCA/crl/server.crl
  Using configuration from /etc/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:

To revoke a certificate you need the certificate file. This is also stored in demoCA/newcerts/; the name of the certificate can be read from demoCA/index.txt. Then use the following command:

# openssl ca -revoke compromised_cert.pem

Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
Revoking Certificate 01.
Data Base Updated

(Need to clean this up.) Revoking Certificates with your OpenSSL CA (and telling people about this using CRLs)

Note: for this to work, anything that trusts your certificates needs to check the latest CRL (Certificate Revocation List); otherwise it won't know you've revoked the certificate.

Note 2: not all of the files you need for doing CRLs can be specified on the command line; however, the config file to use can be (with -config <file>). Therefore you really need to customise an openssl.cnf file for each CA you run before doing this step, otherwise you'll come unstuck. For a good guide on how to do this, see here.

First up, you need to create a CRL. It is good practice to create a blank CRL straight away and have your clients check it. That way, when you do come to revoke a certificate, you don't have the trouble of getting people to notice.

To create a CRL for your CA, you first need an index file. This will initially be a blank file (created with touch), but as you start to revoke certificates, entries will go in here. It's human readable and unsigned, which is why we need OpenSSL to make the signed PEM form of it. So, once you've got your empty index file (wherever your openssl.cnf says it will be... why can't that be a command line option like everything else?), you can make a CRL from it using:

  openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem

This will create a CRL for you, valid for the default length of time (1 month in most OpenSSL versions). If the CRL is only used on boxes you control, and you are sure you'll update the CRL following a revocation, you'll probably want to increase its lifetime; otherwise, a few months down the line, your servers will complain that the CRL is out of date. To increase the length of time the CRL is valid for, add the option -crldays xxx to the command above (where xxx is the number of days it should be valid for).

Note: if your CRL expires before you revoke a certificate, just generate a new one as above. The CRL is simply a signed copy of the internal list of revoked certificates, with a validity date, placed into a standard format. There's nothing magical about it; you can create a new one whenever you want.

Now, with your initial CRL set up, we revoke a certificate:

  openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

This will automagically update your index.txt file with the details of your revoked certificate. Now you need to generate a new CRL file with the same command we used above to generate the blank one. With your new CRL created, you need to publish it!

If you want to play around with the validity period of the CRL, or other funky stuff to do with it, read the "CRL Options" section of the OpenSSL CA manual. If you need to manipulate or view a CRL, take a look at the CRL utility manual.

To ensure that your Apache mod_ssl and/or OpenSSL environment make use of the CRL, take a look at the Installing CRLs page.

To peek at a CRL file, showing things like the validity and which certificates (if any) have been revoked, use:

  # openssl crl -in filename -noout -text

StrongSwan X.509 Config

Now, let's configure StrongSwan to use our newly created certificates.

Below are the config files for this setup, pointing to the certificates we just created. You can take from these the pieces you need or replace your config files entirely with them.

This is the configuration file for StrongSwan:

/etc/ipsec/ipsec.conf|<pre>
# conforms to second version of ipsec.conf specification
version 2.0

# Basic configuration
config setup
    nat_traversal=yes
    plutodebug=none
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24

# Tell StrongSwan where the CA certificate is.
ca strongswan
    cacert=/etc/ssl/demoCA/cacert.pem
    auto=add

# Default variables that apply to all connections
conn %default
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyexchange=ike
    leftcert=/etc/ssl/strongswan/certs/vpn-server.pem

# L2TP Connections from the outside world that are
# using X.509 certifications. This is pretty much
# everyone using Windows Vista/XP and Mac Clients.
conn L2TP-RSA
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    pfs=no
    auto=add
</pre>

This is the secrets file for StrongSwan; you need an entry in here so it can decode its own private key. You do remember what you used as a password, don't you?

/etc/ipsec/ipsec.secrets|<pre>
: RSA /etc/ssl/strongswan/keys/vpn-server.key "PASSPHRASE FOR vpn-server.key, you remember what you used - right?"
</pre>

Create Client SSL Certificate

Each VPN client needs a certificate to connect to the VPN. This can be a pretty long process, but here's a walkthrough for your first client machine. When generating certificates for VPN clients you have to make sure that the lifetime of the certificate lies within the lifetime of the CA. If the lifetime of the certificate exceeds the lifetime of the CA, the VPN client will not accept the certificate! Below I am just showing the commands; you can reference the section above for the details on each step.

  # /etc/ssl/misc/CA.sh -newreq
  Generating a 1024 bit RSA private key
  .......++++++
  ..............++++++
  writing new private key to 'newkey.pem'

  Enter pass phrase for private/bmarriner-key.pem: (pass phrase used when creating -this- key)
  Enter Export Password: (this pw is used when importing this file into windows)
  Verifying - Enter Export Password:

  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:

  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.

  Country Name (2 letter code) [US]:
  State or Province Name (full name) [Oklahoma]:
  Locality Name (eg, city) [Tulsa]:
  Organization Name (eg, company) [SQLS]:
  Common Name (eg, YOUR name) []:bmarriner
  Email Address [it@sqls.net]:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  Request is in newreq.pem, private key is in newkey.pem

  # /etc/ssl/misc/CA.sh -sign

  Using configuration from /etc/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  Check that the request matches the signature
  Signature ok
  Certificate Details:

      Serial Number: 2 (0x2)
      Validity
          Not Before: Nov  9 20:19:43 2007 GMT
          Not After : Nov  8 20:19:43 2008 GMT
      Subject:
          countryName               = US
          stateOrProvinceName       = Oklahoma
          localityName              = Tulsa
          organizationName          = SQLS
          commonName                = bmarriner
          emailAddress              = it@sqls.net
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              SQLS Certificate
          X509v3 Subject Key Identifier:
              CE:FA:DE:88:DD:B4:DD:59:DD:18:DD:22:5A:22:35:22:02:22:9F:11
          X509v3 Authority Key Identifier:
              keyid:5D:2D:F4:D2:G5:F1:G5:F4:FG:F1:G4:33:1D:91:3C:04:DD:11:DD:11

  Certificate is to be certified until Nov 8 20:19:43 2008 GMT (365 days)
  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  Certificate:

  Data:
      Version: 3 (0x2)
      Serial Number: 2 (0x2)
      Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=US, ST=Oklahoma, O=SQLS, CN=SQLS Certificate Authority/emailAddress=it@sqls.net
      Validity
          Not Before: Nov  9 20:19:43 2007 GMT
          Not After : Nov  8 20:19:43 2008 GMT
      Subject: C=US, ST=Oklahoma, L=Tulsa, O=SQLS, CN=bmarriner/emailAddress=it@sqls.net
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                  00:bd:21:f5:32:fd:10:f0:98:f0:c0:1b:10:2a:be:
                  d3:33:c6:0b:da:0d:c5:7e:c7:96:c7:6a:63:b2:a6:
                  b5:11:7f:e9:11:8a:d2:7b:0c:fa:13:b7:ab:b3:e7:
                  1d:5c:77:f7:85:71:D2:3d:f9:c7:e5:89:c8:w1:99:
                  0e:11:e2:8e:0c:11:C3:5f:D2:24:c3:1d:f2:e3:22:
                  27:61:d3:15:f6:2d:fa:a8:51:7d:cd:97:e4:7e:46:
                  9a:86:33:11:dd:80:1f:7f:D1:15:c1:bb:62:a5:97:
                  20:c0:12:11:fd:84:d9:11:45:89:b8:11:11:93:f5:
                  0a:42:84:a8:6b:18:23:a2:0b
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              SQLS Certificate
          X509v3 Subject Key Identifier:
              CE:FA:DE:88:5A:B4:0C:59:01:13:73:C3:53:81:15:D3:12:A4:9F:10
          X509v3 Authority Key Identifier:
              keyid:5D:58:BA:CA:45:74:15:35:BD:1F:38:DE:2D:91:3C:A4:A0:CC:B9:02
  Signature Algorithm: sha1WithRSAEncryption
      43:26:5c:25:e0:5f:c4:38:02:06:01:b4:f4:45:5f:33:dc:03:
      d1:a9:cc:36:bc:51:f4:9c:e9:5e:dd:ea:04:ac:ae:97:4b:49:
      c1:d6:f8:ce:62:1d:76:93:11:5e:1a:11:b7:a4:fe:20:1f:af:
      5c:8a:c5:34:df:95:66:22:21:7d:5a:e4:ad:79:6a:2e:59:b6:
      47:ba:ba:e4:31:12:f3:57:82:16:eb:dd:71:f2:18:bd:99:54:
      2e:26:cc:5e:67:f2:78:3b:e1:c7:c3:c6:63:4b:f8:e1:94:b3:
      d7:51:7d:99:6b:d7:cc:b9:d4:f0:2e:c1:89:fa:4b:c1:b5:a3:
      b2:f2

  Signed certificate is in newcert.pem

  # mv newcert.pem /etc/ssl/strongswan/certs/bmarriner.pem
  # mv newkey.pem /etc/ssl/strongswan/keys/bmarriner.key
  # mv newreq.pem /etc/ssl/strongswan/requests/bmarriner.req

The easiest way to transfer certificates to a Windows box is the PKCS#12 exchange format. OpenSSL can repackage the certificate and key into this format. You are asked to specify an export password; on the Windows box you then import the file using that export password. Note that I created a folder to store the .pfx files.

  # openssl pkcs12 -export -inkey strongswan/keys/bmarriner.key -in strongswan/certs/bmarriner.pem -certfile demoCA/cacert.pem -out bmarriner.pfx -name "Windows Certificate for bmarriner"
  Enter pass phrase for strongswan/keys/bmarriner.key:
  Enter Export Password:
  Verifying - Enter Export Password:

  # mkdir strongswan/pkcs12
  # mv bmarriner.pfx strongswan/pkcs12/

With a relatively small amount of effort you could automate this process to some degree. I plan on creating a web interface to create and issue certificates, but not today. Below there are client installation instructions for different operating systems.
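To tie the certificate steps above together (the CA and its lifetime, the server certificate's subjectAltName, the rule that a client certificate must not outlive the CA, and CRL generation and revocation), here is an added example that is not from the original page: it builds a throwaway CA in a temporary directory with plain openssl commands instead of CA.sh and checks each point. The names "Example Certificate Authority", vpn.example.test, alice and bob are constructed; it assumes the openssl binary and GNU date.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway CA built with plain
# openssl commands (no CA.sh) that exercises the checks the text describes.
# Constructed names: "Example Certificate Authority", vpn.example.test, alice, bob.
# Assumes the openssl binary and GNU date (-d converts a date string to epoch).
set -eu

CA_CN="Example Certificate Authority"   # constructed CA name
VPN_FQDN="vpn.example.test"             # constructed gateway hostname

# Create the demoCA layout "openssl ca" needs (including the crlnumber file the
# page had to create by hand) and a minimal openssl.cnf with the two extension
# profiles the page toggles between (v3_ca for the CA, usr_cert for leaves) plus
# a server_cert profile carrying the subjectAltName Mac and Vista clients check.
setup_ca() {
    W=$(mktemp -d)
    mkdir -p "$W/demoCA/newcerts" "$W/demoCA/private" "$W/demoCA/crl"
    : > "$W/demoCA/index.txt"
    echo 01 > "$W/demoCA/serial"
    echo 01 > "$W/demoCA/crlnumber"
    cat > "$W/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $W/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$VPN_FQDN
EOF
    # Self-signed CA valid 10 years; -nodes leaves the key unencrypted so the
    # example runs unattended (a real CA key should have a passphrase).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$CA_CN" \
        -config "$W/openssl.cnf" -extensions v3_ca \
        -keyout "$W/demoCA/private/cakey.pem" -out "$W/demoCA/cacert.pem" 2>/dev/null
    echo "$W"
}

# issue_cert WORKDIR NAME CN EXTENSION_SECTION DAYS: make a request, then sign it.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/openssl.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.req" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$4" -days "$5" \
        -in "$1/$2.req" -out "$1/$2.pem" >/dev/null 2>&1
}

# The page's rule: a client certificate that outlives the CA is rejected by the
# VPN client. Prints "inside" or "outside" by comparing the two notAfter dates.
lifetime_check() {
    ca_end=$(openssl x509 -in "$1/demoCA/cacert.pem" -noout -enddate | sed 's/^notAfter=//')
    leaf_end=$(openssl x509 -in "$1/$2.pem" -noout -enddate | sed 's/^notAfter=//')
    if [ "$(date -u -d "$leaf_end" +%s)" -le "$(date -u -d "$ca_end" +%s)" ]; then
        echo inside
    else
        echo outside
    fi
}

# Revoke a leaf, regenerate the CRL, then verify it twice: a verifier that never
# consults the CRL still accepts it; one that does (-crl_check) rejects it.
revoke_and_check() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.pem" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/demoCA/crl/ca.crl" >/dev/null 2>&1
    plain=rejected; crl=rejected
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/$2.pem" >/dev/null 2>&1 && plain=accepted
    openssl verify -crl_check -CAfile "$1/demoCA/cacert.pem" -CRLfile "$1/demoCA/crl/ca.crl" \
        "$1/$2.pem" >/dev/null 2>&1 && crl=accepted
    echo "$plain $crl"
}

W=$(setup_ca)
issue_cert "$W" vpn-server "Example VPN Gateway" server_cert 365
issue_cert "$W" alice alice usr_cert 365    # fits inside the 3650-day CA
issue_cert "$W" bob bob usr_cert 4000       # outlives the CA
echo "alice: $(lifetime_check "$W" alice), bob: $(lifetime_check "$W" bob)"
echo "alice after revocation (plain verify, CRL-aware verify): $(revoke_and_check "$W" alice)"
```

The second verify line is the point of the CRL section: a peer that never fetches the CRL keeps accepting a revoked certificate until it expires.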

Install Client SSL Certificate

Please jump to “Client Configuration”

OUTDATED! Optional Setups

Option - PPP/RAIDUS

Sub-Sect A - PPTPD

This section will cover setting up PPTPD to work with FreeRadius for username/password authentication.

Sub-Sect B - XL2TPD

This section will cover setting up XL2TPD to work with FreeRadius for username/password authentication.

Option RADIUS/AD

This section will cover setting up FreeRadius to use an Active Directory (via Samba) server for username/password authentication.

Option Using 'both' Certificates & Pre-shared Keys

This section will cover setting StrongSwan up to allow 'both' X.509 certificates and pre-shared keys.

* http://www.nthdegree.com.au/sverre/publications/141004.html

Create firewall rules when a connection is made

WORK IN PROGRESS

Okay, if you're happy managing all your users with the chap-secrets username/password file and certificates, you can stop here. I'm not happy with that. I want Active Directory to control everything, and so does my boss :)

Here are some links that will help, although they all seem to cover using RADIUS with PAP/PPTP configurations and we're going to use it for L2TP/IPsec, so we're way cooler :) There are some good resources here though. Some cover connections to MySQL or PostgreSQL, which is something I'm not covering because I don't care about it :) Active Directory may not be god but it owns my company.

* http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm
* http://www.xs4all.nl/~evbergen/radius-pppd.html
* http://www.penguin-soft.com/penguin/man/8/pppd-radius.html
* http://poptop.sourceforge.net/dox/radius_mysql.html
* http://members.surfshop.net.ph/~bench/ppp-radius/ppp-radius-pap.html
* http://wiki.freeradius.org/PopTop
* http://lists.cistron.nl/pipermail/freeradius-users/2002-June/008361.html
* http://www.mail-archive.com/l2tpd-devel@l2tpd.org/msg00871.html

Okay, so here's my emerge:

  # emerge ppp freeradius -va

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild   R   ] net-dialup/ppp-2.4.4-r9  USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6 -mppe-mppc" 0 kB
  [ebuild   R   ] net-dialup/freeradius-1.1.6  USE="kerberos ldap mysql pam ssl -debug -edirectory -firebird -frascend -frnothreads -frxp -postgres -snmp -udpfromto" 0 kB

  Total: 2 packages (2 reinstalls), Size of downloads: 0 kB

  Would you like to merge these packages? [Yes/No]

We need to set up Kerberos too... d'oh. I did this long ago; my config files will be included later. http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_6.htm helps, but there are 1000 examples on how to configure Kerberos for AD.

Either way you need it:

  # emerge -va mit-krb5

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild   R   ] app-crypt/mit-krb5-1.5.3  USE="-doc -ipv6* -krb4 -tcl" 0 kB

  Total: 1 package (1 reinstall), Size of downloads: 0 kB

  Would you like to merge these packages? [Yes/No]

It's a pretty simple setup. Here is my config; you need to adjust it so it matches your domain.

We can test it too, thankfully.


10.2 Test Kerberos

Before trying to connect to AD, the AD DNS should have an A record for the pptp server. To add the A record, on your Windows DNS server, click Start → Administrative Tools → DNS. The dnsmgmt window pops up. Click on the "+" of "Forward Lookup Zones". Right click on the AD domain name, which in our test environment is EXAMPLENET.ORG, and choose "New Host (A)…". Put in the server NetBIOS name, which is defined in smb.conf, and the IP address. Then press the "Add Host" button.

When the DNS is ready, it is time to test Kerberos. Please note that the realm name must be in capitals.

  [root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG
  Password for skwok@EXAMPLENET.ORG: 
  Authenticated to Kerberos v5 

To check the Kerberos tickets:

  [root@pptp etc]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: skwok@EXAMPLENET.ORG
  Valid starting Expires Service principal
       09/03/05 14:43:47 09/04/05 00:43:04 krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
     renew until 09/04/05 14:43:47
  Kerberos 4 ticket cache: /tmp/tkt0
       klist: You have no tickets cached

Okay, now we need to join the Active Directory domain.
-------------------------------------------------------------

10. Join the AD Domain

Once Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain. For Samba versions below 3.0.23:

  [root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG "Asiapac/Australia/Sydney/Servers"
  skwok@EXAMPLENET.ORG's password: 
  Using short domain name --  EXAMPLE
  Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'

For Samba version 3.0.23 or above:

  [root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG createcomputer="Asiapac/Australia/Sydney/Servers"
  skwok@EXAMPLENET.ORG's password: 
  Using short domain name -- EXAMPLEE
  Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'

auw shit. Your samba should be like mine :) ?

  impasse etc # emerge -va samba

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild   R   ] net-fs/samba-3.0.24-r3  USE="acl kerberos ldap oav pam python readline syslog winbind -async -automount -caps -cups -doc -examples -fam -quotas (-selinux) -swat" LINGUAS="-ja -pl" 0 kB

  Total: 1 package (1 reinstall), Size of downloads: 0 kB

  Would you like to merge these packages? [Yes/No]


Just make sure Kerberos is compiled in.

Don't care about RADIUS? Winbind is an option. I didn't use it, but this guy shows how to: http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_7.htm



Okay, we need freeradius and radiusclient:

  impasse ~ # emerge radiusclient freeradius -va

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild   R   ] net-dialup/radiusclient-0.3.2  0 kB
  [ebuild   R   ] net-dialup/freeradius-1.1.6  USE="kerberos ldap mysql pam ssl -debug -edirectory -firebird -frascend -frnothreads -frxp -postgres -snmp -udpfromto" 0 kB

  Total: 2 packages (2 reinstalls), Size of downloads: 0 kB

  Would you like to merge these packages? [Yes/No]


The pppd radius plugin uses the radiusclient library. Obviously it will connect to the FreeRADIUS server. We need to modify its dictionary a tad so it understands the Microsoft (MS-CHAP/MPPE) attributes.


  impasse radiusclient # cp /usr/share/freeradius/dictionary.microsoft .
  impasse radiusclient # echo "INCLUDE /etc/radiusclient/dictionary.microsoft" >> dictionary


Now we need to edit the dictionary.microsoft file from FreeRADIUS so it will work correctly with pppd. There's a lot to change; feel free to do so, or use -this- version.

First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word “octets” to “string” in the file. Add the word Microsoft to all attributes. Here is my version:
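As an added example (not code from this page, nor from the radiusclient or FreeRADIUS projects), here is a small POSIX shell script that performs the two edits just described mechanically: it changes "octets" to "string" and appends "Microsoft" as a vendor column on every ATTRIBUTE line, and drops the BEGIN-VENDOR/END-VENDOR lines that the old radiusclient dictionary format does not use. The sample dictionary it converts is constructed inline, and the exact column layout radiusclient 0.3.2 expects is an assumption, so diff the result against a known-good dictionary before dropping it into /etc/radiusclient.

```shell
#!/bin/sh
# Added example, not from the original page: rewrite FreeRADIUS's
# dictionary.microsoft into the layout radiusclient 0.3.2 reads.
# Assumptions: FreeRADIUS attribute lines are "ATTRIBUTE name id type"
# inside a BEGIN-VENDOR/END-VENDOR block, and radiusclient wants the
# type "string" in place of "octets" plus the vendor name as a 5th column.

# Write a small constructed sample in FreeRADIUS layout to the file named in $1.
make_sample_dictionary() {
    {
        printf '# constructed sample, not the real dictionary.microsoft\n'
        printf 'VENDOR\tMicrosoft\t311\n'
        printf 'BEGIN-VENDOR\tMicrosoft\n'
        printf 'ATTRIBUTE\tMS-CHAP-Response\t1\toctets\n'
        printf 'ATTRIBUTE\tMS-CHAP-Error\t2\tstring\n'
        printf 'ATTRIBUTE\tMS-MPPE-Encryption-Policy\t7\tinteger\n'
        printf 'END-VENDOR\tMicrosoft\n'
    } > "$1"
}

# Convert the FreeRADIUS-format file named in $1; converted text goes to stdout.
convert_ms_dictionary() {
    awk '
        /^BEGIN-VENDOR/ || /^END-VENDOR/ { next }   # radiusclient has no vendor blocks
        $1 == "ATTRIBUTE" && NF == 4 {
            if ($4 == "octets") $4 = "string"        # pppd radius plugin wants string
            printf "%s\t%s\t%s\t%s\tMicrosoft\n", $1, $2, $3, $4
            next
        }
        { print }                                    # VENDOR, VALUE, comments, blanks
    ' "$1"
}

# Stand-alone demo: convert the constructed sample and print the result.
demo=$(mktemp)
make_sample_dictionary "$demo"
convert_ms_dictionary "$demo"
rm -f "$demo"
```

Run it as `convert_ms_dictionary /usr/share/freeradius/dictionary.microsoft > /etc/radiusclient/dictionary.microsoft` once you are happy with the output on the sample.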


  Now, let's set up FreeRADIUS.
  auuuwww fuck.  I have to set up winbind first.  I thought we
  could skip that step.  But according to /etc/raddb/radiusd.conf
  I need winbind installed
  meh. wait a min...
  --------------------------------------------------------
  so I think I'll move along and ignore what it said..
  I edited /etc/raddb/radiusd.conf and found the line
  use_mppe = no
  uncommented it, and changed it to
  use_mppe = yes
  then I uncommented the ntlm_auth line just a few lines lower.
  it said I need winbindd running.. we'll see.
  There's a password too, we should change that.

The mschap module is enabled by default in the authorize and authenticate sections. If it is not, enable it in both. Save the file.

The radius server has a secret key for security. The default key for freeradius is testing123. It is a good idea to change it for obvious security reasons. The key is in /etc/raddb/clients.conf.

  client 127.0.0.1 {
          #
          #  The shared secret use to "encrypt" and "sign" packets between
          #  the NAS and FreeRADIUS.  You MUST change this secret from the
          #  default, otherwise it's not a secret any more!
          #
          #  The secret can be any string, up to 32 characters in length.
          #
          secret          = testing123 
          ....[snip]....

Note: if you change the secret key, you must modify the /etc/radiusclient/servers so that they match each other.

I set my password to w4sl4b! – Ohh, better not tell them that. Edit /etc/radiusclient/servers to match:

  localhost       w4sl4b!
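The two files must agree and neither may still carry the default, so here is an added example (not from this page) that checks exactly that: a POSIX shell script reading the first `secret = ...` from /etc/raddb/clients.conf and the `localhost` line from /etc/radiusclient/servers, failing if the secret is still testing123 or the two differ, plus a helper that produces a random 32-character secret (the length limit quoted from clients.conf above). The file layouts shown on this page are assumed; the files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check that the RADIUS shared
# secret is no longer the FreeRADIUS default and that clients.conf and the
# radiusclient servers file agree on it. Assumptions: clients.conf carries a
# "secret = value" line for the 127.0.0.1 client (no "=" inside the value),
# and the servers file has a "localhost <secret>" line, as on this page.

# First "secret = value" inside clients.conf (comment lines start with #).
clients_conf_secret() {
    awk -F= '/^[[:space:]]*secret[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Secret recorded for "localhost" in the radiusclient servers file.
radiusclient_secret() {
    awk '$1 == "localhost" { print $2; exit }' "$1"
}

# Returns 0 when the secret was changed from the default and both files match.
check_radius_secret() {
    conf_secret=$(clients_conf_secret "$1")
    rc_secret=$(radiusclient_secret "$2")
    if [ -z "$conf_secret" ]; then
        echo "no secret found in $1"; return 1
    fi
    if [ "$conf_secret" = "testing123" ]; then
        echo "$1 still uses the FreeRADIUS default secret"; return 1
    fi
    if [ "$conf_secret" != "$rc_secret" ]; then
        echo "secret in $1 does not match the localhost entry in $2"; return 1
    fi
    echo "secret is non-default and consistent"
    return 0
}

# Random 32-character alphanumeric secret (the limit noted in clients.conf).
generate_radius_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# Stand-alone demo on constructed files (the real ones live in /etc/raddb
# and /etc/radiusclient).
d=$(mktemp -d)
printf 'client 127.0.0.1 {\n\tsecret          = testing123\n}\n' > "$d/clients.conf"
printf 'localhost\ttesting123\n' > "$d/servers"
check_radius_secret "$d/clients.conf" "$d/servers" || true   # reports the default
echo "suggested replacement: $(generate_radius_secret)"
rm -rf "$d"
```

Point it at the real files with `check_radius_secret /etc/raddb/clients.conf /etc/radiusclient/servers` after every change; the pppd radius plugin reads /etc/ppp/radius/servers on some installs (see below), so run it against that path too if that is where your copy lives.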

Now we need to configure pppd. It gets its config from whichever pppd options file you are using. We're using :) /etc/ppp/options.l2tp

  require-mschap-v2
  require-mppe-128
  ms-dns 10.0.0.1
  ms-wins 10.0.0.1
  proxyarp
  lock
  nobsdcomp
  novj
  novjccomp
  nologfd
  auth
  nodefaultroute
  plugin radius.so
  plugin radattr.so

There are two plugins we used in

  then I read
  http://wiki.freeradius.org/PopTop
  ---------------------------------------------------
  you need to edit /etc/ppp/radius/servers
  put
  localhost		w4sl4b!
  okay so I thought it all would work at this point
  problem is.. it doesn't.  So I'm debugging. I looked
  for some how-to-debug-it stuff
  http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
  and as I suspected
  there are some config elements actually needed in the smb.conf file
  such as..
  winbind use default domain = yes
  because it was giving me errors about finding the domain :)
  so we can test this..

  impasse samba # wbinfo -a ssra%vTG45#6!
  plaintext password authentication failed
  Could not authenticate user ssra%vTG45#6! with plaintext password
  could not obtain winbind separator!
  could not obtain winbind domain name!
  challenge/response password authentication failed
  Could not authenticate user ssra with challenge/response

wtf

okay

I need to edit /etc/conf.d/samba and change the line

  # add "winbind" to the daemon_list if you also want winbind to start
  daemon_list="smbd nmbd"

to

  daemon_list="smbd nmbd winbind"

  impasse samba # wbinfo -a asd%asd
  plaintext password authentication failed
  error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
  error messsage was: No such user
  Could not authenticate user asd%asd with plaintext password
  challenge/response password authentication failed
  error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
  error messsage was: No such user
  Could not authenticate user asd with challenge/response
  impasse samba #

Now I get that.. at least that looks better.

I used a real name:

  impasse samba # wbinfo -a ssra%vTG45#6!
  plaintext password authentication succeeded
  challenge/response password authentication succeeded
  impasse samba #

So I removed those smb.conf changes.. and I got

  impasse samba # wbinfo -a ssra%vTG45#6!
  plaintext password authentication failed
  error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
  error messsage was: No such user
  Could not authenticate user ssra%vTG45#6! with plaintext password
  challenge/response password authentication succeeded

which is what I'm supposed to be getting. Fantastic.

Next step.. test ntlm_auth:

  impasse samba # ntlm_auth --request-nt-key --domain=SQLS --username ssra
  password:
  NT_STATUS_OK: Success (0x0)
  impasse samba #

more help here http://mkeadle.org/index.php?p=13

radiusd needs access to the winbindd_privileged folder, but I want squid to access it too! And maybe some other stuff. Sooo:

  impasse samba # groupadd winbind
  impasse samba # usermod radius winbind
  usermod: user winbind does not exist
  impasse samba # usermod radius -g winbind
  usermod: user winbind does not exist
  impasse samba # usermod -g winbind radius
  usermod: user radius does not exist
  impasse samba # usermod -g winbind radiusd
  impasse samba # usermod -g winbind squid
  impasse samba # pwd
  /var/cache/samba
  impasse samba # chown -R root:winbind winbindd_privileged/
  impasse samba # chmod -R g+wr winbindd_privileged/

notes on gentoo samba

http://forums.gentoo.org/viewtopic-t-363736-highlight-init+d+winbind.html


Opened up radiusd.conf and uncommented

  with_ntdomain_hack = no

  still no go.. read
  http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
  and some debug stuff there.  I'm following that to see if I can
  get a test (radtest) to work.
  edited nsswitch.conf
  --------------------------------------------------------
  I did a lot of shit.  removed ppp and reinstalled it
  I went through both its config and xl2tpd config and
  read the manual on the options.  Removed all the stuff
  possible that would keep my basic non-radius setup
  working.  Basic is better, right?  Now I got Radius
  telling me
  Exec-Program-Wait: plaintext: winbind client not authorized to use
  winbindd_pam_auth_crap. Ensure permissions on
  /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
  okay radiusd can access it.. not sure who "winbind client" is.
  so..

  impasse samba # chmod -R 777 winbindd_privileged/

lets try this..

it worked.

holy mary mother of jesus! It works! okay! we have at this point vpn working authenticating off radius which auths from active directory.

Ohh, I made that winbind group but I never added radiusd to the winbind group, apparently. So I did that :) I settled on 750 for the folder and 660 for the pipe file inside it (640 didn't work), with both owned by root:winbind.
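Since the 777 above was only a debugging step, here is an added example (not from this page) that checks the state this section settled on: 750 on /var/cache/samba/winbindd_privileged, 660 on the pipe inside it, both root:winbind, and the radiusd user a member of the winbind group. The pipe's file name and GNU stat are assumptions; owner and group are parameters so the check can be tried on a scratch directory as an ordinary user before pointing it at the real one.

```shell
#!/bin/sh
# Added example, not from the original page: verify the winbindd_privileged
# directory has the permissions this page ended up with (750 on the directory,
# 660 on the pipe inside it, both owned by root:winbind) and that the RADIUS
# daemon user is in the winbind group, instead of the 777 tried earlier.
# Assumptions: GNU stat (Linux); the socket inside is named "pipe";
# owner/group/user names are parameters so a scratch directory can be checked.

# Compare "mode owner:group" of a path with what is expected; prints a
# mismatch message and returns 1 on any difference.
check_path() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    have=$(stat -c '%a %U:%G' "$path") || return 1
    want="$want_mode $want_owner:$want_group"
    if [ "$have" != "$want" ]; then
        echo "$path: have '$have', want '$want'"
        return 1
    fi
    return 0
}

# Directory 750, pipe 660, both owner:group as given. Returns 0 only if both match.
check_winbind_priv() {
    dir=$1; owner=$2; group=$3
    ok=0
    check_path "$dir" 750 "$owner" "$group" || ok=1
    check_path "$dir/pipe" 660 "$owner" "$group" || ok=1
    return $ok
}

# Does user $1 belong to group $2 (primary or supplementary)?
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Stand-alone demo against the real directory, if this box has one.
if [ -d /var/cache/samba/winbindd_privileged ]; then
    if check_winbind_priv /var/cache/samba/winbindd_privileged root winbind; then
        echo "winbindd_privileged permissions OK"
    fi
    if user_in_group radiusd winbind; then
        echo "radiusd is in the winbind group"
    else
        echo "radiusd is NOT in the winbind group"
    fi
fi
```

The group check matters as much as the modes: with 750/660 and root:winbind, a radiusd (or squid) that is not in the winbind group gets the same NT_STATUS_ACCESS_DENIED-style failure seen above, which is exactly what the 777 was papering over.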

Alright, I don't want every single AD user to be able to connect to the VPN. Though I do understand I would have to give them an X.509 cert in the first place.. but.. layers of security! Right?

The above configuration allows everyone with a valid user ID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntlm_auth line in /etc/raddb/radiusd.conf to include the parameter "--require-membership-of=EXAMPLE+VPN_Allowed".

In the example, I split the line into multiple lines for clarity. It should be one continuous line in the configuration file.

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
                    --username=%{Stripped-User-Name:-%{User-Name:-None}} 
                    --challenge=%{mschap:Challenge:-00} 
                    --nt-response=%{mschap:NT-Response:-00} 
                    --require-membership-of=EXAMPLE+VPN_Allowed"

Okay, that's what it says at http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_9.htm. But I'm not sure about all that EXAMPLE stuff.. let's see.. okay, EXAMPLE is supposed to be the domain name. The + is the winbind separator, if that's how you configured it. But I didn't; I left things with the Samba defaults. So here's my version:

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
                    --username=%{Stripped-User-Name:-%{User-Name:-None}} 
                    --challenge=%{mschap:Challenge:-00} 
                    --nt-response=%{mschap:NT-Response:-00} 
                    --require-membership-of=DOMAIN\\VPN"

You can test this:

  impasse raddb # ntlm_auth --request-nt-key --domain=SQLS --username ssra --require-membership-of=SQLS\\VPN
  password:
  NT_STATUS_OK: Success (0x0)

I wanted to name the group VPN Users as that would kinda go with what our other groups are called. But I couldn't get it to accept the space. I tried using 'SQLS\\VPN Users' it sent the ' as part of the group name. I tried SQLS\\VPN\ Users but it still only sent SQLS\VPN as the group. -shrug-

Maybe you know how?!?


Okay, now let's get RADIUS to hand out IP addresses. First we will try to get it working :) with just one general pool for all PPP connections. Then we will try to get separate pools for specific users. I'd really like to have this controlled via AD but.. not sure if that's going to happen.

  impasse xl2tpd # cp xl2tpd.conf xl2tpd.conf-radiusworks
  impasse xl2tpd # pwd
  /etc/xl2tpd

Edit the xl2tpd.conf file, remove your IP ranges under the [lns default] section and then add `assign ip = no`.

So it should look like -link-

  [global]
  port = 1701

  [lns default]
  assign ip = no
  local ip = 10.0.0.12
  pppoptfile = /etc/ppp/options.l2tpd
  length bit = yes
  require authentication = yes


  impasse xl2tpd # /etc/init.d/xl2tpd restart
   * Stopping xl2tpd ...                       [ ok ]
   * Starting xl2tpd ...

Then edit /etc/ppp/options.l2tpd and add the two lines below so pppd doesn't get fussy about FreeRADIUS handing out the IPs:

  ipcp-accept-local
  ipcp-accept-remote


In the radiusd.conf file there should already be an ippool named main_pool; we can use that for our basic setup. You can modify it to suit the IP pool you wish to hand out. Then, a bit lower in the accounting and post-auth sections, uncomment the `main_pool` line so it will load it. Gentoo has the permissions on the raddb folder set so radiusd cannot write to it. Well, the default location for the IP pool db file it wants to create happens to be there, so it needs write access.

  impasse etc # chmod 770 /etc/raddb/

Now look for the Framed-User DEFAULT section in /etc/raddb/users. It's what seems to be applied to all my PPP connections :).

  DEFAULT Service-Type == Framed-User
          Framed-IP-Address = 255.255.255.254,
          Framed-MTU = 576,
          Service-Type = Framed-User,
          Fall-Through = Yes

It has two items in there which make no sense to me and so.. I got rid of them: the Framed-IP-Address and the Framed-MTU. I don't want an MTU of 576. If someone can tell me why I need that I'll add it back. And I don't want that IP address either; I want it to use my IP pool instead. So I changed this section to:

  DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
          Service-Type = Framed-User,
          Fall-Through = Yes

There's I'm sure many ways to accomplish this. And I may change this later but at this point you should be able to connect to your vpn server and authenticate against Active Directory and assign ip addresses from the freeradius main_pool.

Next step would be to say, special user = zyx gets special ip range yza. I don't know how to do this via anything I put in Active Directory for that user. But since I only have a few users with this requirement I can do it manually in the user file. First we need to create our special restricted IP Pool then setup which users will get that assigned to them.

So open up radiusd.conf and add this section right after the main_pool section. You can read the comments from main_pool section to see what these do. Then go to the accounting and post-auth sections and just below the “main_pool” line add another line “mv_pool”

ippool mv_pool {
  range-start = 10.0.200.2
  range-stop = 10.0.200.29
  netmask = 255.255.255.0
  cache-size = 30
  session-db = ${raddbdir}/db.mvpool
  ip-index = ${raddbdir}/db.mvindex
  override = no
}

Now I decided to use "huntgroups" so I can say: all these users here get this special pool.

Edit /etc/raddb/huntgroups and at the bottom of the file add:

  machine_vendors NAS-IP-Address == 127.0.0.1
          User-Name = ssra

Feel free to read all the comments in the file to get some understanding of what it's doing; that's how I figured out what to add. Anyway, this creates a huntgroup named "machine_vendors" and adds the user "ssra" into that group. The NAS-IP-Address should be 127.0.0.1 unless for some reason you have it somewhere else, which is unlikely if you're following this howto :)

Now in the /etc/raddb/users file, remember that section we edited before:

  DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
          Service-Type = Framed-User,
          Fall-Through = Yes

Okay, find that section again. Just past it, add this section:

  DEFAULT Huntgroup-Name == "machine_vendors", Pool-Name := "mv_pool"
          Fall-Through = Yes

so now when someone in the machine_vendors group logs on they will get an IP out of the mv_pool. Fantastic.

Now you can assign iptables rules based on that subnet and only allow those users to access whatever you want them accessing. I'm not covering netfilter today :)

Restart everything.. You're done. Or, I'm done anyhow. Next I want to make an easy way to create the X.509 certs for users and an easy way to revoke them. If I can't find a PHP tool that already exists I might write one :) This VPN setup must be doable via a GUI for the average user so the "helpdesk support guy" can easily set it up without logging into the Linux server.

 
howto/gentoo_linux_l2tp_ipsec_vpn_w_active_directory_radius_x.509_serving_windows_xp_vista_clients.txt · Last modified: 2009/08/07 09:08 by bruce
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported