Showing posts with label vpn. Show all posts
Showing posts with label vpn. Show all posts

February 18, 2017

L2TP/IPSEC VPN on a Debian VPS

ipsec Segmentation Fault

root# invoke-rc.d ipsec start
Job for ipsec.service failed. See 'systemctl status ipsec.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript ipsec, action "start" failed.
root# systemctl status ipsec.service
ipsec.service - LSB: Start Openswan IPsec at boot time
Loaded: loaded (/etc/init.d/ipsec)
Active: failed (Result: exit-code) since Sat 2017-02-18 15:17:07 CET; 3s ago
Process: 844 ExecStart=/etc/init.d/ipsec start (code=exited, status=139)

Feb 18 15:17:07 vpn-example.com systemd[1]: Starting LSB: Start Openswan IPsec at boot time...
Feb 18 15:17:07 vpn-example.com ipsec[844]: Segmentation fault
Feb 18 15:17:07 vpn-example.com ipsec[844]: failed to start openswan IKE daemon - the following error occured:
Feb 18 15:17:07 vpn-example.com systemd[1]: ipsec.service: control process exited, code=exited status=139
Feb 18 15:17:07 vpn-example.com systemd[1]: Failed to start LSB: Start Openswan IPsec at boot time.
Feb 18 15:17:07 vpn-example.com systemd[1]: Unit ipsec.service entered failed state.
root# /etc/init.d/ipsec start
Segmentation fault
failed to start openswan IKE daemon - the following error occured:

Solution: make sure /etc/ipsec.conf has an empty line at the end of file.

source

Verify the configuration

ipsec verify

Using tcpdump to debug L2TP/IPSEC UDP packets

If you're getting the following error:
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer
You'll need to confirm if the packets are reaching the VPN server:
tcpdump -i any -n -nn icmp or \( udp and \( port 500 or port 1701 or port 4500 \) \)

source


https://www.elastichosts.com/blog/linux-l2tpipsec-vpn-server/
https://gist.github.com/mietek/4877cd74423bf6925b92
https://wiki.openwrt.org/inbox/openswanxl2tpvpn
https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd
http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_a_Raspberry_Pi_with_Arch_Linux.html
https://habrahabr.ru/company/FastVPS/blog/205162/
Labels: , ,

March 17, 2012

install openvpn freebsd

cd /usr/ports/security/openvpn && make install clean mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/easy-rsa /usr/local/etc/openvpn/easy-rsa/keys && cp -R /usr/local/share/doc/openvpn/easy-rsa/2.0/* /usr/local/etc/openvpn/easy-rsa echo "">/usr/local/etc/openvpn/easy-rsa/keys/index.txt && echo "00">/usr/local/etc/openvpn/easy-rsa/keys/serial cd /usr/local/etc/openvpn/easy-rsa chmod +x ./build-ca ./build-dh ./build-inter ./build-key ./build-key-pass ./build-key-pkcs12 ./build-key-server ./build-req ./build-req-pass ./clean-all ./inherit-inter ./list-crl ./openssl*.cnf ./pkitool ./revoke-full ./sign-req ./whichopensslcnf
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@example.com"
sh ./clean-all && . ./vars ./build-ca 
Generating a 1024 bit RSA private key
..++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:server2
Name [changeme]:
Email Address [me@example.com]:
./build-key-server server2 
Generating a 1024 bit RSA private key
..............++++++
......................................................................++++++
writing new private key to 'server2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server2]:
Name [changeme]:
Email Address [me@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server2'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'me@example.com'
Certificate is to be certified until Mar 15 12:37:05 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
./build-key client2 
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client2]:
Name [changeme]:
Email Address [me@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client2'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'me@example.com'
Certificate is to be certified until Mar 15 12:38:53 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
./build-dh exit openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/keys/ta.key cp /usr/local/share/doc/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
  • Certificates path:
    Пути к файлам сертификатов:
    ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt cert /usr/local/etc/openvpn/easy-rsa/keys/server2.crt key /usr/local/etc/openvpn/easy-rsa/keys/server2.key dh /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem
  • Turn TCP mode on:
    Включаем TCP вместо UDP:
    ;proto udp proto tcp
  • Uncomment the following lines:
    Раскомментируйте следующие строки:
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    This will enable routing of all your traffic through the VPN server i.e. your public IP will be same as the assigned to VPS one.
    Именно эти параметры перенаправят весь ваш траффик через сервер, в результате вашим публичным IP станет адрес VDS сервера, а реальный IP будет скрыт.
echo 'openvpn_enable="YES"'>>/etc/rc.conf echo 'openvpn_if="tun"'>>/etc/rc.conf /usr/local/etc/rc.d/openvpn start http://www.lissyara.su/articles/freebsd/security/openvpn/
Labels: ,
Subscribe to: Posts (Atom)