Build L2TP over IPSec on Linux(Using OpenSwan and l2tpd.0.69)


Author : Kendiv
Date   : 2006.12.20


*************************************
Requirements
*************************************
 A. Linux Kernel, either 2.0, 2.2, 2.4 or 2.6 based.
 B. If building from source, libgmp development libraries.

*************************************
KLIPS && NETKEY(aka "26sec" or "native")
*************************************
For Linux Kernels 2.6.0 and higher, Openswan gives you the choice of using the built in IPsec stack (NETKEY)
or the Openswan stack (KLIPS). Only the userland component of Openswan is required to use Openswan with NETKEY.
Please use at least version 2.6.9, as prior versions have bugs in the IPsec stack, causing complete machine crashes.

*************************************
About GMP
*************************************
Openswan needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography.
The GMP library is included in most Linux distributions.
Typically there are two RPMs, libgmp and libgmp-devel; you need to install both,
either from your distribution CDs or from your vendor's web site.

*************************************
About the Openswan kernel patches
*************************************
There are two Openswan kernel patches:
   A. nat-t patch: provides NAT-Traversal support for 2.4 Linux kernels.
   B. klips patch: provides the KLIPS IPsec stack for stock 2.4 kernels.
                   If you are using RHEL3, there is already an IPsec stack in the kernel named NETKEY.
                   It is a backport (done by Red Hat) of the 2.6 Linux kernel's IPsec stack.


Userland:

1) From the openswan source directory:

        # make programs
2) As root, install the userland tools:

        # make install
Optional: KLIPS IPstack

0) A kernel patch must be applied to make the option CONFIG_IPSEC_NAT_TRAVERSAL available

        # make nattpatch2.6 > ../nat-t-patch-2.6.diff

        # cd ../linux

        # patch -p1 < ../nat-t-patch-2.6.diff

        # make menuconfig  # Note: Enable Networking / Networking options / IPSEC Nat-Traversal

        Then recompile and install the new kernel.
1) From the openswan source directory:

        # export KERNELSRC=/lib/modules/`uname -r`/build

        # make module26

        # make minstall26

        # depmod -a
If compiling for X86_64 (aka AMD Athlon 64 / XP) add -m64 to USER_COMPILE and add -m64 -mno-red-zones to KLIPSCOMPILE

2) unload NETKEY before loading KLIPS: rmmod af_key esp4 ah4 ipcomp

3) load KLIPS: modprobe ipsec

You can see which IPsec stack you are using with 'ipsec --version'

NOTE: the choice to use KLIPS for 2.6 kernels is available starting in openswan version 2.3.0; previous openswan releases had only support for the builtin ipsec stack when running with 2.6 kernels

*************************************
KLIPS install 2.6.12-6 kernels
*************************************
# cd /usr/local/src/linux
# make clean
# zcat openswan-2.4.7.kernel-2.6-klips.patch.gz | patch -p1 -s   # the patches ship gzipped, so feed them through zcat
# zcat openswan-2.4.7.kernel-2.6-natt.patch.gz | patch -p1 -s
# make menuconfig  # Note: Enable Networking / Networking options / IPSEC Nat-Traversal / klips
# make -j20
# make modules_install
# make install

Now reboot and select the new kernel.

Note:
  If you want NAT-T support (NAT-Traversal), you need to patch your kernel and build a new bzImage.

Otherwise, if you only want KLIPS, use the command sequence below.
# cd /usr/src/openswan-2.#.#
# export KERNELSRC=/usr/src/kernels/linux-2.6.18/
# make module
# make module_install

1) unload NETKEY before loading KLIPS: rmmod af_key esp4 ah4 ipcomp
2) load KLIPS: modprobe ipsec
3) modify your /etc/rc.d/rc.local and add the line below so KLIPS is loaded at boot:
   /sbin/modprobe ipsec

*************************************
Build Openswan
*************************************
# cd /usr/local/src/openswan-2.4.7
# make programs
# make install

*************************************
Start Openswan and test your install
*************************************
Bring Openswan up with:
# service ipsec start
# ipsec verify  # Note: To check that you have a successful install.

You should see at least:
    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path                             [OK]
    Checking for KLIPS support in kernel                        [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]


*************************************
Firewall && NAT
*************************************
You need to allow UDP 500 and ESP (protocol 50) through your firewall.
Do not NAT the packets you will be tunneling.
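As an added example (not from the original post), the function below prints the iptables rules that implement this section for a gateway: IKE on UDP 500, ESP (IP protocol 50), a NAT exemption so the tunneled traffic is not masqueraded, and the FORWARD rules between the two LANs. The WAN interface name and the two subnets are arguments and the sample values are constructed; review the output before piping it to sh as root.

```shell
#!/bin/sh
# Added example, not part of the original post. Prints the iptables rules
# for the "Firewall && NAT" section; run the output as root once reviewed.
#   $1 = WAN interface (assumed, e.g. eth0)
#   $2 = local LAN behind this gateway  (constructed sample: 192.168.1.0/24)
#   $3 = remote LAN behind the far end  (constructed sample: 192.168.2.0/24)
ipsec_fw_rules() {
    wan_if="$1"
    local_net="$2"
    remote_net="$3"
    # IKE negotiation (UDP 500) and ESP (IP protocol 50), as the section requires
    echo "iptables -A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -p 50 -j ACCEPT"
    # UDP 4500 is only needed when the NAT-Traversal kernel patch is in use
    echo "iptables -A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT"
    # "Do not NAT the packets you will be tunneling": insert the exemption at
    # position 1 so it is matched before any existing MASQUERADE rule
    echo "iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -j ACCEPT"
    # Let the decrypted LAN-to-LAN traffic through the FORWARD chain
    echo "iptables -A FORWARD -s $local_net -d $remote_net -j ACCEPT"
    echo "iptables -A FORWARD -s $remote_net -d $local_net -j ACCEPT"
}

# Example invocation with the constructed sample values:
#   ipsec_fw_rules eth0 192.168.1.0/24 192.168.2.0/24 | sh
```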

*************************************
Generate RSA Key
*************************************
Summary: 0000288: newhostkey may block indefinitely
Description: 'ipsec newhostkey' calls rsasigkey without the --random option.
That means the device /dev/random is used. On some systems this device blocks indefinitely
because not enough entropy is available.
The device /dev/urandom should be used instead, or at least this should be possible as an option.
Additional Information: I changed line 59 of /usr/libexec/ipsec/newhostkey to:

    ipsec rsasigkey $verbose --random /dev/urandom $host $bits

to make it work on my Gentoo system.

On my system I used it as below:
# vi /usr/local/libexec/ipsec/newhostkey

# ipsec newhostkey --output /etc/ipsec.secrets
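As an added example (not from the original post or from Openswan), the script below applies the bug-report change to a newhostkey script given as an argument, and reports how much entropy /dev/random currently has, which is the condition under which the unpatched script blocks. It assumes the unpatched rsasigkey line reads `ipsec rsasigkey $verbose $host $bits`, as the report implies.

```shell
#!/bin/sh
# Added example, not Openswan's own code. Applies the /dev/urandom fix from
# the bug report above to the newhostkey script passed as $1.
# Assumption: the unpatched line is "ipsec rsasigkey $verbose $host $bits".
patch_newhostkey() {
    script="$1"
    # Idempotent: if the --random option is already present, leave the file alone
    if grep -qF -- '--random /dev/urandom' "$script"; then
        echo "already patched: $script"
        return 0
    fi
    # Insert --random /dev/urandom on the rsasigkey invocation only (GNU sed -i)
    sed -i 's|^\([[:space:]]*ipsec rsasigkey \$verbose\) \(\$host \$bits\)|\1 --random /dev/urandom \2|' "$script"
    # Succeed only if the line was actually rewritten
    grep -qF -- '--random /dev/urandom' "$script"
}

# Bits of entropy the kernel pool currently holds; a low number means an
# unpatched 'ipsec newhostkey' would block on /dev/random.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown
}

# Example invocation (path from the post above):
#   patch_newhostkey /usr/local/libexec/ipsec/newhostkey && echo "entropy: $(entropy_avail)"
```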

*************************************
Enable IP Forwarding
*************************************
# echo "1" > /proc/sys/net/ipv4/ip_forward
or, to make it persistent, edit /etc/sysctl.conf:
# vi /etc/sysctl.conf
and set net.ipv4.ip_forward = 1

/*************************** End ****************************************************/
