L2TP over IPSec on Debian 10

Question

My Debian 10 box has a Wifi interface, wlx08beac0a6c1d running a WEP AP for old hardware that doens't wupport WPA.

My main network is 192.168.1.0/24 and this interface is configured to be 192.168.2.1.

For starters that interface is restricted to one MAC and it only allows DHCP on that network

iptables -A INPUT -i wlx08beac0a6c1d -m mac ! --mac-source 00:30:65:05:9F:4D -j DROP
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -j DROP

(The MAC check is also in hostapd.conf -- where of course it is just as ineffective security measure (although it's probably fairly effective here in Shropshire).)

This device (claims to) support L2TP over IPSec. I imagine that by opening another port for this I can get this old machine to join the rest of my network through a tunnel to that port and that once connected the old machine will appear as if it is on my network.

Is this so? Or have I got the wrong end of the stick? Is this now secure on the WEP network?

It looks like the packages needed are strongswan and xl2tpd?

It looks like IPSec is going to encrypt traffic over the WEP network, and that I'll need to open some more ports to allow the encryption to be negotiated and started?

It then looks like L2TP will establish a connection a PPP connection to another port on Debia and route all traffic through it? So the old machine will get a second IP address for this PPP connection? And how will it appear in Debian (and be routable between the rest of my network and the Internet)?

So: first is strongswan...

# apt-get install strongswan

And now I really don't understand what to do. I've done what it says here https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2 and ended up with this ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn wep-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=192.168.2.31
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.2.0/24
    rightdns=192.168.2.31
    rightsendcert=never
    eap_identity=%identity

I think that left is correct if you interpret it as being this machine, but not sure about right which presumably is some other thing?

Then it goes on to do something with something called UFW but I am using iptables. I think I need

iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 4500 -j ACCEPT

to allow connections to IPsec.

Then the next part of the trick is xl2tpd...

# apt-get install xl2tpd

/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 192.168.3.100-192.168.3.254
local ip = 192.168.3.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes

/etc/ppp/xl2tpd-options

require-mschap-v2
ms-dns 192.168.3.1

Add to /etc/ppp/chap-secrets

And

iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 1701 -j ACCEPT

Obviously, it doesn't work.

Answer 1

/etc/ipsec.conf

config setup

conn wep-ap
        type=transport
        authby=secret
        pfs=no
        rekey=no
        keyingtries=1
        left=%any
        leftid=%any
        right=%any
        auto=add
        esp=aes128-sha1-modp1536
        ike=aes128-sha1-modp1536
        include /var/lib/strongswan/ipsec.conf.inc

Question: how do you work out what the values for esp and ike are? They are in a different format in ipsec.conf than what appears in /var/log/syslog -- very unhelpfully.

/etc/strongswan.conf

charon { plugins { eap_dynamic { preferred = eap-mschapv2, eap-tls } } }

/etc/ipsec.secrets

%any %any : PSK "password"

/etc/ppp/chap-secrets

laptop  *       password *

/etc/ppp/options.xl2tpd

noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns 192.168.3.31

/etc/xl2tpd/xl2tpd.conf

[global]                                                                ; Global parameters:
port = 1701                                                     ; * Bind to port 1701
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes
auth file = /etc/xl2tpc/l2tp-secrets
access control = no
[lns default]                                                   ; Our fallthrough LNS definition
ip range = 192.168.3.100-192.168.3.254                          ; * But this one is okay
local ip = 192.168.3.31                         ; * Our local IP to use
name = mini31                                           ; * Report this as our hostname
pppoptfile = /etc/ppp/options.xl2tpd
ppp debug = yes
require authentication = yes
require chap = yes
refuse pap = yes

However this still doesn't work. You can see in /var/log/syslog that IPSec gets connected but then L2TP fails saying

...
xl2tpd[27668]: network_thread: select timeout with max retries: 5 for tunnel: 28160
xl2tpd[27668]: Maximum retries exceeded for tunnel 28160.  Closing.
xl2tpd[27668]: Connection 4 closed to 192.168.1.11, port 1701 (Timeout)
...

Answer 2

Just reproduced on a fresh install on a Raspberry Pi and it worked!

I eventually found out that on the Raspberry there were lots of files in /etc/strongswan.d/charon but none on Debian. Copying these files from Raspberry to Debian has got it working!