Revision of 01:02, 27 February 2012
{{MessageBox|
backgroundcolor = #FBB|
image =Warning.png|
heading =WARNING|
message = This is recommended only for advanced users, proceed with caution.}}
This is an IPsec/L2TP VPN implementation for Fedora 14 that allows Android devices to connect to your HDA. It has been tested with Android OS 2.3 on a [http://www.samsung.com/us/mobile/cell-phones/SGH-I727MSAATT Samsung Galaxy S™ II Skyrocket™]. It may not work for all Android devices, or it may require some modification.
===Setup===
Install the packages first as root user:
{{Code|yum -y install openswan xl2tpd}}
====Configure Openswan====
*Edit '''''/etc/ipsec.conf''''' with your favorite editor and update it as follows ('''NOTE:''' replace ''{HDA IP Address}'', e.g. 192.168.0.10, ''{Router IP Address}'', e.g. 192.168.0.1, and xxx.xxx.xxx.xxx/24, e.g. 192.168.0.0/24, with the correct addresses for your network; the parameter lines under each section must stay indented):
{{Text|Text=config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!xxx.xxx.xxx.xxx/24
    oe=off
    nhelpers=0

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left={HDA IP Address}
    leftprotoport=17/1701
    leftnexthop={Router IP Address}
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%no,%priv}}
* Add the following to '''''/etc/ipsec.d/hda.secrets''''':
{{Text|Text={HDA IP Address} %any: PSK "a_key_that_is_at_least_8_characters_long"}}
* Edit '''''/etc/sysctl.conf''''' and add the following to the file:
{{Text|Text=net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0}}
* In the same file, disable the following lines by prefixing each with a #:
{{Text|Text=<nowiki>#</nowiki>net.bridge.bridge-nf-call-ip6tables = 0
<nowiki>#</nowiki>net.bridge.bridge-nf-call-iptables = 0
<nowiki>#</nowiki>net.bridge.bridge-nf-call-arptables = 0}}
* Create '''''/usr/bin/disable_send_accept_redirects''''' and add the following:
{{Text|Text=<nowiki>#</nowiki>!/bin/bash
<nowiki>#</nowiki> Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
<nowiki>#</nowiki> Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects}}
* Make the script executable (chmod +x) and add the following to '''''/etc/rc.local''''' so it runs on boot:
{{Text|Text=/usr/bin/disable_send_accept_redirects}}
* To verify everything is set correctly, do the following:
{{Code|service ipsec start
ipsec verify}}
* Everything should be "green" except ''SAref kernel support'' ('''N/A''') and ''Opportunistic Encryption'' ('''DISABLED''').
====Configure xl2tpd====
* Edit '''''/etc/xl2tpd/xl2tpd.conf''''':
** Ensure <code>ipsec saref = yes</code> is uncommented.
** Set <code>ip range</code> to addresses outside the range your DHCP server actively hands out. For example, if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. xl2tpd also needs a <code>local ip</code>, which it uses for communication with PPP; in that example you could use 192.168.10.101.
====Configure PPP====
* Add the following to '''''/etc/ppp/chap-secrets''''' (replace username and password accordingly):
{{Text|Text=username * password *}}
* Check '''''/etc/ppp/options.xl2tpd''''' to verify that all ''ms-dns'' entries point to the correct nameservers (the HDA).
*Start xl2tpd:
{{Code|service xl2tpd start}}
====Configure Router====
You need to forward ports 500 and 4500 (both UDP) to your HDA IP address.
====Set Services to Start on Boot====
{{Code|chkconfig ipsec on
chkconfig xl2tpd on}}
That's basically it; you can now set up your L2TP/IPsec VPN client and try to connect.
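As an added sanity check that is not part of the original guide, the following bash script verifies the kernel redirect/forwarding settings and the pre-shared-key file the steps above configure. The function names, the proc-root parameter and the sample tree it builds are this example's own assumptions (constructed data, marked in the comments).

```shell
#!/bin/bash
# Added example, not part of the original guide: sanity checks for the
# settings this page configures. Paths are parameters so the checks run on
# constructed files here and on the live HDA as:
#   check_sysctl / && check_psk /etc/ipsec.d/hda.secrets

# Return 0 when ip_forward is 1 and every send_redirects/accept_redirects
# under $1/sys/net/ipv4/conf is 0; report each offending file otherwise.
check_sysctl() {
    local root="$1" rc=0 f
    [ "$(cat "$root/sys/net/ipv4/ip_forward" 2>/dev/null)" = "1" ] || { echo "ip_forward is not 1"; rc=1; }
    for f in "$root"/sys/net/ipv4/conf/*/send_redirects \
             "$root"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || { echo "redirect still enabled: $f"; rc=1; }
    done
    return $rc
}

# Return 0 when the secrets file is mode 0600 and its PSK line carries a
# quoted key of at least 8 characters (the minimum the guide calls for).
check_psk() {
    local file="$1" psk
    [ "$(ls -l "$file" | cut -c1-10)" = "-rw-------" ] || { echo "$file is not mode 0600"; return 1; }
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | head -n1)
    [ -n "$psk" ] || { echo "no PSK line in $file"; return 1; }
    [ "${#psk}" -ge 8 ] || { echo "PSK shorter than 8 characters"; return 1; }
}

# Build a constructed sample tree under $1 mimicking /proc/sys plus a secrets
# file; kind "bad" leaves eth0 accepting redirects, a short key, mode 0644.
make_sample() {
    local root="$1" kind="$2" i
    for i in all default eth0 lo; do
        mkdir -p "$root/sys/net/ipv4/conf/$i"
        echo 0 > "$root/sys/net/ipv4/conf/$i/send_redirects"
        echo 0 > "$root/sys/net/ipv4/conf/$i/accept_redirects"
    done
    echo 1 > "$root/sys/net/ipv4/ip_forward"
    echo '192.168.0.10 %any: PSK "a_key_that_is_at_least_8_characters_long"' > "$root/hda.secrets"
    chmod 600 "$root/hda.secrets"
    if [ "$kind" = bad ]; then
        echo 1 > "$root/sys/net/ipv4/conf/eth0/accept_redirects"
        echo '192.168.0.10 %any: PSK "short"' > "$root/hda.secrets"
        chmod 644 "$root/hda.secrets"
    fi
}

tmp=$(mktemp -d); make_sample "$tmp" bad   # demo: report problems in constructed bad data
{ check_sysctl "$tmp"; check_psk "$tmp/hda.secrets"; } || true; rm -rf "$tmp"
```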
References:
[http://www.mindbug.org/2010/11/fedora-as-ipsecl2tp-vpn-server-for-mac.html Fedora as IPSEC/L2TP VPN Server for Mac and Android]
[https://lists.openswan.org/pipermail/users/2008-March/014218.html Installing OpenSwan for the first time]
===Android L2TP/IPsec Client Setup===
<u>'''CONFIGURE'''</u>
* Open the menu and choose Settings
* Select
** Wireless and Network or Wireless Controls, depending on your version of Android
** VPN Settings
** Add VPN
** Add L2TP/IPsec PSK VPN
** VPN Name and type in a descriptive name (e.g. HDA)
** Set VPN Server to '''username.yourhda.com''' (username = your HDA name)
** Set IPSec pre-shared key and enter ''thisisourkey'' (replace with your secret key)
* Uncheck Enable L2TP secret
* Open the menu and choose Save
<u>'''CONNECT'''</u>
* Open the menu and choose Settings
* Select
** Wireless and Network or Wireless Controls, depending on your version of Android
** VPN configuration from the list
* Enter your username and password (use correct capitalization)
* Select Remember username and Connect
<u>'''DISCONNECT'''</u>
* Open the menu and choose Settings
* Select
** Wireless and Network or Wireless Controls, depending on your version of Android
** Select the VPN configuration from the list
** Select Disconnect
Reference: [https://www.goldenfrog.com/vyprvpn/support/vpn-setup/android-l2tp Android L2TP/IPsec Instructions]