Difference between revisions of "IPSEC/L2TP VPN Server"

From Amahi Wiki

Revision as of 01:28, 5 March 2012

WARNING: This is recommended only for advanced users; proceed with caution.


This is an IPsec/L2TP VPN server implementation for Fedora 14 that allows Android OS (2.3.5 or less) devices to connect to your HDA. It has been tested with Android OS 2.3.5 on a Samsung Galaxy S™ II Skyrocket™. It may not work for all Android devices, or may require some modification.

Setup

Install the packages first as root user:

bash code
yum -y install openswan xl2tpd


Configure Openswan

  • Edit /etc/ipsec.conf with your favorite editor and update as follows (NOTE: replace {HDA IP Address}, e.g. 192.168.0.10, and xxx.xxx.xxx.xxx/24, e.g. 192.168.0.0/24, with the correct IP addresses for your network):

Text
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!xxx.xxx.xxx.xxx/24
    oe=off
    nhelpers=0
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left={HDA IP Address}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

  • Add the following to /etc/ipsec.d/hda.secrets:
Text
{HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"


  • Edit /etc/sysctl.conf and add following to the file:
Text
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0


  • In the same file, disable the following by adding a #:
Text
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0


  • Create /usr/bin/zl2tpset and add the following:
Text
#!/bin/bash
# Turn off ICMP redirects on every interface that already exists; the
# net.ipv4.conf.default.* keys in sysctl.conf only cover interfaces created later.
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

  • Make it executable:
bash code
chmod 755 /usr/bin/zl2tpset


  • Add the following to /etc/rc.local so this script runs on boot:
Text
/usr/bin/zl2tpset


  • To verify everything is set correctly, do the following:
bash code
service ipsec start
ipsec verify


  • Everything should be "green" except SAref kernel support (N/A) and Opportunistic Encryption (DISABLED).

Configure xl2tpd

  • Edit /etc/xl2tpd/xl2tpd.conf:
    • Ensure ipsec saref = yes is uncommented.
    • Set the IP range to addresses outside the range your DHCP server actively uses. For example, if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100, you can use 192.168.10.150-192.168.10.200. xl2tpd also needs a local IP, which it uses for communication with PPP; given the same example, you could use 192.168.10.101.
Text
[lns default]
ip range = 192.168.10.150-192.168.10.200
local ip = 192.168.10.101
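As an added sanity check (example code written for this page, not part of the original wiki article or of Openswan/xl2tpd), the script below parses the text of ipsec.conf, hda.secrets and xl2tpd.conf and reports anything that departs from what the Openswan and xl2tpd sections above require: the config setup and conn L2TP-PSK-noNAT keys, that the HDA's own subnet is excluded in virtual_private, that the pre-shared key is quoted and at least 8 characters long, that ipsec saref is on, and that the L2TP ip range and local ip stay outside the DHCP pool. The sample file contents, the HDA address 192.168.10.5 and the DHCP pool 192.168.10.10-192.168.10.100 are constructed from the page's examples; the function and variable names are this example's own.

```python
# Constructed samples mirroring the page's examples (HDA at 192.168.10.5); not from a live system.
import ipaddress
import re

SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.10.0/24
    oe=off
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    type=transport
    left=192.168.10.5
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""
SAMPLE_SECRETS = '192.168.10.5 %any: "a_key_that_is_at_least_8_characters_long"\n'
SAMPLE_XL2TPD_CONF = "[global]\nipsec saref = yes\n[lns default]\nip range = 192.168.10.150-192.168.10.200\nlocal ip = 192.168.10.101\n"
DHCP_RANGE = "192.168.10.10-192.168.10.100"  # the page's example DHCP pool

def parse_ipsec_conf(text):
    """ipsec.conf -> {"config setup": {k: v}, "conn NAME": {k: v}}; section headers sit at column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def parse_ini_values(text):
    """xl2tpd.conf 'key = value' lines -> flat dict; '[section]' headers and ';'/'#' comments skipped."""
    pairs = (l.split(";", 1)[0].split("#", 1)[0].strip() for l in text.splitlines())
    return dict((k.strip(), v.strip()) for k, v in
                (p.split("=", 1) for p in pairs if p and not p.startswith("[") and "=" in p))

def parse_range(spec):
    """'a.b.c.d-e.f.g.h' -> (first, last) IPv4Address pair; ValueError if malformed or reversed."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    if lo > hi:
        raise ValueError(f"range {spec} is reversed")
    return lo, hi

def check_ipsec(conf_text, secrets_text):
    """Findings for ipsec.conf + hda.secrets; an empty list means the page's requirements hold."""
    findings, sections = [], parse_ipsec_conf(conf_text)
    setup, conn = sections.get("config setup", {}), sections.get("conn L2TP-PSK-noNAT", {})
    wanted = {"config setup": {"protostack": "netkey", "nat_traversal": "yes", "oe": "off"},
              "conn L2TP-PSK-noNAT": {"authby": "secret", "type": "transport",
                                      "leftprotoport": "17/1701", "rightprotoport": "17/%any"}}
    for name, keys in wanted.items():
        for key, want in keys.items():
            got = sections.get(name, {}).get(key)
            if got != want:
                findings.append(f"{name}: expected {key}={want}, got {got!r}")
    try:
        left = ipaddress.IPv4Address(conn.get("left", ""))
    except ValueError:  # still "{HDA IP Address}" or missing
        findings.append(f"conn L2TP-PSK-noNAT: left={conn.get('left')!r} is not an IPv4 address")
        left = None
    # The HDA's own LAN must be excluded from virtual_private (the %v4:! entry on the page).
    try:
        excluded = [ipaddress.IPv4Network(e[5:], strict=False)
                    for e in setup.get("virtual_private", "").split(",") if e.startswith("%v4:!")]
    except ValueError as exc:
        excluded = []
        findings.append(f"virtual_private: {exc}")
    if left is not None and not any(left in net for net in excluded):
        findings.append(f"virtual_private does not exclude the subnet containing left={left}")
    # hda.secrets: <HDA IP> %any: "<psk>", with the PSK at least 8 characters (the page's minimum).
    m = re.match(r'^(\S+)\s+%any:\s+"([^"]*)"\s*$', secrets_text.strip())
    if m is None:
        findings.append('hda.secrets is not of the form <HDA IP> %any: "<psk>"')
    elif len(m.group(2)) < 8:
        findings.append("hda.secrets: PSK is shorter than 8 characters")
    elif left is not None and m.group(1) != str(left):
        findings.append(f"hda.secrets names {m.group(1)} but ipsec.conf has left={left}")
    return findings

def check_xl2tpd(conf_text, dhcp_range):
    """Findings for xl2tpd.conf given the LAN's DHCP pool as a (first, last) pair."""
    findings, values = [], parse_ini_values(conf_text)
    if values.get("ipsec saref") != "yes":
        findings.append("xl2tpd.conf: 'ipsec saref = yes' missing or commented out")
    try:
        pool = parse_range(values.get("ip range", ""))
        local_ip = ipaddress.IPv4Address(values.get("local ip", ""))
    except ValueError as exc:
        return findings + [f"xl2tpd.conf: cannot parse ip range / local ip ({exc})"]
    if pool[0] <= dhcp_range[1] and dhcp_range[0] <= pool[1]:  # closed intervals intersect
        findings.append(f"xl2tpd.conf: ip range {pool[0]}-{pool[1]} overlaps the DHCP range "
                        f"{dhcp_range[0]}-{dhcp_range[1]}")
    if pool[0] <= local_ip <= pool[1] or dhcp_range[0] <= local_ip <= dhcp_range[1]:
        findings.append(f"xl2tpd.conf: local ip {local_ip} lies inside the VPN pool or the DHCP range")
    return findings

def lint_all(ipsec_conf, secrets, xl2tpd_conf, dhcp_range_spec):
    return check_ipsec(ipsec_conf, secrets) + check_xl2tpd(xl2tpd_conf, parse_range(dhcp_range_spec))

if __name__ == "__main__":
    for line in lint_all(SAMPLE_IPSEC_CONF, SAMPLE_SECRETS, SAMPLE_XL2TPD_CONF, DHCP_RANGE) or ["no findings"]:
        print(line)
```

To check a real HDA, pass the contents of the three files and your own DHCP pool to lint_all(); an empty list means every check passed, and each finding names the file and key that needs attention.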

Configure PPP

  • Add following to /etc/ppp/chap-secrets (replace username and password accordingly):
Text
username * password *
  • Check /etc/ppp/options.xl2tpd to verify that all ms-dns entries point to the correct nameservers (the HDA).
  • Start xl2tpd:
bash code
service xl2tpd start


Configure Router

You need to forward ports 500 and 4500 (both UDP) to your HDA IP address.

Set Services to Start on Boot

bash code
chkconfig ipsec on
chkconfig xl2tpd on


That's basically it; you can now set up your L2TP/IPsec VPN client and try to connect.


References:

Fedora as IPsec/L2TP VPN Server for Mac and Android

Installing OpenSwan for the first time

Android L2TP/IPsec Client Setup

CONFIGURE

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN Settings
    • Add VPN
    • Add L2TP/IPsec PSK VPN
    • VPN Name and type in a descriptive name (i.e. HDA)
    • Set VPN Server and type the server hostname, username.yourhda.com (username = HDA name)
    • Set IPSec pre-shared key and enter thisisourkey (replace with your secret key)
  • Uncheck Enable L2TP secret
  • Open the menu and choose Save

CONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN configuration from the list
  • Enter your username and password (use correct capitalization)
  • Select Remember username and Connect

DISCONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • Select the VPN configuration from the list
    • Select Disconnect


Reference: Android L2TP/IPsec Instructions