Difference between revisions of "IPSEC/L2TP VPN Server"

From Amahi Wiki
(Created page with "{{MessageBox| backgroundcolor = #FBB| image =Warning.png| heading =WARNING| message = This is recommended only for advanced users, proceed with caution.}} This is a IPSEC/L2TP VP...")
Revision as of 01:03, 27 February 2012

WARNING
This is recommended only for advanced users, proceed with caution.


This is an IPSEC/L2TP VPN server implementation for Fedora 14 that allows Android devices to connect to your HDA. It has been tested with Android OS 2.3 via Samsung Galaxy S™ II Skyrocket™. It may not work for all Android devices or may require some modification.

Setup

Install the packages first as root user:

bash code
yum -y install openswan xl2tpd


Configure Openswan

  • Edit /etc/ipsec.conf with your favorite editor and update as follows (NOTE: replace {HDA IP Address}, e.g. 192.168.0.10, {Router IP Address}, e.g. 192.168.0.1, and xxx.xxx.xxx.xxx/24, e.g. 192.168.0.0/24, with the correct addresses for your network):
Text
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!xxx.xxx.xxx.xxx/24
    oe=off
    nhelpers=0

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left={HDA IP Address}
    leftprotoport=17/1701
    leftnexthop={Router IP Address}
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%no,%priv


  • Add the following to /etc/ipsec.d/hda.secrets (Openswan expects the PSK keyword between the colon and the quoted key; keep the file readable by root only):
Text
{HDA IP Address} %any: PSK "a_key_that_is_at_least_8_characters_long"


  • Edit /etc/sysctl.conf and add the following to the file:
Text
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0


  • In the same file, disable the following by adding a #:
Text
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0


  • Create /usr/bin/disable_send_accept_redirects, make it executable (chmod +x), and add the following:
Text
#!/bin/bash
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects


  • Add the following to /etc/rc.local so this script runs on boot (the path must match where the script was created above):
Text
/usr/bin/disable_send_accept_redirects


  • To verify everything is set correctly, do the following:
bash code
service ipsec start
ipsec verify


  • Everything should be "green" except SAref kernel support (N/A) and Opportunistic Encryption (DISABLED).
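As an added example (not from the Amahi wiki page), the shell functions below render the ipsec.conf and hda.secrets shown above from your HDA IP, router IP and LAN subnet, reject malformed addresses and short keys before anything is written under /etc, and generate a random pre-shared key instead of a guessable phrase. The function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Amahi wiki page: render the ipsec.conf and
# hda.secrets shown above from parameters, refusing bad input before anything
# is written under /etc. Function names are this example's own.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}
# Print a random 32-hex-character PSK (16 bytes from /dev/urandom).
gen_psk() { od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; }
# Print ipsec.conf for HDA IP $1, router IP $2 and excluded LAN subnet $3.
render_ipsec_conf() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    cat <<EOF
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!$3
    oe=off
    nhelpers=0

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$1
    leftprotoport=17/1701
    leftnexthop=$2
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%no,%priv
EOF
}
# Print the hda.secrets line for HDA IP $1; PSK $2 must be at least 8 chars.
render_secrets() {
    valid_ipv4 "$1" && [ "${#2}" -ge 8 ] || return 1
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}
```

Typical use is `render_ipsec_conf 192.168.0.10 192.168.0.1 192.168.0.0/24 > /etc/ipsec.conf` followed by `render_secrets 192.168.0.10 "$(gen_psk)" > /etc/ipsec.d/hda.secrets` as root, then `chmod 600` on the secrets file.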


Configure xl2tpd

  • Edit /etc/xl2tpd/xl2tpd.conf:
    • Ensure ipsec saref = yes is uncommented.
    • Set ip range to a range outside the actively used IP range. For example, if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100, you can use 192.168.10.150-192.168.10.200. xl2tpd also needs a local ip, which is used for communication with PPP; in the same example you could use 192.168.10.101.
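The pool check described in the step above, as an added example that is not part of the original page: the functions verify that the xl2tpd client range and local ip stay clear of the LAN DHCP pool, then print the matching xl2tpd.conf fragment. Function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Amahi wiki page: check that the xl2tpd
# "ip range" and "local ip" for /etc/xl2tpd/xl2tpd.conf do not collide with
# the LAN DHCP pool, as the step above requires. Function names are our own.

# Convert a dotted-quad IPv4 address (octets without leading zeros) to an int.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
# Return 0 if ranges $1 and $2 (each "a.b.c.d-e.f.g.h") share no address.
ranges_disjoint() {
    s1=$(ip2int "${1%-*}"); e1=$(ip2int "${1#*-}")
    s2=$(ip2int "${2%-*}"); e2=$(ip2int "${2#*-}")
    [ "$e1" -lt "$s2" ] || [ "$e2" -lt "$s1" ]
}
# Return 0 if address $1 lies inside range $2.
in_range() {
    a=$(ip2int "$1"); s=$(ip2int "${2%-*}"); e=$(ip2int "${2#*-}")
    [ "$a" -ge "$s" ] && [ "$a" -le "$e" ]
}
# Validate DHCP pool $1, VPN client pool $2 and xl2tpd local ip $3; print the
# xl2tpd.conf fragment on success, a reason on stderr and status 1 otherwise.
check_xl2tpd_pools() {
    dhcp=$1; vpn=$2; local_ip=$3
    if ! ranges_disjoint "$dhcp" "$vpn"; then
        echo "VPN pool $vpn overlaps DHCP pool $dhcp" >&2; return 1
    fi
    if in_range "$local_ip" "$dhcp" || in_range "$local_ip" "$vpn"; then
        echo "local ip $local_ip falls inside a pool" >&2; return 1
    fi
    cat <<EOF
[global]
ipsec saref = yes

[lns default]
ip range = $vpn
local ip = $local_ip
pppoptfile = /etc/ppp/options.xl2tpd
EOF
}
```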

Configure PPP

  • Add the following to /etc/ppp/chap-secrets (replace username and password accordingly):
Text
username * password *
  • Check /etc/ppp/options.xl2tpd to verify that all ms-dns entries point to the correct nameservers (the HDA).
  • Start xl2tpd:
bash code
service xl2tpd start


Configure Router

You need to forward port 500 and 4500 (both UDP) to your HDA IP address.

Set Services to Start on Boot

bash code
chkconfig ipsec on
chkconfig xl2tpd on


That's basically it; you can now set up your L2TP/IPSEC VPN client and try to connect.


Android L2TP/IPsec Client Setup

CONFIGURE

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN Settings
    • Add VPN
    • Add L2TP/IPsec PSK VPN
    • VPN Name and type in a descriptive name (i.e. HDA)
    • Set VPN Server and type your server hostname, username.yourhda.com (username = your HDA name)
    • Set IPSec pre-shared key and enter thisisourkey (replace with your secret key)
  • Uncheck Enable L2TP secret
  • Open the menu and choose Save

CONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • VPN configuration from the list
  • Enter your username and password (use correct capitalization)
  • Select Remember username and Connect

DISCONNECT

  • Open the menu and choose Settings
  • Select
    • Wireless and Network or Wireless Controls, depending on your version of Android
    • Select the VPN configuration from the list
    • Select Disconnect
