IPSEC/L2TP VPN Server
From Amahi Wiki
WARNING | |
---|---|
This is recommended only for advanced users, proceed with caution. |
This is a IPSEC/L2TP VPN implementation for Fedora 14 that allows Android devices to connect to your HDA. It has been tested with Android OS 2.3 via Samsung Galaxy S™ II Skyrocket™. It may not work for all Android devices or may require some modification.
Setup
Install the packages first as root user:
bash code |
---|
yum -y install openswan xl2tpd
|
Configure Openswan
- Edit /etc/ipsec.conf with your favorite editor and update as follows (NOTE: Replace the {HDA IP Address} i.e. 192.168.0.10, {Router IP Address} i.e. 192.168.0.1, and xxx.xxx.xxx.xxx/24 i.e. 192.168.0.0/24 with the correct IP addresses for your network):
Text |
---|
config setup protostack=netkey nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!xxx.xxx.xxx.xxx/24 oe=off nhelpers=0 conn L2TP-PSK authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left={HDA IP Address} leftprotoport=17/1701 leftnexthop={Router IP Address} right=%any rightprotoport=17/0 rightsubnet=vhost:%no,%priv
|
- Add the following to /etc/ipsec.d/hda.secrets:
Text |
---|
{HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"
|
- Edit /etc/sysctl.conf and add following to the file:
Text |
---|
net.ipv4.ip_forward = 1 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0
|
- In the same file, disable the following by adding a #:
Text |
---|
#net.bridge.bridge-nf-call-ip6tables = 0 #net.bridge.bridge-nf-call-iptables = 0 #net.bridge.bridge-nf-call-arptables = 0
|
- Create /usr/bin/disable_send_accept_redirects and add the following:
Text |
---|
#!/bin/bash # Disable send redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects # Disable accept redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
|
- Add the following to /etc/rc.local so this script runs on boot:
Text |
---|
/root/bin/disable_send_accept_redirects
|
- To verify everything is set correctly, do the following:
bash code |
---|
service ipsec start ipsec verify
|
- Everything should be "green" except SAref kernel support (N/A) and Opportunistic Encryption (DISABLED).
Configure xl2tpd
- Edit /etc/xl2tpd/xl2tpd.conf:
- Ensure
ipsec saref = yes
is uncommented. - The IP range is outside an actively used IP range. For example if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local IP which is used for communication with PPP. Given example, you could use 192.168.10.101.
- Ensure
Configure PPP
- Add following to /etc/ppp/chap-secrets (replace username and password accordingly):
Text |
---|
username * password *
|
- Check /etc/ppp/options.xl2tpd to verify that all ms-dns entries point to the correct nameservers (the HDA).
- Start xl2tpd:
bash code |
---|
service xl2tpd start
|
Configure Router
You need to forward port 500 and 4500 (both UDP) to your HDA IP address.
Set Services to Start on Boot
bash code |
---|
chkconfig ipsec on chkconfig xl2tpd on
|
That's basically it, you can now setup your L2TP/IPSEC VPN client and try to connect.
References:
Android L2TP/IPsec Client Setup
CONFIGURE
- Open the menu and choose Settings
- Select
- Wireless and Network or Wireless Controls, depending on your version of Android
- VPN Settings
- Add VPN
- Add L2TP/IPsec PSK VPN
- VPN Name and type in a descriptive name (i.e. HDA)
- Set VPN Server and type the following server hostname to username.yourhda.com (username=HDA name)
- Set IPSec pre-shared key and enter thisisourkey (replace with your secret key)
- Uncheck Enable L2TP secret
- Open the menu and choose Save
CONNECT
- Open the menu and choose Settings
- Select
- Wireless and Network or Wireless Controls, depending on your version of Android
- VPN configuration from the list
- Enter your username and password (use correct capitalization)
- Select Remember username and Connect
DISCONNECT
- Open the menu and choose Settings
- Select
- Wireless and Network or Wireless Controls, depending on your version of Android
- Select the VPN configuration from the list
- Select Disconnect
Reference: Android L2TP/IPsec Instructions