Changes

From Amahi Wiki
Jump to: navigation, search
360 bytes removed ,  03:58, 23 June 2020
no edit summary
heading =WARNING|
message = This is recommended only for advanced users, proceed with caution.}}
 {{NeedsUpdate}}  This is a IPSECIPsec/L2TP VPN server implementation for Fedora 14 that allows Android OS (2.3.5 or less) devices to connect to your HDA. It has been tested with Android OS 2.3.5 via [http://www.samsung.com/us/mobile/cell-phones/SGH-I727MSAATT Samsung Galaxy S™ II Skyrocket™]. It may not work for all Android devices or may require some modification.
===Setup===
Install the packages first as root user:
{{Code| yum -y install openswan xl2tpd}}
====Configure Openswan====
*Edit '''''/etc/ipsec.conf''''' with your favorite editor and update as follows ('''NOTE:''' Replace the ''{HDA IP Address}'' i.e. 192.168.0.10, ''{Router IP Address}'' i.e. 192.168.0.1, and xxx.xxx.xxx.xxx/24 i.e. 192.168.0.0/24 with the correct IP addresses for your network):{{Text|Text=<pre>config setup
protostack=netkey
nat_traversal=yes
oe=off
nhelpers=0
<nowiki></nowiki>conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT<nowiki></nowiki>conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=<nowiki>{HDA IP Address}</nowiki> leftprotoport=17/1701 leftnexthop={Router IP Address} right=%any rightprotoport=17/0 rightsubnet=vhost:%no,%priv}}any</pre>
* Add the following to '''''/etc/ipsec.d/hda.secrets''''':
{{Text| {HDA IP Address} %any: "a_key_that_is_at_least_8_characters_long"}}
* Edit '''''/etc/sysctl.conf''''' and add following to the file:
{{Text|Text=<pre>net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0}}</pre>
* In the same file, disable the following by adding a #:
{{Text|Text=<pre><nowiki>#</nowiki>net.bridge.bridge-nf-call-ip6tables = 0
<nowiki>#</nowiki>net.bridge.bridge-nf-call-iptables = 0
<nowiki>#</nowiki>net.bridge.bridge-nf-call-arptables = 0}}</pre>
* Create '''''/usr/bin/disable_send_accept_redirects''''' and add To enable changes, do the following:{{Text|Text=<nowiki>#</nowiki>!/bin/bash sysctl -p
<nowiki>#</nowiki> Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
* Create '''''/usr/bin/zl2tpset''''' and add the following:<pre><nowiki>#</nowiki> Disable accept redirectsecho 0 > !/procbin/sys/net/ipv4/conf/all/accept_redirectsbashecho 0 > for each in /proc/sys/net/ipv4/conf/default/accept_redirects*"doecho 0 > /proc/sys/net/ipv4/conf/eth0\$each/accept_redirectsecho 0 > \$each/procsend_redirectsdone</sys/net/ipv4/conf/lo/accept_redirects}}pre> 
* Make it executable
{{Code| chmod 755 /usr/bin/disable_send_accept_redirects}}zl2tpset
* Add the following to '''''/etc/rc.local''''' so this script runs on boot:
{{Text|Text= /rootusr/bin/disable_send_accept_redirects}}zl2tpset
* To verify everything is set correctly, do the following:
{{Code| service ipsec start ipsec verify}}
* Everything should be "green" except ''SAref kernel support'' ('''N/A''') and ''Opportunistic Encryption'' ('''DISABLED''').
 
====Configure xl2tpd====
* Edit '''''/etc/xl2tpd/xl2tpd.conf'''''and update to reflect as follows:** Ensure <code>ipsec saref = yes</code> is uncommented.** '''NOTE:''' The IP range is outside an actively used IP range. For example if your DHCP server assigns IPs between 192.168.10.10 and 192.168.10.100 you can use 192.168.10.150-192.168.10.200. Also, xl2tpd needs a local IP which is used for communication with PPP. Given example, you could use 192.168.10.101.<pre>[global]ipsec saref = no [lns default]ip range = 192.168.10.150-192.168.10.200local ip = 192.168.10.101require chap = yesrefuse pap = yesrequire authentication = yesppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yes</pre>
====Configure PPP====
* Add following to '''''/etc/ppp/chap-secrets''''' (replace username and password accordingly):
{{Text|Text= username * password *}}
* Check '''''/etc/ppp/options.xl2tpd''''' to verify that all ''ms-dns'' entries point to the correct nameservers (the HDA).
*Start xl2tpd:
{{Code| service xl2tpd start}}
====Configure Router====
====Set Services to Start on Boot====
{{code| chkconfig ipsec on chkconfig xl2tpd on}}
That's basically it, you can now setup your L2TP/IPSEC IPsec VPN client and try to connect.
References:
[http://www.mindbug.org/2010/11/fedora-as-ipsecl2tp-vpn-server-for-mac.html Fedora as IPSECIPsec/L2TP VPN Server for Mac and Android]
[https://lists.openswan.org/pipermail/users/2008-March/014218.html Installing OpenSwan for the first time]
 
[http://www.linuxhelp.in/2011/06/installing-and-configuring-l2tp-vpn.html Installing and configuring l2tp vpn using xl2tpd]
===Android L2TP/IPsec Client Setup===
Reference: [https://www.goldenfrog.com/vyprvpn/support/vpn-setup/android-l2tp Android L2TP/IPsec Instructions]
 
===TIPS===
There is a nice [http://3h3.62.sl.pt VPN Menu] shortcut that you can install from the Android App Market that puts a shortcut on the home screen. When selected, it takes you right to the VPN screen.
12,424

edits