LinuxQuestions.org

Forum: Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
Thread: IPSec L2TP VPN server on Ubuntu for iPhone (https://www.linuxquestions.org/questions/linux-networking-3/ipsec-l2tp-vpn-server-on-ubuntu-for-iphone-718264/)

Apollo77 04-10-2009 12:54 PM

IPSec L2TP VPN server on Ubuntu for iPhone
 
I am trying to set up an IPSec L2TP server on Ubuntu so I can route all traffic from my iPhone through my home DSL connection. I used this as a general guide:

http://rootmanager.com/ubuntu-ipsec-...s-clients.html

I am able to establish the VPN connection, but I only have access to addresses on my home network through the VPN. I can't access anything on the internet. Safari can browse web pages only within my LAN. The iPhone queries my DNS server successfully, so I am fairly confident this is not a DNS issue.

Can anyone point me in the right direction? Why can't I access anything on the WAN? Suggestions?

Apollo

Apollo77 04-10-2009 04:17 PM

Ok, I think my problem has to do with NAT-Traversal. I have almost no idea what that is, but I notice if I set "nat_traversal=no" in /etc/ipsec.conf then I can connect to my VPN, but not access the WAN. Port 4500/udp is not shown in "netstat -antu" when I do this. However, if I set "nat_traversal=yes" then Port 4500/udp does appear with netstat, but I cannot connect to my VPN.

I think I need nat_traversal on, but I don't know where to go from here. I suppose my kernel maybe does not support NAT-T. Not sure.

Apollo77 04-13-2009 02:51 PM

I think I'm getting close. However ... I cannot seem to get this working. I think there is something fundamental I am failing to grasp.

Here is my setup:

openswan/xl2tpd server -- my router -- my iphone on the internet

OR

192.168.0.31--192.168.0.1--my router--11.22.33.44-----99.99.99.99
(server) -- (internal ip) -- (external ip) -- (iphone)

Obviously, the external ip addresses are not real.

My router is passing 500/udp and 4500/udp and protocol 50 to the server at 192.168.0.31. Fortunately, I have a router that will pass protocol 50 (Dlink Dir 655) -- I think many cheapo routers will not do this.

My /etc/ipsec.conf file looks like this:
===================
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/16
    nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

include /etc/ipsec.d/l2tp-psk.conf

==================

My /etc/ipsec.d/l2tp-psk.conf looks like this:

==================

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    #rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=192.168.0.31
    leftnexthop=192.168.0.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any #I found the iPhone works with 17/%any both inside and outside my LAN.
    #rightprotoport=17/0 #It seems to be reported that OS X requires this. Experiment to find what works for you.

==================

Here's my /etc/xl2tpd/xl2tpd.conf:

==================

[global]
ipsec saref = yes

[lns default]
ip range = 192.168.0.231-192.168.0.239
local ip = 192.168.0.230
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

==================

Here is my /etc/ppp/options.xl2tpd:

==================

# This file is filled with comments. I took them all out.
require-mschap-v2
ms-dns 192.168.0.31
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

==================

Here is what I get when I run ipsec verify:

==================

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

================

BTW, I am using PSKs. The authentication stuff all seems to be working. Ipsec connects fine and the VPN appears to establish normally on the iPhone. However, if I try to ping an address on my LAN from the iPhone, I get no response. If I open Safari, I cannot get to any external sites. Actually, I can browse to local sites within my LAN. The iPhone queries my DNS server successfully (DNS also runs on 192.168.0.31), but Safari does not connect to the site.

I am not fully grasping the left/right stuff in /etc/ipsec.conf . I am also not certain I have nat traversal working. I think nat traversal should be working with the kernel I am running (Linux clark 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux).

Ok, there's a lot of information. Any suggestions would be greatly appreciated.

Apollo

Apollo77 04-13-2009 06:24 PM

Ok, well, maybe this will help someone. I found the problem while reading this:

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

My configuration was apparently fine except for the /etc/ppp/chap-secrets file. This is that file now:

=========

# Secrets for authentication using CHAP
# client server secret IP addresses
user222 l2tpd "password333" *
l2tpd user222 "password333" *

=========

I previously only had one line in this file. Apparently, the 2nd reverse line is also required because chap authentication needs to work in both directions.

Actually, I thought my configuration was refusing chap, so I remain confused about that. Oh well, it works.

Go figure.
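The fix above turned on the contents of /etc/ppp/chap-secrets. The following script is an added example, not something from the thread or from the xl2tpd/pppd projects: it checks a chap-secrets file for the reverse entry the poster found necessary and for safe file permissions, since the file holds plaintext passwords. The pppd name "l2tpd" and the sample entries come from the post; the two checks and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check /etc/ppp/chap-secrets for
# an xl2tpd/pppd setup like the one posted above. The pppd name "l2tpd" and the
# sample entries are taken from the post; the checks themselves are assumptions.

# chap_missing_reverse FILE SERVER
# Lists every client that has a "client SERVER secret ip" line but no matching
# "SERVER client secret ip" line, i.e. the reverse entry the poster found
# necessary. Returns 0 when none are missing, 1 otherwise.
chap_missing_reverse() {
    awk -v srv="$2" '
        # skip comments and blank lines; only columns 1-2 matter, so quoted
        # secrets containing spaces do not confuse the parse
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            pair[$1 " " $2] = 1
            if ($2 == srv) clients[$1] = 1
        }
        END {
            rc = 0
            for (c in clients)
                if (!((srv " " c) in pair)) { print c; rc = 1 }
            exit rc
        }' "$1"
}

# chap_perms_ok FILE
# chap-secrets holds plaintext passwords, so it must not be group- or
# world-readable. Returns 0 for mode 0600/0400, 1 otherwise.
chap_perms_ok() {
    perm=$(ls -l "$1" | cut -c2-10)
    case "$perm" in
        rw-------|r--------) return 0 ;;
        *) echo "$1 has permissions $perm; use chmod 600" >&2; return 1 ;;
    esac
}

# Run both checks on a real file:
#   sh chapcheck.sh run /etc/ppp/chap-secrets l2tpd
if [ "${1:-}" = "run" ]; then
    chap_perms_ok "$2"
    if missing=$(chap_missing_reverse "$2" "$3"); then
        echo "every client has a reverse entry"
    else
        echo "clients without reverse entry: $missing"
    fi
fi
```

Only the first two columns are parsed, so a quoted secret with spaces in it does not shift the IP column into the comparison. The permission check reads `ls -l` rather than `stat` so it behaves the same on GNU and BSD userlands.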

Apollo77 04-15-2009 09:15 AM

Other things I did that are probably necessary:

Install openswan-modules-source:
apt-get install openswan-modules-source


Uncomment these two lines in /etc/sysctl.conf:

net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_redirects = 0


I placed these four lines in my /etc/rc.local file:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart #not sure why, but ipsec was not starting after reboot. This should fix that.

MidSpeck 07-08-2009 02:37 PM

Quote:

Originally Posted by Apollo77 (Post 3509693)
Other things I did that are probably necessary:
...
echo 1 > /proc/sys/net/ipv4/ip_forward

It was actually probably this change that allowed things to work for you. Otherwise your Ubuntu box will not forward packets between the two endpoints. (Or did you make this change early on?)
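The rc.local lines in the post above and MidSpeck's point about ip_forward both come down to a handful of kernel knobs. The script below is an added example, not from the thread: it verifies (and can apply) those settings by reading a /proc-style tree. The directory argument defaults to /proc on a real box; the test points it at a constructed directory so no root is needed. Function names and the wording of the messages are my own.

```shell
#!/bin/sh
# Added example (not from the thread): verify the kernel settings that the
# rc.local lines and MidSpeck's ip_forward remark above depend on. It reads
# a /proc-style tree; the root defaults to /proc, and the test points it at
# a constructed directory so it runs without root.

# read_knob PATH: print a sysctl value with whitespace removed, or "missing".
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo "missing"; fi
}

# check_forwarding_knobs [PROC_ROOT]
# The VPN box must forward (ip_forward=1) or the iPhone reaches nothing beyond
# the server itself, and NETKEY IPsec needs ICMP redirects off on every
# interface (this is what "ipsec verify" tests), because redirects emitted or
# honoured for traffic that re-enters the same interface steer hosts around
# the IPsec path. Prints each wrong knob; returns 0 when all are right.
check_forwarding_knobs() {
    root=${1:-/proc}
    bad=0
    v=$(read_knob "$root/sys/net/ipv4/ip_forward")
    if [ "$v" != 1 ]; then
        echo "ip_forward=$v (want 1)"
        bad=1
    fi
    for f in "$root"/sys/net/ipv4/conf/*/send_redirects \
             "$root"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -e "$f" ] || continue
        v=$(read_knob "$f")
        if [ "$v" != 0 ]; then
            echo "${f#"$root"/sys/net/ipv4/conf/}=$v (want 0)"
            bad=1
        fi
    done
    return $bad
}

# apply_forwarding_knobs [PROC_ROOT]: set the same values, as rc.local does.
# Needs root on a real system; /etc/sysctl.conf is the persistent place.
apply_forwarding_knobs() {
    root=${1:-/proc}
    for f in "$root"/sys/net/ipv4/conf/*/accept_redirects \
             "$root"/sys/net/ipv4/conf/*/send_redirects; do
        [ -e "$f" ] && echo 0 > "$f"
    done
    echo 1 > "$root/sys/net/ipv4/ip_forward"
}

# Usage: sh knobs.sh check        (read-only report against /proc)
#        sh knobs.sh apply        (as root; same effect as the rc.local lines)
if [ "${1:-}" = "check" ]; then check_forwarding_knobs "${2:-/proc}"; fi
if [ "${1:-}" = "apply" ]; then apply_forwarding_knobs "${2:-/proc}"; fi
```

The check walks every interface under conf/*, not just "all", because the per-interface files are what the kernel actually consults and a new ppp interface inherits conf/default, not conf/all.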

Steveington 10-19-2009 03:10 PM

Oh, Great info. Thanks for the help Midspeck!

Apollo77 10-21-2009 10:27 AM

BTW, I am regularly using this VPN setup. I sit on a GO train (commuter train in Toronto) every day for about 45 minutes and this setup is great. The VPN connection establishes in just a few seconds. Once I am connected, it's as though I am sitting at home -- my iphone is connected to my home LAN. I regularly connect from my iphone 3G to PCs at my home (via VNC and RDP) and do lots of other stuff. The connection occasionally drops, but in general it is quite reliable.

If you can get this working, you will be pleased.

Apollo

bleargh 11-23-2009 10:33 PM

I wish this were easier to set up. I want to do the same thing from Android. Does it work with Dynamic DNS addresses?

Apollo77 11-24-2009 08:28 AM

The iphone is on a dynamic IP address when connected over 3G. My VPN server is at my home and it's on a static IP address. If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).

Apollo77 11-24-2009 08:36 AM

One thing I have noticed is that my particular VPN setup seems to work only for the iphone. I have tried to set up a VPN from my laptop (running windoze) and I cannot connect. Maybe I could get it working for both, but it's not worth the effort from my laptop -- I just funnel traffic I want encrypted through an SSH tunnel instead ... less hassle.

I'd be interested to know if anyone else gets this working on the iphone.

bleargh 11-24-2009 09:05 AM

Quote:

Originally Posted by Apollo77 (Post 3767926)
If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).

Yes, that's what I mean. My router has Tomato firmware and has a DynDNS that it keeps updated at all times, but I don't know if the server can handle that.

Quote:

Set left=12.34.56.78 [should be set to your external IP address on the machine users will connect to]
I've been using an SSH tunnel from Windows computers, too. I know I've used PPTP in the past without too much hassle, but I don't know if that's encrypted, and [edit:] Windows does have native support for both "PPTP VPN" and "L2TP IPSec VPN".

Apollo77 11-24-2009 11:24 AM

I run Tomato also. I've simply got UDP ports 500, 1701, and 4500 forwarded to the box running the VPN server. I could be wrong, but I don't think the "protocol 50" thing mentioned in one of my earlier posts is necessary.

Unless I am missing something, I don't see why dynamic DNS would be an issue with your setup. I suppose if the IP address changed during a connection then you would get dropped, but that would be a rare event.

bleargh 11-24-2009 08:00 PM

And does it route everything through the VPN?

Apollo77 11-25-2009 08:27 AM

I think I am correct in saying once connected to the VPN everything gets routed through the VPN. Local web sites (i.e. http://192.168.0.x) appear just like I am at home on my local network. I regularly open VNC, RDP, and SSH sessions using addresses local to my LAN at home.

Regular web browsing is actually a bit slower when connected to the VPN because my upload speed at home becomes the download speed on the iphone. My DSL connection at home is about 8M/720kb, so I am limited to 720kbps download on the iphone. In downtown Toronto where I work this makes little difference because of existing network congestion -- I rarely see 500kbps download on 3G downtown (connected to the VPN or not). However, I live about 50km north of the city and I see 2M or higher on 3G there, so the VPN becomes the bottleneck there -- it's actually faster when not connected to the VPN.

bleargh 11-25-2009 09:45 AM

Yeah, speed's not that important. I'd be connecting through Wi-Fi nodes only, so I want everything encrypted. I'll try to set this up when I have some time to spend. Thanks for the info!

yyz 11-26-2009 06:35 PM

Apollo77,

Is this setup still working for you? Are you on Rogers or Fido? I thought both Fido and Rogers have blocked vpn on cellular network since last month and it's now only available as 10$ add-on on Rogers... (http://www.howardforums.com/showthread.php?t=1573850)

I'm looking for a way to access Pandora radio from iPhone in Canada... Would you have some ideas how to extend your setup to achieve this? It would certainly make your go commute much more pleasant ;)

Thanks,
yyz

Apollo77 11-27-2009 10:24 AM

I'm on Rogers. I used the VPN today. It's still working in Toronto and I'm not paying extra. Same deal on tethering ... I see it on the bill, but they don't charge me yet. Maybe it depends on your package. I've got 6 gigs per month. After ripoff fees and taxes I'm paying $100. Maybe VPN blocking is coming.

If they start blocking my VPN I'll need to use an SSH tunnel instead. That won't be as convenient, but it will serve my purposes for some things I do on the iphone. I can see what Rogers' motives might be. I've got Skype installed on my iphone and I've tried it a few times through the VPN over 3G (I think I had to hack something to get it to work on 3G, but I can't recall the details). It doesn't work very well, but potentially Skype could cut into Rogers' regular cell service and use up 3G bandwidth. The day is coming when traditional cell phone service providers need to realize they are now providing data services, not phone call services.

Pandora radio ...
"We are deeply, deeply sorry to say that due to licensing constraints, we can no longer allow access to Pandora for listeners located outside of the U.S."

hmmmm, that's a tough one. They are using IP address to determine country. The only solution I can think of is some kind of proxy scheme based in the US. Maybe it exists. Google it.

MidSpeck 12-02-2009 03:55 AM

Depends on your default gateway
 
Quote:

Originally Posted by Apollo77 (Post 3769228)
I think I am correct in saying once connected to the VPN everything gets routed through the VPN.

Apollo is right. I can't speak for the iPhone since I haven't played with it much, but the way it works for Windows depends on a single setting.
In Windows, "Use default gateway on remote network" is normally set, which means that everything gets routed to the VPN server. If you uncheck that setting, then Windows only routes a single subnet to the VPN server.

yyz 12-09-2009 08:20 PM

@Apollo77

I have the exact same configuration as you do but I can't seem to get l2tp/ipsec working. IPSec part seems ok as I see the following in auth.log:

Code:

Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0220d810 <0x2b3876b2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=24.24.24.24:42500 DPD=none}

ipsec verify shows this:

Code:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.22/K2.6.31-16-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects      [OK]
NETKEY detected, testing for disabled ICMP accept_redirects    [OK]
Checking for RSA private key (/etc/ipsec.secrets)              [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                      [OK]
Checking for 'iptables' command                                [OK]
Opportunistic Encryption Support                                [DISABLED]

However, no clue what's going on with xl2tpd. All I see is:

Code:

Dec  9 21:05:29 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:30 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: Maximum retries exceeded for tunnel 58710.  Closing.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: Connection 3 closed to 24.24.24.24, port 49201 (Timeout)
Dec  9 21:05:48 xxxxxx xl2tpd[7924]: Unable to deliver closing message for tunnel 58710. Destroying anyway.

Any idea what might be wrong? The only difference that I'm aware of is that Bell's crappy 2wire modem wouldn't let me forward protocol 50. Could that be the issue here?

Thanks!
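The log excerpts in the post above show the usual way an L2TP/IPsec failure presents: pluto reports the SA established, then xl2tpd loops on the same tunnel request until it times out. The script below is an added example, not part of the thread, that pattern-matches those pluto, xl2tpd and pppd messages and says which phase got through. The sample input is constructed from the lines in the post (host name and peer address as the poster redacted them); the verdict text is my own suggestion of where to look next.

```shell
#!/bin/sh
# Added example (not from the thread): a small triage script for the log lines
# yyz posted, to tell which phase of an L2TP/IPsec login got through. It only
# pattern-matches the openswan (pluto), xl2tpd and pppd messages seen in this
# thread; the verdict strings are assumptions about what to look at next.

# l2tp_triage LOGFILE
# Prints one summary line: a count per phase and a verdict.
l2tp_triage() {
    awk '
        /pluto\[[0-9]+\]:/  && /IPsec SA established/                           { sa++ }
        /xl2tpd\[[0-9]+\]:/ && /Peer requested tunnel [0-9]+ twice/             { dup++ }
        /xl2tpd\[[0-9]+\]:/ && (/Maximum retries exceeded/ || /\(Timeout\)/)    { to++ }
        /pppd\[[0-9]+\]:/   && /IP address/                                     { ppp++ }
        END {
            if (sa == 0)
                v = "no IPsec SA established: check PSK, ipsec.conf and UDP 500/4500 forwarding"
            else if (dup > 0 || to > 0)
                v = "IPsec SA is up but the L2TP control channel never completes: look at xl2tpd/openswan compatibility, not at NAT"
            else if (ppp == 0)
                v = "IPsec and L2TP are up but pppd assigned no address: check chap-secrets and options.xl2tpd"
            else
                v = "all phases seen"
            printf "ipsec_sa=%d l2tp_dup=%d l2tp_timeout=%d ppp_addr=%d verdict=%s\n", sa, dup, to, ppp, v
        }' "$1"
}

# l2tp_triage_sample: run the triage over input constructed from the lines in
# the post above, then print the summary.
l2tp_triage_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0220d810 <0x2b3876b2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=24.24.24.24:42500 DPD=none}
Dec  9 21:05:29 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:30 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: Maximum retries exceeded for tunnel 58710.  Closing.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: Connection 3 closed to 24.24.24.24, port 49201 (Timeout)
Dec  9 21:05:48 xxxxxx xl2tpd[7924]: Unable to deliver closing message for tunnel 58710. Destroying anyway.
EOF
    l2tp_triage "$tmp"
    rm -f "$tmp"
}

# On a real box: l2tp_triage /var/log/auth.log   (pluto lines)
#                l2tp_triage /var/log/syslog     (xl2tpd and pppd lines)
if [ "${1:-}" = "sample" ]; then l2tp_triage_sample; fi
```

On the posted excerpt the summary reads ipsec_sa=1, four duplicate tunnel requests and two timeouts, which is what separates this case (IPsec fine, L2TP not completing) from the earlier "connected but no WAN" problem, where all three phases succeed and forwarding is the thing to check.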

yyz 12-09-2009 08:25 PM

Fido/Rogers blocking vpn
 
BTW, it seems Fido/Rogers have only blocked PPTP on 3G network (now available as premium service on Rogers). There have been many reports that L2TP/IPSEC still works (this is confirmed by Apollo77 too).

Apollo77 12-10-2009 01:03 PM

yyz, I will compare your logs with mine. However, it might be a few days before I get to it (busy time of year).

yyz 12-14-2009 12:13 PM

It's working now!
 
This issue is resolved now. I got some help from this thread. The problem was that the latest version of openswan has a bug that causes xl2tpd to fail. Downgrading to 2.4.12 version from the jaunty release fixed this problem. A small issue that I'm still facing is that if I disconnect and immediately try to reconnect, the connection fails with the same error that I posted before. However, if I try after a few hours or do an ipsec restart, it works again.

Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.

@Apollo77, thanks a lot for all the configs you posted - they were tremendous help.

Cheers!
YYZ

Apollo77 12-15-2009 10:59 AM

Glad you resolved it. I actually tried to send you a private message, but was not able. Since you are in Toronto (as am I), I was going to offer to hand you a copy on a CD of the VMware virtual machine where I run the VPN server. Running this in a VM works quite well and gives it portability.

However, that offer is now off the table (I don't wish to be inundated with requests for it). Perhaps, this could be distributed as a VMware appliance, but I am not volunteering to do this.

Apollo

MidSpeck 12-30-2009 11:28 AM

Quote:

Originally Posted by yyz (Post 3791192)
Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.

Correct, if you are behind a NAT such that your connection must use UDP port 4500 (NAT-T), then proto 50 isn't used directly. Protocol 50 is used when both sides have routable IP addresses.

Delcarlos 06-24-2010 04:00 AM

Hello,

This post was very useful for me to establish connection between my iphone and remote server.
My connection ipsec is OK, my connection l2tp is OK, I can access my remote network address but I can't access another remote internet ip address.

I can see some traffic in my interface ppp0 with tcpdump.

I think it's a routing problem, or iptables?

Can anyone help me with this issue?

MidSpeck 06-24-2010 03:19 PM

Quote:

Originally Posted by Delcarlos (Post 4013440)
I can see some traffic in my interface ppp0 with tcpdump.

I think it's a routing problem, or iptables?

If you can see some traffic on ppp0, it's probably exactly what you guessed.
Is ip_forward enabled? (/proc/sys/net/ipv4/ip_forward should be 1)
If so, I would lean toward an iptables issue.
Check your FORWARD chain rules and make sure that ppp0 can talk to the desired network. Conversely, make sure that your internal network can talk to ppp0.

Perhaps your rules would look something like:
-A FORWARD -i ppp+ -p all -j ACCEPT
-A FORWARD -o ppp+ -p all -j ACCEPT
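The two FORWARD rules above are the usual answer to "IPsec and L2TP connect, LAN works, the internet does not". The script below is an added example, not from the thread: it reads an iptables-save dump and reports whether forwarded traffic into and out of the ppp interfaces is accepted, whether a catch-all DROP sits above those rules, and whether any MASQUERADE/SNAT exists. The rule patterns and the messages are my own; only the ppp+ rules come from MidSpeck's post. The sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables-save dump for the
# FORWARD rules MidSpeck describes, so "connected but no WAN" can be confirmed
# or ruled out as a firewall problem. The rule patterns and the advice text
# are assumptions; only the ppp+ rules come from the post.

# fwd_check DUMPFILE   (DUMPFILE is the output of: iptables-save > dump)
# Returns 0 if forwarded traffic into and out of the ppp interfaces is
# accepted, 1 otherwise, printing what is missing. Also notes when no
# MASQUERADE/SNAT exists, which only matters once the ppp address range
# is outside the LAN (the thread's setup keeps it inside and uses proxyarp).
fwd_check() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:FORWARD ACCEPT/                          { policy_ok = 1 }
        table == "filter" && /^-A FORWARD / && /-i ppp/ && /-j ACCEPT/    { in_ok = 1 }
        table == "filter" && /^-A FORWARD / && /-o ppp/ && /-j ACCEPT/    { out_ok = 1 }
        # a catch-all drop seen before any ppp ACCEPT shadows the rules below it
        table == "filter" && /^-A FORWARD -j (DROP|REJECT)/ && !in_ok && !out_ok { early_drop = 1 }
        table == "nat" && /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/    { masq = 1 }
        END {
            rc = 0
            if (!policy_ok && !in_ok)  { print "FORWARD: nothing accepts -i ppp+ (iPhone -> LAN/WAN is dropped)"; rc = 1 }
            if (!policy_ok && !out_ok) { print "FORWARD: nothing accepts -o ppp+ (replies to the iPhone are dropped)"; rc = 1 }
            if (early_drop && (in_ok || out_ok)) { print "FORWARD: a catch-all DROP/REJECT precedes the ppp rules; move the ppp ACCEPTs above it"; rc = 1 }
            if (!masq) print "note: no MASQUERADE/SNAT in nat POSTROUTING; required if the ppp range is not inside the LAN"
            exit rc
        }' "$1"
}

# fwd_sample: run the check over a constructed dump with a default-drop FORWARD
# chain, the two rules from the post, and no nat table.
fwd_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
COMMIT
EOF
    fwd_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On a real box: iptables-save > /tmp/dump && sh fwdcheck.sh /tmp/dump
if [ "${1:-}" = "sample" ]; then fwd_sample
elif [ -n "${1:-}" ]; then fwd_check "$1"
fi
```

Run it together with the ip_forward check: the FORWARD rules are only consulted once the kernel is forwarding at all, so a clean result here with ip_forward=0 still means no WAN access.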

VMsAreGreat 12-03-2010 09:27 AM

Tis the season
 
Quote:

Originally Posted by Apollo77 (Post 3792429)
Glad you resolved it. I actually tried to send you a private message, but was not able. Since you are in Toronto (as am I), I was going to offer to hand you a copy on a CD of the VMware virtual machine where I run the VPN server. Running this in a VM works quite well and gives it portability.

However, that offer is now off the table (I don't wish to be inundated with requests for it). Perhaps, this could be distributed as a VMware appliance, but I am not volunteering to do this.

Apollo

Great work Apollo77. I'd be happy to distribute this as a Virtual Appliance for you. It would be a shame to see all that work, all that effort not shared with the community.

VMsAreGreat
