I am trying to set up a IPSec L2TP server on Ubuntu so I can route all traffic from my iPhone through my home DSL connection. I used this as a general guide:

http://rootmanager.com/ubuntu-ipsec-...s-clients.html

I am able to establish the VPN connection, but I only have access to addresses on my home network through the VPN. I can't access anything on the internet. Safari can browse web pages only within my LAN. The iPhone queries my DNS server successfully, so I am fairly confident this is not a DNS issue.

Can anyone point me in the right direction? Why can't I access anything on the WAN? Suggestions?

Apollo

Ok, I think my problem has to do with NAT-Traversal. I have almost no idea what that is, but I notice if I set "nat_traversal=no" in /etc/ipsec.conf then I can connect to my VPN, but not access the WAN. Port 4500/udp is not shown in "netstat -antu" when I do this. However, if I set "nat_traversal=yes" then Port 4500/udp does appear with netstat, but I cannot connect to my VPN.

I think I need nat_traversal on, but I don't know where to go from here. I suppose my kernel maybe does not support NAT-T. Not sure.

1 members found this post helpful.

I think I'm getting close. However ... I cannot seem to get this working. I think there is something fundamental I am failing to grasp.

Here is my setup:

openswan/xl2tpd server -- my router -- my iphone on the internet

OR

192.168.0.31--192.168.0.1--my router--11.22.33.44-----99.99.99.99
(server) -- (internal ip) -- (external ip) -- (iphone)

Obviously, the external ip addresses are not real.

My router is passing 500/udp and 4500/udp and protocol 50 to the server at 192.168.0.31. Fortunately, I have a router that will pass protocol 50 (Dlink Dir 655) -- I think many cheapo routers will not do this.

My /etc/ipsec.conf file looks like this:
===================
version 2.0 # conforms to second version of ipsec.conf specification

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/16
nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

include /etc/ipsec.d/l2tp-psk.conf

==================

My /etc/ipsec.d/l2tp-psk.conf looks like this:

==================

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
#rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=192.168.0.31
leftnexthop=192.168.0.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any #I found the iPhone works with 17/%any both inside and outside my LAN.
#rightprotoport=17/0 #It seems to be reported that OS X requires this. Experiment to find what works for you.

==================

Here's my /etc/xl2tdp/xl2tpd.conf:

==================

[global]
ipsec saref = yes

[lns default]
ip range = 192.168.0.231-192.168.0.239
local ip = 192.168.0.230
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

==================

Here is my /etc/ppp/options.xl2tpd:

==================

# This file is filled with comments. I took them all out.
require-mschap-v2
ms-dns 192.168.0.31
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

==================

Here is what I get when I run ipsec verify:

==================

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

================

BTW, I am using PSKs. The authentication stuff all seems to be working. Ipsec connects fine and the VPN appears to establish normally on the iPhone. However, if I try to ping an address on my LAN from the iPhone, I get no response. If I open Safari, I cannot get to any external sites. Actually, I can browse to local sites within my LAN. The iPhone queries my DNS server successfully (DNS also runs on 192.168.0.31), but Safari does not connect to the site.

I am not fully grasping the left/right stuff in /etc/ipsec.conf . I am also not certain I have nat traversal working. I think nat traversal should be working with the kernel I am running (Linux clark 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux).

Ok, there's a lot of information. Any suggestions would be greatly appreciated.

Apollo

1 members found this post helpful.

Ok, well, maybe this will help someone. I found the problem while reading this:

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

My configuration was apparently fine except for the /etc/ppp/chap-secrets file. This is that file now:

=========

# Secrets for authentication using CHAP
# client server secret IP addresses
user222 l2tpd "password333" *
l2tpd user222 "password333" *

=========

I previously only had one line in this file. Apparently, the 2nd reverse line is also required because chap authentication needs to work in both directions.

Actually, I thought my configuration was refusing chap, so I remain confused about that. Oh well, it works.

Go figure.

1 members found this post helpful.

Other things I did that are probably necessary:

Install openswan-modules-source:
apt-get install openswan-modules-source


Uncomment these two lines in /etc/sysctl.conf:

net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/send_accept = 0


I placed these four lines in my /etc/rc.local file:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart #not sure why, but ipsec was not starting after reboot. This should fix that.

1 members found this post helpful.

It was actually probably this change that allowed things to work for you. Otherwise your Ubuntu box will not forward packets between the two endpoints. (Or did you make this change early on?)

1 members found this post helpful.

Oh, Great info. Thanks for the help Midspeck!

BTW, I am regularly using this VPN setup. I sit on a GO train (commuter train in Toronto) every day for about 45 minutes and this setup is great. The VPN connection establishes in just a few seconds. Once I am connected, it's as though I am sitting at home -- my iphone is connected to my home LAN. I regularly connect from my iphone 3G to PCs at my home (via VNC and RDP) and do lots of other stuff. The connection occasionally drops, but in general it is quite reliable.

If you can get this working, you will be pleased.

Apollo

I wish this were easier to setup. I want to do the same thing from Android. Does it work with Dynamic DNS addresses?

The iphone is on a dynamic IP address when connected over 3G. My VPN server is at my home and it's on a static IP address. If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).

One thing I have noticed is that my particular VPN setup seems to work only for the iphone. I have tried to set up a VPN from my laptop (running windoze) and I cannot connect. Maybe I could get it working for both, but it's not worth the effort from my laptop -- I just funnel traffic I want encrypted through an SSH tunnel instead ... less hassle.

I'd be interested to know if anyone else gets this working on the iphone.

Yes, that's what I mean. My router has Tomato firmware and has a DynDNS that it keeps updated at all times, but I don't know if the server can handle that.

I've been using an SSH tunnel from Windows computers, too. I know I've used PPTP in the past without too much hassle, but I don't know if that's encrypted, and [edit:] Windows does have native support for both "PPTP VPN" and "L2TP IPSec VPN".

I run Tomato also. I've simply got UDP ports 500, 1701, and 4500 forwarded to the box running the VPN server. I could be wrong, but I don't think the "protocol 50" thing mentioned in one of my earlier posts is necessary.

Unless I am missing something, I don't see why dynamic DNS would be an issue with your setup. I suppose if the IP address changed during a connection then you would get dropped, but that would be a rare event.

And does it route everything through the VPN?

I think I am correct in saying once connected to the VPN everything gets routed through the VPN. Local web sites (ie. http://192.168.0.x) appear just like I am at home on my local network. I regularly open VNC, RDP, and SSH sessions using addresses local to my LAN at home.

Regular web browsing is actually a bit slower when connected to the VPN because my upload speed at home becomes the download speed on the iphone. My DSL connection at home is about 8M/720kb, so I am limited to 720kbps download on the iphone. In downtown Toronto where I work this makes little difference because of existing network congestion -- I rarely see 500kbps download on 3G downtown (connected to the VPN or not). However, I live about 50km north of the city and I see 2M or higher on 3G there, so the VPN becomes the bottleneck there -- it's actually faster when not connected to the VPN.