LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-10-2009, 12:54 PM   #1
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Rep: Reputation: 35
IPSec L2TP VPN server on Ubuntu for iPhone


I am trying to set up a IPSec L2TP server on Ubuntu so I can route all traffic from my iPhone through my home DSL connection. I used this as a general guide:

http://rootmanager.com/ubuntu-ipsec-...s-clients.html

I am able to establish the VPN connection, but I only have access to addresses on my home network through the VPN. I can't access anything on the internet. Safari can browse web pages only within my LAN. The iPhone queries my DNS server successfully, so I am fairly confident this is not a DNS issue.

Can anyone point me in the right direction? Why can't I access anything on the WAN? Suggestions?

Apollo
 
Old 04-10-2009, 04:17 PM   #2
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Ok, I think my problem has to do with NAT-Traversal. I have almost no idea what that is, but I notice if I set "nat_traversal=no" in /etc/ipsec.conf then I can connect to my VPN, but not access the WAN. Port 4500/udp is not shown in "netstat -antu" when I do this. However, if I set "nat_traversal=yes" then Port 4500/udp does appear with netstat, but I cannot connect to my VPN.

I think I need nat_traversal on, but I don't know where to go from here. I suppose my kernel maybe does not support NAT-T. Not sure.
 
1 members found this post helpful.
Old 04-13-2009, 02:51 PM   #3
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
I think I'm getting close. However ... I cannot seem to get this working. I think there is something fundamental I am failing to grasp.

Here is my setup:

openswan/xl2tpd server -- my router -- my iphone on the internet

OR

192.168.0.31--192.168.0.1--my router--11.22.33.44-----99.99.99.99
(server) -- (internal ip) -- (external ip) -- (iphone)

Obviously, the external ip addresses are not real.

My router is passing 500/udp and 4500/udp and protocol 50 to the server at 192.168.0.31. Fortunately, I have a router that will pass protocol 50 (Dlink Dir 655) -- I think many cheapo routers will not do this.

My /etc/ipsec.conf file looks like this:
===================
version 2.0 # conforms to second version of ipsec.conf specification

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/16
nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

include /etc/ipsec.d/l2tp-psk.conf

==================

My /etc/ipsec.d/l2tp-psk.conf looks like this:

==================

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
#rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=192.168.0.31
leftnexthop=192.168.0.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any #I found the iPhone works with 17/%any both inside and outside my LAN.
#rightprotoport=17/0 #It seems to be reported that OS X requires this. Experiment to find what works for you.

==================

Here's my /etc/xl2tdp/xl2tpd.conf:

==================

[global]
ipsec saref = yes

[lns default]
ip range = 192.168.0.231-192.168.0.239
local ip = 192.168.0.230
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

==================

Here is my /etc/ppp/options.xl2tpd:

==================

# This file is filled with comments. I took them all out.
require-mschap-v2
ms-dns 192.168.0.31
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

==================

Here is what I get when I run ipsec verify:

==================

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

================

BTW, I am using PSKs. The authentication stuff all seems to be working. Ipsec connects fine and the VPN appears to establish normally on the iPhone. However, if I try to ping an address on my LAN from the iPhone, I get no response. If I open Safari, I cannot get to any external sites. Actually, I can browse to local sites within my LAN. The iPhone queries my DNS server successfully (DNS also runs on 192.168.0.31), but Safari does not connect to the site.

I am not fully grasping the left/right stuff in /etc/ipsec.conf . I am also not certain I have nat traversal working. I think nat traversal should be working with the kernel I am running (Linux clark 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux).

Ok, there's a lot of information. Any suggestions would be greatly appreciated.

Apollo

Last edited by Apollo77; 04-13-2009 at 08:07 PM.
 
1 members found this post helpful.
Old 04-13-2009, 06:24 PM   #4
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Ok, well, maybe this will help someone. I found the problem while reading this:

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

My configuration was apparently fine except for the /etc/ppp/chap-secrets file. This is that file now:

=========

# Secrets for authentication using CHAP
# client server secret IP addresses
user222 l2tpd "password333" *
l2tpd user222 "password333" *

=========

I previously only had one line in this file. Apparently, the 2nd reverse line is also required because chap authentication needs to work in both directions.

Actually, I thought my configuration was refusing chap, so I remain confused about that. Oh well, it works.

Go figure.

Last edited by Apollo77; 04-13-2009 at 06:27 PM.
 
1 members found this post helpful.
Old 04-15-2009, 09:15 AM   #5
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Other things I did that are probably necessary:

Install openswan-modules-source:
apt-get install openswan-modules-source


Uncomment these two lines in /etc/sysctl.conf:

net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/send_accept = 0


I placed these four lines in my /etc/rc.local file:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart #not sure why, but ipsec was not starting after reboot. This should fix that.

Last edited by Apollo77; 04-15-2009 at 09:34 AM.
 
1 members found this post helpful.
Old 07-08-2009, 02:37 PM   #6
MidSpeck
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Rep: Reputation: 6
Quote:
Originally Posted by Apollo77 View Post
Other things I did that are probably necessary:
...
echo 1 > /proc/sys/net/ipv4/ip_forward
It was actually probably this change that allowed things to work for you. Otherwise your Ubuntu box will not forward packets between the two endpoints. (Or did you make this change early on?)
 
1 members found this post helpful.
Old 10-19-2009, 03:10 PM   #7
Steveington
LQ Newbie
 
Registered: Oct 2009
Posts: 1

Rep: Reputation: 0
Thumbs up

Oh, Great info. Thanks for the help Midspeck!
 
Old 10-21-2009, 10:27 AM   #8
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
BTW, I am regularly using this VPN setup. I sit on a GO train (commuter train in Toronto) every day for about 45 minutes and this setup is great. The VPN connection establishes in just a few seconds. Once I am connected, it's as though I am sitting at home -- my iphone is connected to my home LAN. I regularly connect from my iphone 3G to PCs at my home (via VNC and RDP) and do lots of other stuff. The connection occasionally drops, but in general it is quite reliable.

If you can get this working, you will be pleased.

Apollo
 
Old 11-23-2009, 10:33 PM   #9
bleargh
Member
 
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67

Rep: Reputation: 16
I wish this were easier to setup. I want to do the same thing from Android. Does it work with Dynamic DNS addresses?
 
Old 11-24-2009, 08:28 AM   #10
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
The iphone is on a dynamic IP address when connected over 3G. My VPN server is at my home and it's on a static IP address. If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
 
Old 11-24-2009, 08:36 AM   #11
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
One thing I have noticed is that my particular VPN setup seems to work only for the iphone. I have tried to set up a VPN from my laptop (running windoze) and I cannot connect. Maybe I could get it working for both, but it's not worth the effort from my laptop -- I just funnel traffic I want encrypted through an SSH tunnel instead ... less hassle.

I'd be interested to know if anyone else gets this working on the iphone.
 
Old 11-24-2009, 09:05 AM   #12
bleargh
Member
 
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67

Rep: Reputation: 16
Quote:
Originally Posted by Apollo77 View Post
If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
Yes, that's what I mean. My router has Tomato firmware and has a DynDNS that it keeps updated at all times, but I don't know if the server can handle that.

Quote:
Set left=12.34.56.78 [should be set to your external IP address on the machine users will connect to]
I've been using an SSH tunnel from Windows computers, too. I know I've used PPTP in the past without too much hassle, but I don't know if that's encrypted, and [edit:] Windows does have native support for both "PPTP VPN" and "L2TP IPSec VPN".

Last edited by bleargh; 11-24-2009 at 11:33 AM.
 
Old 11-24-2009, 11:24 AM   #13
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
I run Tomato also. I've simply got UDP ports 500, 1701, and 4500 forwarded to the box running the VPN server. I could be wrong, but I don't think the "protocol 50" thing mentioned in one of my earlier posts is necessary.

Unless I am missing something, I don't see why dynamic DNS would be an issue with your setup. I suppose if the IP address changed during a connection then you would get dropped, but that would be a rare event.
 
Old 11-24-2009, 08:00 PM   #14
bleargh
Member
 
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67

Rep: Reputation: 16
And does it route everything through the VPN?
 
Old 11-25-2009, 08:27 AM   #15
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
I think I am correct in saying once connected to the VPN everything gets routed through the VPN. Local web sites (ie. http://192.168.0.x) appear just like I am at home on my local network. I regularly open VNC, RDP, and SSH sessions using addresses local to my LAN at home.

Regular web browsing is actually a bit slower when connected to the VPN because my upload speed at home becomes the download speed on the iphone. My DSL connection at home is about 8M/720kb, so I am limited to 720kbps download on the iphone. In downtown Toronto where I work this makes little difference because of existing network congestion -- I rarely see 500kbps download on 3G downtown (connected to the VPN or not). However, I live about 50km north of the city and I see 2M or higher on 3G there, so the VPN becomes the bottleneck there -- it's actually faster when not connected to the VPN.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPSec/L2TP mahesh_sonawane Linux - Networking 1 06-04-2007 01:32 AM
IPSec VPN Client on Ubuntu noorania Linux - Software 2 04-25-2006 05:32 PM
IPSEC/L2TP VPN Server on Fedora Core 3 using Kernel 2.6 petwalrus Linux - Networking 3 04-21-2005 10:55 AM
IPsec/L2TP VPN question IPsecLearner Linux - Networking 3 04-19-2005 11:32 AM
L2TP VPN connections to an ISA Server kendoucet Linux - Networking 0 03-24-2004 08:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration