Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
04-10-2009, 12:54 PM
|
#1
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Rep:
|
IPSec L2TP VPN server on Ubuntu for iPhone
I am trying to set up a IPSec L2TP server on Ubuntu so I can route all traffic from my iPhone through my home DSL connection. I used this as a general guide:
http://rootmanager.com/ubuntu-ipsec-...s-clients.html
I am able to establish the VPN connection, but I only have access to addresses on my home network through the VPN. I can't access anything on the internet. Safari can browse web pages only within my LAN. The iPhone queries my DNS server successfully, so I am fairly confident this is not a DNS issue.
Can anyone point me in the right direction? Why can't I access anything on the WAN? Suggestions?
Apollo
|
|
|
04-10-2009, 04:17 PM
|
#2
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
Ok, I think my problem has to do with NAT-Traversal. I have almost no idea what that is, but I notice if I set "nat_traversal=no" in /etc/ipsec.conf then I can connect to my VPN, but not access the WAN. Port 4500/udp is not shown in "netstat -antu" when I do this. However, if I set "nat_traversal=yes" then Port 4500/udp does appear with netstat, but I cannot connect to my VPN.
I think I need nat_traversal on, but I don't know where to go from here. I suppose my kernel maybe does not support NAT-T. Not sure.
|
|
1 members found this post helpful.
|
04-13-2009, 02:51 PM
|
#3
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
I think I'm getting close. However ... I cannot seem to get this working. I think there is something fundamental I am failing to grasp.
Here is my setup:
openswan/xl2tpd server -- my router -- my iphone on the internet
OR
192.168.0.31--192.168.0.1--my router--11.22.33.44-----99.99.99.99
(server) -- (internal ip) -- (external ip) -- (iphone)
Obviously, the external ip addresses are not real.
My router is passing 500/udp and 4500/udp and protocol 50 to the server at 192.168.0.31. Fortunately, I have a router that will pass protocol 50 (Dlink Dir 655) -- I think many cheapo routers will not do this.
My /etc/ipsec.conf file looks like this:
===================
version 2.0 # conforms to second version of ipsec.conf specification
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/16
nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/l2tp-psk.conf
==================
My /etc/ipsec.d/l2tp-psk.conf looks like this:
==================
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
#rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=192.168.0.31
leftnexthop=192.168.0.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any #I found the iPhone works with 17/%any both inside and outside my LAN.
#rightprotoport=17/0 #It seems to be reported that OS X requires this. Experiment to find what works for you.
==================
Here's my /etc/xl2tdp/xl2tpd.conf:
==================
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.0.231-192.168.0.239
local ip = 192.168.0.230
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
==================
Here is my /etc/ppp/options.xl2tpd:
==================
# This file is filled with comments. I took them all out.
require-mschap-v2
ms-dns 192.168.0.31
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
==================
Here is what I get when I run ipsec verify:
==================
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
================
BTW, I am using PSKs. The authentication stuff all seems to be working. Ipsec connects fine and the VPN appears to establish normally on the iPhone. However, if I try to ping an address on my LAN from the iPhone, I get no response. If I open Safari, I cannot get to any external sites. Actually, I can browse to local sites within my LAN. The iPhone queries my DNS server successfully (DNS also runs on 192.168.0.31), but Safari does not connect to the site.
I am not fully grasping the left/right stuff in /etc/ipsec.conf . I am also not certain I have nat traversal working. I think nat traversal should be working with the kernel I am running (Linux clark 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux).
Ok, there's a lot of information. Any suggestions would be greatly appreciated.
Apollo
Last edited by Apollo77; 04-13-2009 at 08:07 PM.
|
|
1 members found this post helpful.
|
04-13-2009, 06:24 PM
|
#4
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
Ok, well, maybe this will help someone. I found the problem while reading this:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
My configuration was apparently fine except for the /etc/ppp/chap-secrets file. This is that file now:
=========
# Secrets for authentication using CHAP
# client server secret IP addresses
user222 l2tpd "password333" *
l2tpd user222 "password333" *
=========
I previously only had one line in this file. Apparently, the 2nd reverse line is also required because chap authentication needs to work in both directions.
Actually, I thought my configuration was refusing chap, so I remain confused about that. Oh well, it works.
Go figure.
Last edited by Apollo77; 04-13-2009 at 06:27 PM.
|
|
1 members found this post helpful.
|
04-15-2009, 09:15 AM
|
#5
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
Other things I did that are probably necessary:
Install openswan-modules-source:
apt-get install openswan-modules-source
Uncomment these two lines in /etc/sysctl.conf:
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/send_accept = 0
I placed these four lines in my /etc/rc.local file:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart #not sure why, but ipsec was not starting after reboot. This should fix that.
Last edited by Apollo77; 04-15-2009 at 09:34 AM.
|
|
1 members found this post helpful.
|
07-08-2009, 02:37 PM
|
#6
|
LQ Newbie
Registered: Jul 2009
Posts: 9
Rep:
|
Quote:
Originally Posted by Apollo77
Other things I did that are probably necessary:
...
echo 1 > /proc/sys/net/ipv4/ip_forward
|
It was actually probably this change that allowed things to work for you. Otherwise your Ubuntu box will not forward packets between the two endpoints. (Or did you make this change early on?)
|
|
1 members found this post helpful.
|
10-19-2009, 03:10 PM
|
#7
|
LQ Newbie
Registered: Oct 2009
Posts: 1
Rep:
|
Oh, Great info. Thanks for the help Midspeck!
|
|
|
10-21-2009, 10:27 AM
|
#8
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
BTW, I am regularly using this VPN setup. I sit on a GO train (commuter train in Toronto) every day for about 45 minutes and this setup is great. The VPN connection establishes in just a few seconds. Once I am connected, it's as though I am sitting at home -- my iphone is connected to my home LAN. I regularly connect from my iphone 3G to PCs at my home (via VNC and RDP) and do lots of other stuff. The connection occasionally drops, but in general it is quite reliable.
If you can get this working, you will be pleased.
Apollo
|
|
|
11-23-2009, 10:33 PM
|
#9
|
Member
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67
Rep:
|
I wish this were easier to setup. I want to do the same thing from Android. Does it work with Dynamic DNS addresses?
|
|
|
11-24-2009, 08:28 AM
|
#10
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
The iphone is on a dynamic IP address when connected over 3G. My VPN server is at my home and it's on a static IP address. If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
|
|
|
11-24-2009, 08:36 AM
|
#11
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
One thing I have noticed is that my particular VPN setup seems to work only for the iphone. I have tried to set up a VPN from my laptop (running windoze) and I cannot connect. Maybe I could get it working for both, but it's not worth the effort from my laptop -- I just funnel traffic I want encrypted through an SSH tunnel instead ... less hassle.
I'd be interested to know if anyone else gets this working on the iphone.
|
|
|
11-24-2009, 09:05 AM
|
#12
|
Member
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67
Rep:
|
Quote:
Originally Posted by Apollo77
If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
|
Yes, that's what I mean. My router has Tomato firmware and has a DynDNS that it keeps updated at all times, but I don't know if the server can handle that.
Quote:
Set left=12.34.56.78 [should be set to your external IP address on the machine users will connect to]
|
I've been using an SSH tunnel from Windows computers, too. I know I've used PPTP in the past without too much hassle, but I don't know if that's encrypted, and [edit:] Windows does have native support for both "PPTP VPN" and "L2TP IPSec VPN".
Last edited by bleargh; 11-24-2009 at 11:33 AM.
|
|
|
11-24-2009, 11:24 AM
|
#13
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
I run Tomato also. I've simply got UDP ports 500, 1701, and 4500 forwarded to the box running the VPN server. I could be wrong, but I don't think the "protocol 50" thing mentioned in one of my earlier posts is necessary.
Unless I am missing something, I don't see why dynamic DNS would be an issue with your setup. I suppose if the IP address changed during a connection then you would get dropped, but that would be a rare event.
|
|
|
11-24-2009, 08:00 PM
|
#14
|
Member
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67
Rep:
|
And does it route everything through the VPN?
|
|
|
11-25-2009, 08:27 AM
|
#15
|
Member
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182
Original Poster
Rep:
|
I think I am correct in saying once connected to the VPN everything gets routed through the VPN. Local web sites (ie. http://192.168.0.x) appear just like I am at home on my local network. I regularly open VNC, RDP, and SSH sessions using addresses local to my LAN at home.
Regular web browsing is actually a bit slower when connected to the VPN because my upload speed at home becomes the download speed on the iphone. My DSL connection at home is about 8M/720kb, so I am limited to 720kbps download on the iphone. In downtown Toronto where I work this makes little difference because of existing network congestion -- I rarely see 500kbps download on 3G downtown (connected to the VPN or not). However, I live about 50km north of the city and I see 2M or higher on 3G there, so the VPN becomes the bottleneck there -- it's actually faster when not connected to the VPN.
|
|
|
All times are GMT -5. The time now is 02:37 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|