Linux - Networking
I am trying to set up an IPsec/L2TP server on Ubuntu so I can route all traffic from my iPhone through my home DSL connection. I used this as a general guide:
I am able to establish the VPN connection, but I only have access to addresses on my home network through the VPN. I can't access anything on the internet. Safari can browse web pages only within my LAN. The iPhone queries my DNS server successfully, so I am fairly confident this is not a DNS issue.
Can anyone point me in the right direction? Why can't I access anything on the WAN? Suggestions?
OK, I think my problem has to do with NAT-Traversal. I have almost no idea what that is, but I notice that if I set "nat_traversal=no" in /etc/ipsec.conf then I can connect to my VPN, but not access the WAN. Port 4500/udp is not shown in "netstat -antu" when I do this. However, if I set "nat_traversal=yes" then port 4500/udp does appear with netstat, but I cannot connect to my VPN.
I think I need nat_traversal on, but I don't know where to go from here. I suppose my kernel maybe does not support NAT-T. Not sure.
Obviously, the external ip addresses are not real.
My router is passing 500/udp and 4500/udp and protocol 50 to the server at 192.168.0.31. Fortunately, I have a router that will pass protocol 50 (Dlink Dir 655) -- I think many cheapo routers will not do this.
My /etc/ipsec.conf file looks like this:
===================
version 2.0     # conforms to second version of ipsec.conf specification

# nat_traversal=yes/no is a "config setup" option; that section is not
# reproduced here, only the L2TP connection definition.

conn L2TP-PSK-noNAT
    authby=secret           # pre-shared key, looked up in /etc/ipsec.secrets
    pfs=no
    auto=add                # load the conn at startup and wait for the client to initiate
    keyingtries=3
    rekey=no
    type=transport          # L2TP/IPsec protects the L2TP/UDP packets in transport mode, not tunnel mode
    # "left" is this host (the side the file is written on); "right" is the remote peer.
    # %any accepts the connection from whatever address the client turns up on.
    left=192.168.0.31
    leftnexthop=192.168.0.1
    leftprotoport=17/1701   # protocol 17 = UDP, port 1701 = L2TP
    right=%any
    rightprotoport=17/%any  # I found the iPhone works with 17/%any both inside and outside my LAN.
    #rightprotoport=17/0    # It seems to be reported that OS X requires this. Experiment to find what works for you.
==================
Here's my /etc/xl2tpd/xl2tpd.conf:
==================
[global]
ipsec saref = yes

[lns default]
ip range = 192.168.0.231-192.168.0.239   ; addresses handed out to VPN clients
local ip = 192.168.0.230                 ; the server's end of the PPP link
;require chap = yes
; "refuse chap" refers to plain CHAP. MS-CHAPv2 is a separate method that pppd
; negotiates (require-mschap-v2 in options.xl2tpd) and it still reads /etc/ppp/chap-secrets.
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
==================
Here is my /etc/ppp/options.xl2tpd:
==================
# This file is filled with comments. I took them all out.
require-mschap-v2        # peer must authenticate with MS-CHAPv2 (secrets come from /etc/ppp/chap-secrets)
ms-dns 192.168.0.31      # DNS server pushed to the client
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd               # the name pppd uses for itself when matching lines in chap-secrets
proxyarp                 # answer ARP for the client addresses, which sit inside the LAN subnet
lcp-echo-interval 30
lcp-echo-failure 4
==================
Here is what I get when I run ipsec verify:
==================
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
================
BTW, I am using PSKs. The authentication stuff all seems to be working. IPsec connects fine and the VPN appears to establish normally on the iPhone. However, if I try to ping an address on my LAN from the iPhone, I get no response. If I open Safari, I cannot get to any external sites. Actually, I can browse to local sites within my LAN. The iPhone queries my DNS server successfully (DNS also runs on 192.168.0.31), but Safari does not connect to the site.
I am not fully grasping the left/right stuff in /etc/ipsec.conf . I am also not certain I have nat traversal working. I think nat traversal should be working with the kernel I am running (Linux clark 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux).
Ok, there's a lot of information. Any suggestions would be greatly appreciated.
My configuration was apparently fine except for the /etc/ppp/chap-secrets file. This is that file now:
=========
# Secrets for authentication using CHAP
# client server secret IP addresses
user222 l2tpd "password333" *
l2tpd user222 "password333" *
=========
I previously only had one line in this file. Apparently, the 2nd reverse line is also required because chap authentication needs to work in both directions.
Actually, I thought my configuration was refusing chap, so I remain confused about that. Oh well, it works.
I placed these four lines in my /etc/rc.local file:
# disable ICMP redirects on every interface, which "ipsec verify" checks for with NETKEY
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
# forward packets arriving on the PPP interface onward to the LAN and the WAN
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart #not sure why, but ipsec was not starting after reboot. This should fix that.
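The three things this thread turned on (a one-directional chap-secrets file, ip_forward left at 0, and UDP 4500 not listening when NAT-T is off) can be checked without a live VPN. The script below is an added example, not code from this thread or from the Openswan/xl2tpd projects. It reuses the user222/l2tpd names from the chap-secrets file above; the sample chap-secrets, ip_forward and netstat files it creates are constructed, not captured from a real system, and stand in for /etc/ppp/chap-secrets, /proc/sys/net/ipv4/ip_forward and the output of "netstat -anu".

```shell
#!/usr/bin/env bash
# Added example, not from the thread: offline checks for the three things the
# thread turned on. Each function takes a file path, so it can be pointed at
# the real /etc/ppp/chap-secrets, /proc/sys/net/ipv4/ip_forward and the saved
# output of "netstat -anu", or at the constructed samples at the bottom.

# chap_secrets_has_pair FILE CLIENT SERVER
# pppd consults chap-secrets in both directions: CLIENT->SERVER when it
# authenticates the peer, SERVER->CLIENT when the peer challenges it. A file
# with only the first line is the fault the poster fixed above.
chap_secrets_has_pair() {
    local file=$1 client=$2 server=$3
    local fwd=0 rev=0 c s rest
    while read -r c s rest || [ -n "$c" ]; do
        case "$c" in ''|\#*) continue ;; esac      # skip blanks and comments
        [ "$c" = "$client" ] && [ "$s" = "$server" ] && fwd=1
        [ "$c" = "$server" ] && [ "$s" = "$client" ] && rev=1
    done < "$file"
    [ "$fwd" = 1 ] || echo "missing line: $client $server <secret> *"
    [ "$rev" = 1 ] || echo "missing line: $server $client <secret> *"
    if [ "$fwd" = 1 ] && [ "$rev" = 1 ]; then return 0; else return 1; fi
}

# ipv4_forwarding_enabled FILE
# FILE is normally /proc/sys/net/ipv4/ip_forward. With 0 the box terminates
# the tunnel but never forwards the phone's packets onward, so clients can
# reach nothing beyond the server itself.
ipv4_forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# nat_t_ports_listening FILE
# FILE holds "netstat -anu" output. With nat_traversal=yes pluto listens on
# UDP 500 (IKE) and UDP 4500 (IKE and ESP encapsulated in UDP); a client
# behind a NAT, like a phone on 3G, needs both, and the router must forward both.
nat_t_ports_listening() {
    local file=$1 missing="" port
    for port in 500 4500; do
        grep -Eq "^udp6?[[:space:]].*[.:]${port}[[:space:]]" "$file" \
            || missing="$missing $port"
    done
    if [ -n "$missing" ]; then
        echo "not listening on udp:$missing"
        return 1
    fi
    return 0
}

# --- constructed sample inputs (not captured from a real system) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# the one-line file the poster started with, and the two-line file that worked
cat > "$tmp/chap-secrets.before" <<'EOF'
# client   server   secret          IP addresses
user222    l2tpd    "password333"   *
EOF
cat > "$tmp/chap-secrets.after" <<'EOF'
# client   server   secret          IP addresses
user222    l2tpd    "password333"   *
l2tpd      user222  "password333"   *
EOF

# ip_forward before and after "echo 1 > /proc/sys/net/ipv4/ip_forward"
printf '0\n' > "$tmp/ip_forward.off"
printf '1\n' > "$tmp/ip_forward.on"

# netstat -anu with nat_traversal=no (UDP 500 only) and with nat_traversal=yes
cat > "$tmp/netstat.nonat" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.168.0.31:500        0.0.0.0:*
udp        0      0 0.0.0.0:1701            0.0.0.0:*
EOF
cat > "$tmp/netstat.nat" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.168.0.31:500        0.0.0.0:*
udp        0      0 192.168.0.31:4500       0.0.0.0:*
udp        0      0 0.0.0.0:1701            0.0.0.0:*
EOF

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report chap_secrets_has_pair "$tmp/chap-secrets.before" user222 l2tpd
report chap_secrets_has_pair "$tmp/chap-secrets.after"  user222 l2tpd
report ipv4_forwarding_enabled "$tmp/ip_forward.off"
report ipv4_forwarding_enabled "$tmp/ip_forward.on"
report nat_t_ports_listening "$tmp/netstat.nonat"
report nat_t_ports_listening "$tmp/netstat.nat"
```

On the server itself, call the functions with the real paths (for example `chap_secrets_has_pair /etc/ppp/chap-secrets user222 l2tpd`, and `netstat -anu > /tmp/ns.txt; nat_t_ports_listening /tmp/ns.txt`). A "missing line: l2tpd user222 ..." report is the one-line chap-secrets file the poster started with; a "not listening on udp: 4500" report means nat_traversal is off, which only works for clients that are not behind a NAT.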
Other things I did that are probably necessary:
...
echo 1 > /proc/sys/net/ipv4/ip_forward
It was actually probably this change that allowed things to work for you. Otherwise your Ubuntu box will not forward packets between the two endpoints. (Or did you make this change early on?)
BTW, I am regularly using this VPN setup. I sit on a GO train (commuter train in Toronto) every day for about 45 minutes and this setup is great. The VPN connection establishes in just a few seconds. Once I am connected, it's as though I am sitting at home -- my iphone is connected to my home LAN. I regularly connect from my iphone 3G to PCs at my home (via VNC and RDP) and do lots of other stuff. The connection occasionally drops, but in general it is quite reliable.
The iphone is on a dynamic IP address when connected over 3G. My VPN server is at my home and it's on a static IP address. If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
One thing I have noticed is that my particular VPN setup seems to work only for the iphone. I have tried to set up a VPN from my laptop (running windoze) and I cannot connect. Maybe I could get it working for both, but it's not worth the effort from my laptop -- I just funnel traffic I want encrypted through an SSH tunnel instead ... less hassle.
I'd be interested to know if anyone else gets this working on the iphone.
If your VPN server is on a dynamic address, that adds a complication you will need to work out. There are services like DynDNS that can help with that (... but that's another thread).
Yes, that's what I mean. My router has Tomato firmware and has a DynDNS that it keeps updated at all times, but I don't know if the server can handle that.
Quote:
Set left=12.34.56.78 [should be set to your external IP address on the machine users will connect to]
I've been using an SSH tunnel from Windows computers, too. I know I've used PPTP in the past without too much hassle, but I don't know if that's encrypted, and [edit:] Windows does have native support for both "PPTP VPN" and "L2TP IPSec VPN".
I run Tomato also. I've simply got UDP ports 500, 1701, and 4500 forwarded to the box running the VPN server. I could be wrong, but I don't think the "protocol 50" thing mentioned in one of my earlier posts is necessary.
Unless I am missing something, I don't see why dynamic DNS would be an issue with your setup. I suppose if the IP address changed during a connection then you would get dropped, but that would be a rare event.
I think I am correct in saying once connected to the VPN everything gets routed through the VPN. Local web sites (ie. http://192.168.0.x) appear just like I am at home on my local network. I regularly open VNC, RDP, and SSH sessions using addresses local to my LAN at home.
Regular web browsing is actually a bit slower when connected to the VPN because my upload speed at home becomes the download speed on the iphone. My DSL connection at home is about 8M/720kb, so I am limited to 720kbps download on the iphone. In downtown Toronto where I work this makes little difference because of existing network congestion -- I rarely see 500kbps download on 3G downtown (connected to the VPN or not). However, I live about 50km north of the city and I see 2M or higher on 3G there, so the VPN becomes the bottleneck there -- it's actually faster when not connected to the VPN.