After searching Google for three days trying to figure out how to make IPSec + L2TP work, I am thankful that I came across this post. If it helps anyone, I am running WhiteRussian RC5 and am able to get IPSec + L2TP to work with PSK. I have been failing miserably to get certificates to work. I also came across a post that claimed it was possible to get both PSK and Certs to work.
If it helps anyone, here are some notes on getting IPSec + L2TP with PSK (PreShared Keys) to work on WhiteRussion RC5.
It makes no difference in the configuration below, but I choose to separate my wireless network from my wired network. The instructions for doing that are here: http://wiki.openwrt.org/OpenWrtDocs/Configuration. Search for "To separate the LAN from the WIFI".
(1) I started with WhiteRussian RC5 on a WRT54GS v1.1 (8 MB flash and 32 MB memory). I used the micro squashfs install.
(2) You will need to install all of the packages listed below. If you prefer a different time package over openntpd, feel free to substitute. It may be that the list below is not enough. I apologize in advance if I missed something.
cd /tmp
ipkg install openntpd
ipkg install openswan
ipkg install ppp
ipkg install l2tpd
wget http://psg.com/~brian/software/openwrt/l2tpd_0.70pre-2_mipsel.ipk
ipkg install l2tpd_0.70pre-2_mipsel.ipk
(3) Assuming that you installed openntpd, you will need to properly configure it. Since I live in the United States, I choose to use us.pool.ntp.org. If you don't live in the United States, you can visit http://www.pool.ntp.org/ to find a better value than the default. I edited the file /etc/ntpd.conf and changed the line that read servers pool.ntp.org to:
(3) This next step is dangerous I am comfortable with doing this because my WRT54GS is sitting on an isolated testbed network. I have not yet gotten around to learning how to write firewall rules, so I totally disabled the firewall ruleset. Do not do this on an OpenWRT that is supposed to be protecting something. I would deeply appreciate it someone posted a set of firewall rules for allowing IPSec + L2TP traffic. My basic understanding that the ruleset needs to allow protocol 50 (ESP), protocol 51 (AH), port 500 (ISAKMP?) and port 4500 (only needed for NAT-T).
cd /etc/init.d
mkdir .disabled
mv S45firewall .disabled
(4) Create/edit /etc/modules.d/60-l2tp. This will cause the thee PPP kernel modules to get loaded automatically at boot.
slhc
ppp_generic
ppp_async
(5) At this point, you need to reboot your router to make sure that everything is properly set up. After reboot, check that your router has the current time with:
root@OpenWrt:~# date
Fri Apr 14 04:32:06 PDT 2006
root@OpenWrt:~#
Check that the proper modules got loaded. Depending on the packages that you have loaded, you may see more modules loaded. It only important (for our purposes) that you see slhc, ppp_generic, and ppp_async have been loaded.
root@OpenWrt:~# lsmod
Module Size Used by Tainted: P
ppp_async 7948 0 (unused)
ppp_generic 22868 0 [ppp_async]
slhc 6352 0 [ppp_generic]
wlcompat 14896 0 (unused)
wl 423640 0 (unused)
switch-adm 6132 0 (unused)
switch-core 4896 0 [switch-adm]
diag 3320 0 (unused)
root@OpenWrt:~#
There is no point in going on if both of these test do not pass.
(6) Create/edit the /etc/ipsec.secrets file. Please change the password from "my-preshared-key" to something only you know. As soon a some little cracker comes along and reads this post, you can be sure "my-preshared-key" is going to be part of the default password that hacking toolkits will try. Why would you want to make life easy for a cracker?
(7) Create/Edit the /etc/ipsec.conf file. Replace the 172.16.27.2 with the WAN interface IP address for your router.
version 2.0
config setup
interfaces="ipsec0=vlan1"
plutodebug=none
nat_traversal=no
conn L2TP-PSK
authby=secret
pfs=no
ike=aes-sha,3des-sha
esp=aes-sha1,3des-sha1
left=172.16.27.2
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
auto=add
### Disable Opportunistic Encryption
## OE does not work unless it is properly configured. Since we are not
## properly configuring it, we are disabling it instead.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
(8) Create/Edit the /etc/l2tpd/l2tpd.conf file. Here are some important notes. The listen-addr is the WAN address of your router. The local-ip address is a special address on your inside/protected network that is reserved just for L2TP. The local-ip address will be used by L2TP clients for their default route (at least that what I found in various bits of docs). The ip-range is supposed to be a range of IP addresses handed out to the clients as they connect. I found, in my testing, that the clients were just DHCP'ing for addresses from DNSmasq. Your mileage may vary. While you are testing, you may want to set the ppp debug to on. I turned off all of the debugging once things worked because it sped it up the connection time. Why this is, I'm not sure, but I think it is "expensive" to write the debugging information to the system log. The name parameter serves no purpose as far as I can tell. It is not referenced anywhere else.
;
; This is a minimal sample l2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by l2tpd as its address on pppX interfaces.
[global]
listen-addr = 172.16.27.2
[lns default]
ip range = 172.16.45.96-172.16.45.127
local ip = 172.16.45.2
require chap = yes
refuse pap = yes
require authentication = yes
name = ARoseByAnyOtherName
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
(9) Create/edit /etc/ppp/chap-secrets. There are versions of PPP that can use radius to get the secrets. Obviously, these instructions don't cover those versions. In fact, my personal plan, now that I was able to get PSK (pre-shared keys) working is to get Certs working. I hope that it is obvious that you need to protect the information in this file. From various bits of experimentation, I found that L2TP did not use the IP address that I set in this file. I don't know if that is something I'm doing wrong or a bug.
As noted above, please change the usernames and passwords in this file. Why would you want to make a crackers life easier?
#USERNAME PROVIDER PASSWORD IPADDRESS
narzola * "password" *
bteed * "wordpass" *
(10) Create/edit /etc/ppp/options.l2tp. Uncomment #debug if you want debugging messages. The ipcp-max-configure 5, lcp-echo-interval 5, and lcp-echo-failure 5 cause the link to fail faster when you have something misconfigured. It is harmless to remove all three if you prefer the defaults.
ipcp-accept-local
ipcp-accept-remote
ipcp-max-configure 5
lcp-echo-interval 5
lcp-echo-failure 5
auth
idle 1800
mtu 1410
mru 1410
proxyarp
lock
#debug
(11) Rename l2tpd to S61l2tpd. This is just good form. By renaming this file, you will be certain that l2tpd will be started after ipsec (S60ipsec).
cd /etc/init.d
mv l2tpd S61l2tpd
(12) Reboot your router. Log in and use the logread command to see the system log file. You need to make sure that OpenSwan started. The following two sets of messages should be in your logfile (but not necessarily next to each other). Instead of 172.16.27.2, you will see your WAN interface IP address in the messages.
Apr 14 05:01:06 (none) kern.warn pluto[3495]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Apr 14 05:01:10 (none) kern.warn pluto[3495]: listening for IKE messages
Apr 14 05:01:10 (none) kern.warn pluto[3495]: adding interface ipsec0/vlan1 172.16.27.2:500
You need to make sure that the L2TP daemon started correctly:
Apr 14 05:03:34 (none) kern.info l2tpd[3597]: This binary does not support kernel L2TP.
Apr 14 05:03:34 (none) kern.info l2tpd[3598]: l2tpd version 0.69 started on OpenWrt PID:3598
Apr 14 05:03:34 (none) kern.info l2tpd[3598]: Linux version 2.4.30 on a mips, listening on IP address 172.16.27.2, port 1701
(13) Configure your NT or MacOS computer to make the VPN connection. I don't have the time to write instructions for that at the moment. I can say that my 10.4.6 PowerBook and my Windows XP Pro (fully patched) were both able to make a connection. It took a few tries, but everything works. On the MacOS side, there are fewer options and everything worked pretty much the first time (after I installed the lock patch). On the Windows side, it was a little more complicated, but with a little tweaking, it worked.
I hope this helps someone. Many thanks to all of the folks who made OpenWRT possible.
Nelson