Thanks, I got it working now, with iOS4 (iPhone) & iOS3 (iPad) and openwrt 10.03.1-rc3 & repository packages.
openwrt IP: 192.168.12.4
gateway/dns server: 192.168.12.1
(dummy range below can't be on your actual network)
dummy IP range for VPN: 192.168.222.10 and beyond
dummy IP for local IP for xl2tp: 192.168.222.1
Install the packages
opkg install ipsec-tools libopenssl openssl-util xl2tpd kmod-ppp ppp \
    kmod-crypto-aes kmod-crypto-authenc kmod-crypto-core kmod-crypto-des \
    kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-ipsec kmod-ipsec4
/etc/xl2tpd/xl2tpd.conf
[global]

; Default L2TP network server: the pool handed to clients and the server's own tunnel address
[lns default]
ip range = 192.168.222.10-192.168.222.100
local ip = 192.168.222.1
length bit = yes
; Only CHAP is allowed; PAP (cleartext password) is refused
require chap = yes
refuse pap = yes
require authentication = yes
name = vanrenterghem.biz
ppp debug = yes
; pppd options for the tunnel live in a separate file
pppoptfile = /etc/ppp/options.xl2tpd
/etc/ppp/chap-secrets
#USERNAME PROVIDER PASSWORD IPADDRESS
username * password *
username@mydomain.com * password *
/etc/ppp/options.xl2tpd
# Accept the addresses negotiated by the peer instead of insisting on our own
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to the client (the LAN gateway)
ms-dns 192.168.12.1
# No CCP compression; require the peer to authenticate
noccp
auth
crtscts
# Drop the link after 30 minutes without traffic
idle 1800
mtu 1410
mru 1410
# Don't touch the router's own default route when a client connects
nodefaultroute
debug
lock
# Answer ARP on the LAN for the client's tunnel address
proxyarp
connect-delay 5000
/etc/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

# Phase 1 (IKE SA): accept any peer that has a key in psk.txt
remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    # Install the security policy the client proposes instead of requiring a static SPD entry
    generate_policy on;
    proposal_check obey;
    #my_identifier asn1dn;
    #peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters for any peer
sainfo anonymous {
    lifetime time 28800 sec;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
/etc/racoon/psk.txt
# IPv4/v6 addresses
192.168.12.171 password
192.168.12.20 password
# USER_FQDN
someone@mydomain.com password
# FQDN
www.mydomain.com password
Make sure the psk.txt and chap-secrets files can only be read by root.
chmod 600 /etc/racoon/psk.txt
chmod 600 /etc/ppp/chap-secrets
Enable forwarding of the dummy IP range to your actual network. This openwrt box doesn't have a firewall running, since it's within the private network already. You may need to open up some extra ports if you do have a firewall.
iptables -t nat -A POSTROUTING -s 192.168.222.0/24 -o eth0.1 -j MASQUERADE
Test it all out, using 2 ssh connections to your openwrt box, by running racoon & xl2tpd in the foreground at first:
This configuration doesn't work yet from any connecting IP - only the ones mentioned in psk.txt. Not sure yet how to use the username instead.
Best regards,
Frederik Vanrenterghem
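The post stresses that the dummy VPN range must not overlap the real LAN and that psk.txt and chap-secrets must be mode 600. The following pre-flight script is an added example, not part of the original post; it assumes the addresses used above (LAN 192.168.12.0/24, pool 192.168.222.10-192.168.222.100 inside 192.168.222.0/24) and the two secrets file paths.

```shell
#!/bin/sh
# Pre-flight checks for the L2TP/IPsec setup above (added example, not from the post).
# Assumed values: LAN 192.168.12.0/24, VPN pool 192.168.222.10-192.168.222.100.

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Network address of "a.b.c.d/p" as an integer.
net_of() {
    p=${1#*/}
    echo $(( $(ip2int "${1%/*}") & ((0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF) ))
}

# Returns 0 if two CIDR networks overlap: compare both under the shorter prefix.
cidr_overlap() {
    p=${1#*/}; q=${2#*/}
    [ "$q" -lt "$p" ] && p=$q
    [ "$(net_of "${1%/*}/$p")" -eq "$(net_of "${2%/*}/$p")" ]
}

# Returns 0 if every address of an xl2tpd "ip range" A-B lies inside a CIDR network.
range_in_net() {
    lo=$(ip2int "${1%-*}"); hi=$(ip2int "${1#*-}")
    n=$(net_of "$2"); size=$(( 1 << (32 - ${2#*/}) ))
    [ "$lo" -le "$hi" ] && [ "$lo" -ge "$n" ] && [ "$hi" -lt $(( n + size )) ]
}

# Returns 0 if a secrets file exists and grants no group/other permission (chmod 600).
secret_file_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Run on the router after sourcing this file; a non-zero exit means fix the config first.
preflight() {
    cidr_overlap 192.168.12.0/24 192.168.222.0/24 && { echo "VPN pool overlaps the LAN"; return 1; }
    range_in_net 192.168.222.10-192.168.222.100 192.168.222.0/24 \
        || { echo "ip range is outside the pool network"; return 1; }
    for f in /etc/racoon/psk.txt /etc/ppp/chap-secrets; do
        secret_file_ok "$f" || { echo "$f must exist and be chmod 600"; return 1; }
    done
}
```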