OpenWrt Forum Archive

Topic: iPhone VPN using racoon and l2tpd

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I am trying to set up a VPN on OpenWrt 10.03.1-rc3 using ipsec-tools (racoon) and l2tpd. I've gotten to the point where the iPhone tries to make a connection, as evidenced by watching racoon -F, but it doesn't succeed. Does anybody have any working configuration files that I could take a look at? I'm just looking for a simple home setup using pre-shared keys. No need for certificates.

Thanks in advance!

Frederik

http://rpc.one.pl has several guides for using racoon on OpenWrt. One of them covers racoon + l2tp. It's in Polish, so just run it through Google Translate.

(Last edited by aport on 18 Nov 2010, 19:44)

Thanks, I got it working now, with iOS4 (iPhone) & iOS3 (iPad) and openwrt 10.03.1-rc3 & repository packages.

openwrt IP: 192.168.12.4
gateway/dns server: 192.168.12.1

(dummy range below can't be on your actual network)
dummy IP range for VPN: 192.168.222.10 and beyond
dummy IP for local IP for xl2tp: 192.168.222.1

Install the packages

opkg install ipsec-tools libopenssl openssl-util xl2tpd kmod-ppp ppp kmod-crypto-aes kmod-crypto-authenc kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-ipsec kmod-ipsec4

/etc/xl2tpd/xl2tpd.conf

[global]

[lns default]
ip range = 192.168.222.10-192.168.222.100
local ip = 192.168.222.1
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = vanrenterghem.biz
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/chap-secrets

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
username * password *
username@mydomain.com * password *

/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.12.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

/etc/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}
remote anonymous {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        proposal_check obey;
        #my_identifier asn1dn;
        #peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        lifetime time 28800 sec;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

/etc/racoon/psk.txt

# IPv4/v6 addresses
192.168.12.171  password
192.168.12.20 password
# USER_FQDN
someone@mydomain.com      password
# FQDN
www.mydomain.com   password

Make sure the psk.txt and chap-secrets files can only be read by root.

chmod 600 /etc/racoon/psk.txt
chmod 600 /etc/ppp/chap-secrets

Enable forwarding of the dummy IP range to your actual network. This openwrt box doesn't have a firewall running, since it's within the private network already. You may need to open up some extra ports if you do have a firewall.

iptables -t nat -A POSTROUTING -s 192.168.222.0/24 -o eth0.1 -j MASQUERADE

Test it all out, using 2 ssh connections to your openwrt box, by running racoon & xl2tpd in the foreground at first:

racoon -F
xl2tpd -D

This configuration doesn't work yet from any connecting IP - only the ones mentioned in psk.txt. Not sure yet how to use the username instead.

Best regards,
Frederik Vanrenterghem
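The post above leaves three things to be verified by hand: that psk.txt and chap-secrets are readable only by root, that the dummy VPN range really is outside the LAN, and that xl2tpd.conf refuses PAP and requires CHAP. The script below is an added example, not code from the thread or from the racoon/xl2tpd projects; it assumes a Linux/BusyBox `stat -c`, takes file paths as arguments so it can be pointed at the real /etc files, and the sample files built in `audit_demo` are constructed for the demo (the key in them is not a real secret).

```shell
#!/bin/sh
# Added example: audit the racoon + xl2tpd setup described in the thread.
# Every check is a function returning 0 (ok) or 1 (problem) so it can be
# scripted; audit_demo at the bottom runs them on constructed sample files.

# check_secret_perms FILE: succeed only if FILE exists and group/other have
# no permission bits (mode 600 or stricter), as required for
# /etc/racoon/psk.txt and /etc/ppp/chap-secrets.
check_secret_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1     # assumes GNU/BusyBox stat
    case $mode in
        *00) return 0 ;;                       # last two octal digits are 0
        *)   return 1 ;;
    esac
}

# ip2int DOTTED: print an IPv4 address as an unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/BITS B/BITS: succeed if the two prefixes share any address.
# The post warns that the dummy range "can't be on your actual network".
cidr_overlap() {
    a_ip=${1%/*}; a_bits=${1#*/}
    b_ip=${2%/*}; b_bits=${2#*/}
    bits=$a_bits
    if [ "$b_bits" -lt "$bits" ]; then bits=$b_bits; fi
    # compare both networks under the shorter of the two masks
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    a_net=$(( $(ip2int "$a_ip") & mask ))
    b_net=$(( $(ip2int "$b_ip") & mask ))
    [ "$a_net" -eq "$b_net" ]
}

# check_setting FILE KEY VALUE: succeed if FILE has a line "KEY = VALUE"
# (whitespace around '=' ignored), e.g. check_setting xl2tpd.conf "refuse pap" yes
check_setting() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# psk_min_len FILE MIN: succeed if every non-comment entry in a racoon
# psk.txt has a key of at least MIN characters. The thread's "password" is
# a placeholder; the real key should be long and random. Everything after
# the identifier is taken as the key, which is how racoon reads the file.
psk_min_len() {
    while read -r ident key; do
        case $ident in ''|'#'*) continue ;; esac
        [ ${#key} -ge "$2" ] || return 1
    done < "$1"
    return 0
}

# audit_demo: build constructed sample files in a temp dir, run the checks
# and print one line per check. The PSK below is a made-up sample.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    printf '# IPv4/v6 addresses\n192.168.12.171  Kq7v-constructed-sample-psk-9zT2\n' > "$tmp/psk.txt"
    printf '[lns default]\nip range = 192.168.222.10-192.168.222.100\nrequire chap = yes\nrefuse pap = yes\n' > "$tmp/xl2tpd.conf"
    chmod 600 "$tmp/psk.txt"

    if check_secret_perms "$tmp/psk.txt"; then echo "ok: psk.txt is root-only"; else echo "PROBLEM: psk.txt readable by others"; fi
    if psk_min_len "$tmp/psk.txt" 20; then echo "ok: all PSKs are 20+ chars"; else echo "PROBLEM: short PSK found"; fi
    if check_setting "$tmp/xl2tpd.conf" "refuse pap" yes; then echo "ok: PAP refused"; else echo "PROBLEM: PAP not refused"; fi
    if check_setting "$tmp/xl2tpd.conf" "require chap" yes; then echo "ok: CHAP required"; else echo "PROBLEM: CHAP not required"; fi
    if cidr_overlap 192.168.222.0/24 192.168.12.0/24; then echo "PROBLEM: VPN range overlaps LAN"; else echo "ok: VPN range is outside the LAN"; fi
    rm -rf "$tmp"
}

audit_demo
```

Against a real box, run the functions with the real paths (`check_secret_perms /etc/racoon/psk.txt`, `cidr_overlap 192.168.222.0/24 192.168.12.0/24`) instead of `audit_demo`; a non-zero exit from any of them is the thing to fix before exposing UDP 500/4500 and 1701 to anything beyond the LAN.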

Can't quite get this to work. ipsec negotiation fails with

2011-02-01 13:15:21: ERROR: pfkey UPDATE failed: No such file or directory
2011-02-01 13:15:21: ERROR: pfkey ADD failed: No such file or directory
...
2011-02-01 13:15:36: ERROR: <clientip> give up to get IPsec-SA due to time up to wait.

I've triple checked that all firewall rules are correct, accepting both proto 50 and 51 and added both tcp and udp port 500 and 1701 just to be sure (for testing), but so far no luck.

Edit: ah: https://dev.openwrt.org/ticket/7431

(Last edited by Jhime on 1 Feb 2011, 14:09)

You might want to give l2tpv3tun a shot (openl2tp.org). It should work with either racoon or openswan and handle most clients.

l2tpv3tun was static only afaict. I'm aiming for roadwarrior (eventually).

Address Assignment
Almost all L2TP clients expect the IP addresses of the PPP session to be assigned by the server. Therefore, when configuring an OpenL2TP server, the mechanism by which IP addresses are assigned must be set. There are three alternatives:

Fixed IP addresses, preconfigured for each connecting client.
Dynamic IP addresses, obtained from an IP address pool.
Dynamic IP addresses, obtained via a RADIUS lookup.

4th alternative:
Dynamic IP addresses, obtained from a DHCP server via the ppp-dhcpc.so plugin for pppd

btw, to remove the RPC dependency of openl2tp (reduces size of executable and dependencies):
add the following line to the makefile
L2TP_FEATURE_RPC_MANAGEMENT=n
and remove the '#ifdef L2TP_FEATURE_RPC_MANAGEMENT' + '#endif' lines from the plugin/ppp_unix.c file in the openl2tp source.
Then configure openl2tp through /etc/openl2tpd.conf

The discussion might have continued from here.