This howto will document the needed components for an L2TP/IPsec tunnel as supported by iPhone/Android clients. There are many different IPsec implementations for Linux, like Openswan and strongSwan, but I prefer ipsec-tools because of its light footprint. Note that I use my own init script that runs setkey.conf. I also include a hotplug script to restart racoon on WAN ifup; this is needed so that setkey.conf runs with the new IP address.
Ok, let's get started. First, we install all the required packages:
# opkg install iptables-mod-ipsec kmod-crypto-authenc kmod-crypto-cbc kmod-crypto-deflate kmod-crypto-des kmod-crypto-hmac kmod-crypto-iv kmod-crypto-md5 kmod-crypto-rng kmod-crypto-wq kmod-zlib kmod-ipsec kmod-ipsec4 libopenssl xl2tpd ppp
# opkg install http://enduser.subsignal.org/~trondah/packages/ipsec-tools_0.8.0-1_ar71xx.ipk
Now, let's configure racoon.
/etc/racoon.conf:
path pre_shared_key "/etc/racoon/psk.txt";

# "anonymous" accepts any peer address: every client authenticates with the
# single shared secret in psk.txt, so treat that secret like a password.
remote anonymous {
        exchange_mode main;
        nat_traversal on;        # negotiate NAT-T (IKE/ESP over UDP 4500) when the client is behind NAT
        generate_policy on;      # create the SPD entry from the client's proposal when none exists
        proposal_check obey;     # accept the initiator's lifetime and PFS settings
        proposal {
                # Phase 1 as proposed by the iPhone/Android clients of the time;
                # 3DES and DH group 2 (1024-bit MODP) are no longer considered strong.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
/etc/racoon/psk.txt (this file must be chmod 0600, or racoon refuses to read it):
# * is a wildcard, means any IP address
# Replace "changeme" with a long random secret; every client uses this same PSK
* changeme
/etc/setkey.conf:
#!/bin/sh
# This shell script is run by the racoon init script with your WAN address as
# its argument ($1). The [l2tp] port spec needs an "l2tp 1701/udp" entry in /etc/services.
[ -n "$1" ] || { echo "usage: $0 WAN_ADDRESS" >&2; exit 1; }
setkey -c <<EOF
flush;
spdflush;
# All tunnels to this host shall use ESP transport mode
# (L2TP on UDP 1701 is only accepted inside IPsec, in both directions)
spdadd $1[l2tp] 0.0.0.0/0 udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 $1[l2tp] udp -P in ipsec esp/transport//require;
EOF
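The hotplug script mentioned at the top is not shown in the post, so here is one way to write it, as an added example that is not part of the original howto. It is meant to live under /etc/hotplug.d/iface/ and, on ifup of the WAN interface, reads the device's current IPv4 address, renders the same two SPD entries as setkey.conf, loads them and restarts racoon. ACTION, INTERFACE and DEVICE are the variables OpenWrt's hotplug system exports to iface scripts; the interface name `wan`, the helper names, the logger tag and the sample `ip addr` output are my assumptions/constructed for the offline check.

```shell
#!/bin/sh
# Added example (not from the original post): /etc/hotplug.d/iface/90-racoon
# Reload the IPsec policy with the current WAN address and restart racoon on WAN ifup.
# ACTION, INTERFACE and DEVICE come from OpenWrt hotplug; WAN_IFACE "wan" is assumed.

WAN_IFACE="${WAN_IFACE:-wan}"

# wan_addr_from_ip_output: pull the first IPv4 address out of `ip -4 addr show` text
# read on stdin. Exits non-zero when there is no inet line, so an empty address is
# never substituted into the policy (which would yield a bogus "[l2tp]" entry).
wan_addr_from_ip_output() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; found = 1; exit }
         END { exit !found }'
}

# spd_policy ADDR: emit the setkey commands the howto's setkey.conf runs, so they can
# be reviewed or diffed against `setkey -DP` before being loaded.
spd_policy() {
    addr="$1"
    [ -n "$addr" ] || return 1
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s[l2tp] 0.0.0.0/0 udp -P out ipsec esp/transport//require;\n' "$addr"
    printf 'spdadd 0.0.0.0/0 %s[l2tp] udp -P in ipsec esp/transport//require;\n' "$addr"
}

# Hotplug entry point: act only on ifup of the WAN interface.
hotplug_main() {
    [ "$ACTION" = "ifup" ] || return 0
    [ "$INTERFACE" = "$WAN_IFACE" ] || return 0
    addr="$(ip -4 addr show dev "$DEVICE" | wan_addr_from_ip_output)" || {
        logger -t racoon-hotplug "no IPv4 address on $DEVICE, not loading IPsec policy"
        return 1
    }
    spd_policy "$addr" | setkey -c
    /etc/init.d/racoon restart
}

# Constructed sample of `ip -4 addr show dev eth0.2` output for the offline check below.
SAMPLE_IP_OUTPUT='3: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0.2
       valid_lft forever preferred_lft forever'

# sample_wan_addr: parse the constructed sample (expected: 203.0.113.5)
sample_wan_addr() { printf '%s\n' "$SAMPLE_IP_OUTPUT" | wan_addr_from_ip_output; }

# When invoked by hotplug, ACTION is set; when sourced or run by hand it does nothing.
if [ -n "$ACTION" ]; then
    hotplug_main
fi
```

To try it by hand on the router: `ACTION=ifup INTERFACE=wan DEVICE=eth0.2 sh /etc/hotplug.d/iface/90-racoon`, then confirm the two entries with `setkey -DP`.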
Now on to xl2tpd.
/etc/xl2tpd/xl2tpd.conf:
[global]
port = 1701
access control = no
ipsec saref = yes
[lns default]
exclusive = yes
ip range = 192.168.1.81-192.168.1.89
local ip = 192.168.1.80
;hidden bit = no
length bit = yes
name = VPNServer
ppp debug = yes
require authentication = yes
unix authentication = no
require chap = yes
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd
/etc/ppp/options.xl2tpd:
lock
auth
# Our name for CHAP; the second column of /etc/ppp/chap-secrets must be this or *
name "l2tp-server"
dump
# CCP seems to confuse Android clients, better turn it off
noccp
novj
novjccomp
nopcomp
noaccomp
# require-mschap also admits MS-CHAPv1; if all clients do MS-CHAPv2, keep only the v2 line
require-mschap
require-mschap-v2
ms-dns 192.168.1.80
lcp-echo-interval 120
lcp-echo-failure 10
# Drop sessions idle for 30 minutes
idle 1800
connect-delay 5000
nodefaultroute
noipdefault
# The ip range is inside the LAN subnet, so answer ARP for the clients on the LAN
proxyarp
# Leave room for the L2TP/UDP/ESP/IP overhead
mtu 1400
mru 1400
xl2tpd hands authentication to pppd, which checks the CHAP credentials against /etc/ppp/chap-secrets.
/etc/ppp/chap-secrets (chmod 0600 this file as well):
# USERNAME  SERVER (name from options.xl2tpd, or *)  PASSWORD  IPADDRESS (* = any from the pool)
someuser * somepassword *
You'll need to open up your firewall (/etc/config/firewall) for IKE (UDP 500), NAT-T (UDP 4500), the ESP protocol itself, and UDP 1701 only for packets that arrived inside IPsec. The last rule uses the policy match from iptables-mod-ipsec; without it, anyone could talk plain L2TP to xl2tpd and skip IPsec entirely.
# IPsec/NAT-T
config 'rule'
option 'target' 'ACCEPT'
option '_name' 'IPsec NAT-T'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '4500'
# IPsec/IKE
config 'rule'
option 'target' 'ACCEPT'
option '_name' 'IPsec IKE'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '500'
# IPsec/ESP (IP protocol 50, not UDP: with 'udp' and no dest_port this rule would accept all UDP from the WAN)
config 'rule'
option 'target' 'ACCEPT'
option '_name' 'IPsec ESP'
option 'src' 'wan'
option 'proto' 'esp'
# L2TP/ESP
config 'rule'
option 'target' 'ACCEPT'
option '_name' 'L2TP ESP'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '1701'
option 'extra' '-m policy --strict --dir in --pol ipsec --proto esp'
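One check worth running on a rule set like the one above: a rule that selects a whole transport protocol from the WAN without a `dest_port` or `extra` match accepts everything in that protocol. If the ESP rule were written with `option 'proto' 'udp'` and no `dest_port` (an easy slip, since ESP is not UDP), it would let every inbound UDP packet through. The following script is an added example of mine, not part of the original howto; it parses UCI firewall text and prints the name of each wan-to-ACCEPT rule that is that broad. The sample rules are constructed from this page plus a correctly written ESP rule (proto esp).

```shell
#!/bin/sh
# Added example (not from the original post): flag over-broad WAN ACCEPT rules in
# OpenWrt UCI firewall syntax. Reads the config on stdin; prints one rule name per
# finding ("unnamed" if the rule has no _name).

audit_rules() {
    awk -v sq="'" '
    function emit_rule() {
        # A rule is over-broad when it accepts a whole tcp/udp protocol from wan
        # with neither a destination port nor an extra iptables match.
        if (in_rule && src == "wan" && target == "ACCEPT" &&
            (proto == "tcp" || proto == "udp" || proto == "tcpudp") &&
            dest_port == "" && extra == "")
            print (name == "" ? "unnamed" : name)
        in_rule = 0; src = ""; target = ""; proto = ""; dest_port = ""; extra = ""; name = ""
    }
    { gsub(sq, ""); gsub(/"/, "") }               # strip either UCI quoting style
    /^[ \t]*config[ \t]+rule/ { emit_rule(); in_rule = 1; next }
    /^[ \t]*config[ \t]/      { emit_rule(); next }  # some other section type
    /^[ \t]*option[ \t]/ {
        key = $2; val = $3
        if (key == "src") src = val
        else if (key == "target") target = val
        else if (key == "proto") proto = val
        else if (key == "dest_port") dest_port = val
        else if (key == "extra") extra = val
        else if (key == "_name") { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); name = $0 }
    }
    END { emit_rule() }
    '
}

# Constructed sample: the IKE rule, an ESP rule mistakenly written as proto udp with
# no port, an ESP rule written correctly, and the policy-matched L2TP rule.
sample_rules() {
cat <<'EOF'
config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPsec IKE'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '500'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPsec ESP'
    option 'src' 'wan'
    option 'proto' 'udp'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPsec ESP fixed'
    option 'src' 'wan'
    option 'proto' 'esp'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'L2TP ESP'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '1701'
    option 'extra' '-m policy --strict --dir in --pol ipsec --proto esp'
EOF
}

# audit_sample: run the audit over the constructed sample (expected: "IPsec ESP" only)
audit_sample() { sample_rules | audit_rules; }
```

On the router, run `audit_rules < /etc/config/firewall`; an empty result means no rule opens a whole tcp/udp protocol to the WAN.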
You'll also want to allow forwarding to/from the ppp interfaces the VPN clients land on.
/etc/firewall.user:
# Allow forwarding from/to VPN interfaces. As written this lets VPN clients reach
# both the LAN and the WAN; add e.g. "-o br-lan" to the first rule if they should
# only see the LAN.
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
Now you can start racoon/xl2tpd:
/etc/init.d/racoon start
/etc/init.d/xl2tpd start
And you're done! Easy, wasn't it?
(Last edited by arokh on 5 Jan 2012, 16:32)