*** Working Again As of Latest Edit ***
This setup will allow you to log in to your own Ubuntu VPN server using your iPhone's default iOS VPN settings.
Install the necessary packages.
sudo apt-get install openswan ppp xl2tpd
Using the following setup:
192.168.1.22 Ubuntu Server IP Address
192.168.1.1 Gateway Internal IP
On your router, forward ports 500/udp and 4500/udp to the server at 192.168.1.22. This procedure can be found elsewhere and is not covered here.
===================
Here’s my /etc/ipsec.conf file.
(no changes necessary from text below)
===================
Code:
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
include /etc/ipsec.d/l2tp-psk.conf
==================
Here’s my /etc/ipsec.d/l2tp-psk.conf file.
(change left & leftnexthop values)
Important NOTE: the dpd entries let you reconnect multiple times without having to restart IPsec. Thanks to user "FTT" for this.
==================
Code:
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=192.168.1.22
leftnexthop=192.168.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=15
dpdtimeout=30
dpdaction=clear
# Uncomment the line below for OS X clients (untested)
#rightprotoport=17/0
==================
Here's my /etc/xl2tpd/xl2tpd.conf file.
(change ip range & local ip)
Important NOTES: "local ip" value must be outside "ip range"
Both "local ip" and "ip range" MUST be outside the DHCP range on your local router or DHCP server.
==================
Code:
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
==================
Here’s my /etc/ppp/options.xl2tpd file.
(change ms-dns value)
==================
Code:
require-mschap-v2
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
==================
Here’s my /etc/ppp/chap-secrets file.
(change username & password values)
Example uses (username=test and password=testpass)
Important NOTE: the 192.168.1.233 address must be inside the "ip range" from the /etc/xl2tpd/xl2tpd.conf setting. Repeat the pair of lines for each additional user, using a different IP address within that range.
==================
Code:
test l2tpd testpass 192.168.1.233
l2tpd test testpass 192.168.1.233
==================
Here’s my /etc/ipsec.secrets file. (change IP address & Secret values)
==================
Code:
192.168.1.22 %any: PSK "TestSecret"
================
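As an added cross-check that is not part of the original post, the following Python script parses the four files above as shown and reports the mistakes the notes warn about: a "local ip" inside the "ip range", addresses colliding with the router's DHCP pool, chap-secrets addresses outside the "ip range", and an ipsec.secrets host that does not match left=. The embedded file contents and the DHCP pool 192.168.1.100-199 are constructed sample inputs; substitute your own files and pool.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the files in this post (not read from disk).
XL2TPD_CONF = """[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
"""
CHAP_SECRETS = "test l2tpd testpass 192.168.1.233\nl2tpd test testpass 192.168.1.233\n"
L2TP_PSK_CONF = "conn L2TP-PSK-noNAT\nleft=192.168.1.22\nleftnexthop=192.168.1.1\n"
IPSEC_SECRETS = '192.168.1.22 %any: PSK "TestSecret"\n'
DHCP_RANGE = ("192.168.1.100", "192.168.1.199")  # assumed router DHCP pool

def _kv(text, key):
    """Value of 'key = value' (spaces around '=' optional) from a config blob."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.M)
    return m.group(1) if m else None

def _in_range(ip, lo, hi):
    a = ipaddress.ip_address
    return a(lo) <= a(ip) <= a(hi)

def check_vpn_config(xl2tpd, chap, psk_conf, secrets, dhcp):
    """Return a list of problems; an empty list means the files agree with each other."""
    problems = []
    lo, hi = _kv(xl2tpd, "ip range").split("-")
    local_ip = _kv(xl2tpd, "local ip")
    if _in_range(local_ip, lo, hi):
        problems.append("local ip %s lies inside ip range" % local_ip)
    if _in_range(local_ip, *dhcp):
        problems.append("local ip %s collides with the DHCP pool" % local_ip)
    # two closed intervals overlap iff an endpoint of one lies inside the other
    if _in_range(lo, *dhcp) or _in_range(hi, *dhcp) or _in_range(dhcp[0], lo, hi):
        problems.append("ip range overlaps the DHCP pool")
    for line in chap.splitlines():
        fields = line.split()  # client server secret ip
        if len(fields) == 4 and fields[3] != "*" and not _in_range(fields[3], lo, hi):
            problems.append("chap-secrets address %s is outside ip range" % fields[3])
    left = _kv(psk_conf, "left")
    secret_ip = secrets.split()[0]  # host address before %any:
    if left != secret_ip:
        problems.append("ipsec.secrets host %s does not match left=%s" % (secret_ip, left))
    return problems

if __name__ == "__main__":
    for p in check_vpn_config(XL2TPD_CONF, CHAP_SECRETS, L2TP_PSK_CONF, IPSEC_SECRETS, DHCP_RANGE):
        print("PROBLEM:", p)
```

==================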
Run these three commands to restart everything:
sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart
==================
Run the following command; you should get output like the text below.
sudo ipsec verify
==================
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
If the two NETKEY / ICMP lines fail, don't worry... it should still work. Not sure why this happens for some and not others. I tried changing the ipv4 ICMP settings and got no change in the verify results. Not quite sure what the problem is here yet?
=========
Last but not least, place the following line into your /etc/rc.local file
(This enables packet forwarding so that VPN clients can reach WAN addresses, not just LAN addresses, and keeps it enabled across reboots.)
echo 1 > /proc/sys/net/ipv4/ip_forward
=========
Running the following command enables it immediately, no need to reboot. Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" does not work, because the redirection is performed by your unprivileged shell rather than by sudo; pipe through tee instead:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
==================
Now for the iPhone setup
Settings -> General -> Network -> VPN -> Add VPN Configuration
L2TP
Description: WhateverYouWantToCallIt
Server: WANipAddress (could be a DynamicDNS URL)
Account: test
RSA SecurID=OFF
Password: testpass
Secret: TestSecret
Send All Traffic=On
Save it, then turn your VPN on; it should connect and you will see a VPN icon in the upper status bar (left side on the 3GS, right side on the iPhone 4). Now all your traffic will be tunnelled to your server and protected on WiFi hotspots, 3G, etc.
Hope this helps. Let me know if there are any typos or mistakes.
Anyone care to test this with an Android phone and post the setting differences if any?