Thread: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

  1. #1
    Join Date
    May 2008
    Location
    Atlantic City, NJ
    Beans
    25
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    *** Working Again As of Latest Edit ***

    This setup will allow you to log in to your own Ubuntu VPN server using your iPhone's default iOS VPN settings.

    Install the necessary packages.
    sudo apt-get install openswan ppp xl2tpd


    Using the following setup:

    192.168.1.22 Ubuntu Server IP Address
    192.168.1.1 Gateway Internal IP

    On your router, forward ports 500/udp and 4500/udp to the server at 192.168.1.22. This procedure can be found elsewhere and is not covered here.

    ===================
    Here’s my /etc/ipsec.conf file.
    (no changes necessary from text below)
    ===================
    Code:
    version 2.0
    
    config setup
      nat_traversal=yes
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/16,%v4:172.16.0.0/12
      oe=off
      protostack=netkey
    
    include /etc/ipsec.d/l2tp-psk.conf
    ==================
    Here’s my /etc/ipsec.d/l2tp-psk.conf file.
    (change left & leftnexthop values)
    Important NOTE: dpd entries allow you to connect multiple times without having to restart IPSEC...Thanks to user "FTT" for this
    ==================
    Code:
    conn L2TP-PSK-NAT
      rightsubnet=vhost:%priv
      also=L2TP-PSK-noNAT
    
    conn L2TP-PSK-noNAT
      authby=secret
      pfs=no
      auto=add
      keyingtries=3
      rekey=no
      type=transport
      left=192.168.1.22
      leftnexthop=192.168.1.1
      leftprotoport=17/1701
      right=%any
      rightprotoport=17/%any 
      dpddelay=15
      dpdtimeout=30
      dpdaction=clear
      #Uncomment the line below for OSX on MAC?  untested!
      #rightprotoport=17/0
    ==================
    Here's my /etc/xl2tpd/xl2tpd.conf file.
    (change ip range & local ip)
    Important NOTES: "local ip" value must be outside "ip range"
    Both "local ip" and "ip range" MUST be outside the DHCP range on your local router or DHCP server.
    ==================
    Code:
    [global]
    ipsec saref = yes
    [lns default]
    ip range = 192.168.1.231-192.168.1.239
    local ip = 192.168.1.230
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    ==================
    Here’s my /etc/ppp/options.xl2tpd file.
    (change ms-dns value)
    ==================
    Code:
    require-mschap-v2
    ms-dns 192.168.1.1
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    ==================
    Here’s my /etc/ppp/chap-secrets file.
    (change username & password values)
    Example uses (username=test and password=testpass)
    Important NOTE: The 233 IP Address must be in the "ip range" from the /etc/xl2tpd/xl2tpd.conf setting. Repeat for additional users using different IP addresses within the range.
    ==================
    Code:
    test l2tpd testpass 192.168.1.233
    l2tpd test testpass 192.168.1.233
    ==================
    Here’s my /etc/ipsec.secrets file. (change IP address & Secret values)
    ==================
    Code:
    192.168.1.22   %any:  PSK "TestSecret"
    ================

    Run these three commands to restart everything

    sudo /etc/init.d/pppd-dns restart
    sudo /etc/init.d/xl2tpd restart
    sudo /etc/init.d/ipsec restart

    ==================

    Run the following command; you should get the text below.

    sudo ipsec verify

    ==================

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
    Checking for IPsec support in kernel [OK]
    NETKEY detected, testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
    ipsec showhostkey: no default key in "/etc/ipsec.secrets"
    Checking that pluto is running [OK]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking NAT and MASQUERADEing [OK]
    Checking for 'ip' command [OK]
    Checking for 'iptables' command [OK]
    Opportunistic Encryption Support [DISABLED]


    If the two netkey / ICMP lines fail, don't worry...it should still work. Not sure why this happens for some and not others. I tried changing the ipv4 ICMP settings and got no change in the verify results. Not quite sure what the problem is here yet??

    =========

    Last but not least, place the following line into your /etc/rc.local file
    (This allows forwarding of packets so you can access WAN addresses, not just LAN addresses, and is persistent across reboots.)

    echo 1 > /proc/sys/net/ipv4/ip_forward

    =========

    Running the following command enables it currently, no need to reboot

    # the redirect has to be performed by root, so run the whole command in a root shell
    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    ===============================================================

    Now for the iPhone Setup

    Settings -> General -> Network -> VPN -> Add VPN Configuration

    L2TP
    Description: WhateverYouWantToCallIt
    Server: WANipAddress (could be a DynamicDNS URL)
    Account: test
    RSA SecurID=OFF
    Password: testpass
    Secret: TestSecret
    Send All Traffic=On

    Save it, then turn your VPN on, it should connect and you will see a VPN icon in the upper status bar (left side on 3gs, right side on 4). Now all your traffic will be protected in WiFi hotspots, 3G, etc.

    Hope this helps. Let me know if there are any typos or mistakes.
    Anyone care to test this with an Android phone and post the setting differences if any?
    Last edited by ndoggac; June 8th, 2011 at 04:52 PM. Reason: Fixin Stuff
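
The addressing rules stated in the guide above ("local ip" outside "ip range", both outside the router's DHCP range, and each chap-secrets address inside "ip range") can be checked before restarting the daemons. This is an added example, not part of the original post; the function names and the DHCP pool passed in the demo call are assumptions, and the sample file contents are constructed from the guide's own values.

```python
import ipaddress

# Constructed sample inputs using the values from the guide above.
XL2TPD_CONF = """\
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
"""
CHAP_SECRETS = """\
test l2tpd testpass 192.168.1.233
l2tpd test testpass 192.168.1.233
"""

def parse_lns(conf_text):
    """Return (range_start, range_end, local_ip) from xl2tpd.conf text."""
    values = {}
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in xl2tpd.conf
        if "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = val
    start, end = (ipaddress.ip_address(a.strip()) for a in values["ip range"].split("-"))  # single range only
    return start, end, ipaddress.ip_address(values["local ip"])

def check_addressing(conf_text, chap_text, dhcp_pool=None):
    """Return a list of violations of the guide's addressing rules (empty list = OK)."""
    start, end, local_ip = parse_lns(conf_text)
    problems = []
    if start <= local_ip <= end:
        problems.append(f"local ip {local_ip} is inside ip range {start}-{end}")
    if dhcp_pool:  # optional (first, last) address of the router's DHCP pool
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
        if start <= hi and lo <= end:
            problems.append(f"ip range {start}-{end} overlaps DHCP pool {lo}-{hi}")
        if lo <= local_ip <= hi:
            problems.append(f"local ip {local_ip} is inside DHCP pool {lo}-{hi}")
    for lineno, line in enumerate(chap_text.splitlines(), 1):
        fields = line.split()  # client, server, secret, allowed address
        if len(fields) < 4 or fields[0].startswith("#") or fields[3] == "*":
            continue
        addr = ipaddress.ip_address(fields[3])
        if not start <= addr <= end:
            problems.append(f"chap-secrets line {lineno}: {addr} is outside ip range")
    return problems

if __name__ == "__main__":  # the DHCP pool here is a constructed example value
    print(check_addressing(XL2TPD_CONF, CHAP_SECRETS, ("192.168.1.100", "192.168.1.199")) or "OK")
```
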

  2. #2
    Join Date
    Jan 2011
    Beans
    6

    Re: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    Thanks for sharing.

    You do not make use of the -source package, therefore you do not need it.

    The ipsec.conf file is indentation sensitive. You might want to repost the file with correct indentation.

    The virtual_private line makes it impossible to connect if the client has a 192.168.x.y address somewhere in a nat-ed network. You should only exclude the immediate subnet where your server lives.

    The ipsec.conf file will give you a warning that KLIPS cannot be found on each startup. Include protostack=netkey to avoid the warning.

    You reference an example file /etc/ipsec.d/examples/no_oe.conf that does not exist.

  3. #3
    Join Date
    Feb 2008
    Beans
    12

    Re: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    I'm having a problem getting this to work for my iPhone 4 and my Ubuntu Maverick netbook endpoint. I'm real close to working, but on my iPhone I get an error:
    Code:
    VPN Connection
    A connection could not be established to the PPP server. Try reconnecting. If the problem continues, verify your settings and contact your Administrator
    Any idea what might cause this?

    I also noticed an extremely minor error in your post - you transposed the "d" and "p" in "xl2tpd" (<= this is correct, but if you expand the acronym for what you wrote you'd get, 'x Layer 2 Tunneling Daemon Protocol'). That's not a huge problem, of course, but for someone like me who tried to follow *precisely* by using cut-and-paste, it threw me off for a second.

    Thanks for the great post so far-

  4. #4
    Join Date
    Feb 2008
    Beans
    12

    Re: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    bump

  5. #5
    Join Date
    May 2008
    Location
    Atlantic City, NJ
    Beans
    25
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    Thanks to mok and dsuchter for their corrections.

    Fixes made:
    removed source package from installation line per Mok
    changed 192.168.0.0 to 192.168.1.0 per Mok
    added protostack=netkey to ipsec.conf per Mok
    removed no_oe.conf reference (leftover from testing) per Mok
    fixed the transposed "d" and "p" in xl2tpd per dsuchter

    I can't get the text to indent in the post. Any help on doing that would be appreciated.

  6. #6
    Join Date
    Feb 2008
    Beans
    12

    Re: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection

    Quote: Originally Posted by ndoggac
    thanks to mok and dsuchter for their corrections.

    I can't get the text to indent in the post. Any help on doing that would be appreciated.
    Wrap it in CODE tags (the hash-symbol button on the post-editing widget will get you these tags, or you can manually type them in using square brackets).

    Code:
    no indent
      two spaces
        four spaces
      two spaces
