Thread: Guide: Openswan, XL2TP and PPP on Ubuntu Maverick for iPhone VPN Connection


    *** Working Again As of Latest Edit ***

    This setup will allow you to log in to your own Ubuntu VPN server using your iPhone's default iOS VPN settings.

    Install the necessary packages.
    sudo apt-get install openswan ppp xl2tpd


    Using the following setup:

    192.168.1.22 Ubuntu Server IP Address
    192.168.1.1 Gateway Internal IP

    On your router, forward ports 500/udp and 4500/udp to the server at 192.168.1.22. This procedure can be found elsewhere and is not covered here.

    ===================
    Here’s my /etc/ipsec.conf file.
    (no changes necessary from text below)
    ===================
    Code:
    version 2.0
    
    config setup
      nat_traversal=yes
      # 192.168.0.0/16 is the whole RFC 1918 /16 block; a subnet's host bits must be zero
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
      oe=off
      protostack=netkey
    
    include /etc/ipsec.d/l2tp-psk.conf
    ==================
    Here’s my /etc/ipsec.d/l2tp-psk.conf file.
    (change left & leftnexthop values)
    Important NOTE: dpd entries allow you to connect multiple times without having to restart IPSEC...Thanks to user "FTT" for this
    ==================
    Code:
    conn L2TP-PSK-NAT
      rightsubnet=vhost:%priv
      also=L2TP-PSK-noNAT
    
    conn L2TP-PSK-noNAT
      authby=secret
      pfs=no
      auto=add
      keyingtries=3
      rekey=no
      type=transport
      left=192.168.1.22
      leftnexthop=192.168.1.1
      leftprotoport=17/1701
      right=%any
      rightprotoport=17/%any
      dpddelay=15
      dpdtimeout=30
      dpdaction=clear
      #Uncomment the line below for OSX on MAC?  untested!
      #rightprotoport=17/0
    ==================
    Here's my /etc/xl2tpd/xl2tpd.conf file.
    (change ip range & local ip)
    Important NOTES: "local ip" value must be outside "ip range"
    Both "local ip" and "ip range" MUST be outside the DHCP range on your local router or DHCP server.
    ==================
    Code:
    [global]
    ipsec saref = yes
    [lns default]
    ip range = 192.168.1.231-192.168.1.239
    local ip = 192.168.1.230
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    ==================
    Here’s my /etc/ppp/options.xl2tpd file.
    (change ms-dns value)
    ==================
    Code:
    require-mschap-v2
    ms-dns 192.168.1.1
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    ==================
    Here’s my /etc/ppp/chap-secrets file.
    (change username & password values)
    Example uses (username=test and password=testpass)
    Important NOTE: The 233 IP Address must be in the "ip range" from the /etc/xl2tpd/xl2tpd.conf setting. Repeat for additional users using different IP addresses within the range.
    ==================
    Code:
    test l2tpd testpass 192.168.1.233
    l2tpd test testpass 192.168.1.233
    ==================
    Here’s my /etc/ipsec.secrets file. (change IP address & Secret values)
    ==================
    Code:
    192.168.1.22   %any:  PSK "TestSecret"
    ================

    Run these three commands to restart everything.

    sudo /etc/init.d/pppd-dns restart
    sudo /etc/init.d/xl2tpd restart
    sudo /etc/init.d/ipsec restart

    ==================

    Run the following command; you should get the text below.

    sudo ipsec verify

    ==================

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
    Checking for IPsec support in kernel [OK]
    NETKEY detected, testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
    ipsec showhostkey: no default key in "/etc/ipsec.secrets"
    Checking that pluto is running [OK]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking NAT and MASQUERADEing [OK]
    Checking for 'ip' command [OK]
    Checking for 'iptables' command [OK]
    Opportunistic Encryption Support [DISABLED]


    If the two NETKEY / ICMP lines fail, don't worry... it should still work. Not sure why this happens for some and not others. I tried changing the ipv4 ICMP settings and got no change in the verify results. Not quite sure what the problem is here yet.

    =========

    Last but not least, place the following line into your /etc/rc.local file
    (This allows forwarding of packets so you can access WAN addresses, not just LAN addresses, and persists across reboots.)

    echo 1 > /proc/sys/net/ipv4/ip_forward

    =========

    Running the following command enables it now; no need to reboot.

    # the redirect must run as root, so pipe through sudo tee ("sudo echo 1 > ..." fails with permission denied)
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

    ==================

    Now for the iPhone Setup

    Settings -> General -> Network -> VPN -> Add VPN Configuration

    L2TP
    Description: WhateverYouWantToCallIt
    Server: WANipAddress (could be a DynamicDNS URL)
    Account: test
    RSA SecurID=OFF
    Password: testpass
    Secret: TestSecret
    Send All Traffic=On

    Save it, then turn your VPN on; it should connect and you will see a VPN icon in the upper status bar (left side on 3GS, right side on 4). Now all your traffic will be protected in WiFi hotspots, on 3G, etc.

    Hope this helps. Let me know if there are any typos or mistakes.
    Anyone care to test this with an Android phone and post the setting differences if any?
    Last edited by ndoggac; June 8th, 2011 at 04:52 PM. Reason: Fixin Stuff
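As an added example (not part of the original post, nor code from the Openswan or xl2tpd projects), here is a small Python checker for the consistency rules the guide states: "local ip" must lie outside "ip range", both must lie outside the router's DHCP range, every fixed address in chap-secrets must come from "ip range" (and no two users may share one), and the virtual_private subnets in ipsec.conf must have zero host bits. It embeds the guide's own sample values as constructed input so it runs offline; the DHCP pool 192.168.1.100-192.168.1.200 is an assumption, since the post does not state one, and virtual_private is written in its canonical form.

```python
"""Consistency checks for the xl2tpd.conf, chap-secrets and ipsec.conf files
from the guide above (added example, not the post's own code)."""
import ipaddress
import re

# Constructed sample input using the guide's values, embedded so this runs offline.
XL2TPD_CONF = """[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.231-192.168.1.239
local ip = 192.168.1.230
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
"""

CHAP_SECRETS = """# client server secret IP
test l2tpd testpass 192.168.1.233
l2tpd test testpass 192.168.1.233
"""

IPSEC_CONF = """version 2.0

config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  oe=off
  protostack=netkey
"""

# Assumed DHCP pool of the router; the guide does not state one.
DHCP_RANGE = ("192.168.1.100", "192.168.1.200")


def parse_xl2tpd(text):
    """Return {section: {key: value}} for xl2tpd's INI-style file."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_range(spec):
    """'a-b' -> (IPv4Address a, IPv4Address b), rejecting a reversed range."""
    lo, hi = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
    if lo > hi:
        raise ValueError("ip range start after end: %s" % spec)
    return lo, hi


def in_range(addr, rng):
    return rng[0] <= addr <= rng[1]


def parse_chap_secrets(text):
    """Return (client, server, ip) tuples; '*' when no fixed address is given."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[3] if len(parts) > 3 else "*"))
    return entries


def virtual_private_nets(text):
    """Extract the %v4 entries of virtual_private from ipsec.conf."""
    m = re.search(r"^\s*virtual_private\s*=\s*(\S+)", text, re.M)
    return [i for i in m.group(1).split(",") if i.startswith("%v4:")] if m else []


def check_configs(xl2tpd_text, chap_text, ipsec_text, dhcp_range):
    """Return a list of problems; an empty list means the guide's rules all hold."""
    problems = []
    lns = parse_xl2tpd(xl2tpd_text)["lns default"]
    pool = parse_range(lns["ip range"])
    local_ip = ipaddress.IPv4Address(lns["local ip"])
    dhcp = tuple(ipaddress.IPv4Address(a) for a in dhcp_range)

    # Rule 1: "local ip" must lie outside "ip range".
    if in_range(local_ip, pool):
        problems.append("local ip %s is inside ip range" % local_ip)
    # Rule 2: neither "local ip" nor the pool may overlap the router's DHCP range.
    if in_range(local_ip, dhcp):
        problems.append("local ip %s is inside the DHCP range" % local_ip)
    if pool[0] <= dhcp[1] and dhcp[0] <= pool[1]:
        problems.append("ip range overlaps the DHCP range")
    # Rule 3: fixed chap-secrets addresses come from the pool and are not shared.
    seen = {}
    for client, server, ip in parse_chap_secrets(chap_text):
        if ip == "*":
            continue
        user = client if server == "l2tpd" else server  # both line directions name one user
        if not in_range(ipaddress.IPv4Address(ip), pool):
            problems.append("chap-secrets address %s for %s is outside ip range" % (ip, user))
        if seen.setdefault(ip, user) != user:
            problems.append("address %s assigned to both %s and %s" % (ip, seen[ip], user))
    # Rule 4: virtual_private subnets must be canonical (host bits zero); "!" marks exclusions.
    for item in virtual_private_nets(ipsec_text):
        try:
            ipaddress.IPv4Network(item[len("%v4:"):].lstrip("!"), strict=True)
        except ValueError:
            problems.append("virtual_private entry %s has host bits set" % item)
    return problems


if __name__ == "__main__":
    for p in check_configs(XL2TPD_CONF, CHAP_SECRETS, IPSEC_CONF, DHCP_RANGE) or ["no problems found"]:
        print(p)
```

Point the constants at your real files (or read them with open()) and run it after each edit; a non-empty list names exactly which of the guide's rules the edit broke.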
