Hello,<div><br></div><div>I would like to set up a VPN server for my personal usage to connect my devices to my home LAN from the internet, so it looks like this:</div><div><br></div><div>Android ------|</div><div> | INTERNET |----- Internet IP + Modem/Router + 192.168.1.1 ------| LAN 192.168.1.0 |----- 192.168.1.3 + CentOS 6.2</div>
<div>Laptop ------|</div><div><br></div><div>I'm using a dynamic DNS to reach my CentOS server from the web, and my router has the following routing rules:</div><div>L2TP-IKE 0.0.0.0:500/UDP ---> 192.168.1.3:500/UDP</div>
<div>L2TP-NAT 0.0.0.0:4500/UDP ---> 192.168.1.3:4500/UDP</div><div>L2TP-Traffic 0.0.0.0:1701/UDP ---> 192.168.1.3:1701/UDP</div>
<div><br></div><div>iptables is stopped on the server as my router handles the firewall.</div><div><br></div><div>So I tried to follow some tutorials like:</div><div><a href="https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd">https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd</a></div>
<div><br></div><div>Here is my current configuration:</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><b>/etc/ipsec.conf</b></div></blockquote><div><i>version 2.0 # conforms to second version of ipsec.conf specification</i></div>
<div><i><br></i></div><div><i>config setup</i></div><div><i> # Debug-logging controls: "none" for (almost) none, "all" for lots.</i></div><div><i> # klipsdebug=none</i></div><div><i> # plutodebug="control parsing"</i></div>
<div><i> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</i></div><div><i> protostack=netkey</i></div><div><i> nat_traversal=yes</i></div><div><i> # The server's own LAN (192.168.1.0/24) is normally excluded from this list with %v4:!192.168.1.0/24</i></div><div><i> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</i></div>
<div><i><br></i></div><div><i> oe=off</i></div><div><i><br></i></div><div><i> # Enable this if you see “failed to find any available worker”</i></div><div><i> nhelpers=0</i></div><div><i><br></i></div>
<div><i>conn L2TP-PSK-NAT</i></div><div><i> rightsubnet=vhost:%no,%priv</i></div><div><i> also=L2TP-PSK-noNAT</i></div><div><i><br></i></div><div><i>conn L2TP-PSK-noNAT</i></div><div><i> leftnexthop=%defaultroute</i></div>
<div><i> authby=secret</i></div><div><i> pfs=no</i></div><div><i> auto=add</i></div><div><i> keyingtries=3</i></div><div><i> rekey=no</i></div><div><i> type=transport</i></div><div>
<i> left=%defaultroute</i></div><div><i> # leftprotoport=17/%any</i></div><div><i> leftprotoport=17/1701</i></div><div><i> right=%any</i></div><div><i> # rightprotoport was missing from the posted file; NATed L2TP clients arrive from any UDP port</i></div><div><i> rightprotoport=17/%any</i></div><div style="font-weight:bold"><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div style="font-weight:bold">/etc/ipsec.d/l2tp.secrets</div></blockquote><div><i>192.168.1.3 %any 0.0.0.0: PSK "pskpassword"</i></div><div><b><br></b></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div><b>/etc/xl2tpd/xl2tpd.conf</b></div></blockquote><div><div><i>[global]</i></div><div><i>; you cannot leave out listen-addr, causes possible wrong src ip on return packets</i></div><div><i>listen-addr = 192.168.1.3</i></div>
<div><i>;ipsec saref = yes ; For SAref + MAST only</i></div><div><i>debug tunnel = yes</i></div><div><i>;force userspace = yes</i></div><div><i><br></i></div><div><i>[lns default]</i></div><div><i>ip range = 192.168.1.150-192.168.1.200</i></div>
<div><i>local ip = 192.168.1.3</i></div><div><i>assign ip = yes</i></div><div><i>require chap = yes</i></div><div><i>refuse pap = yes</i></div><div><i>require authentication = yes</i></div><div><i>name = JubhomeVPN</i></div>
<div><i>ppp debug = yes</i></div><div><i>pppoptfile = /etc/ppp/options.xl2tpd</i></div><div><i>length bit = yes</i></div></div><div><br></div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><b>/etc/ppp/options.xl2tpd</b></div>
</blockquote></div><div><div><i>ipcp-accept-local</i></div><div><i>ipcp-accept-remote</i></div><div><i>ms-dns 192.168.1.1</i></div><div><i>ms-dns 8.8.8.8</i></div><div><i>noccp</i></div><div><i>auth</i></div><div><i>crtscts</i></div>
<div><i>idle 1800</i></div><div><i>mtu 1200</i></div><div><i>mru 1200</i></div><div><i>nodefaultroute</i></div><div><i>debug</i></div><div><i>lock</i></div><div><i>proxyarp</i></div><div><i>connect-delay 5000</i></div></div>
<div><i><br></i></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><b>/etc/ppp/chap-secrets</b></div></blockquote><div><div style="font-style:italic"># Secrets for authentication using CHAP</div><div style="font-style:italic">
# client server secret IP addresses</div><div style="font-style:italic">user1 * user1pwd *</div><div style="font-style:italic"><br></div><div>Everything is set as it should be in /etc/sysctl.conf</div></div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><b><i>ipsec verify </i>returns:</b></div></blockquote><div><div><i>~> ipsec verify</i></div>
<div><i>Checking your system to see if IPsec got installed and started correctly:</i></div><div><i>Version check and ipsec on-path [OK]</i></div><div><i>Linux Openswan U2.6.38dr2/K2.6.32-220.17.1.el6.x86_64 (netkey)</i></div>
<div><i>Checking for IPsec support in kernel [OK]</i></div><div><i> SAref kernel support [N/A]</i></div><div><i> NETKEY: Testing XFRM related proc values [OK]</i></div>
<div><i> [OK]</i></div><div><i> [OK]</i></div><div><i>Testing against enforced SElinux mode [OK]</i></div><div><i>Checking that pluto is running [OK]</i></div>
<div><i> Pluto listening for IKE on udp 500 [OK]</i></div><div><i> Pluto listening for NAT-T on udp 4500 [OK]</i></div><div><i>Checking for 'ip' command [OK]</i></div>
<div><i>Checking /bin/sh is not /bin/dash [WARNING]</i></div><div><i>Checking for 'iptables' command [OK]</i></div><div><i>Opportunistic Encryption Support [DISABLED]</i></div>
</div>
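Added example, not code from the post above and not from the Openswan or xl2tpd projects: a small Python lint that reads an ipsec.conf and a sysctl.conf as text and reports the settings that most often break an L2TP/IPsec server behind a NAT router, namely a malformed virtual_private, a server LAN that virtual_private covers without excluding, a conn that lacks rightprotoport=17/%any, and the ip_forward, rp_filter and ICMP redirect sysctls. The two sample files embedded in it are constructed to resemble the configuration posted above (problems included) and are not real files from the poster's server; the function names, the required-setting tables and the 192.168.1.0/24 LAN are this example's own assumptions.

```python
"""Lint ipsec.conf and sysctl.conf for an L2TP/IPsec (xl2tpd) server.
Added example, not code from the post or from Openswan/xl2tpd; all names are the example's own."""
import ipaddress

# What an L2TP/IPsec conn needs (assumes PSK authentication, as in the post).
L2TP_CONN_SETTINGS = {
    "type": "transport",          # L2TP/IPsec is transport mode, not tunnel mode
    "authby": "secret",           # pre-shared key from ipsec.secrets / ipsec.d/*.secrets
    "leftprotoport": "17/1701",   # server side: UDP 1701 (xl2tpd)
    "rightprotoport": "17/%any",  # client side: NATed clients arrive from any UDP port
    "pfs": "no",                  # Windows/Android L2TP clients do not do PFS
}
# Kernel settings the usual L2TP/IPsec how-tos put in /etc/sysctl.conf.
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",                 # route between ppp+ and the LAN
    "net.ipv4.conf.all.rp_filter": "0",         # strict RPF drops decrypted NETKEY traffic
    "net.ipv4.conf.default.rp_filter": "0",
    "net.ipv4.conf.all.accept_redirects": "0",  # the redirect settings 'ipsec verify' tests
    "net.ipv4.conf.all.send_redirects": "0",
}

def parse_ipsec_conf(text):
    """{'config setup': {...}, 'conn NAME': {...}}; headers in column 0, keys indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            current = " ".join(line.split())
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name):
    """Flatten a conn through its 'also=' include; the including conn's own keys win."""
    conn = dict(sections.get("conn " + name, {}))
    base = conn.pop("also", None)
    merged = resolve_conn(sections, base) if base else {}
    merged.update(conn)
    return merged

def parse_virtual_private(value):
    """Split virtual_private into (included, excluded) networks; ValueError on e.g. '/12s'."""
    included, excluded = [], []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        if not entry.startswith("%v4:"):
            raise ValueError("only %%v4: entries are handled here: %s" % entry)
        cidr = entry[4:]
        target = excluded if cidr.startswith("!") else included
        target.append(ipaddress.ip_network(cidr.lstrip("!"), strict=False))
    return included, excluded

def check_ipsec(text, conn_name, server_lan):
    """Return problem strings for the conn and its 'config setup' (empty list = looks fine)."""
    sections = parse_ipsec_conf(text)
    lan = ipaddress.ip_network(server_lan, strict=False)
    setup, problems = sections.get("config setup", {}), []
    if setup.get("nat_traversal") != "yes":
        problems.append("config setup: nat_traversal=yes is needed for clients behind NAT")
    try:
        included, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    except ValueError as exc:
        problems.append("config setup: virtual_private is malformed (%s)" % exc)
    else:
        covered = any(lan.overlaps(net) for net in included)
        shielded = any(lan.network_address in net and lan.broadcast_address in net
                       for net in excluded)
        if covered and not shielded:
            problems.append("config setup: virtual_private covers the server LAN %s "
                            "without excluding it; add %%v4:!%s" % (lan, lan))
    conn = resolve_conn(sections, conn_name)
    for key, want in L2TP_CONN_SETTINGS.items():
        if conn.get(key) != want:
            problems.append("conn %s: expected %s=%s, have %s" % (conn_name, key, want, conn.get(key)))
    return problems

def check_sysctl(text):
    """Return problem strings for sysctl.conf text against REQUIRED_SYSCTL."""
    pairs = (ln.split("#", 1)[0].partition("=") for ln in text.splitlines())
    settings = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    return ["%s should be %s, have %s" % (k, want, settings.get(k))
            for k, want in REQUIRED_SYSCTL.items() if settings.get(k) != want]

# Constructed sample resembling the post's ipsec.conf, problems included.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12s
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    type=transport
    leftprotoport=17/1701
    right=%any
"""
# Same file with the typo fixed, the server LAN excluded and rightprotoport added.
FIXED_IPSEC_CONF = SAMPLE_IPSEC_CONF.replace(
    "172.16.0.0/12s", "172.16.0.0/12,%v4:!192.168.1.0/24"
).replace("    right=%any\n", "    right=%any\n    rightprotoport=17/%any\n")
# Constructed sysctl.conf: forwarding on, but rp_filter left at the CentOS default.
SAMPLE_SYSCTL_CONF = ("net.ipv4.ip_forward = 1\nnet.ipv4.conf.default.rp_filter = 1\n"
                      "net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\n")
```

Against SAMPLE_IPSEC_CONF, check_ipsec("...", "L2TP-PSK-NAT", "192.168.1.0/24") reports the `/12s` parse error and the missing rightprotoport; against FIXED_IPSEC_CONF it returns an empty list, and removing the `!192.168.1.0/24` entry from the fixed file makes it report the unexcluded server LAN instead. To run it against a real server, pass `open("/etc/ipsec.conf").read()` and `open("/etc/sysctl.conf").read()`; it checks the files only, not the running kernel, so pair it with `sysctl -a` if sysctl.conf has not been reloaded.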