[Openswan Users] Openswan and iphone L2TP/IPsec configuration example

Paul Wouters paul at xelerance.com
Wed Nov 25 11:44:31 EST 2009


On Wed, 25 Nov 2009, Alexander Damhuis wrote:

>> Why not use L2TP? People are using that on their iphones to Openswan without
>> problems.
>>
>
> I was trying that exactly and I fail with the L2TP portion of it right now - can you pinpoint me to useful info, configuration examples or someone, I could ask for examples?
>
> That would be very kind.

Below are my ipsec.conf (using PSK) and xl2tpd.conf. This is using openswan 2.6.24rc2 with NETKEY.

config setup
	nat_traversal=yes
	virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:193.110.157.60/32
	protostack=netkey
	interfaces="%defaultroute"
	oe=off

conn l2tp-psk
	authby=secret
	pfs=no
	auto=add
	rekey=no
	#tempoverlapip=yes
	type=transport
	leftsendcert=always
	left=193.110.157.131
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	rightsubnet=vhost:%priv,%no


xl2tpd.conf:

[global]
listen-addr = 193.110.157.131
debug tunnel = yes

[lns default]
ip range = 193.111.228.2-193.111.228.127
local ip = 193.111.228.1
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd is stock xl2tpd with only the nameservers changed.

Note that my public IP/interface is 193.110.157.131, and my "internal network"
is 193.111.228.0/24. Most people will use RFC1918 where I have 193.111.228.x
numbers.

/etc/ppp/chap-secrets:

# Secrets for authentication using PAP
# client	server	secret			IP addresses
test           *       "test"              193.111.228.101
*               test   "test"              193.111.228.101
test1           *       "test"              193.111.228.0/25
*               test1   "test"              193.111.228.0/25
test2           *       "test"              193.111.228.0/25
*               test2   "test"              193.111.228.0/25

My public interface (193.110.157.131) is set to have an MTU of 1472.

/etc/sysctl.conf contains:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

That should get anyone going with a simple PSK/L2TP setup.

Paul

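As an added sanity check, not part of Paul's post or of Openswan itself: a small Python script that parses a conn in ipsec.conf syntax and verifies it carries the settings an L2TP-over-IPsec road-warrior conn needs (transport mode, UDP 1701, right=%any, vhost:%priv, pfs=no, nat_traversal=yes). The embedded sample is constructed from the values in the post; the function names are hypothetical.

```python
# Constructed sample in ipsec.conf syntax, using the values from the post.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    protostack=netkey

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=193.110.157.131
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; a section is 'config setup' or 'conn <name>'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line opens a new section
            current = line.strip()
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

# What an L2TP-over-IPsec road-warrior conn needs: transport mode protecting UDP 1701
# from any client address/port, with private client addresses behind NAT allowed.
REQUIRED = {"type": "transport", "leftprotoport": "17/1701", "rightprotoport": "17/%any",
            "right": "%any", "rightsubnet": "vhost:%priv,%no", "pfs": "no"}

def check_l2tp_conn(sections, conn="l2tp-psk"):
    """Return a list of findings; an empty list means the conn has the expected shape."""
    findings = []
    if sections.get("config setup", {}).get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is needed for clients behind NAT")
    c = sections.get(f"conn {conn}")
    if c is None:
        return findings + [f"conn {conn}: section not found"]
    for key, want in REQUIRED.items():
        if c.get(key) != want:
            findings.append(f"conn {conn}: expected {key}={want}, got {c.get(key)!r}")
    return findings
```

Run it against a real /etc/ipsec.conf by passing the file's contents to parse_ipsec_conf and the conn name to check_l2tp_conn; any finding points at the line that differs from the working setup above.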
