[Openswan Users] Trying to get openswan working with android
Scott Webster Wood
treii28 at gmail.com
Fri Feb 24 00:41:31 EST 2012
Is there a good step-by-step guide available anywhere on setting up an
openswan server in Linux and possibly for connecting with an Android
phone? I'm trying to set up an L2TP server to connect to my home network
and just can't seem to get it to work. I initially tried toying with
tinyca to create my public/private keys, then went down to a direct
creation method with openssl when I noticed it was getting errors for
not using des3-based keys (something I couldn't find a distinct option
for in tinyca).
The first help page I found suggested copying the example l2tp-psk.conf
file down and told you to modify just two lines, the left and
leftnexthop lines. For left I put the IP address of the wan0 wireless
device on that computer, which is connected to the router for the
broadband connection; for leftnexthop I tried both the internal
gateway address and the external DHCP-provided address from Comcast
(the guide was unclear as to which I was supposed to be using).
I still have not yet found a definitive, intuitive guide on how to
set up the keys. I'm still unclear if I am supposed to be setting up two
(one public/private CA with a signed p12 to send to my phone) or four
(pub/priv CA and a pub/priv set for the Android phone, with a fifth
converted/signed p12 of the phone's public key). I am assuming four but
am still unclear as to where the private key is supposed to go for the
Android device (I'm assuming in /etc/ipsec.d/private). I couldn't find
any good guides on what the differences between, or purposes of, the four
'cert' directories are (aacerts, cacerts, certs and ocspcerts).
So, can anyone either point me to a HOWTO that doesn't start by assuming
you are already a world expert in setting up VPNs, or at least tell me
how I can go about setting one up using openswan to talk to an Android
phone? Here's my layout:
The server I hope to use is a Linux Mint fresh install. It has a built-in
100baseT and a wireless 802.11 device. I am currently using both (see
below). I am currently trying to configure the thing to work the
'easiest' route, using the wireless subnet, as that is the one that is
one hop from the outside NAT.
My network consists of two subnets. I share a home, so the 'outer'
network is connected to Comcast, which all my devices connect to
wirelessly via a Cisco Valet router upstairs on the 192.168.1.*/24 subnet
using a NAT scheme.
The linux box is at 192.168.1.65 (dedicated lease) on this subnet via
the wifi device wan0.
The second subnet is an Ethernet 100baseT connection to a second D-Link
(non-wireless) router on 192.168.2.*.
The linux box is connected via the Ethernet/eth0 at 192.168.2.33
(dedicated lease).
Both routers have VPN passthrough turned on.
The cell phone I hope to connect with is a T-Mobile HTC MyTouch 4G Slide
running Android Gingerbread 2.3.4 - this includes the ability to add
keys and create VPN connections from within the settings menus and
supports PPTP, L2TP, L2TP/IPSec PSK and L2TP/IPSec CRT.
Among the other things I am wondering about: I am not 100% familiar with
what the router VPN passthrough is supposed to be doing. Is the
leftnexthop doing a UPnP request of some sort, or do I still need to set
up some kind of port forwarding or port triggering in the router so it
knows that 192.168.1.65 is answering the VPN connection requests?
Another thing was that when trying to set up an L2TP/IPSec PSK connection
after importing the key, it asks me for some things I was unclear about.
It asks to set the IPSec pre-shared key, which I assume is the name I gave
to the key I imported in the Security settings (it didn't seem to bark at
me when I entered that name). I assume the L2TP secret is the password
challenge that I set on that request key? Finally, when I try 'connect
to network' it asks me for both a username and password. Nowhere in the
process of setting up the keys did I ever see anything specific to
'username', so I'm wondering what this corresponds to (common name setting?).
Any and all help getting this thing working is greatly appreciated.
SW
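Added example, not part of the original post and not the Openswan project's own example file: a minimal L2TP/IPsec PSK server layout for a host that sits behind a home NAT router, using the addresses the post gives (server 192.168.1.65 on 192.168.1.0/24, second LAN 192.168.2.0/24). Everything else is an assumption and is marked as such in the comments: the Openswan 2.6.x / xl2tpd / pppd software stack, the PSK, the PPP user name and password, the client address pool and the DNS server. In PSK mode none of the certificate directories (aacerts, cacerts, certs, ocspcerts) or any p12 files are used; those only matter for the L2TP/IPSec CRT mode.

```ini
# --- /etc/ipsec.conf  (Openswan 2.6.x assumed) ---
version 2.0

config setup
    protostack=netkey
    # The server is behind NAT and the phone almost always is too:
    # NAT traversal wraps ESP inside UDP/4500.
    nat_traversal=yes
    # Private ranges a NATed client may present; the two home LANs are
    # excluded so they are never mistaken for a client's virtual address.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24
    oe=off

conn L2TP-PSK-NAT
    # Client behind NAT: accept a private address on the far side.
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # The server's own LAN address (not the Comcast public address);
    # the router must forward UDP 500 and UDP 4500 here. leftnexthop is
    # only the next-hop router for IPsec traffic and does no UPnP/port
    # mapping; %defaultroute lets Openswan pick it from the routing table.
    left=192.168.1.65
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# --- /etc/ipsec.secrets  (chmod 600) ---
# PLACEHOLDER PSK: replace with a long random string, e.g.
#   head -c 32 /dev/urandom | base64
# This exact string goes into the Android "IPSec pre-shared key" field.
192.168.1.65 %any : PSK "replace-with-a-long-random-passphrase"

# --- /etc/xl2tpd/xl2tpd.conf ---
[global]
listen-addr = 192.168.1.65
; saref needs a patched kernel; keep it off on a stock distro kernel
ipsec saref = no

[lns default]
; ASSUMED pool: choose addresses the router's DHCP server never hands out
ip range = 192.168.1.200-192.168.1.210
local ip = 192.168.1.65
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# --- /etc/ppp/options.xl2tpd ---
require-mschap-v2
ms-dns 192.168.1.1      # ASSUMED: the Cisco Valet acts as DNS forwarder
asyncmap 0
auth
lock
hide-password
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
mru 1400

# --- /etc/ppp/chap-secrets  (chmod 600) ---
# client   server   secret                        IP addresses
# PLACEHOLDER user/password: these are the Android "username"/"password"
scott      l2tpd    "replace-with-ppp-password"   *
```

How the Android 2.3 L2TP/IPSec PSK dialog maps onto these files: "IPSec pre-shared key" is the PSK string itself from ipsec.secrets, not the name of anything imported under Security settings (imported certificates are only used by the CRT profile type); "L2TP secret" is an optional tunnel secret for xl2tpd and is left empty with the configuration above; the username and password asked for at "connect to network" are the PPP CHAP credentials from chap-secrets and have nothing to do with a certificate common name. On the router side, "VPN passthrough" only helps clients inside the LAN reach a VPN server outside; to host a server, forward UDP 500 and UDP 4500 to 192.168.1.65. With NAT-T there is no need to forward raw ESP (IP protocol 50). Two practical checks after starting the services: `ipsec verify` reports NAT-T and kernel support, and `ipsec auto --status` should list L2TP-PSK-NAT and L2TP-PSK-noNAT as loaded. Since right=%any means every client shares the one PSK, keep it long and random and rely on the CHAP password as the per-user credential.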