[Openswan Users] Trying to get openswan working with android

Scott Webster Wood treii28 at gmail.com
Fri Feb 24 00:41:31 EST 2012

Is there a good step-by-step guide available anywhere on setting  up an 
openswan server in linux and possibly for connecting with an android 
phone? I'm trying to set up an l2tp server to connect to my home network 
and just can't seem to get it to work. I initially tried toying with 
tinyca to create my public/private keys then went down to a direct 
creation method with openssl when I noticed it was getting errors for 
not using des3 based keys (something I couldn't find a distinct option 
for in tinyca)

The first help page I found suggested copying the example l2tp-psk.conf 
file down and told you to modify just two lines, the left and 
leftnexthop lines. For left I put the ip address for the wan0 wireless 
device on that computer which is connected to the router for the 
broadband connection, for the leftnexthop I tried both the internal 
gateway address and the external dhcp provided address from comcast. 
(the guide was unclear as to which I was supposed to be using)

I still as of yet have not found a definitive, intuitive guide on how to 
set up the keys. I'm still unclear if I am supposed to be setting up two 
(one public/private CA with a signed p12 to send to my phone)  or four 
(pub/priv CA and a pub/priv set for the android phone, with a 5th 
converted/signed p12 of the phone's public key). I am assuming four but 
am still unclear as to where the private key is supposed to go for the 
android device. (I'm assuming in /etc/ipsec.d/private)  I couldn't find 
any good guides on what the difference or purpose of the four 'cert' 
directories are (aacerts, cacerts, certs and ocspcerts)

So, can anyone either point me to a HOWTO that doesn't start by assuming 
you are already a world's expert in setting up VPNs or at least tell me 
how I can go about setting one up using openswan to talk to an android 
phone? Here's my layout:

The server I hope to use is a linux mint fresh install. It has a built 
in 100baseT and a wireless 802.11 device. I am currently using both (see 
below). I am currently trying to configure the thing to work the 
'easiest' route using the wireless subnet as that is the one that is 
one-hop from the outside NAT.
My network consists of two subnets. I share a home so the 'outer' 
network is connected to comcast which all my devices connect to 
wirelessly via a Cisco Valet router upstairs on 192.168.1.*/24 subnet 
using a NAT scheme.
The linux box is at (dedicated lease) on this subnet via 
the wifi device wan0.
The second subnet is a ethernet 100baseT connection to a second D-Link 
(non-wireless) router on 192.168.2.*.
The linux box is connected via the ethernet/eth0 at 
dedicated lease.
Both routers have VPN passthrough turned on.

The cell phone I hope to connect with is a T-Mobile HTC MyTouch 4G slide 
running android gingerbread 2.3.4 - this includes the ability to add 
keys and create vpn connections from within the settings menus and 
supports PPTP, L2TP, L2TP/IPSec PSK and L2TP/IPSec CRT.

Among the other things I am wondering is I am not 100% familiar with 
what the router VPN passthrough is supposed to be doing. Is the 
leftnexthop doing a uPNP request of some sort or do I still need to set 
up some kind of port forwarding or port triggering in the router so it 
knows that is answering the VPN connection requests?
Another thing was that when trying to set up a L2TP/IPSec PSK connection 
after importing the key it asks me for some things I was unclear about. 
It asks to set IPSec pre-shared key which I assume is the name I gave to 
the key I imported in the Security settings (it didn't seem to bark at 
me when I entered that name) I assume the L2TP secret is the password 
challenge that I set on that request key? Finally, when I try 'connect 
to network' it asks me for both a username and password. No where in the 
process of setting up the keys did I ever see anything specific to 
'username' so I'm wondering what this corresponds to. (common name setting?)

Any and all help getting this thing working is greatly appreciated.


More information about the Users mailing list