[Openswan Users] Trying to get openswan working with android

Paul Wouters pwouters at redhat.com
Fri Feb 24 09:56:28 EST 2012


On Fri, 24 Feb 2012, Scott Webster Wood wrote:

> Is there a good step-by-step guide available anywhere on setting up an 
> openswan server in linux and possibly for connecting with an android phone? 
> I'm trying to set up an l2tp server to connect to my home network and just 
> can't seem to get it to work.

For PSK, try this one:

https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

> I initially tried toying with tinyca to create 
> my public/private keys then went down to a direct creation method with 
> openssl when I noticed it was getting errors for not using des3 based keys 
> (something I couldn't find a distinct option for in tinyca)

I think the "des3" is only to protect your private keys (e.g. passphrase).

> I still as of yet have not found a definitive, intuitive guide on how to set 
> up the keys. I'm still unclear if I am supposed to be setting up two (one 
> public/private CA with a signed p12 to send to my phone)  or four (pub/priv 
> CA and a pub/priv set for the android phone, with a 5th converted/signed p12 
> of the phone's public key). I am assuming four but am still unclear as to 
> where the private key is supposed to go for the android device. (I'm assuming 
> in /etc/ipsec.d/private)  I couldn't find any good guides on what the 
> difference or purpose of the four 'cert' directories are (aacerts, cacerts, 
> certs and ocspcerts)

I would stay away from certs if possible. With L2TP, not many devices
support X.509, as they usually only support L2TP/PSK or "Cisco ipsec"
(AKA XAUTH+ModeCFG).

> The cell phone I hope to connect with is a T-Mobile HTC MyTouch 4G slide 
> running android gingerbread 2.3.4 - this includes the ability to add keys and 
> create vpn connections from within the settings menus and supports PPTP, 
> L2TP, L2TP/IPSec PSK and L2TP/IPSec CRT.

So like I said, try L2TP/IPSec PSK with the above link (you can ignore
the "mast" and "saref" parts there).

> Another thing was that when trying to set up a L2TP/IPSec PSK connection 
> after importing the key it asks me for some things I was unclear about. It 
> asks to set IPSec pre-shared key which I assume is the name I gave to the key 
> I imported in the Security settings (it didn't seem to bark at me when I 
> entered that name)

The PreShared Key is the "shared secret". It lives in
/etc/ipsec.secrets. It has no "name" or anything, just the value that
is the secret.

> I assume the L2TP secret is the password challenge that I

No. L2TP can provide its own 'encryption', but no one uses that. Never
use it.

> set on that request key? Finally, when I try 'connect to network' it asks me 
> for both a username and password. Nowhere in the process of setting up the 
> keys did I ever see anything specific to 'username' so I'm wondering what 
> this corresponds to. (common name setting?)

Those go into /etc/ppp/chap-secrets, see the above link.

Paul
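As an added example (not Paul's or the openswan project's code): a small POSIX shell script that writes the two files Paul names above, /etc/ipsec.secrets for the PSK and /etc/ppp/chap-secrets for the username/password. It assumes xl2tpd with pppd configured as `name l2tpd` (that name must match the server column of chap-secrets), a placeholder server address, and a directory prefix argument so it can be dry-run outside /etc.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: pppd "name" is l2tpd,
# server address is a placeholder, $prefix="" targets the real /etc.
set -eu

# One PSK line: <server-ip> %any : PSK "<secret>". There is no key name
# anywhere, which is why Android's "IPSec pre-shared key" field takes the
# raw secret value itself.
psk_line() {
    printf '%s %%any : PSK "%s"\n' "$1" "$2"
}

# One CHAP line: <user> <server-name> "<password>" <allowed-ip>.
chap_line() {
    printf '%s\t%s\t"%s"\t*\n' "$1" "$2" "$3"
}

# Write both files under $1, readable by root only. $5 (optional) is a
# fixed PSK for tests; otherwise a fresh random one is generated.
write_l2tp_secrets() {
    prefix=$1 server_ip=$2 user=$3 password=$4
    psk=${5:-$(head -c 32 /dev/urandom | base64 | tr -d '\n')}
    mkdir -p "$prefix/etc" "$prefix/etc/ppp"
    (
        umask 077    # files are created 0600; no chmod race afterwards
        psk_line "$server_ip" "$psk" > "$prefix/etc/ipsec.secrets"
        chap_line "$user" "l2tpd" "$password" > "$prefix/etc/ppp/chap-secrets"
    )
}

# True when a secrets file is exactly mode 0600 (owner read/write only).
secrets_mode_ok() {
    find "$1" -maxdepth 0 -perm 0600 | grep -q .
}

# Usage (as root, real system):
#   write_l2tp_secrets "" 203.0.113.5 scott 'ppp-password'
#   secrets_mode_ok /etc/ipsec.secrets && ipsec secrets
```

Restart openswan (or run `ipsec secrets`) after changing ipsec.secrets so the new PSK is loaded.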

