[Openswan Users] Trying to get openswan working with android
Paul Wouters
pwouters at redhat.com
Fri Feb 24 09:56:28 EST 2012
On Fri, 24 Feb 2012, Scott Webster Wood wrote:
> Is there a good step-by-step guide available anywhere on setting up an
> openswan server in linux and possibly for connecting with an android phone?
> I'm trying to set up an l2tp server to connect to my home network and just
> can't seem to get it to work.
For PSK, try this one:
https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
> I initially tried toying with tinyca to create
> my public/private keys then went down to a direct creation method with
> openssl when I noticed it was getting errors for not using des3 based keys
> (something I couldn't find a distinct option for in tinyca)
I think the "des3" is only to protect your private keys (e.g. passphrase)
> I still as of yet have not found a definitive, intuitive guide on how to set
> up the keys. I'm still unclear if I am supposed to be setting up two (one
> public/private CA with a signed p12 to send to my phone) or four (pub/priv
> CA and a pub/priv set for the android phone, with a 5th converted/signed p12
> of the phone's public key). I am assuming four but am still unclear as to
> where the private key is supposed to go for the android device. (I'm assuming
> in /etc/ipsec.d/private) I couldn't find any good guides on what the
> difference or purpose of the four 'cert' directories are (aacerts, cacerts,
> certs and ocspcerts)
I would stay away from certs if possible. With L2TP, not many devices
support X.509, as they usually only support L2TP/PSK or "Cisco ipsec"
(AKA XAUTH+ModeCFG)
> The cell phone I hope to connect with is a T-Mobile HTC MyTouch 4G slide
> running android gingerbread 2.3.4 - this includes the ability to add keys and
> create vpn connections from within the settings menus and supports PPTP,
> L2TP, L2TP/IPSec PSK and L2TP/IPSec CRT.
So like I said, try L2TP/IPSec PSK with the above link (You can ignore
the "mast" and "saref" parts there.)
> Another thing was that when trying to set up a L2TP/IPSec PSK connection
> after importing the key it asks me for some things I was unclear about. It
> asks to set IPSec pre-shared key which I assume is the name I gave to the key
> I imported in the Security settings (it didn't seem to bark at me when I
> entered that name)
The PreShared Key is the "shared secret". It lives in
/etc/ipsec.secrets. It has no "name" or anything, just the value that
is the secret.
> I assume the L2TP secret is the password challenge that I
No. L2TP can provide its own 'encryption', but no one uses that. Never
use it.
> set on that request key? Finally, when I try 'connect to network' it asks me
> for both a username and password. No where in the process of setting up the
> keys did I ever see anything specific to 'username' so I'm wondering what
> this corresponds to. (common name setting?)
Those go into /etc/ppp/chap-secrets, see the above link.
Paul
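As an added illustration (not part of Paul's message or of the openswan wiki page he links), here is the minimal set of server-side files that the phone's L2TP/IPsec PSK prompts map onto: the pre-shared key lives unnamed in /etc/ipsec.secrets, the username and password the phone asks for at "connect to network" live in /etc/ppp/chap-secrets, and the L2TP secret is left empty. The server address 203.0.113.10, the 192.168.1.0/24 home LAN, the username "alice" and both secrets are placeholders to replace.

```conf
# ---- /etc/ipsec.conf (openswan, L2TP/IPsec transport-mode PSK) ----
config setup
    protostack=netkey
    nat_traversal=yes          # phones are almost always behind NAT
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv    # accept clients with private (NATed) addresses
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret              # PSK from /etc/ipsec.secrets, no certificates
    pfs=no
    type=transport             # L2TP/IPsec uses transport mode
    left=203.0.113.10          # placeholder: server's public IP
    leftprotoport=17/1701      # UDP 1701 = L2TP
    right=%any                 # any roadwarrior
    rightprotoport=17/%any
    rekey=no
    keyingtries=3
    auto=add

# ---- /etc/ipsec.secrets ----
# The value in quotes is what the phone calls "IPSec pre-shared key".
# It has no name; use a long random string, not a word.
203.0.113.10 %any: PSK "REPLACE_WITH_LONG_RANDOM_PSK"

# ---- /etc/xl2tpd/xl2tpd.conf ----
[global]
ipsec saref = no               # the "saref" part of the wiki is optional

[lns default]
ip range = 192.168.1.200-192.168.1.210   # placeholder: addresses handed to phones
local ip = 192.168.1.1                   # placeholder: server's LAN address
name = l2tpd                             # must match the "server" column below
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd

# ---- /etc/ppp/chap-secrets ----
# client   server   secret                   IP addresses
# "client" and "secret" are the username and password the phone prompts for.
alice      l2tpd    "REPLACE_WITH_PPP_PASSWORD"   *
```

On the phone, the "L2TP secret" field stays empty, as the message above advises; only the PSK, username and password are filled in.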