[Openswan Users] CentOS 6.2 L2TP + IPsec
Syf
syf.lecho at laposte.net
Thu Nov 8 07:51:16 EST 2012
Hello,
I would like to set up a VPN server for my personal usage to connect my
devices to my home LAN from the internet, so it looks like this:

Android ------|
              | INTERNET |----- Internet IP + Modem/Router + 192.168.1.1 ------| LAN 192.168.1.0 |----- 192.168.1.3 + CentOS 6.2
Laptop  ------|

I'm using a dynamic DNS to reach my CentOS server from the web, and my
router has the following routing rules:

L2TP-IKE     0.0.0.0:500/UDP  ---> 192.168.1.3:500/UDP
L2TP-NAT     0.0.0.0:4500/UDP ---> 192.168.1.3:4500/UDP
L2TP-Traffic 0.0.0.0:1701/UDP ---> 192.168.1.3:1701/UDP

iptables is stopped on the server as my router handles the firewall.
So I tried to follow some tutorials like:
https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
Here is my current configuration:
/etc/ipsec.conf

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12s
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    leftnexthop=%defaultroute
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=%defaultroute
    # leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any

/etc/ipsec.d/l2tp.secrets

192.168.1.3 %any 0.0.0.0: PSK "pskpassword"

/etc/xl2tpd/xl2tpd.conf

[global]
; you cannot leave out listen-addr, causes possible wrong src ip on return packets
listen-addr = 192.168.1.3
;ipsec saref = yes ; For SAref + MAST only
debug tunnel = yes
;force userspace = yes

[lns default]
ip range = 192.168.1.150-192.168.1.200
local ip = 192.168.1.3
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = JubhomeVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client   server   secret     IP addresses
user1      *        user1pwd   *
Everything is set as it should be in /etc/sysctl.conf.
ipsec verify returns:

~> ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.38dr2/K2.6.32-220.17.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY: Testing XFRM related proc values                   [OK]
                                                            [OK]
                                                            [OK]
Testing against enforced SElinux mode                       [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [WARNING]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
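An added sanity checker for the kind of setup described in this post; it is example code written for this page, not part of the original message and not from the Openswan or xl2tpd projects. It parses ipsec.conf and xl2tpd.conf in the shapes quoted above, follows the also= include between the two conns, and reports settings that commonly break an L2TP/IPsec server: virtual_private entries that do not parse, a conn that is not transport mode on UDP 1701 with PSK authentication, a missing listen-addr, and a client address pool that overlaps the server's own address or lies outside the LAN (which matters because the ppp options use proxyarp). The embedded config strings are constructed, trimmed copies of the files in the post; the /24 LAN mask and the rule set itself are my assumptions. Run against the posted settings it reports exactly one finding: the 172.16.0.0/12s entry in virtual_private, which does not parse as a network.

```python
import ipaddress

# Constructed, trimmed copies of the configuration files quoted in the post.
IPSEC_CONF = """
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12s
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    auto=add
    type=transport
    leftprotoport=17/1701
    right=%any
"""
XL2TPD_CONF = """
[global]
listen-addr = 192.168.1.3
[lns default]
ip range = 192.168.1.150-192.168.1.200
local ip = 192.168.1.3
require chap = yes
refuse pap = yes
"""
# Assumption: the home LAN is 192.168.1.0/24 (the post only shows 192.168.1.0).
LAN = ipaddress.ip_network("192.168.1.0/24")

def parse_sections(text, comment, header_of):
    """Generic section -> {key: value} parser; header_of(line) returns a section name or None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(comment, 1)[0].rstrip()
        if not line.strip():
            continue
        header = header_of(line)
        if header is not None:
            current = header
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

# ipsec.conf: an unindented line ('config setup', 'conn NAME') opens a section; '#' starts a comment.
IPSEC_HEADER = lambda l: " ".join(l.split()) if not l[0].isspace() else None
# xl2tpd.conf: INI style, '[name]' opens a section; ';' starts a comment.
INI_HEADER = lambda l: l.strip()[1:-1] if l.strip().startswith("[") else None

def resolve_conn(sections, name, seen=()):
    """Return a conn with its also= include merged in (the conn's own keys win)."""
    conn = dict(sections.get("conn " + name, {}))
    base = conn.pop("also", None)
    if base and base not in seen:
        merged = resolve_conn(sections, base, seen + (name,))
        merged.update(conn)
        return merged
    return conn

def check_virtual_private(value):
    """Each entry must be [!]%v4:CIDR or [!]%v6:CIDR, and the CIDR must parse."""
    problems = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        family, sep, net = entry.lstrip("!").partition(":")
        if family not in ("%v4", "%v6") or not sep:
            problems.append(f"virtual_private: {entry!r} lacks a %v4:/%v6: prefix")
            continue
        try:
            ipaddress.ip_network(net)
        except ValueError:
            problems.append(f"virtual_private: {net!r} is not a valid network")
    return problems

# Assumed rule set: what a transport-mode, PSK-authenticated conn for L2TP needs.
L2TP_RULES = {"type": ("transport",), "leftprotoport": ("17/1701", "17/%any"),
              "authby": ("secret",), "auto": ("add",)}

def check_l2tp_conn(conn, name):
    return [f"conn {name}: {key} should be one of {want}"
            for key, want in L2TP_RULES.items() if conn.get(key) not in want]

def check_xl2tpd(cfg, lan):
    """The client pool must sit in the LAN (proxyarp) and must not contain the server itself."""
    problems = []
    lns = cfg.get("lns default", {})
    if "listen-addr" not in cfg.get("global", {}):
        problems.append("xl2tpd global: listen-addr is missing")
    local_ip = ipaddress.ip_address(lns.get("local ip", "0.0.0.0"))
    low, high = (ipaddress.ip_address(p) for p in lns.get("ip range", "0.0.0.0-0.0.0.0").split("-"))
    if low <= local_ip <= high:
        problems.append("xl2tpd lns: local ip lies inside the client ip range")
    if low not in lan or high not in lan:
        problems.append("xl2tpd lns: ip range is outside the LAN, proxyarp cannot answer for it")
    return problems

def lint(ipsec_text, xl2tpd_text, lan=LAN):
    """Run every check; an empty list means nothing was flagged."""
    sections = parse_sections(ipsec_text, "#", IPSEC_HEADER)
    setup = sections.get("config setup", {})
    findings = check_virtual_private(setup.get("virtual_private", ""))
    for name in ("L2TP-PSK-NAT", "L2TP-PSK-noNAT"):
        findings += check_l2tp_conn(resolve_conn(sections, name), name)
    return findings + check_xl2tpd(parse_sections(xl2tpd_text, ";", INI_HEADER), lan)
```

Calling lint(IPSEC_CONF, XL2TPD_CONF) returns the single virtual_private finding; pointing it at the real files is a matter of reading them into the two text arguments. The checks are deliberately conservative: they only compare against values the post itself uses, so a passing result means the files are internally consistent, not that the tunnel will come up.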