[Openswan Users] Home VPN Setup
Gabriel Smith
ga29smith at yahoo.com
Sun Oct 14 10:09:57 EDT 2012
I am sure you guys have seen such a request many times over, but I hope you can stoop to my mortal level.
On to the nitty-gritty. The NATed IP of the VPN server is 192.168.10.254. I am to my external router with DynDNS. I am trying to connect to the VPN server with a Windows 7 machine.
ipsec.conf
---------------
version 2.0
# basic configuration
config setup
    # Enable this if you're behind a router
    nat_traversal=yes
    # exclude networks used on server side so they don't conflict with your NAT
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16,%v4:172.16.0.0/12
    # which IPsec stack to use. netkey is Linux Kernel Impl
    protostack=netkey

#conn PSK
#    also=L2TP-PSK-NAT

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    forceencaps=yes
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=tunnel
    # left=192.168.10.254
    # leftnexthop=%defaultroute
    left=%defaultroute
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    # The remote user.
    right=%any
    rightprotoport=17/%any
xl2tpd.conf
----------------
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documentation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
;
[global]                                      ; Global parameters:
; port = 1701                                 ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets         ; * Where our challenge secrets are
; access control = yes                        ; * Refuse connections without IP match
; rand source = dev                           ; Source for entropy for random
;                                             ; numbers, options are:
;                                             ; dev - reads of /dev/urandom
;                                             ; sys - uses rand()
;                                             ; egd - reads from egd socket
;                                             ; egd is not yet implemented
;
; [lns default]                               ; Our fallthrough LNS definition
; exclusive = no                              ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20         ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9       ; * Except these hosts
; ip range = 192.168.0.5                      ; * But this one is okay
; ip range = lac1-lac2                        ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8             ; * These can connect as LAC's
; no lac = untrusted.marko.net                ; * This guy can't connect
; hidden bit = no                             ; * Use hidden AVP's?
; local ip = 192.168.1.2                      ; * Our local IP to use
; length bit = yes                            ; * Use length bit in payload?
; require chap = yes                          ; * Require CHAP auth. by peer
; refuse pap = yes                            ; * Refuse PAP authentication
; refuse chap = no                            ; * Refuse CHAP authentication
; refuse authentication = no                  ; * Refuse authentication altogether
; require authentication = yes                ; * Require peer to authenticate
; unix authentication = no                    ; * Use /etc/passwd for auth.
; name = myhostname                           ; * Report this as our hostname
; ppp debug = no                              ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.lns     ; * ppp options file
; call rws = 10                               ; * RWS for call (-1 is valid)
; tunnel rws = 4                              ; * RWS for tunnel (must be > 0)
; flow bit = yes                              ; * Include sequence numbers
; challenge = yes                             ; * Challenge authenticate peer
;
; rx bps = 10000000                           ; Receive tunnel speed
; tx bps = 10000000                           ; Transmit tunnel speed
; bps = 100000                                ; Define both receive and transmit speed in one option
; [lac marko]                                 ; Example VPN LAC definition
; lns = lns.marko.net                         ; * Who is our LNS?
; lns = lns2.marko.net                        ; * A backup LNS (not yet used)
; redial = yes                                ; * Redial if disconnected?
; redial timeout = 15                         ; * Wait n seconds between redials
; max redials = 5                             ; * Give up after n consecutive failures
; hidden bit = yes                            ; * User hidden AVP's?
; local ip = 192.168.1.1                      ; * Force peer to use this IP for us
; remote ip = 192.168.1.2                     ; * Force peer to use this as their IP
; length bit = no                             ; * Use length bit in payload?
; require pap = no                            ; * Require PAP auth. by peer
; require chap = yes                          ; * Require CHAP auth. by peer
; refuse pap = yes                            ; * Refuse PAP authentication
; refuse chap = no                            ; * Refuse CHAP authentication
; refuse authentication = no                  ; * Refuse authentication altogether
; require authentication = yes                ; * Require peer to authenticate
; name = marko                                ; * Report this as our hostname
; ppp debug = no                              ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko   ; * ppp options file for this lac
; call rws = 10                               ; * RWS for call (-1 is valid)
; tunnel rws = 4                              ; * RWS for tunnel (must be > 0)
; flow bit = yes                              ; * Include sequence numbers
; challenge = yes                             ; * Challenge authenticate peer
;
; [lac cisco]                                 ; Another quick LAC
; lns = cisco.marko.net                       ; * Required, but can take from default
; require authentication = yes

[global]
ipsec saref = yes

[lns default]
; The range of ips to assign the client when connecting
ip range = 10.8.1.2-10.8.1.255
local ip = 10.8.1.1
; We're going to use Chap-v2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
options.xl2tpd
--------------------
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
A little snippet from auth.log, with OUTSIDEIP replacing my outside IP
---------------------------------------------------------------------------------------------------
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
pluto[4724]: packet from 192.168.10.1:500: received Vendor ID payload [RFC 3947] method set to=115
pluto[4724]: packet from 192.168.10.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [IKE CGA version 1]
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: responding to Main Mode from unknown peer 192.168.10.1
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.250'
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: deleting connection "L2TP-PSK-NAT" instance with peer 192.168.10.1 {isakmp=#0/ipsec=#0}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: new NAT mapping for #17, was 192.168.10.1:500, now 192.168.10.1:4500
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: the peer proposed: OUTSIDEIP/32:17/1701 -> 192.168.10.250/32:17/0
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: responding to Quick Mode proposal {msgid:00000001}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: us: 192.168.10.254:17/1701
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: them: 192.168.10.1[192.168.10.250]:17/1701===192.168.10.250/32
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x85909965 <0xd962c523 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: the peer proposed: OUTSIDEIP/32:17/1701 -> 192.168.10.250/32:17/1701
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: responding to Quick Mode proposal {msgid:00000002}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: us: 192.168.10.254:17/1701
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: them: 192.168.10.1[192.168.10.250]:17/1701===192.168.10.250/32
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: keeping refhim=4294901761 during rekey
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1e9b7235 <0xad74b63b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}
Thank you,
Gabriel Smith
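Added example, not part of Gabriel's post or of Openswan itself: a small Python parser for the pluto lines in the auth.log snippet above. It pulls out the Main Mode/Quick Mode state transitions, the NAT-Traversal verdict, the ISAKMP SA parameters (cipher, PRF, DH group) and each IPsec SA's mode and transform, then checks the result against what the ipsec.conf comment says L2TP-over-IPsec needs (transport mode, RFC 3193). The sample input is constructed: a handful of lines copied verbatim from the post; the regexes assume the pluto message format shown there and nothing else.

```python
import re

# Constructed sample input: pluto lines copied from the auth.log snippet in the post.
SAMPLE_LOG = """\
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: responding to Main Mode from unknown peer 192.168.10.1
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: responding to Quick Mode proposal {msgid:00000001}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x85909965 <0xd962c523 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}
"""

# One pluto line (format as seen in the snippet): daemon prefix, connection name and
# instance number, peer address, state number, free-text message.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (?P<result>.*)$")
GROUP_RE = re.compile(r"OAKLEY_GROUP (?P<group>\d+) not supported")
TRANSITION_RE = re.compile(r"transition from state (?P<src>\S+) to state (?P<dst>\S+)")


def _kv(params: str) -> dict:
    """Turn 'cipher=aes_256 prf=oakley_sha' into a dict.
    SPI tokens such as 'ESP/NAT=>0x...' and '<0x...' carry no key=value and are skipped."""
    out = {}
    for tok in params.split():
        if "=" in tok and "=>" not in tok:
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def parse_pluto(text: str) -> list:
    """Return one dict per pluto line that carries a connection/state prefix."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sa"] = int(ev["sa"])
            events.append(ev)
    return events


def summarize(events: list) -> dict:
    """Collapse the event stream into the facts an operator looks for first."""
    summary = {"isakmp": None, "ipsec": [], "nat": None,
               "unsupported_groups": [], "transitions": []}
    for ev in events:
        msg = ev["msg"]
        if (m := ISAKMP_RE.search(msg)):
            summary["isakmp"] = {"sa": ev["sa"], **_kv(m.group("params"))}
        elif (m := IPSEC_RE.search(msg)):
            summary["ipsec"].append({"sa": ev["sa"], "mode": m.group("mode"),
                                     **_kv(m.group("params"))})
        elif (m := NAT_RE.search(msg)):
            summary["nat"] = m.group("result")
        elif (m := GROUP_RE.search(msg)):
            summary["unsupported_groups"].append(int(m.group("group")))
        elif (m := TRANSITION_RE.search(msg)):
            summary["transitions"].append((ev["sa"], m.group("src"), m.group("dst")))
    return summary


def check_l2tp(summary: dict) -> list:
    """Findings for an L2TP/IPsec responder: the phase-2 SA must be transport mode."""
    findings = []
    if summary["isakmp"] is None:
        findings.append("no ISAKMP SA established in this log window")
    for sa in summary["ipsec"]:
        if sa["mode"] != "transport":
            findings.append(f"IPsec SA #{sa['sa']} came up in {sa['mode']} mode; "
                            "L2TP/IPsec uses transport mode (check type= in ipsec.conf)")
    if summary["unsupported_groups"]:
        groups = ", ".join(str(g) for g in summary["unsupported_groups"])
        findings.append(f"client offered unsupported DH group(s) {groups} before "
                        "settling on one we accept; harmless, but explains the noise")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_pluto(SAMPLE_LOG))
    print("NAT-T:", summary["nat"])
    print("ISAKMP:", summary["isakmp"])
    for sa in summary["ipsec"]:
        print("IPsec:", sa)
    for finding in check_l2tp(summary):
        print("finding:", finding)
```

Run against the full snippet it reports the phase-1 parameters (PSK, AES-256, modp2048), the phase-2 transform (AES_128-HMAC_SHA1 behind NAT-T) and one finding per Quick Mode SA: both came up in tunnel mode, which matches `type=tunnel` in the posted ipsec.conf but not the comment above it, and is the first thing to reconcile when the Windows client negotiates successfully yet never gets an L2TP session.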