OpenBSD L2TP/IPsec will work behind Linux NAT port forwarding with iptables, based on my previous experience. iOS and OSX VPN clients work fine, but it does not work for Windows. FYI.
Gordon Turner <tur...@ftn.net> wrote:

> On 2014-07-22 05:33, Daniel Polak wrote:
>
>> I'll give it a go with what I found but if anyone who has it working
>> with local authentication can post their ipsec.conf and npppd.conf, I
>> would appreciate it!
>>
>
> Here are my notes, granted I am in the middle of getting things sorted
> out, so these are not validated.
>
> NOTE: My current issue is that I am trying to run this behind a router /
> firewall, which is likely the source of my problems.
>
> I am getting an old laptop set up to test the configuration with OpenBSD as
> the router / firewall.
>
> In the notes below the ipsec.conf, `public_ip` should be the public IP on
> the internet, if you place the OpenBSD box as the router / firewall.
>
> - References:
> http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
> http://undeadly.org/cgi?action=article&sid=20120427125048
> http://comments.gmane.org/gmane.os.openbsd.misc/209636
> http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
> http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
>
> - Claims to have it working, on an internet-facing machine:
> https://www.mail-archive.com/misc@openbsd.org/msg125930.html
>
> - Reference for supported protocols and authentication methods for iOS:
> http://support.apple.com/kb/HT1288
>
> ---
>
> Requirements
> ------------
> - Using OpenBSD 5.5 as a VPN end point for iOS 7.0 and OSX 10.9 clients.
> - Support for iOS, preferably native VPN client
> - Support for OSX, preferably native VPN client
>
> - VPN endpoint running on an internal server.
> - Forwarding appropriate ports from a router.
>
> Description
> -----------
> - Use npppd, IPsec and Packet Filter (pf).
> - Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
> `/etc/ipsec.conf` and `/etc/pf.conf`.
>
> npppd Setup
> -----------
> - npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
> L2TP, PPTP, and PPPoE.
>
> - Reference:
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?&manpath=OpenBSD-current&sec=8&query=npppd
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?&manpath=OpenBSD-current&sec=5&query=npppd.conf
>
> - Example of L2TP that authenticates using a local file.
> - Example npppd.conf file, `/etc/npppd/npppd.conf`:
> ```
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
>
> tunnel L2TP_ipv4 protocol l2tp {
>     listen on 0.0.0.0
> }
>
> ipcp IPCP {
>     pool-address 192.168.2.150-192.168.2.199
>     dns-servers 8.8.8.8
> }
>
> interface pppx0 address 192.168.2.1 ipcp IPCP
> bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
> ```
> - NOTE: `pool-address` values should be a block of addresses in the same
> subnet as the internal network.
> - NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
> servers should be used if available.
>
> - Example npppd-users file, `/etc/npppd/npppd-users`:
> ```
> jtest: \
>     :password=SEEKRIT:\
>     :framed-ip-address=192.168.2.150:
> ```
> - NOTE: Replace `SEEKRIT` with your password.
> - NOTE: The `framed-ip-address` value should be in the `pool-address`
> block from `/etc/npppd/npppd.conf`.
>
> IPsec Setup
> -----------
> - IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
> Authentication Header (AH), which provide security services for IP
> datagrams.
>
> - Reference:
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?&manpath=OpenBSD-current&query=ipsec
>
> - Example ipsec.conf file, `/etc/ipsec.conf`:
> ```
> public_ip = "192.168.2.2"
>
> ike passive esp transport \
>     proto udp from $public_ip to any port 1701 \
>     main auth "hmac-sha1" enc "aes" group modp1024 \
>     quick auth "hmac-sha1" enc "aes" \
>     psk "SEEKRIT"
> ```
> - NOTE: Replace `192.168.2.2` with the IP of the server.
> - NOTE: Replace `SEEKRIT` with your password.
>
> Packet Filter Setup
> -------------------
> - Packet Filter is OpenBSD's system for filtering TCP/IP traffic and doing
> Network Address Translation.
>
> - Reference:
> http://www.openbsd.org/faq/pf/
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4?&manpath=OpenBSD-current&arch=amd64&query=pf
>
> - Example pf.conf file, `/etc/pf.conf`:
> ```
> pass quick proto { esp, ah } from any to any
> pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
> pass on enc0 from any to any keep state (if-bound)
> ```
>
> sysctl Changes
> --------------
> - NOTE: Not sure if needed.
>
> - Make changes to `/etc/sysctl.conf` and reboot
> ```
> ...
> # CHANGED
> net.inet.ip.forwarding=1
> ...
> # CHANGED
> net.pipex.enable=1
> ...
> ```
> ```
> sudo reboot
> ```
>
> NAT and Port Forwarding
> -----------------------
> - If the VPN end point is behind a NATed firewall the following ports must
> be forwarded:
> - UDP 500 - Internet Key Exchange (IKE)
> - UDP 1701 - L2TP traffic
> - UDP 4500 - IPSec Network Address Translation (NAT-T)
>
> Startup
> -------
> - Apply pf.conf rules:
> ```
> sudo pfctl -f /etc/pf.conf
> ```
>
> - Start isakmpd:
> ```
> sudo /etc/rc.d/isakmpd -f start
> ```
>
> - Apply ipsec rules:
> ```
> sudo ipsecctl -v -f /etc/ipsec.conf
> ```
>
> ```
> sudo isakmpd -K -d
> ```
> - NOTE: -d starts in foreground
>
> - Start npppd:
> ```
> sudo /usr/sbin/npppd -d
> ```
> - NOTE: -d starts in foreground
>
> Monitoring
> ----------
> - To monitor npppd VPN sessions use npppctl:
> ```
> npppctl session all
> ```
>
> - Reference:
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppctl.8?&manpath=OpenBSD-current&sec=8&query=npppctl
>
> - To monitor IPsec use ipsecctl:
> ```
> sudo ipsecctl -s all
> ```
>
> Start ipsec and isakmpd at Boot
> -------------------------------
> - Add the following to /etc/rc.conf.local to start isakmpd at boot:
> ```
> isakmpd_flags="-K"
> ipsec=YES
> ```