Thanks mxb,

Can you confirm the `npppd.conf` note?
- NOTE: `pool-address` values should be a block of addresses in the same subnet as the internal network.

And the npppd-users note?
- NOTE: The `framed-ip-address` value should be in the `pool-address` block from `/etc/npppd/npppd.conf`.

Are these statements correct?

Gord.

On 2014-07-22 07:15, mxb wrote:
As the original author of the undeadly.org article, I can state that the
info in it is still partially valid, except for the npppd.conf part.
So here it goes:

tunnel L2TP protocol l2tp {
        listen on 1.2.3.4
        l2tp-hostname "vpn"
        l2tp-vendor-name "OpenBSD"
        l2tp-accept-dialin yes
        mru 1360
        lcp-timeout 18
        authentication-method mschapv2
        tcp-mss-adjust yes
        pipex yes
        mppe no
#       ingress-filter yes
}

ipcp IPCP {
        pool-address "172.17.0.0/24"
        dns-servers 172.16.0.1
        allow-user-selected-address no
}

interface tun0 address 172.17.0.1 ipcp IPCP

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

authentication RADIUS type radius {
        authentication-server {
                address 172.16.0.231 secret "SECRETPASSWORD"
        }

        accounting-server {
                address 172.16.0.231 secret "SECRETPASSWORD"
        }
}

bind tunnel from L2TP authenticated by RADIUS to tun0

Below comes ipsec.conf. Working with OSX and Win7 (Win8).

ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "P4SSWORD" \
        tag rwarrior



This setup is on 5.4-current

//mxb

On 22 jul 2014, at 13:05, chenghan tv <chenghan...@gmail.com> wrote:

OpenBSD L2TP/IPsec will work behind Linux NAT port forwarding with
iptables, based on my previous experience. iOS and OSX VPN clients work
fine, but it does not work for Windows. FYI.

Gordon Turner <tur...@ftn.net> wrote:

On 2014-07-22 05:33, Daniel Polak wrote:

I'll give it a go with what I found but if anyone who has it working
with local authentication can post their ipsec.conf and npppd.conf, I
would appreciate it!


Here are my notes, granted I am in the middle of getting things sorted
out, so these are not validated.


NOTE: My current issue is that I am trying to run this behind a router /
firewall, which is likely the source of my problems.


I am getting an old laptop set up to test the configuration with OpenBSD as
the router / firewall.

In the notes below, `public_ip` in the ipsec.conf should be the public IP on
the Internet, if you place the OpenBSD box as the router / firewall.


- References:
http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
http://undeadly.org/cgi?action=article&sid=20120427125048
http://comments.gmane.org/gmane.os.openbsd.misc/209636
http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/

- Claims to have it working, on internet facing machine:
https://www.mail-archive.com/misc@openbsd.org/msg125930.html

- Reference for supported protocols and authentication methods for iOS:
http://support.apple.com/kb/HT1288


---


Requirements
-----------
- Using OpenBSD 5.5 as a VPN endpoint for iOS 7.0 and OSX 10.9 clients.
 - Support for iOS, preferably native VPN client
 - Support for OSX, preferably native VPN client

- VPN endpoint running on an internal server.
- Forwarding appropriate ports from a router.


Description
-----------
- Use npppd, IPsec and Packet Filter (pf).
- Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
`/etc/ipsec.conf` and `/etc/pf.conf`.


npppd Setup
-----------
- npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
L2TP, PPTP, and PPPoE.

- Reference: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?&manpath=OpenBSD-current&sec=8&query=npppd
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?&manpath=OpenBSD-current&sec=5&query=npppd.conf


- Example of L2TP that authenticates using a local file.
- Example npppd.conf file, `/etc/npppd/npppd.conf`:
```
authentication LOCAL type local {
       users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
       listen on 0.0.0.0
}

ipcp IPCP {
       pool-address 192.168.2.150-192.168.2.199
       dns-servers 8.8.8.8
}

interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
```
- NOTE: `pool-address` values should be a block of addresses in the same
subnet as the internal network.
- NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
servers should be used if available.


- Example npppd-users file, `/etc/npppd/npppd-users`:
```
jtest:\
   :password=SEEKRIT:\
   :framed-ip-address=192.168.2.150:
```
- NOTE: Replace `SEEKRIT` with your password.
- NOTE: The `framed-ip-address` value should be in the `pool-address`
block from `/etc/npppd/npppd.conf`.


IPsec Setup
----------------
- IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
Authentication Header (AH), which provide security services for IP
datagrams.

- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?&manpath=OpenBSD-current&query=ipsec


- Example ipsec.conf file, `/etc/ipsec.conf`:
```
public_ip = "192.168.2.2"

ike passive esp transport \
 proto udp from $public_ip to any port 1701 \
 main auth "hmac-sha1" enc "aes" group modp1024 \
 quick auth "hmac-sha1" enc "aes" \
 psk "SEEKRIT"
```
- NOTE: Replace `192.168.2.2` with the IP of the server.
- NOTE: Replace `SEEKRIT` with your pre-shared key.


Packet Filter Setup
-------------------
- Packet Filter is OpenBSD's system for filtering TCP/IP traffic and doing
Network Address Translation.

- Reference:
http://www.openbsd.org/faq/pf/
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4?&manpath=OpenBSD-current&arch=amd64&query=pf


- Example pf.conf file, `/etc/pf.conf`:
```
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
pass on enc0 from any to any keep state (if-bound)
```

sysctl Changes
--------------
- NOTE: Not sure if needed.

- Make changes to `/etc/sysctl.conf` and reboot
```
...
# CHANGED
net.inet.ip.forwarding=1
...
# CHANGED
net.pipex.enable=1
...
```
```
sudo reboot
```


NAT and Port Forwarding
----------------------
- If the VPN endpoint is behind a NATed firewall, the following ports must
be forwarded:
 - UDP 500  - Internet Key Exchange (IKE)
 - UDP 1701 - L2TP traffic
 - UDP 4500 - IPSec Network Address Translation (NAT-T)


Startup
-------
- Apply pf.conf rules:
```
sudo pfctl -f /etc/pf.conf
```

- Start isakmpd:
```
sudo /etc/rc.d/isakmpd -f start
```

- Load the ipsec.conf rules (verbose):
```
sudo ipsecctl -v -f /etc/ipsec.conf
```

```
sudo isakmpd -K -d
```
- NOTE: -d starts in foreground


- Start npppd:
```
sudo /usr/sbin/npppd -d
```
- NOTE: -d starts in foreground


Monitoring
----------
- To monitor npppd vpn sessions use npppctl:
```
npppctl session all
```

- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppctl.8?&manpath=OpenBSD-current&sec=8&query=npppctl

- To monitor ipsec use ipsecctl:
```
sudo ipsecctl -s all
```


Start ipsec and isakmpd at Boot
---------------------
- Add following to /etc/rc.conf.local to start isakmpd at boot:
```
isakmpd_flags="-K"
ipsec=YES
```


--
http://gordonturner.ca
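Added example, not part of the thread or of npppd: a small checker for the two NOTEs Gord asks about, run against the config fragments posted above. It parses `pool-address` in the two forms npppd.conf(5) shows (an `a-b` range, as in Gordon's file, or a CIDR block, optionally quoted, as in mxb's), reads npppd-users as a getcap-style file with backslash continuations, and reports any `framed-ip-address` that is not inside a pool block and any pool block that is not inside the internal subnet. Assumptions: the internal subnet is passed in explicitly (npppd.conf carries no netmask, and mxb's config uses a dedicated 172.17.0.0/24 pool separate from his 172.16 network, so treat "same subnet" as this setup's convention, not a hard requirement), and the file contents are constructed inline so the script runs offline; on a real box read `/etc/npppd/npppd.conf` and `/etc/npppd/npppd-users` instead.

```python
"""Cross-check npppd.conf pool-address against npppd-users framed-ip-address.

Added example, not from the thread. Assumes the internal subnet is supplied
by the caller (npppd.conf has no netmask) and parses only the pool-address
forms shown in npppd.conf(5): "a-b" ranges and CIDR blocks, quoted or not.
"""
import ipaddress
import re

# Constructed sample: the ipcp/interface part of Gordon's example npppd.conf.
NPPPD_CONF = """\
ipcp IPCP {
       pool-address 192.168.2.150-192.168.2.199
       dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
"""

# Constructed sample npppd-users: one entry inside the pool, one outside it.
NPPPD_USERS = """\
jtest:\\
   :password=SEEKRIT:\\
   :framed-ip-address=192.168.2.150:
bad:\\
   :password=SEEKRIT:\\
   :framed-ip-address=10.9.9.9:
"""

# Assumption: the LAN behind the VPN server; npppd.conf does not state it.
INTERNAL_NET = ipaddress.ip_network("192.168.2.0/24")


def parse_pools(conf):
    """Return {ipcp name: [networks covering its pool-address]}.

    An "a-b" range is split into CIDR blocks with summarize_address_range, so
    both pool-address forms become networks we can test membership against.
    """
    pools, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"ipcp\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            pools[current] = []
        elif line == "}":
            current = None
        elif current:
            m = re.match(r"pool-address\s+\"?([^\"\s]+)\"?", line)
            if m and "-" in m.group(1):
                lo, hi = (ipaddress.ip_address(x) for x in m.group(1).split("-", 1))
                pools[current].extend(ipaddress.summarize_address_range(lo, hi))
            elif m:
                pools[current].append(ipaddress.ip_network(m.group(1), strict=False))
    return pools


def parse_interfaces(conf):
    """Return {ipcp name: interface address} from 'interface X address A ipcp N'."""
    ifaces = {}
    for raw in conf.splitlines():
        m = re.match(r"interface\s+\S+\s+address\s+(\S+)\s+ipcp\s+(\S+)", raw.strip())
        if m:
            ifaces[m.group(2)] = ipaddress.ip_address(m.group(1))
    return ifaces


def parse_users(users):
    """Return {user: framed-ip-address or None}; joins backslash-newline continuations."""
    out = {}
    for rec in re.sub(r"\\\n\s*", "", users).splitlines():
        if rec.strip() and not rec.startswith("#"):
            name, _, caps = rec.partition(":")
            m = re.search(r":framed-ip-address=([^:]+):", ":" + caps)
            out[name.strip()] = ipaddress.ip_address(m.group(1)) if m else None
    return out


def check(conf, users, internal_net):
    """Return a list of problems; an empty list means both NOTEs hold."""
    problems = []
    pools, ifaces = parse_pools(conf), parse_interfaces(conf)
    for name, nets in pools.items():
        addr = ifaces.get(name)
        if addr is None:
            problems.append(f"ipcp {name}: no interface line uses it")
        elif addr not in internal_net:
            problems.append(f"ipcp {name}: interface address {addr} outside {internal_net}")
        for net in nets:  # NOTE 1: every pool block lies inside the LAN subnet
            if not net.subnet_of(internal_net):
                problems.append(f"ipcp {name}: pool block {net} outside {internal_net}")
    all_nets = [n for nets in pools.values() for n in nets]
    for user, fip in parse_users(users).items():  # NOTE 2: static address inside a pool
        if fip is not None and not any(fip in n for n in all_nets):
            problems.append(f"user {user}: framed-ip-address {fip} not in any pool-address")
    return problems


if __name__ == "__main__":
    for line in check(NPPPD_CONF, NPPPD_USERS, INTERNAL_NET) or ["OK: pools and users agree"]:
        print(line)
```

With the constructed input the checker flags only the `bad` user, whose 10.9.9.9 is outside 192.168.2.150-192.168.2.199; swap in mxb's `pool-address "172.17.0.0/24"` and `INTERNAL_NET = 172.17.0.0/24` and it passes, which is the point of passing the subnet explicitly rather than deriving it from the interface address.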
