pool-address in the same subnet may not work as you expect; proxy ARP is needed. At least I've seen a discussion regarding this, so I have a
separate network for VPN clients.
This might have changed.

framed-ip-address - yes, it should be within the subnet range used for the L2TP clients.


//mxb

On 22 jul 2014, at 13:55, Gordon Turner <tur...@ftn.net> wrote:

> Thanks mxb,
> 
> Can you confirm the `npppd.conf` note?
> - NOTE: `pool-address` values should be a block of addresses in the same 
> subnet as the internal network.
> 
> And the npppd-users note?
> - NOTE: The `framed-ip-address` value should be in the `pool-address` block 
> from `/etc/npppd/npppd.conf`.
> 
> Are these statements correct?
> 
> Gord.
> 
> On 2014-07-22 07:15, mxb wrote:
>> As the original author of the undeadly.org article I can state that the
>> info in it is still partially valid, except the npppd.conf part.
>> So here it goes:
>> tunnel L2TP protocol l2tp {
>>        listen on 1.2.3.4
>>        l2tp-hostname "vpn"
>>        l2tp-vendor-name "OpenBSD"
>>        l2tp-accept-dialin yes
>>        mru 1360
>>        lcp-timeout 18
>>        authentication-method mschapv2
>>        tcp-mss-adjust yes
>>        pipex yes
>>        mppe no
>> #       ingress-filter yes
>> }
>> ipcp IPCP {
>>        pool-address "172.17.0.0/24"
>>        dns-servers 172.16.0.1
>>        allow-user-selected-address no
>> }
>> interface tun0 address 172.17.0.1 ipcp IPCP
>> authentication LOCAL type local {
>>        users-file "/etc/npppd/npppd-users"
>> }
>> authentication RADIUS type radius {
>>        authentication-server {
>>                address 172.16.0.231 secret "SECRETPASSWORD"
>>        }
>>        accounting-server {
>>                address 172.16.0.231 secret "SECRETPASSWORD"
>>        }
>> }
>> bind tunnel from L2TP authenticated by RADIUS to tun0
>> Below comes ipsec.conf. Working with OSX and Win7 (Win8):
>> ike passive esp transport \
>>        proto udp from 1.2.3.4 to any port 1701 \
>>        main auth "hmac-sha1" enc "3des" group modp1024 \
>>        quick auth "hmac-sha1" enc "aes" \
>>        psk "P4SSWORD" \
>>        tag rwarrior
>> This setup is on 5.4-current
>> //mxb
>> On 22 jul 2014, at 13:05, chenghan tv <chenghan...@gmail.com> wrote:
>>> OpenBSD L2TP/IPsec will work behind Linux NAT port forwarding with
>>> iptables, based on my previous experience.  iOS and OSX VPN clients work
>>> fine, but it is not working for Windows. FYI.
>>> Gordon Turner <tur...@ftn.net> wrote:
>>>> On 2014-07-22 05:33, Daniel Polak wrote:
>>>>> I'll give it a go with what I found but if anyone who has it working
>>>>> with local authentication can post their ipsec.conf and npppd.conf, I
>>>>> would appreciate it!
>>>> Here are my notes, granted I am in the middle of getting things sorted
>>>> out, so these are not validated.
>>>> NOTE: My current issue is that I am trying to run this behind a router /
>>>> firewall, which is likely the source of my problems.
>>>> I am getting an old laptop setup to test the configuration with OpenBSD as
>>>> the router / firewall.
>>>> In the ipsec.conf notes below, `public_ip` should be the public IP on
>>>> the internet if you place the OpenBSD box as the router / firewall.
>>>> - References:
>>>> http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
>>>> http://undeadly.org/cgi?action=article&sid=20120427125048
>>>> http://comments.gmane.org/gmane.os.openbsd.misc/209636
>>>> http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
>>>> http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
>>>> - Claims to have it working, on internet facing machine:
>>>> https://www.mail-archive.com/misc@openbsd.org/msg125930.html
>>>> - Reference for supported protocols and authentication methods for iOS:
>>>> http://support.apple.com/kb/HT1288
>>>> ---
>>>> Requirements
>>>> -----------
>>>> - Using OpenBSD 5.5 as a VPN endpoint for iOS 7.0 and OSX 10.9 clients.
>>>> - Support for iOS, preferably native VPN client
>>>> - Support for OSX, preferably native VPN client
>>>> - VPN endpoint running on an internal server.
>>>> - Forwarding appropriate ports from a router.
>>>> Description
>>>> -----------
>>>> - Use npppd, IPsec and Packet Filter (pf).
>>>> - Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
>>>> `/etc/ipsec.conf` and `/etc/pf.conf`.
>>>> npppd Setup
>>>> -----------
>>>> - npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
>>>> L2TP, PPTP, and PPPoE.
>>>> - Reference: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?&manpath=OpenBSD-current&sec=8&query=npppd
>>>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?&manpath=OpenBSD-current&sec=5&query=npppd.conf
>>>> - Example using L2TP and authenticating against a local file.
>>>> - Example npppd.conf file, `/etc/npppd/npppd.conf`:
>>>> ```
>>>> authentication LOCAL type local {
>>>>       users-file "/etc/npppd/npppd-users"
>>>> }
>>>> tunnel L2TP_ipv4 protocol l2tp {
>>>>       listen on 0.0.0.0
>>>> }
>>>> ipcp IPCP {
>>>>       pool-address 192.168.2.150-192.168.2.199
>>>>       dns-servers 8.8.8.8
>>>> }
>>>> interface pppx0 address 192.168.2.1 ipcp IPCP
>>>> bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
>>>> ```
>>>> - NOTE: `pool-address` values should be a block of addresses in the same
>>>> subnet as the internal network.
>>>> - NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
>>>> servers should be used if available.
>>>> - Example npppd-users file, `/etc/npppd/npppd-users`:
>>>> ```
>>>> jtest: \
>>>>   :password=SEEKRIT:\
>>>>   :framed-ip-address=192.168.2.150:
>>>> ```
>>>> - NOTE: Replace `SEEKRIT` with your password.
>>>> - NOTE: The `framed-ip-address` value should be in the `pool-address`
>>>> block from `/etc/npppd/npppd.conf`.
>>>> IPsec Setup
>>>> ----------------
>>>> - IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
>>>> Authentication Header (AH), which provide security services for IP
>>>> datagrams.
>>>> - Reference:
>>>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?&manpath=OpenBSD-current&query=ipsec
>>>> - Example ipsec.conf file, `/etc/ipsec.conf`:
>>>> ```
>>>> public_ip = "192.168.2.2"
>>>> ike passive esp transport \
>>>>        proto udp from $public_ip to any port 1701 \
>>>>        main auth "hmac-sha1" enc "aes" group modp1024 \
>>>>        quick auth "hmac-sha1" enc "aes" \
>>>>        psk "SEEKRIT"
>>>> ```
>>>> - NOTE: Replace `192.168.2.2` with the ip of the server.
>>>> - NOTE: Replace SEEKRIT with your password.
>>>> Packet Filter Setup
>>>> -------------------
>>>> - Packet Filter is OpenBSD's system for filtering TCP/IP traffic and doing
>>>> Network Address Translation.
>>>> - Reference:
>>>> http://www.openbsd.org/faq/pf/
>>>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4?&manpath=OpenBSD-current&arch=amd64&query=pf
>>>> - Example pf.conf file, `/etc/pf.conf`:
>>>> ```
>>>> pass quick proto { esp, ah } from any to any
>>>> pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
>>>> pass on enc0 from any to any keep state (if-bound)
>>>> ```
>>>> sysctl Changes
>>>> --------------
>>>> - NOTE: Not sure if needed.
>>>> - Make changes to `/etc/sysctl.conf` and reboot
>>>> ```
>>>> ...
>>>> # CHANGED
>>>> net.inet.ip.forwarding=1
>>>> ...
>>>> # CHANGED
>>>> net.pipex.enable=1
>>>> ...
>>>> ```
>>>> ```
>>>> sudo reboot
>>>> ```
>>>> NAT and Port Forwarding
>>>> ----------------------
>>>> - If the VPN end point is behind a NATed firewall the following ports must
>>>> be forwarded:
>>>> - UDP 500  - Internet Key Exchange (IKE)
>>>> - UDP 1701 - L2TP traffic
>>>> - UDP 4500 - IPSec Network Address Translation (NAT-T)
>>>> Startup
>>>> -------
>>>> - Apply pf.conf rules:
>>>> ```
>>>> sudo pfctl -f /etc/pf.conf
>>>> ```
>>>> - Start isakmpd:
>>>> ```
>>>> sudo /etc/rc.d/isakmpd -f start
>>>> ```
>>>> - Apply ipsec rules (load `/etc/ipsec.conf`; `-v` prints the rules as they are loaded):
>>>> ```
>>>> sudo ipsecctl -v -f /etc/ipsec.conf
>>>> ```
>>>> ```
>>>> sudo isakmpd -K -d
>>>> ```
>>>> - NOTE: -d starts in foreground
>>>> - Start npppd:
>>>> ```
>>>> sudo /usr/sbin/npppd -d
>>>> ```
>>>> - NOTE: -d starts in foreground
>>>> Monitoring
>>>> ----------
>>>> - To monitor npppd vpn sessions use npppctl:
>>>> ```
>>>> npppctl session all
>>>> ```
>>>> - Reference:
>>>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppctl.8?&manpath=OpenBSD-current&sec=8&query=npppctl
>>>> - To monitor ipsec use ipsecctl:
>>>> ```
>>>> sudo ipsecctl -s all
>>>> ```
>>>> Start ipsec and isakmpd at Boot
>>>> ---------------------
>>>> - Add following to /etc/rc.conf.local to start isakmpd at boot:
>>>> ```
>>>> isakmpd_flags="-K"
>>>> ipsec=YES
>>>> ```
> 
> -- 
> http://gordonturner.ca
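The check Gordon asks about in this thread (is every `framed-ip-address` in `/etc/npppd/npppd-users` inside the `pool-address` block from `/etc/npppd/npppd.conf`?) is easy to misjudge by eye once the pool is written in CIDR form, as in mxb's config, rather than as an explicit range, as in Gordon's. The script below is an added example and is not part of any message in this thread or of npppd itself. It accepts the two `pool-address` spellings that appear above (a `lo-hi` range and a CIDR block, optionally quoted), joins the termcap-style backslash continuations of `npppd-users`, and reports which users with a static address fall outside every pool. The two config fragments embedded in it are constructed from the addresses posted above plus an invented user `bob` whose address is deliberately outside the pool; `alice` has no static address and is skipped. Whether the pool must sit in the LAN subnet at all (the proxy ARP point mxb raises) is a separate question the script does not decide.

```python
"""Check npppd-users framed-ip-address values against the npppd.conf pool."""
import ipaddress
import re

# Constructed sample npppd.conf, using the addresses from the thread.
NPPPD_CONF = """\
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
ipcp IPCP {
        pool-address 192.168.2.150-192.168.2.199
        dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
"""

# Constructed sample npppd-users; 'bob' is invented and outside the pool,
# 'alice' has no static address and is therefore not checked.
NPPPD_USERS = """\
jtest: \\
  :password=SEEKRIT:\\
  :framed-ip-address=192.168.2.150:
bob: \\
  :password=SEEKRIT2:\\
  :framed-ip-address=192.168.3.7:
alice: \\
  :password=SEEKRIT3:
"""

# Matches 'pool-address 10.0.0.2-10.0.0.254' or 'pool-address "10.0.0.0/24"'
# (quotes optional; a trailing 'for static' is left uncaptured).
POOL_RE = re.compile(r'^\s*pool-address\s+"?([0-9./-]+)"?', re.M)


def parse_pool(conf):
    """Return the pool as a list of (low, high) integer address bounds.

    A CIDR block is taken as the whole block, network and broadcast
    addresses included; a 'lo-hi' range is taken literally.
    """
    ranges = []
    for m in POOL_RE.finditer(conf):
        spec = m.group(1)
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in spec:
            lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
            ranges.append((int(lo), int(hi)))
        else:
            one = int(ipaddress.ip_address(spec))
            ranges.append((one, one))
    return ranges


def parse_users(users):
    """Return {username: framed-ip-address} for users that set one.

    npppd-users is termcap-like: 'name:\\' then ':cap=value:' fields, with
    backslash-newline continuations, so continuations are joined first.
    """
    logical = users.replace("\\\n", "")
    result = {}
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        name = fields[0]
        for field in fields[1:]:
            if field.startswith("framed-ip-address="):
                result[name] = field.split("=", 1)[1]
    return result


def check(conf, users):
    """Return {username: True if its static address is inside some pool}."""
    ranges = parse_pool(conf)
    report = {}
    for name, addr in parse_users(users).items():
        a = int(ipaddress.ip_address(addr))
        report[name] = any(lo <= a <= hi for lo, hi in ranges)
    return report


if __name__ == "__main__":
    for user, ok in check(NPPPD_CONF, NPPPD_USERS).items():
        print(f"{user}: {'in pool' if ok else 'OUTSIDE pool'}")
```

Run it against real files with `check(open("/etc/npppd/npppd.conf").read(), open("/etc/npppd/npppd-users").read())`; a `False` entry is a user npppd cannot hand the requested address to from that pool. The range form is checked inclusively because that is how it is written; the CIDR form is treated as the full block, so an address equal to the network or broadcast address passes this check even though it is not a usable host address.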
