==== Open Swan VPN ====

OpenSwan is a VPN that implements IPsec. Through the addition of the xl2tp package we can implement a complete VPN setup that works with the Mac and the iPhone natively. The current OpenSwan package (as of November 2010) requires kernel modifications to run and is therefore a little trickier to install. The StrongSwan package doesn't, so it is pretty easy to install.

=== Setup ===

== Building StrongSwan from source ==

<code>
apt-get install build-essential fakeroot dpkg-dev devscripts
apt-get source strongswan
apt-get install libcurl4-openssl-dev ipsec-tools
apt-get build-dep strongswan
</code>

This set of commands gets the tools needed to build packages (you probably have them already, but this is safe), fetches the source for strongswan, installs some tools that strongswan needs, and then makes sure that all the build dependencies are satisfied. These commands probably need to be run as root. Be mindful that the source will be checked out into whatever directory you are currently in.

<code>
cd strongswan-*.*.*/
</code>

As of this writing the command is actually

<code>
cd strongswan-4.2.4/
</code>

but the version number will increase with time.

Next you want to increment the package version; this tells the Debian package system that you are building your own version of the package. It also lets you look over the changelog.

<code>
dch -i
</code>

The -i indicates that you are incrementing the release number.

Next you want to change the build rules to enable NAT traversal. This isn't enabled by default and is the whole reason we checked out the source instead of installing a binary. The rules for building the strongswan package are found in the strongswan folder under debian/rules; you want to edit these:

<code>
vim debian/rules
</code>

Look for the line:

<code>
--disable-md5 --disable-sha1 --disable-sha2 \
</code>

and change it to:

<code>
--disable-md5 --disable-sha1 --disable-sha2 --enable-nat-transport \
</code>

Ready to build:

<code>
dpkg-buildpackage -rfakeroot -uc -b
</code>

And then to install:

<code>
dpkg -i ../*.deb
</code>

If everything went well strongswan is now installed!
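The debian/rules edit above is easy to get subtly wrong by hand (or to apply twice), so here is an added helper script, not from the original page or the strongSwan project, that makes the change, refuses to guess if the configure line does not match the one quoted above (other strongswan versions may differ), keeps a backup, and verifies its own result:

```shell
#!/bin/sh
# Added helper (not from the original page): enable NAT traversal in a
# strongswan debian/rules file without hand-editing it. Assumes the
# configure line looks exactly like the one quoted in the page above.

enable_nat_transport() {
    rules="$1"
    # the line we expect to find, as quoted on the page (trailing backslash included)
    expected='--disable-md5 --disable-sha1 --disable-sha2 \'

    if [ ! -f "$rules" ]; then
        echo "enable_nat_transport: no such file: $rules" >&2
        return 1
    fi

    # idempotent: a second run must not add the flag twice
    if grep -qF -- '--enable-nat-transport' "$rules"; then
        echo "enable_nat_transport: already enabled in $rules"
        return 0
    fi

    # refuse to guess if the line differs (other strongswan versions may change it)
    if ! grep -qF -- "$expected" "$rules"; then
        echo "enable_nat_transport: expected configure line not found in $rules; edit it by hand" >&2
        return 2
    fi

    # keep an untouched copy, then splice the flag in before the line continuation
    cp "$rules" "$rules.orig"
    sed 's/--disable-sha2 \\$/--disable-sha2 --enable-nat-transport \\/' "$rules" > "$rules.tmp" \
        && mv "$rules.tmp" "$rules"

    # verify the edit actually landed (non-zero exit if it did not)
    grep -qF -- '--disable-sha2 --enable-nat-transport \' "$rules"
}

# run directly as: sh enable-nat-t.sh debian/rules
if [ "$#" -gt 0 ]; then
    enable_nat_transport "$1"
fi
```

Run it from the strongswan source directory before dpkg-buildpackage; the untouched copy is left in debian/rules.orig.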
== Configuring StrongSwan ==

Important files:

  * /etc/ipsec.conf
  * /etc/ipsec.secrets

== Configuring L2TP ==

Important files:

  * /etc/xl2tpd/l2tp-secrets
  * /etc/xl2tpd/xl2tpd.conf
  * /etc/ppp/options.xl2tpd

=== Troubleshooting ===

== Making sure traffic is arriving at the server ==

The first thing to check is that traffic is actually arriving at the server. This can be done with a tcpdump on the server end:

<code>
tcpdump -i eth0 -n -p udp port 500 or udp port 4500
</code>

You will need to be root or run this command with superuser privileges because tcpdump needs raw socket access. If traffic isn't arriving, check for firewalls that may be blocking it.

== Watching how ipsec handles the incoming traffic ==

<code>
tail -f /var/log/auth.log /var/log/daemon.log
</code>

== Looking at available shared secrets ==

<code>
ipsec secrets
</code>

Needs to be executed as root or with superuser privileges.

== Checking the status of ipsec ==

<code>
ipsec status
</code>

Needs to be executed as root or with superuser privileges.

== authby Problems ==

This comes from the [[https://lists.strongswan.org/pipermail/users/2006-June/001430.html|strongSwan mailing list]]:

> Hi
>
> This is perhaps a stupid question .. but with a simple configuration
> auth=secret and a valid ipsec.secrets (one PSK entry) I got this
> message:
>
> Jun 1 09:20:12 vm1 pluto[4383]: packet from 172.16.100.2:1333: initial
> Main Mode message received on 172.16.101.250:500 but no connection has
> been authorized with policy=PSK

Have you enabled **nat_traversal=yes** in the config setup section? If the answer is no then any source port different from UDP/500 will be rejected independently of the fact that the authentication is based on RSA or PSK.

[[user:nsr1:open_swan_vpn:discussion|Discussion Log]]