
Open Swan VPN

OpenSwan is a VPN daemon that implements IPsec. By adding the xl2tp package we can build a complete VPN setup that works natively with the Mac and the iPhone. The current OpenSwan package (as of November 2010) requires kernel modifications to run and is therefore a little trickier to install. The StrongSwan package doesn't, so it's pretty easy to install.

Setup

Building StrongSwan from source
apt-get install build-essential fakeroot dpkg-dev devscripts
apt-get source strongswan
apt-get install libcurl4-openssl-dev ipsec-tools
apt-get build-dep strongswan

This set of commands gets the tools needed to build packages (you probably have them, but this is safe), gets the source for strongswan, gets some tools that are needed by strongswan, and then makes sure that all the build dependencies are satisfied. These commands probably need to be run as root. Be mindful that the source will be checked out to whatever directory you're currently in.

cd strongswan-*.*.*/

As of this writing the command is actually

cd strongswan-4.2.4/

But this will change with time. Next you want to increment the version; this tells the Debian package system that you are making your own version of the package. It also lets you look over the changelog.

dch -i

The -i indicates that you are incrementing the release number.

Next you want to change the build rules to enable NAT traversal (the --enable-nat-transport option). This isn't enabled by default and is the whole reason we checked out the source instead of installing a binary. The rules for building the strongswan package are found in the strongswan folder under debian/rules; you want to edit these:

vim debian/rules

Look for the line:

--disable-md5 --disable-sha1 --disable-sha2 \

and change it to:

--disable-md5 --disable-sha1 --disable-sha2 --enable-nat-transport \

Ready to build:

dpkg-buildpackage -rfakeroot -uc -b

And then to install:

dpkg -i ../*.deb

If everything went well, strongswan is now installed!

Configuring StrongSwan

Important Files

/etc/ipsec.conf
/etc/ipsec.secrets

Configuring L2TP

Important Files

/etc/xl2tpd/l2tp-secrets
/etc/xl2tpd/xl2tpd.conf
/etc/ppp/options.xl2tpd

Troubleshooting

Making sure traffic is arriving at the server

The first thing to check is that traffic is actually arriving at the server. This can be done with tcpdump on the server end:

tcpdump -i eth0 -n -p udp port 500 or udp port 4500

You will need to be root or run this command via sudo, because tcpdump opens a raw socket to capture packets. If traffic isn't arriving, check for firewalls that may be blocking it.

Watching how ipsec handles the incoming traffic

tail -f /var/log/auth.log /var/log/daemon.log

Looking at available shared secrets

ipsec secrets

Needs to be executed by a super user or root

Checking the status of ipsec

ipsec status

Needs to be executed by a super user or root

authby Problems

This comes from the StrongSwan mailing list.

Hi

This is perhaps a stupid Question .. but with a simple apt-get install build-essential fakeroot dpkg-dev devscripts

apt-get source strongswan apt-get install libcurl4-openssl-dev ipsec-tools apt-get build-dep strongswan configuration

auth=secret and a valid ipsec.secrets (one PSK entry) I got this message:

Jun 1 09:20:12 vm1 pluto[4383]: packet from 172.16.100.2:1333: initial Main Mode message received on 172.16.101.250:500 but no connection has been authorized with policy=PSK

Have you enabled nat_traversal=yes in the config setup section?

If the answer is no then any source port different from UDP/500 will be rejected, independently of the fact that the authentication is based on RSA or PSK.
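As an added example (not from this wiki page or the mailing list), a small Python script that triages the pluto "no connection has been authorized" line from /var/log/auth.log and applies the source-port diagnostic from the reply above. The sample log is constructed: its first line is the message quoted above, the others are made up.

```python
import re

# pluto (the IKE daemon, whose output lands in /var/log/auth.log) logs this line when
# an IKE proposal arrives that matches no conn in ipsec.conf. The source-port test is
# the diagnostic from the mailing-list reply: a client behind NAT arrives from a port
# other than UDP/500, and without nat_traversal=yes pluto rejects it outright.
UNAUTHORIZED_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<src_ip>[\d.]+):(?P<src_port>\d+): "
    r"initial (?P<mode>\w+) Mode message received on "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) but no connection has been "
    r"authorized with policy=(?P<policy>\S+)"
)

# pluto policy names as they map onto the authby= setting in ipsec.conf
POLICY_TO_AUTHBY = {"PSK": "secret", "RSASIG": "rsasig"}

def triage(log_text):
    """Return one finding per 'no connection has been authorized' line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = UNAUTHORIZED_RE.search(line)
        if not m:
            continue
        src_port = int(m.group("src_port"))
        policy = m.group("policy")
        authby = POLICY_TO_AUTHBY.get(policy, policy.lower())
        behind_nat = src_port != 500
        if behind_nat:
            hint = "source port is not 500 (client is NATed): set nat_traversal=yes in 'config setup'"
        else:
            hint = "no conn accepts authby=%s from this peer: check ipsec.conf conns and ipsec.secrets" % authby
        findings.append({
            "src": "%s:%d" % (m.group("src_ip"), src_port),
            "dst": "%s:%s" % (m.group("dst_ip"), m.group("dst_port")),
            "policy": policy,
            "authby": authby,
            "behind_nat": behind_nat,
            "hint": hint,
        })
    return findings

# Constructed sample: the first line is the message from the mailing list, the rest are made up
SAMPLE_LOG = """\
Jun  1 09:20:12 vm1 pluto[4383]: packet from 172.16.100.2:1333: initial Main Mode message received on 172.16.101.250:500 but no connection has been authorized with policy=PSK
Jun  1 09:21:03 vm1 pluto[4383]: packet from 172.16.100.7:500: initial Main Mode message received on 172.16.101.250:500 but no connection has been authorized with policy=RSASIG
Jun  1 09:21:05 vm1 xl2tpd[4410]: Connection established to 172.16.100.2, 1701.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s -> %s policy=%s nat=%s: %s" % (f["src"], f["dst"], f["policy"], f["behind_nat"], f["hint"]))
```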


user/nsr1/open_swan_vpn.txt · Last modified: 2010/11/01 23:21 by nsr1