Lab46 Wiki

User Tools

Site Tools

You are here: start » user » nsr1 » open_swan_vpn
user:nsr1:open_swan_vpn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
user:nsr1:open_swan_vpn [2010/11/02 03:06] nsr1user:nsr1:open_swan_vpn [2010/11/02 03:21] (current) nsr1
Line 1: Line 1:
 +==== Open Swan VPN ====
  
 +OpenSwan is a VPN that implements IPsec. Through the addition of the xl2tp package we can implement a complete VPN setup that works with that mac and the iPhone natively.  The current OpenSwan package (as of November 2010) require kernel modifications to run and is therefore a little trickier to install.  However the StrongSwan package doesn't so it's pretty easy to install.
 +
 +=== Setup ===
 +
 +== Building StrongSwan from source ==
 +
 +  apt-get install build-essential fakeroot dpkg-dev devscripts
 +  apt-get source strongswan
 +  apt-get install libcurl4-openssl-dev ipsec-tools
 +  apt-get build-dep strongswan
 +
 +This set of commands gets the tools needed to build packages (you probably have them, but this is safe), gets the source for strongswan, gets some tools that are needed by strongswan, and then makes sure that all the build dependencies are satisfied.  These commands probably need to be run as root.  Be mindful that the source will be checked out to whatever directory you're currently in.
 +  cd strongswan-*.*.*/
 +As of this writing the command is actually
 +  cd strongswan-4.2.4/
 +But this will increment with time.  Next you want to increment the version, this indicates that you're making you're version to the debian package system.  It also lets you look over the changelog.
 +  dch -i
 +The -i indicated that you are incrementing the release number.
 +
 +Next you want to change the build rules to enable NAT translation.  This isn't enabled by default and is the whole reason we checked out the source instead of installing a binary.  The rules for building the strongswan package are found in the strongswan folder under debian/rules, you want to edit these
 +
 +  vim debian/rules
 +
 +Look for the line:
 +  –disable-md5 –disable-sha1 –disable-sha2 \
 +and change it to: 
 +     –disable-md5 –disable-sha1 –disable-sha2 –enable-nat-transport \
 +
 +Ready to build:
 +  dpkg-buildpackage -rfakeroot -uc -b
 +
 +And then to install:
 +   dpkg -i ../*.deb
 +   
 +If everything went well strongswan is now installed!
 +
 +== Configuring StrongSwan ==
 +
 +Important Files
 +   /etc/ipsec.conf
 +   /etc/ipsec.secrets
 +   
 +== Configuring L2TP ==
 +
 +Important Files
 +  /etc/xl2tpd/l2tp-secrets
 +  /etc/xl2tpd/xl2tpd.conf 
 +  /etc/ppp/options.xl2tpd
 +
 +=== Troubleshooting ===
 +
 +== Making Sure traffic is arriving to the Server ==
 +The thing to check for is that traffic is arriving at the server.  This can be done with a tcp dump on the server end
 +  tcpdump -i eth0 -n -p udp port 500 or udp port 4500
 +You will need to either be root or execute this command as a superuser because tcpdump grabs the raw unix socket information.  If traffic isn't arriving check for firewalls that may be blocking the traffic.
 +
 +== Watching how ipsec handles the incoming traffic ==
 +  tail -f /var/log/auth.log /var/log/daemon.log
 +  
 +== Looking at available shared secrets ==
 +  ipsec secrets
 +Needs to be executed by a super user or root
 +
 +== Checking the status of ipsec ==
 +    ipsec status
 +Needs to be executed by a super user or root
 +
 +== authby Problems ==
 +This comes from the [[https://lists.strongswan.org/pipermail/users/2006-June/001430.html|strong swan mailing list]]
 +> Hi
 +
 +> This is perhaps a stupid Question .. but with a simple apt-get install build-essential fakeroot dpkg-dev devscripts
 +apt-get source strongswan
 +apt-get install libcurl4-openssl-dev ipsec-tools
 +apt-get build-dep strongswan configuration
 +> auth=secret and a valid ipsec.secrets (one PSK Entry) i got this
 +> Message:
 +
 +> Jun  1 09:20:12 vm1 pluto[4383]: packet from 172.16.100.2:1333: initial
 +> Main Mode message received on 172.16.101.250:500 but no connection has
 +> been authorized with policy=PSK
 +
 +Have you enabled **nat_traversal=yes** in the config setup section?
 +
 +If the answer is no then any source port different from UDP/500
 +will be recejected independently of the fact that the authentication
 +is based on RSA or PSK.
 +   
 +
 +[[user:nsr1:open_swan_vpn:discussion|Discussion Log]]

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki