You need a NetBSD-current from later than 2013-07-01, with a kernel built with options IPSEC. Install the pkgsrc package net/xl2tpd.
Network Topology
----------------

```
192.168.2.4/24 ---| NetBSD Host |--- 1.2.3.4
[internal interface] ------------- [external interface]
```
We are going to use 192.168.2.80 as the local endpoint of each ppp interface and 192.168.2.81-89 as the remote endpoints, for up to 9 simultaneous tunnels. We will provide DNS from 192.168.2.4.
Configuration files
-------------------

All the configuration files except the firewall rules are provided as part of the xl2tpd package; copy them into place, then:

1. In ipsec.conf, change @LOCAL_ADDRESS@ to your external address, 1.2.3.4.
2. Set the pre-shared key in /etc/racoon/psk.txt (this is your secret).
3. Set the username and password in /etc/ppp/chap-secrets.
4. Enable ipsec, racoon and xl2tpd in rc.conf.
5. Include all the ppp interfaces in your firewall configuration so that traffic to and from them is allowed. I use npf, and I've automated this with /etc/ppp/ip-up, which generates my npf.conf dynamically from the list of active interfaces and runs npfctl reload /tmp/npf.conf to load the rules. The npf configuration I am using is in /usr/share/examples/npf/l2tp_gw-npf.conf.
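As an added example of the ip-up approach described in step 5 (this is not the page's own ip-up script nor its l2tp_gw-npf.conf), the following POSIX sh script regenerates an npf.conf from the ppp interfaces the kernel currently has and reloads it. The template path /etc/npf.conf.in, the marker line `# @PPP_RULES@` and the pass-all group bodies are assumptions; the group syntax follows NetBSD 7 and later npf.conf, and the real rule set should come from the example file named above.

```shell
#!/bin/sh
# Added example, not the page's own /etc/ppp/ip-up: rebuild npf.conf from the
# active ppp interfaces and reload it. Template, marker and rule bodies are
# assumptions; the page reloads from /tmp/npf.conf, which is kept here.

TEMPLATE=${NPF_TEMPLATE:-/etc/npf.conf.in}   # assumed: static part of the rule set
OUTPUT=${NPF_OUTPUT:-/tmp/npf.conf}          # file handed to npfctl reload
MARKER='# @PPP_RULES@'                        # assumed marker line in the template

# Print the name of every ppp interface the kernel currently has (ifconfig -l
# lists all interfaces on NetBSD), one per line.
active_ppp_ifaces() {
    for ifn in $(ifconfig -l); do
        case "$ifn" in ppp*) printf '%s\n' "$ifn" ;; esac
    done
}

# Emit one npf group per ppp interface named in $1 (whitespace-separated).
# Non-ppp names are skipped so a raw interface list can be passed straight in.
# The pass-all policy is illustrative: tighten it to what the tunnels need.
gen_ppp_rules() {
    for ifn in $1; do
        case "$ifn" in ppp*) ;; *) continue ;; esac
        printf 'group "%s" on %s {\n' "$ifn" "$ifn"
        printf '\tpass stateful in final all\n'
        printf '\tpass stateful out final all\n'
        printf '}\n'
    done
}

# Copy template $1 to stdout, replacing the marker line with the generated
# groups for the interfaces in $2. Fails if the template has no marker, so a
# template typo cannot silently produce a rule set without the ppp groups.
build_npf_conf() {
    tmpl=$1; ifaces=$2; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "$MARKER" ]; then
            gen_ppp_rules "$ifaces"; found=1
        else
            printf '%s\n' "$line"
        fi
    done < "$tmpl"
    [ "$found" -eq 1 ]
}

# Entry point when pppd runs this as /etc/ppp/ip-up (arguments: interface,
# tty, speed, local IP, remote IP, ipparam). The file is written atomically
# and validated before reload, so a broken file never replaces the live rules.
ip_up_main() {
    ifaces=$(active_ppp_ifaces | tr '\n' ' ')
    build_npf_conf "$TEMPLATE" "$ifaces" > "$OUTPUT.tmp" || exit 1
    mv "$OUTPUT.tmp" "$OUTPUT"
    npfctl validate "$OUTPUT" && npfctl reload "$OUTPUT"
}

# Only act when invoked under the pppd hook names; sourcing the file for
# testing defines the functions without touching the firewall.
case "${0##*/}" in ip-up|ip-down) ip_up_main "$@" ;; esac
```

Installing the same script as /etc/ppp/ip-down keeps the rule set in sync when a tunnel closes; note that ifconfig -l may still list the interface being torn down at that moment, which leaves a harmless group for an interface that no longer carries traffic until the next run.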
To debug problems you can run tcpdump on the external, internal and ppp interfaces, and on the npflog device.
Sample log output
-----------------

This is aggressive mode (OS X); the iPhone (iOS) uses main mode.
```
racoon: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: DPD
racoon: [5.6.7.8] INFO: Selected NAT-T version: RFC 3947
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[500] with algo #2
racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
racoon: INFO: NAT-T: ports changed to: 5.6.7.8[4500]<->1.2.3.4[4500]
racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[4500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[4500] with algo #2
racoon: INFO: NAT-D payload #1 doesn't match
racoon: INFO: NAT detected: PEER
racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
racoon: [5.6.7.8] INFO: received INITIAL-CONTACT
racoon: INFO: purging spi=249311193.
racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500]
racoon: INFO: Update the generated policy : 192.168.1.103/32[55576] 1.2.3.4/32[1701] proto=udp dir=in
racoon: INFO: Adjusting my encmode UDP-Transport->Transport
racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e)
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692)
xl2tpd[454]: Connection established to 5.6.7.8, 55576. Local: 34593, Remote: 6 (ref=0/0). LNS session is 'default'
xl2tpd[454]: set queue size for /dev/pts/0 to 32768
xl2tpd[454]: Call established with 5.6.7.8, Local: 12914, Remote: 28785, Serial: 1
pppd[26068]: pppd 2.4.4 started by root, uid 0
pppd[26068]: set_up_tty: Changed queue size of 12 from 1024 to 32768
pppd[26068]: tty_establish_ppp: Changed queue size of 12 from 1024 to 32768
pppd[26068]: Using interface ppp0
pppd[26068]: Connect: ppp0 <--> /dev/pts/0
racoon: INFO: 192.168.2.80[500] used for NAT-T
pppd[26068]: found interface sk0 for proxy arp
racoon: INFO: 192.168.2.80[500] used as isakmp port (fd=22)
pppd[26068]: local IP address 192.168.2.80
racoon: INFO: 192.168.2.80[4500] used for NAT-T
pppd[26068]: remote IP address 192.168.2.81
racoon: INFO: 192.168.2.80[4500] used as isakmp port (fd=23)
racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[500] used as isakmp port (fd=24)
racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[4500] used as isakmp port (fd=25)
racoon: INFO: deleting a generated policy.
racoon: INFO: purged IPsec-SA proto_id=ESP spi=236082834.
racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, serial 1 ()
pppd[26068]: LCP terminated by peer (User request)
xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, port 55576 (), Local: 34593, Remote: 6
pppd[26068]: Connect time 1.3 minutes.
pppd[26068]: Sent 1723454 bytes, received 389800 bytes.
pppd[26068]: Terminating on signal 15
pppd[26068]: Modem hangup
pppd[26068]: Connection terminated.
pppd[26068]: Exit.
```
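When several clients connect, reading raw racoon output like the above line by line gets tedious. As an added example (not part of the page), the following awk-based shell function condenses a racoon log into one line per peer: which IKE phase 1 mode it used, whether NAT was detected, whether the ISAKMP-SA came up and was later torn down, and how many IPsec-SAs were established. The embedded sample is a subset of the racoon lines shown above; the "Identity Protection" wording for main mode in the second test input is an assumption about racoon's message text.

```shell
#!/bin/sh
# Added example, not from the page: summarise racoon log lines (read on stdin)
# into one status line per peer, using the message formats seen in the sample.

summarize_racoon_log() {
    awk '
    # Phase 1 start: the last field is local[port]<=>peer[port]; remember the
    # peer address and reset its state. Order of first appearance is kept.
    /respond new phase 1 negotiation/ {
        split($NF, ep, "<=>"); peer = ep[2]; sub(/\[.*/, "", peer)
        if (!(peer in seen)) { seen[peer] = 1; order[++n] = peer }
        mode[peer] = "unknown"; nat[peer] = "none"; isakmp[peer] = "no"; esp[peer] = 0
    }
    # "begin Aggressive mode." (or any other mode name) for the current peer.
    /begin .* mode\./ {
        m = $0; sub(/.*begin /, "", m); sub(/ mode\..*/, "", m); mode[peer] = m
    }
    # "NAT detected: PEER" (racoon may also report ME, or both).
    /NAT detected: / { s = $0; sub(/.*NAT detected: /, "", s); nat[peer] = s }
    /ISAKMP-SA established/ { isakmp[peer] = "up" }
    /IPsec-SA established/  { esp[peer]++ }
    /ISAKMP-SA (expired|deleted)/ { isakmp[peer] = "closed" }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s mode=%s nat=%s isakmp=%s ipsec_sa=%d\n",
                   p, mode[p], nat[p], isakmp[p], esp[p]
        }
    }'
}

# Sample input: racoon lines copied from the log shown on the page.
sample_log() {
    cat <<'EOF'
racoon: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: NAT-D payload #1 doesn't match
racoon: INFO: NAT detected: PEER
racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500]
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e)
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692)
racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
EOF
}

# Typical use on a live gateway: grep racoon /var/log/messages | summarize_racoon_log
```

A peer that shows mode=Aggressive with isakmp=no and ipsec_sa=0 repeated many times is a client that never gets past phase 1, usually a pre-shared key or proposal mismatch; isakmp=up with ipsec_sa=0 points at the phase 2 policy instead.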