Annotation of wikisrc/tutorials/how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd.mdwn, revision 1.1

You need NetBSD-current newer than 2013-07-01 with a kernel built with "options IPSEC". Install the pkgsrc package net/xl2tpd.

## Network Topology

                              -------------
        192.168.2.4/24    ---| NetBSD Host |---    1.2.3.4
        [internal interface]  -------------  [external interface]

We are going to use 192.168.1.80 as the local endpoint of each ppp interface and 192.168.2.80-89
as the remote endpoints, for up to 9 simultaneous tunnels. DNS will be provided from 192.168.2.4.

## Configuration files

All the configuration files except the firewall rules are provided as part of the xl2tpd package; copy them to the right places:

- In ipsec.conf, change @LOCAL_ADDRESS@ to your external address, 1.2.3.4.
- Set the pre-shared key in /etc/racoon/psk.txt (this will be your secret).
- Set the username and password in /etc/ppp/chap-secrets.
- Enable ipsec, racoon and xl2tpd in rc.conf.

You'll need to include all the ppp interfaces in your firewall config file to allow traffic to and from them. I use npf, and I've automated this using the /etc/ppp/ip-up file to generate my npf.conf file dynamically from the list of active interfaces, and use npf reload to reload the rules. The npf file I am using is in /usr/share/examples/npf/l2tp_gw-npf.conf.
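One way to automate the firewall regeneration described above, as an added example (this is not the page's own ip-up script nor the xl2tpd package's): it assumes wm0 as the external interface, sk0 as the internal one, /etc/npf.conf as the output path and the current `group ... on` npf.conf syntax, and the rule set is a minimal one written for this example, not the l2tp_gw-npf.conf file.

```sh
#!/bin/sh
# /etc/ppp/ip-up hook (added example): rebuild npf.conf from the ppp
# interfaces that currently exist, then reload the ruleset.
# Interface names, output path and rules are assumptions.

EXT_IF="${EXT_IF:-wm0}"             # external interface (assumed name)
INT_IF="${INT_IF:-sk0}"             # internal interface (sk0 appears in the log)
NPF_CONF="${NPF_CONF:-/etc/npf.conf}"

# Print the ppp interfaces that exist right now, one per line.
active_ppp_ifs() {
    for ifn in $(ifconfig -l); do        # ifconfig -l lists all interfaces
        case "$ifn" in ppp[0-9]*) echo "$ifn" ;; esac
    done
}

# Emit an npf.conf: IKE (500), NAT-T (4500) and ESP in on the external
# interface, stateful traffic on the internal and each tunnel interface.
# Usage: gen_npf_conf EXT_IF INT_IF [ppp0 ppp1 ...]
gen_npf_conf() {
    ext="$1"; int="$2"; shift 2
    cat <<EOF
# generated by /etc/ppp/ip-up, do not edit by hand
group "external" on $ext {
    pass stateful out final all
    pass in final proto udp from any to any port 500
    pass in final proto udp from any to any port 4500
    pass in final proto esp from any to any
    block in final all
}
group "internal" on $int {
    pass stateful in final all
    pass stateful out final all
}
EOF
    for p in "$@"; do                    # one group per active tunnel
        printf 'group "%s" on %s {\n    pass stateful in final all\n    pass stateful out final all\n}\n' "$p" "$p"
    done
    printf 'group default {\n    pass final on lo0 all\n    block all\n}\n'
}

# Only rewrite and reload when actually run as the pppd ip-up hook.
if [ "$(basename "$0")" = "ip-up" ]; then
    gen_npf_conf "$EXT_IF" "$INT_IF" $(active_ppp_ifs) > "$NPF_CONF"
    /etc/rc.d/npf reload
fi
```

A matching /etc/ppp/ip-down hook can run the same generator so that a torn-down tunnel's group is removed on the next reload.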

To debug problems you can use tcpdump on the external, internal and ppp interfaces, and on the npflog device.

## Sample messages output

This is aggressive mode (iOS); the iPhone uses main mode.

    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: DPD
    racoon: [5.6.7.8] INFO: Selected NAT-T version: RFC 3947
    racoon: INFO: Adding remote and local NAT-D payloads.
    racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[500] with algo #2
    racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
    racoon: INFO: NAT-T: ports changed to: 5.6.7.8[4500]<->1.2.3.4[4500]
    racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[4500] with algo #2
    racoon: INFO: NAT-D payload #0 verified
    racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[4500] with algo #2
    racoon: INFO: NAT-D payload #1 doesn't match
    racoon: INFO: NAT detected: PEER
    racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    racoon: [5.6.7.8] INFO: received INITIAL-CONTACT
    racoon: INFO: purging spi=249311193.
    racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500]
    racoon: INFO: Update the generated policy : 192.168.1.103/32[55576] 1.2.3.4/32[1701] proto=udp dir=in
    racoon: INFO: Adjusting my encmode UDP-Transport->Transport
    racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
    racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e)
    racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692)
    xl2tpd[454]: Connection established to 5.6.7.8, 55576.  Local: 34593, Remote: 6 (ref=0/0).  LNS session is 'default'
    xl2tpd[454]: set queue size for /dev/pts/0 to 32768
    xl2tpd[454]: Call established with 5.6.7.8, Local: 12914, Remote: 28785, Serial: 1
    pppd[26068]: pppd 2.4.4 started by root, uid 0
    pppd[26068]: set_up_tty: Changed queue size of 12 from 1024 to 32768
    pppd[26068]: tty_establish_ppp: Changed queue size of 12 from 1024 to 32768
    pppd[26068]: Using interface ppp0
    pppd[26068]: Connect: ppp0 <--> /dev/pts/0
    racoon: INFO: 192.168.2.80[500] used for NAT-T
    pppd[26068]: found interface sk0 for proxy arp
    racoon: INFO: 192.168.2.80[500] used as isakmp port (fd=22)
    pppd[26068]: local  IP address 192.168.2.80
    racoon: INFO: 192.168.2.80[4500] used for NAT-T
    pppd[26068]: remote IP address 192.168.2.81
    racoon: INFO: 192.168.2.80[4500] used as isakmp port (fd=23)
    racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[500] used as isakmp port (fd=24)
    racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[4500] used as isakmp port (fd=25)
    racoon: INFO: deleting a generated policy.
    racoon: INFO: purged IPsec-SA proto_id=ESP spi=236082834.
    racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, serial 1 ()
    pppd[26068]: LCP terminated by peer (User request)
    xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, port 55576 (), Local: 34593, Remote: 6
    pppd[26068]: Connect time 1.3 minutes.
    pppd[26068]: Sent 1723454 bytes, received 389800 bytes.
    pppd[26068]: Terminating on signal 15
    pppd[26068]: Modem hangup
    pppd[26068]: Connection terminated.
    pppd[26068]: Exit.
