File: [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd.mdwn
Revision 1.5, Thu Jul 4 16:31:48 2013 UTC, by wiki (web commit by christos)
Branches: MAIN; CVS tags: HEAD

[[!meta title="how to create an L2TP ipsec tunnel between an Android or iPhone or iOS device to NetBSD"]]

You need a NetBSD-current from later than 2013-07-01, with a kernel built with "options IPSEC". Install the pkgsrc package net/xl2tpd.

## Network Topology

                              -------------
          192.168.2.4/24  ---| NetBSD Host |--- 1.2.3.4
       [internal interface]   -------------   [external interface]

We are going to use 192.168.1.80 as the local endpoint of each ppp interface and 192.168.2.81-89
for up to 9 simultaneous tunnels. We will provide DNS from 192.168.2.4.

## Configuration files

All the configuration files except the firewall rules are provided as part of the xl2tpd package; copy them to the right places, then:

1. In ipsec.conf, change @LOCAL_ADDRESS@ to your external address, 1.2.3.4.
2. Set the pre-shared key in /etc/racoon/psk.txt (this will be your secret).
3. Set the username and password in /etc/ppp/chap-secrets.
4. Enable ipsec, racoon and xl2tpd in rc.conf.
5. Include all the ppp interfaces in your firewall configuration so that traffic to and from them is allowed. I use npf, and I've automated this with an /etc/ppp/ip-up file that regenerates my npf.conf dynamically from the list of active interfaces and uses npf reload to reload the rules. The npf file I am using is in /usr/share/examples/npf/l2tp_gw-npf.conf.
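As an added example (not the wiki's own ip-up, nor a file from the xl2tpd package), here is one way to write the /etc/ppp/ip-up script described above: it regenerates npf.conf from the ppp interfaces present on the host and reloads npf. The interface names wm0 and sk0 (sk0 is the interface named in the pppd log below), the ports opened on the outside and the npf.conf grammar are assumptions; check the rule syntax against /usr/share/examples/npf/l2tp_gw-npf.conf for your release.

```shell
#!/bin/sh
# Added example of an /etc/ppp/ip-up script (not the wiki's own): regenerate
# npf.conf from the ppp interfaces that exist on the host and reload the rules.
# pppd runs it as:  ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumptions: external interface wm0, internal interface sk0, and the
# "group NAME on IFACE" npf.conf grammar; verify both against your release.

EXT_IF="${EXT_IF:-wm0}"            # assumed name; the page only gives 1.2.3.4
INT_IF="${INT_IF:-sk0}"            # sk0 is the interface named in the pppd log
NPF_CONF="${NPF_CONF:-/etc/npf.conf}"

# Print a complete npf.conf for a space-separated list of ppp interfaces.
# Outside, only IKE (udp/500), NAT-T (udp/4500) and ESP are accepted; L2TP on
# udp/1701 arrives decapsulated from IPsec, so it is not exposed on $ext_if.
gen_npf_conf() {
    cat <<EOF
\$ext_if = "$EXT_IF"
\$int_if = "$INT_IF"

group "external" on \$ext_if {
    pass stateful out final all
    pass stateful in final proto udp to \$ext_if port { 500, 4500 }
    pass in final proto esp to \$ext_if
}
group "internal" on \$int_if {
    pass final all
}
EOF
    # one group per tunnel interface, so every active ppp interface is allowed
    for ifc in $1; do
        printf 'group "%s" on %s {\n    pass final all\n}\n' "$ifc" "$ifc"
    done
    printf 'group default {\n    block all\n}\n'
}

# Number of group blocks in a generated config (a cheap sanity check).
count_groups() { printf '%s\n' "$1" | grep -c '^group '; }

# ppp interfaces currently configured on this host, space separated.
active_ppp_ifaces() { ifconfig -l | tr ' ' '\n' | grep '^ppp' | tr '\n' ' '; }

# Only act when pppd invokes us with an interface name as the first argument.
case "${1:-}" in
    ppp*)
        gen_npf_conf "$(active_ppp_ifaces)" > "$NPF_CONF"
        npfctl reload && npfctl start
        ;;
esac
```

Because pppd runs ip-up once per tunnel, the full ruleset is rebuilt from whatever ppp interfaces exist at that moment, so an interface that disappeared earlier is dropped from the rules on the next call.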

To debug problems you can run tcpdump on the external, internal and ppp interfaces, and on the npflog device.

## Sample log output

This is aggressive mode (iOS); the iPhone uses main mode.

     racoon: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
     racoon: INFO: begin Aggressive mode.
     racoon: INFO: received broken Microsoft ID: FRAGMENTATION
     racoon: INFO: received Vendor ID: RFC 3947
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
     racoon: INFO: received Vendor ID: DPD 
     racoon: [5.6.7.8] INFO: Selected NAT-T version: RFC 3947 
     racoon: INFO: Adding remote and local NAT-D payloads. 
     racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[500] with algo #2  
     racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2  
     racoon: INFO: NAT-T: ports changed to: 5.6.7.8[4500]<->1.2.3.4[4500] 
     racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[4500] with algo #2  
     racoon: INFO: NAT-D payload #0 verified 
     racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[4500] with algo #2  
     racoon: INFO: NAT-D payload #1 doesn't match 
     racoon: INFO: NAT detected: PEER 
     racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4 
     racoon: [5.6.7.8] INFO: received INITIAL-CONTACT 
     racoon: INFO: purging spi=249311193. 
     racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500] 
     racoon: INFO: Update the generated policy : 192.168.1.103/32[55576] 1.2.3.4/32[1701] proto=udp dir=in 
     racoon: INFO: Adjusting my encmode UDP-Transport->Transport 
     racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
     racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e) 
     racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692) 
     xl2tpd[454]: Connection established to 5.6.7.8, 55576.  Local: 34593, Remote: 6 (ref=0/0).  LNS session is 'default' 
     xl2tpd[454]: set queue size for /dev/pts/0 to 32768 
     xl2tpd[454]: Call established with 5.6.7.8, Local: 12914, Remote: 28785, Serial: 1 
     pppd[26068]: pppd 2.4.4 started by root, uid 0
     pppd[26068]: set_up_tty: Changed queue size of 12 from 1024 to 32768
     pppd[26068]: tty_establish_ppp: Changed queue size of 12 from 1024 to 32768
     pppd[26068]: Using interface ppp0
     pppd[26068]: Connect: ppp0 <--> /dev/pts/0
     racoon: INFO: 192.168.2.80[500] used for NAT-T 
     pppd[26068]: found interface sk0 for proxy arp
     racoon: INFO: 192.168.2.80[500] used as isakmp port (fd=22) 
     pppd[26068]: local  IP address 192.168.2.80
     racoon: INFO: 192.168.2.80[4500] used for NAT-T 
     pppd[26068]: remote IP address 192.168.2.81
     racoon: INFO: 192.168.2.80[4500] used as isakmp port (fd=23) 
     racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[500] used as isakmp port (fd=24) 
     racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[4500] used as isakmp port (fd=25) 
     racoon: INFO: deleting a generated policy. 
     racoon: INFO: purged IPsec-SA proto_id=ESP spi=236082834. 
     racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4 
     racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4 
     xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, serial 1 () 
     pppd[26068]: LCP terminated by peer (User request)
     xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, port 55576 (), Local: 34593, Remote: 6 
     pppd[26068]: Connect time 1.3 minutes.
     pppd[26068]: Sent 1723454 bytes, received 389800 bytes.
     pppd[26068]: Terminating on signal 15
     pppd[26068]: Modem hangup
     pppd[26068]: Connection terminated.
     pppd[26068]: Exit.
