File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd.mdwn
Revision 1.8
Mon Apr 8 20:30:38 2019 UTC (19 months, 3 weeks ago) by sevan
Branches: MAIN
CVS tags: HEAD

[[!meta title="how to create an L2TP ipsec tunnel between an Android or iPhone or iOS device to NetBSD"]]

You need NetBSD-current later than 2013-07-01 with a kernel built with `options IPSEC`. Install the pkgsrc package net/xl2tpd.

## Network Topology

                                  -------------
              192.168.2.4/24  ---| NetBSD Host |--- 1.2.3.4
           [internal interface]   -------------   [external interface]

We are going to use 192.168.2.80 as the local endpoint of each ppp interface and 192.168.2.81-89
for up to 9 simultaneous tunnels. We will provide DNS from 192.168.2.4.

## Configuration files

All the configuration files except the firewall rules are provided as part of the xl2tpd package; copy them into the right places. In ipsec.conf, change @LOCAL_ADDRESS@ to your external address 1.2.3.4. Set the key in /etc/racoon/psk.txt (this will be your shared secret). Set the username and password in /etc/ppp/chap-secrets. Enable ipsec, racoon and xl2tpd in rc.conf. You will need to include all the ppp interfaces in your firewall configuration to allow traffic to and from them. I use npf, and I have automated this with an /etc/ppp/ip-up script that generates my npf.conf dynamically from the list of active interfaces and runs `npfctl reload /tmp/npf.conf` to reload the rules. The npf file I am using is in /usr/share/examples/npf/l2tp_gw-npf.conf.
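
As an added example (this is not the wiki author's ip-up script, and it is not the example file shipped in /usr/share/examples/npf), here is one way to write the /etc/ppp/ip-up described above: it rebuilds an NPF rule set from whichever ppp interfaces exist at the moment pppd calls it, writes it to /tmp/npf.conf and reloads it with `npfctl reload`. The external interface name `wm0` is an assumption (the page never names it); `sk0` is the internal interface that appears in the log below; the ports and addresses follow the topology above.

```shell
#!/bin/sh
# Added example, not the wiki author's script: an /etc/ppp/ip-up that rebuilds
# an NPF rule set from the ppp interfaces present right now and reloads it.
# pppd runs it as:  ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumed names: wm0 is the external interface (not given on the wiki),
# sk0 the internal one (it appears in the log as the proxy-arp interface).

EXT_IF="${EXT_IF:-wm0}"
INT_IF="${INT_IF:-sk0}"
OUT="${OUT:-/tmp/npf.conf}"

# Names of the ppp interfaces that currently exist (NetBSD: ifconfig -l).
active_ppp_ifs() {
    for i in $(ifconfig -l); do
        case "$i" in ppp*) printf '%s\n' "$i" ;; esac
    done
}

# One group per tunnel interface. Stateful rules let a tunnel user open
# connections inward and outward while nothing unsolicited is passed to it.
ppp_groups() {
    for i in "$@"; do
        printf 'group "%s" on %s {\n' "$i" "$i"
        printf '    pass stateful in final all\n'
        printf '    pass stateful out final all\n'
        printf '}\n'
    done
}

# Whole rule set for the given ppp interface names. IKE (500), NAT-T (4500)
# and L2TP (1701) must reach the external address. After ESP decapsulation
# the kernel hands L2TP to NPF as plain UDP/1701, so it is the IPsec policy
# in ipsec.conf, not this file, that keeps unprotected L2TP out.
gen_npf_conf() {
    printf '$ext_if = "%s"\n$int_if = "%s"\n\n' "$EXT_IF" "$INT_IF"
    printf 'group "external" on $ext_if {\n'
    printf '    pass stateful out final all\n'
    for p in 500 4500 1701; do
        printf '    pass stateful in final proto udp to $ext_if port %s\n' "$p"
    done
    printf '}\n\n'
    printf 'group "internal" on $int_if {\n    pass final all\n}\n\n'
    ppp_groups "$@"
    printf '\ngroup default {\n    pass final on lo0 all\n    block all\n}\n'
}

main() {
    gen_npf_conf $(active_ppp_ifs) > "$OUT" && npfctl reload "$OUT"
}

# pppd always supplies at least five arguments; run with none (for example
# when the functions are sourced for testing) the script does nothing.
if [ $# -ge 5 ]; then main "$@"; fi
```

Because the rule set is regenerated from the current interface list rather than patched incrementally, the same file can be installed as /etc/ppp/ip-down too, so rules for a tunnel that has gone away are dropped on the next reload.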

To debug problems, run tcpdump on the external interface, the internal interface, the ppp interfaces, and the npflog device.

## Sample message output

This is an aggressive-mode exchange (OS X); the iPhone (iOS) uses main mode.

    racoon: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
    racoon: INFO: begin Aggressive mode.
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: RFC 3947
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: DPD
    racoon: [5.6.7.8] INFO: Selected NAT-T version: RFC 3947
    racoon: INFO: Adding remote and local NAT-D payloads.
    racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[500] with algo #2
    racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
    racoon: INFO: NAT-T: ports changed to: 5.6.7.8[4500]<->1.2.3.4[4500]
    racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[4500] with algo #2
    racoon: INFO: NAT-D payload #0 verified
    racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[4500] with algo #2
    racoon: INFO: NAT-D payload #1 doesn't match
    racoon: INFO: NAT detected: PEER
    racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    racoon: [5.6.7.8] INFO: received INITIAL-CONTACT
    racoon: INFO: purging spi=249311193.
    racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500]
    racoon: INFO: Update the generated policy : 192.168.1.103/32[55576] 1.2.3.4/32[1701] proto=udp dir=in
    racoon: INFO: Adjusting my encmode UDP-Transport->Transport
    racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
    racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e)
    racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692)
    xl2tpd[454]: Connection established to 5.6.7.8, 55576.  Local: 34593, Remote: 6 (ref=0/0).  LNS session is 'default'
    xl2tpd[454]: set queue size for /dev/pts/0 to 32768
    xl2tpd[454]: Call established with 5.6.7.8, Local: 12914, Remote: 28785, Serial: 1
    pppd[26068]: pppd 2.4.4 started by root, uid 0
    pppd[26068]: set_up_tty: Changed queue size of 12 from 1024 to 32768
    pppd[26068]: tty_establish_ppp: Changed queue size of 12 from 1024 to 32768
    pppd[26068]: Using interface ppp0
    pppd[26068]: Connect: ppp0 <--> /dev/pts/0
    racoon: INFO: 192.168.2.80[500] used for NAT-T
    pppd[26068]: found interface sk0 for proxy arp
    racoon: INFO: 192.168.2.80[500] used as isakmp port (fd=22)
    pppd[26068]: local  IP address 192.168.2.80
    racoon: INFO: 192.168.2.80[4500] used for NAT-T
    pppd[26068]: remote IP address 192.168.2.81
    racoon: INFO: 192.168.2.80[4500] used as isakmp port (fd=23)
    racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[500] used as isakmp port (fd=24)
    racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[4500] used as isakmp port (fd=25)
    racoon: INFO: deleting a generated policy.
    racoon: INFO: purged IPsec-SA proto_id=ESP spi=236082834.
    racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
    xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, serial 1 ()
    pppd[26068]: LCP terminated by peer (User request)
    xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, port 55576 (), Local: 34593, Remote: 6
    pppd[26068]: Connect time 1.3 minutes.
    pppd[26068]: Sent 1723454 bytes, received 389800 bytes.
    pppd[26068]: Terminating on signal 15
    pppd[26068]: Modem hangup
    pppd[26068]: Connection terminated.
    pppd[26068]: Exit.

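The log above is long because racoon reports every vendor ID and NAT-D hash. As an added example that is not part of the wiki page, the following sh/awk filter reduces racoon, xl2tpd and pppd lines of that shape (read from stdin) to the stages a session passes through, so that a healthy handshake and a stalled one can be told apart at a glance. `SAMPLE_LOG` is constructed here after the output above, not copied from a real system. The main-mode line it recognises, `begin Identity Protection mode.`, is racoon's wording for the iOS case and is an assumption, since that message does not appear on this page.

```shell
#!/bin/sh
# Added example (not from the wiki): summarise an L2TP/IPsec session from
# racoon/xl2tpd/pppd syslog lines on stdin. Lines may carry the usual
# syslog date/host prefix; every pattern matches anywhere in the line.
l2tp_summary() {
    awk '
    /respond new phase 1 negotiation/ {
        # last field is "LOCAL[port]<=>PEER[port]"; keep the peer address
        split($NF, a, /<=>/); peer = a[2]; sub(/\[.*/, "", peer)
        print "phase1-start peer=" peer; stage = "phase1-start"
    }
    /begin Aggressive mode/          { print "phase1-mode=aggressive" }
    # assumed wording of racoon main-mode line (iOS); not shown on the page
    /begin Identity Protection mode/ { print "phase1-mode=main" }
    /NAT detected:/                  { print "nat-t=" $NF }
    /ISAKMP-SA established/          { p1 = 1; stage = "phase1-done" }
    /IPsec-SA established/           { sas++; stage = "phase2-done" }
    /Call established with/          { stage = "l2tp-call-up" }
    /pppd\[[0-9]+\]: Using interface/   { ifname = $NF; stage = "ppp-up" }
    /pppd\[[0-9]+\]: remote IP address/ { print "ppp-peer=" $NF }
    /LCP terminated by peer/         { stage = "closed-by-peer" }
    END {
        # a working session shows phase 1, two ESP SAs (one per direction)
        # and a ppp interface; anything less stalled at "last-stage"
        printf "ipsec-sas=%d\n", sas
        if (ifname != "") print "ppp-if=" ifname
        print "last-stage=" stage
        print ((p1 && sas >= 2 && ifname != "") ? "result=up" : "result=incomplete")
    }'
}

# Constructed sample, modelled on the wiki output (SPIs and IDs are dummies).
SAMPLE_LOG='racoon: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: NAT detected: PEER
racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:0000000000000000:0000000000000000
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=1(0x1)
racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=2(0x2)
xl2tpd[454]: Call established with 5.6.7.8, Local: 1, Remote: 2, Serial: 1
pppd[26068]: Using interface ppp0
pppd[26068]: remote IP address 192.168.2.81
pppd[26068]: LCP terminated by peer (User request)'

# usage:  grep -E "racoon|xl2tpd|pppd" /var/log/messages | sh l2tp-summary.sh -
#         sh l2tp-summary.sh --sample     (runs the constructed sample)
if [ "${1-}" = "-" ]; then
    l2tp_summary
elif [ "${1-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_LOG" | l2tp_summary
fi
```

On the sample this prints `result=up` with `ipsec-sas=2` and `ppp-if=ppp0`; a log that stops after `begin Aggressive mode.` (typically a pre-shared key or proposal mismatch on the client) prints `result=incomplete` with `last-stage=phase1-start`, which is the first place to look.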
