Topic: VPN (Need a place for my notes)

Dap-P

  • Veteran
  • ***
  • Posts: 106
VPN (Need a place for my notes)
« on: January 29, 2014, 03:52:50 pm »
Hi all,
I am trying to make VPN work, and I just need a place to put my notes, and perhaps sometimes some help/advice/testers.
I don't have a lot of time, and my head is filled with a lot of things lately, so that's why I dump this here.

This is what i know for now:

VPN is working if the Core has a public addressable IP, i.e. not 192.168.x.x, 10.x.x.x, 172.16.x.x
It is working with and without NAT, (protocol 50 or udp port 4500)

What you need to make it work:

In firewall, allow udp 500, udp 4500, and ip 50 (protocol 50)

And you need to accept 1701 out of the IPSEC tunnel:
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT


There needs to be a ppp-up script that allows the remote end in iptables. Next time I work on VPN, I'll try to make it.
Could be that just ifup ppp0 is enough -> need to test

It's possible that for devices to use 'internet' over VPN masquerading is needed:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.0/24 -j MASQUERADE


Conclusions:
- If VPN is working internally, it is working with a public outside IP
- If set up with a private outside IP, 1701 traffic doesn't want to go through the ipsec tunnel, and thus fails
  This could be because I have only tested this with android clients, I need to try with windows, or mac (or linux)
- It's easiest to set up with firewall disabled.
- There is still some work that needs to be done on scripting and automatic adding of firewall rules.


Anton
« Last Edit: February 09, 2014, 08:45:15 pm by Dap-P »
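The firewall rules in the notes above have one subtlety worth checking on a running core: udp/1701 (L2TP) should only be accepted when it arrives through the IPsec policy, which is what the `-m policy --dir in --pol ipsec` match does; a plain `--dport 1701` ACCEPT lets L2TP be reached outside the tunnel. The audit below is an added example (not LinuxMCE code) that reads an iptables-save dump and reports which of the required rules are present and which udp/1701 rules lack the policy match; the dump it runs on is constructed.

```python
import re

# Constructed iptables-save excerpt modelled on the rules discussed in this
# thread; it is not a dump from any real LinuxMCE core.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -p udp -m udp --dport 1701 -j ACCEPT
COMMIT
"""


def audit_l2tp_rules(dump: str) -> dict:
    """Check an iptables-save dump for the L2TP/IPsec inbound rules.

    Reports whether IKE (udp/500), NAT-T (udp/4500), ESP (protocol 50) and
    the policy-matched L2TP rule are present, and lists every INPUT rule that
    accepts udp/1701 without `-m policy --pol ipsec`: such a rule lets L2TP
    be reached outside the IPsec tunnel the setup relies on.
    """
    result = {"ike_500": False, "natt_4500": False, "esp": False,
              "l2tp_via_ipsec": False, "l2tp_in_clear": []}
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if " -p esp" in line or " -p 50 " in line:
            result["esp"] = True
            continue
        match = re.search(r"-p udp.*--dport (\d+)", line)
        if not match:
            continue
        port = int(match.group(1))
        via_ipsec = "--pol ipsec" in line
        if port == 500:
            result["ike_500"] = True
        elif port == 4500:
            result["natt_4500"] = True
        elif port == 1701 and via_ipsec:
            result["l2tp_via_ipsec"] = True
        elif port == 1701:
            result["l2tp_in_clear"].append(line)
    return result


if __name__ == "__main__":
    for key, value in audit_l2tp_rules(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

On a real core, feed it `iptables-save` output instead of the constructed sample.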

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #1 on: January 29, 2014, 07:59:46 pm »
Please let me know if you need testers- following the directions on the wiki I was able to get my android phone to connect to the VPN. 

I was never able to get the standard Win VPN to connect as I think they use ipsec ikev2 and openswan is only ikev1.  I was trying to replace openswan with strongswan to get ikev2 and broke my install... haven't tried it since reinstall.


Dap-P

  • Veteran
  • ***
  • Posts: 106
Re: VPN (Need a place for my notes)
« Reply #2 on: February 03, 2014, 12:52:09 am »
I've been able to set up VPN with android clients, after some fiddling with the conf files.

For now, I use these:
/etc/ipsec.conf http://paste.ubuntu.com/6864517/
/etc/xl2tpd/xl2tpd.conf http://paste.ubuntu.com/6864407/
(just replace the listen-addr with your external interface ip)

And a password without special characters in /etc/ppp/chap-secrets

Still need to find out what settings are actually necessary for the setup.

Anton

polly

  • Administrator
  • Guru
  • *****
  • Posts: 209
Re: VPN (Need a place for my notes)
« Reply #3 on: February 03, 2014, 11:00:10 am »
Nice! ... really like to get this working as well ... :-)
I will give it a try this week.

Cheers,
ochorocho

Alblasco1702

  • Regular Poster
  • **
  • Posts: 45
Re: VPN (Need a place for my notes)
« Reply #4 on: February 03, 2014, 04:47:26 pm »
I'm helping DAP-P and I'm trying to make it work automatically.

Alblasco1702

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #5 on: February 08, 2014, 04:55:19 am »
Going to put it here so I don't lose it.  This config allows me to connect from the internal network- not yet from an external one.  This is for a username:password of:  outside:outside.

Also, I have UDP ports 500, 1701 and 4500 set to core input on the core's firewall.

This is not meant to be a guide- this is what pseudo-works for me.

/etc/ipsec.conf
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
  nat_traversal=yes
  virtual_private=%4:192.168.80.0/24
  oe=off
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT


conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=192.168.80.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any

/etc/ipsec.secrets
Code:
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

x.x.x.x %any: PSK "outside"

/etc/xl2tpd/xl2tpd.conf
Code:
[global]
ipsec saref = no

[lns default]
ip range = 192.168.80.200-192.168.80.210
local ip = 192.168.80.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxMCE_VPN_Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/xl2tpd/l2tp-secrets
Code:
# Secrets for authenticating l2tp tunnels
* * outside


/etc/ppp/options.xl2tpd
Code:
refuse-mschap-v2
refuse-mschap
ms-dns 192.168.80.1
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


/etc/ppp/chap-secrets
Code:
# Secrets for authentication using CHAP
outside * outside *

After changes, I use:
Code:
/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart
/etc/init.d/pppd-dns restart

Then on my android (Galaxy S4), I have to go to Settings -> More networks -> VPN -> Advanced IPsec VPN and create a VPN connection with the following options:

  • L2TP pre-shared key (IKEv1)
  • Pre-shared key (PSK) (as set in /etc/xl2tpd/l2tp-secrets I think)
  • Aggressive mode, Perfect forward secrecy and disable split tunnel are all unchecked
  • Group 17 (MODP-6144) under IKE groups
  • IKE lifetime set to 8 hours
  • IPsec encryption and integrity algorithms set to All
  • IPsec lifetime set to 1 hour

tschak909

  • LinuxMCE God
  • ****
  • Posts: 5549
  • DOES work for LinuxMCE.
Re: VPN (Need a place for my notes)
« Reply #6 on: February 08, 2014, 09:28:49 pm »
Basically guys, what is it going to take, to have VPN work out of the box for the most common platforms? I typically don't have to go into advanced in each of the VPN clients and set things like this.

-Thom

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #7 on: February 09, 2014, 04:10:03 am »
Basically guys, what is it going to take, to have VPN work out of the box for the most common platforms? I typically don't have to go into advanced in each of the VPN clients and set things like this.

-Thom

I think that's the point- right now, in my experience, it has not been straightforward.  In addition to the ports not being automatically added, the config files are not correct when you tag a user to use VPN in the webadmin -> users page.  While my knowledge of VPNs is marginal- at best- I've been researching this and trying different combinations for a while to finally get to a point of repeatability.

The goal, if I could speak for the ones actually doing the work, is to not have any of this duct tape.  Going to webadmin, setting the PSK, allowed users and their passwords and then the viewable folders in a simple 4-step approach that allows win/*nix/mac/android devices to connect nearly effortlessly is where I would like to see this go.  I have a variety of clients from the various OS's, a stable 1204 install and periodically the time to play with this.  Anton/Dap-P and Alblasco1702 have the skills to make this work- I'm just filling forum space with my current setup and limitations.

Dap-P

  • Veteran
  • ***
  • Posts: 106
Re: VPN (Need a place for my notes)
« Reply #8 on: February 09, 2014, 04:24:50 pm »
After some more research, the only thing that seems to need a change is the ipsec.conf.
Better said, only the last line in /etc/ipsec.conf
If you change that from
Code:
rightprotoport=17/%any
to
Code:
rightprotoport=17/0
it seems to work for me.

I've tried changing the template (/usr/pluto/templates/ipsec.conf.tmpl), but if I then use the webadmin to configure things, it leaves me with an empty /etc/ipsec.conf file.

Is there somebody that can confirm changing this line is a working solution?

golgoj4

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1193
  • hrumpf!
Re: VPN (Need a place for my notes)
« Reply #9 on: February 09, 2014, 04:43:39 pm »
Basically guys, what is it going to take, to have VPN work out of the box for the most common platforms? I typically don't have to go into advanced in each of the VPN clients and set things like this.

-Thom

See thread title. Notes, not 'magic vpn auto config'. I asked him to do this in a roundabout way, so let's not take to lecturing over something nobody else has taken to doing.

Linuxmce - Where everyone is never wrong, but we are always behind xbmc in the media / ui department.

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #10 on: February 09, 2014, 05:19:46 pm »

Is there somebody that can confirm changing this line is a working solution?

I'll try this asap, but I think I've been getting a not authorized PSK connection while tailing /var/log/auth.log.  Only been able to get around it by editing the ipsec.secrets file and changing the leftmost string to the value set in ipsec.conf (I'm using 192.168.80.1) and then adding PSK after the colon and before the actual PSK.

This is connecting through my android using L2TP IKEv1.  What are you using for your client?

Dap-P

  • Veteran
  • ***
  • Posts: 106
Re: VPN (Need a place for my notes)
« Reply #11 on: February 09, 2014, 06:15:44 pm »
After some more testing, these are my findings:

In /etc/ipsec.conf, 2 lines need to change:
rightsubnet=vhost:%priv into rightsubnet=vhost:%priv,%no
rightprotoport=17/%any into rightprotoport=17/0

If someone can test this (also with an iphone/ipad)?
If it is not working on an apple device, can you add the following lines in the "conn L2TP-PSK" section of /etc/ipsec.conf:
dpddelay=10
dpdtimeout=90
dpdaction=clear
And see if it is working?

Of course you need to enable the port in the firewall also,
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
to allow l2tp traffic out of the ipsec tunnel
and allow udp port 500 and 4500 in the webadmin

Anton
« Last Edit: February 09, 2014, 08:47:21 pm by Dap-P »

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #12 on: February 10, 2014, 04:36:46 am »
Dap-P, this does not work for me on my android or ipad mini- get this:
Code:
Feb  9 21:29:04 dcerouter pluto[32533]: packet from 192.168.80.182:60500: initial Main Mode message received on 192.168.80.1:500 but no connection has been authorized with policy=PSK
This is with left=%defaultroute in /etc/ipsec.conf and the 1st entry as %any in /etc/ipsec.secrets.

It works if I change the left in /etc/ipsec.conf to 192.168.80.1, change the 1st %any to 192.168.80.1 in /etc/ipsec.secrets.
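Reply #11 (the two ipsec.conf lines to change) and reply #12 (the "no connection has been authorized with policy=PSK" pluto line, cleared by making `left=` and the first field of the ipsec.secrets PSK line both the address pluto received the request on) together give a checklist. The script below is an added example (not LinuxMCE or Openswan code) that parses the conn sections of an ipsec.conf, the PSK ids in ipsec.secrets and that one pluto log line, and reports which of the thread's findings the pair violates; the config, secrets and log line it runs on are constructed to reproduce the failing case from reply #12.

```python
import re

# Constructed samples reproducing reply #12's failing case: left=%defaultroute, a %any PSK line, pluto's log line.
IPSEC_CONF = """\
conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
conn L2TP-PSK-noNAT
  left=%defaultroute
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
"""
IPSEC_SECRETS = '%any %any: PSK "outside"\n'
AUTH_LOG = ("Feb  9 21:29:04 dcerouter pluto[32533]: packet from 192.168.80.182:60500: "
            "initial Main Mode message received on 192.168.80.1:500 but no connection "
            "has been authorized with policy=PSK")


def parse_conns(conf: str) -> dict:
    """Return {conn name: {key: value}} for every conn section, comments stripped."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key] = value
    return conns


def diagnose(conf: str, secrets: str, log: str) -> list:
    """Apply the thread's findings to an ipsec.conf/ipsec.secrets pair and one pluto line."""
    settings = {}
    for conn in parse_conns(conf).values():  # the two conns here share no keys
        settings.update(conn)
    findings = []
    hit = re.search(r"received on ([\d.]+):500 but no connection has been authorized", log)
    listen_ip = hit.group(1) if hit else None
    if listen_ip and settings.get("left") != listen_ip:
        findings.append(f"left={settings.get('left')} but pluto saw the request on "
                        f"{listen_ip}; the thread's workaround is left={listen_ip}")
    ids = [l.split(":", 1)[0].split() for l in secrets.splitlines() if ": PSK" in l]
    if listen_ip and not any(listen_ip in i for i in ids):
        findings.append(f"no PSK line in ipsec.secrets uses {listen_ip} as its left id")
    if not settings.get("rightsubnet", "").endswith(",%no"):
        findings.append("rightsubnet should be vhost:%priv,%no")
    if settings.get("rightprotoport") != "17/0":
        findings.append("rightprotoport should be 17/0")
    return findings
```

Run `diagnose(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read(), line)` with the pluto line grepped from /var/log/auth.log to check a real core.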

Dap-P

  • Veteran
  • ***
  • Posts: 106
Re: VPN (Need a place for my notes)
« Reply #13 on: February 10, 2014, 05:38:22 pm »
I am not sure if a VPN on the internal network will work in any circumstance, with this setup.
Can you try from outside your LinuxMCE network?

Anton

huh

  • Guru
  • ****
  • Posts: 245
Re: VPN (Need a place for my notes)
« Reply #14 on: March 21, 2014, 04:11:19 pm »
Sorry for the delay- I am able to connect- here's my setup (Android, Samsung Galaxy S4 running 4.4.2).

/etc/ipsec.conf
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
  nat_traversal=yes
  virtual_private=%4:192.168.80.0/24
  oe=off
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv,%no
  also=L2TP-PSK-noNAT
  dpddelay=10
  dpdtimeout=90
  dpdaction=clear

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/0

I have UDP ports 500, 4500 and 1701 set as core input on my firewall.

As for the phone, I added an advanced IPsec VPN.  Plugged in a connection name, selected connection as L2TP pre-share key (IKEv1), plugged in the address and my preshare key.  Saved, clicked connect, put in user and password and it connected.

Connection is quick- watching the auth.log using "tail -f /var/log/auth.log" it connects in 10 lines.  Granted that doesn't mean much, but when connecting before it would be 50+ lines. 

I still have an error:
Code:
netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 64500 don't match. Using that_client port.

So thinking the 1701 in the firewall is still not correct.