Gentoo Forums
Howto l2tp/IPsec VPNServer (PSK MS-Chap for now)
Forum: Networking & Security
Quinny
n00b

Joined: 27 Feb 2003
Posts: 38
Location: Netherlands

PostPosted: Fri Jul 21, 2006 8:23 am

Any pointers to a Linux client setup?

My VPN server has been working perfectly for about one and a half years now. In the beginning I used to have to restart the ipsec daemon periodically, but I fixed that about a year ago. Windows clients can connect, disconnect and reconnect as often as they like; it's really stable.

The only thing is that connections aren't dropped soon enough when a connection breaks. For example: the wireless LAN dies, Windows says "VPN connection disabled", but I can't reconnect, because ipsec or l2tp still thinks I'm logged in, so I have to restart the daemon to drop it manually. But I can't do that when other people are using the VPN too, of course...

But I'm going off-topic in my own post, I'd really like to use my Linux laptop as a client for my VPN, any help? Links to documentation?

<edit>

OK, found some documentation, tried it > My VPN server is running openswan 2.3.0, portage currently only has 2.4.4. They don't seem to be compatible: when I try to connect to the server, the server crashes (something about SHA1 not being implemented).
It says it'll restart itself but then doesn't do that because of an error in the script somewhere so I have to restart it manually.

Copied the older version from the server to the client, including patches and stuff, but it won't compile. The other VPN is in production use (the one that crashed) so I'm not even going to try and update that one at the moment (don't know who are using it atm..)

In any case, a Linux client for this VPN setup seems harder than it is ;)

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Fri Jul 28, 2006 12:57 pm

I was not able to get this to work; I was pointing the problems at SELinux though.

Try this type of config for Linux to Linux...

I do not have the right config because I do not have that box anymore.. I was able to make the connection, however it seemed the routing was not correct.

Code:

conn roadwarrior-gentoo
        authby=rsasig
        left=<external-ip>
        leftid=@vpn
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAQNxbQYtVgyoDeqk0eFtXZiwN3DC(cut)
        right=%any
        rightid=@lappy
        rightsubnet=10.0.0.0/24
        rightrsasigkey=0sAQN2eCQDz1U6/9ZgkwQI+VP0ITqYtK(cut)
        auto=add


Good luck..

Also, to everyone: I am not updating this here anymore.. I have a new version on http://teh.sh.nu/HowTo

Right now it is just PSK ipsec/l2tp but soon will have Linux to Linux connect and a subnet passthrough for remote offices.
_________________
write quit bang

plut0
Apprentice

Joined: 21 Dec 2004
Posts: 272

PostPosted: Mon Jul 31, 2006 3:23 am

I followed the tutorial at http://teh.sh.nu/HowTo, but I cannot connect. When I try to connect the client just "hangs". Eventually it times out with this message: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." OR "The L2TP connection attempt failed because security negotiation timed out." The client is running Windows XP SP2. I am connecting internally and shut down the firewall for debugging purposes.

I am at a loss on how to debug this. I know very little about openswan and how to log events. If anyone can point me in the right direction I will post more information.

Thanks!

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Mon Jul 31, 2006 11:53 am

If you are using the default logging setup on gentoo (syslog-ng) all logging will go to /var/log/messages.

tail -f /var/log/messages

while trying to connect to the server. Post the relevant lines.
_________________
write quit bang

plut0
Apprentice

Joined: 21 Dec 2004
Posts: 272

PostPosted: Mon Jul 31, 2006 3:44 pm

I deleted my configs and copy/pasted everything again... now I can connect. Must've been a typo somewhere!

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Tue Aug 01, 2006 12:52 pm

Cool, I think you're the first one to test my howto on my page.. Glad it works well for you.

-Brett
_________________
write quit bang

khuongdp
n00b

Joined: 09 Nov 2003
Posts: 73

PostPosted: Fri Aug 18, 2006 8:48 pm

Anybody tried openswan-2.4.6 ...ebuild?

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Mon Aug 28, 2006 8:32 pm

@khuongdp : No I have not.

Other news:
In the FWIW department.. I was able to establish a Linux to Linux roadwarrior connection.

Notice left == local on both ends.

Server / Gateway
Code:

conn linux-to-linux
        authby=rsasig
        left=<external ip>
        leftid=@vpn.domain.net
        leftsubnet=172.17.170.0/24
        leftrsasigkey=0sAQOapWmExxxx.....
        right=%any
        rightid=@road.you.com
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=0sAQN/WxhRxxxx......
        auto=ignore


Client

Code:

conn linux-to-linux
        authby=rsasig
        right=<external ip>
        rightid=@vpn.domain.net
        rightsubnet=172.17.170.0/24
        rightrsasigkey=0sAQOapWmExxxx.......
        left=%defaultroute
        leftid=@road.you.com
        leftrsasigkey=0sAQN/WxhRxxxx.......
        auto=add


Problems...

The leftid/rightid do not appear to be working. With this conn set to auto=add, an XP roadwarrior will try to use it and of course not be able to connect.

Firewall rules.. I run iptables DROP ALL policies on this box and firewall rules are proving to be a pain. Looks like it needs forward rules from the external interface to the internal interface; however, that opens up your network.. need to get by that.

If anyone out there is following this thread and wants to mess with this and try to figure out why the ids are not being used properly that would be great.
_________________
write quit bang

newfangled
n00b

Joined: 14 Jul 2003
Posts: 20
Location: London, England

PostPosted: Wed Nov 22, 2006 1:43 am

I've been playing with this for a while now.. (actually I tried a few months ago but then gave up and have been too busy until now) I've followed the new HOWTO (thanks btw) but can't get things working. I have both client and server behind NAT routers. But really I don't expect to know anything about the client's IP, routing etc.. for testing I do, but under normal circumstances it's down to whatever the hotel/coffee shop thinks is best :wink:

I've spent a good couple of days on Google and there is so much information (some conflicting) but mostly related to multi-homed hosts and not NAT-T nastiness.

I've applied the registry change to the Windows XP test client and plan to have OS X and XP SP2 clients. Here are the versions of my gentoo software:

Code:
[root@oak ~]# emerge -pv openswan ppp xl2tpd ipsec-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-misc/openswan-2.4.4  0 kB
[ebuild   R   ] net-dialup/ppp-2.4.3-r16  USE="gtk ipv6 pam -activefilter -atm -dhcp -eap-tls -mppe-mppc -radius" 0 kB
[ebuild   R   ] net-dialup/xl2tpd-1.1.05  0 kB
[ebuild   R   ] net-firewall/ipsec-tools-0.6.3  USE="ipv6 pam readline -idea -rc5 (-selinux)" 0 kB


Here's my ipsec.conf: (note for the purposes of this forum 1.2.3.4 is the WAN address on the server's router and 192.168.99.1 is the LAN side of the router. The server has 192.168.99.2 and the remote client is behind a router with a WAN IP of 5.6.7.8 and the remote subnet is DIFFERENT at 192.168.2.0/24)

Code:
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.99.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        authby=secret
        pfs=no
        type=tunnel

conn roadwarrior-net
        leftsubnet=192.168.99.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-osx-xp
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf


I've tried every combination of left, leftid, leftnexthop etc.. and with and without those roadwarrior-net|all entries.

Here's the log:
Code:
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: responding to Main Mode from unknown peer 5.6.7.8
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: Main mode peer ID is ID_FQDN: '@sequioa'
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: I did not send a certificate because I do not have one.
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: cannot respond to IPsec SA request because no connection is known for 1.2.3.4/32===192.168.99.2:17/1701...5.6.7.8[@sequioa]:17/1701
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: sending encrypted notification INVALID_ID_INFORMATION to 5.6.7.8:4500
Nov 22 00:36:02 [pluto] "roadwarrior"[2] 5.6.7.8 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x255feb6a (perhaps this is a duplicated packet)


I have only had success using the following in my roadwarrior config (and eliminating any conflicting parts obviously):

Code:
...
       left=%defaultroute
       leftsubnet=1.2.3.4/32
       right=%any
       rightsubnet=vhost:%no,%priv
       auto=add
...


When using this ipsec.conf I see the following in my log:

Code:
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: responding to Main Mode from unknown peer 5.6.7.8
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: Main mode peer ID is ID_FQDN: '@sequioa'
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: I did not send a certificate because I do not have one.
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 21 22:58:46 [pluto] "roadwarrior"[8] 5.6.7.8 #7: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: responding to Quick Mode {msgid:a74830e0}
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0x66f2baa9 <0xa6018990 xfrm=3DES_0-HMAC_MD5 NATD=5.6.7.8:4500 DPD=none}
Nov 21 22:58:53 [l2tpd] Maximum retries exceeded for tunnel 44988.  Closing._
Nov 21 22:58:53 [l2tpd] Connection 22 closed to 5.6.7.8, port 1701 (Timeout)_
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received Delete SA(0x66f2baa9) payload: deleting IPSEC State #8
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: deleting connection "roadwarrior-osx-xp" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received and ignored informational message
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received Delete SA payload: deleting ISAKMP State #7
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}


So this leads me to believe that at the very least my PSK and router setup is OK? However I think things should work with the first version of ipsec.conf based on this forum and others so my worry is I have been wasting all this time because openswan-2.4.4 doesn't really have the NAT-T patch despite it saying so in the logs??? Has anyone else used 2.4.4 successfully in a similar situation?

Thanks in advance for any help.
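The two log excerpts in this post are the kind of thing the earlier "tail -f /var/log/messages" advice produces, and the useful lines (NAT-T result, which SA got established, the "no connection is known for ..." selector) are easy to miss in the noise. The following is an added example, not code from the thread or from Openswan: it parses syslog-style `[pluto]` and `[l2tpd]` lines, summarises how far the negotiation got per peer, and turns the selector in a "cannot respond to IPsec SA request" line into a concrete hint about which leftsubnet/leftprotoport the peer is asking for. The sample lines are constructed from the excerpts above, with the thread's placeholder addresses (1.2.3.4, 5.6.7.8); the function names are this example's own.

```python
"""Summarise an Openswan/pluto + xl2tpd road-warrior negotiation from syslog.

Added example (not code from the thread or from Openswan): it reads
/var/log/messages-style lines like the ones posted above and reports, per
peer, how far IKE got, the NAT-T result and the first hard failure, so the
relevant lines stand out without reading the whole log.
"""
import re

# Constructed samples modelled on the log excerpts in the thread
# (1.2.3.4 / 5.6.7.8 are the placeholder addresses used there).
SAMPLE_FAIL = """\
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: responding to Main Mode from unknown peer 5.6.7.8
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: cannot respond to IPsec SA request because no connection is known for 1.2.3.4/32===192.168.99.2:17/1701...5.6.7.8[@sequioa]:17/1701
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: sending encrypted notification INVALID_ID_INFORMATION to 5.6.7.8:4500
"""
SAMPLE_L2TP = """\
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0x66f2baa9 <0xa6018990 xfrm=3DES_0-HMAC_MD5 NATD=5.6.7.8:4500 DPD=none}
Nov 21 22:58:53 [l2tpd] Maximum retries exceeded for tunnel 44988.  Closing.
Nov 21 22:58:53 [l2tpd] Connection 22 closed to 5.6.7.8, port 1701 (Timeout)
"""

# "conn"[instance] peer [#state]: message
PLUTO_RE = re.compile(r'\[pluto\] "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #\d+)?: (?P<msg>.*)')
# leftsubnet===left[<nexthop>][id]:proto/port...right[<nexthop>][id]:proto/port[===rightsubnet]
SELECTOR_RE = re.compile(
    r"no connection is known for (?P<lsub>\S+?)===(?P<lhost>[\d.]+)(?:<[^>]*>)?(?:\[[^\]]*\])?"
    r":(?P<lproto>\d+)/(?P<lport>\d+)\.\.\.(?P<rhost>[\d.]+)(?:<[^>]*>)?(?:\[(?P<rid>[^\]]*)\])?"
    r":(?P<rproto>\d+)/(?P<rport>\d+)(?:===(?P<rsub>\S+))?")
L2TP_RE = re.compile(r"(?:\[x?l2tpd\]|x?l2tpd\[\d+\]:) (?P<msg>.*)")


def new_summary(conn):
    return {"conn": conn, "nat": None, "isakmp_sa": False, "ipsec_sa": False,
            "failure": None, "requested": None, "notifications": [], "l2tp_timeout": False}


def triage(log_text):
    """Return {peer_ip: summary} built from pluto and (x)l2tpd syslog lines."""
    peers, last_peer = {}, None
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            conn, peer, msg = m.group("conn", "peer", "msg")
            s = peers.setdefault(peer, new_summary(conn))
            s["conn"] = conn          # Quick Mode may switch to a more specific conn
            last_peer = peer
            if msg.startswith("NAT-Traversal: Result"):
                s["nat"] = msg.rsplit(": ", 1)[-1]
            elif "ISAKMP SA established" in msg:
                s["isakmp_sa"] = True
            elif "IPsec SA established" in msg:
                s["ipsec_sa"] = True
            elif msg.startswith("cannot respond") and s["failure"] is None:
                s["failure"] = msg
                sel = SELECTOR_RE.search(msg)
                s["requested"] = sel.groupdict() if sel else None
            elif msg.startswith("sending encrypted notification"):
                s["notifications"].append(msg.split()[3])
            continue
        m = L2TP_RE.search(line)
        if m and last_peer and ("Maximum retries exceeded" in m["msg"] or "(Timeout)" in m["msg"]):
            peers[last_peer]["l2tp_timeout"] = True   # IPsec was fine, L2TP control channel died
    return peers


def verdict(s):
    """One-line diagnosis naming the layer to look at next."""
    if not s["isakmp_sa"]:
        return "IKE phase 1 never completed: check the PSK, NAT-T settings and the IDs on both ends"
    if not s["ipsec_sa"]:
        r = s["requested"]
        if r:
            return ("IKE phase 2 failed: peer wants local selector %s on host %s, proto %s/%s, to %s%s; "
                    "no loaded conn matches, e.g. leftsubnet=%s with leftprotoport=%s/%s"
                    % (r["lsub"], r["lhost"], r["lproto"], r["lport"], r["rhost"],
                       "[%s]" % r["rid"] if r["rid"] else "", r["lsub"], r["lproto"], r["lport"]))
        return "IKE phase 2 failed: " + (s["failure"] or "no IPsec SA established")
    if s["l2tp_timeout"]:
        return "IPsec SA is up but L2TP timed out: look at xl2tpd and the rules for UDP/1701, not at IPsec"
    return "IPsec SA established on conn %s" % s["conn"]


if __name__ == "__main__":
    for name, text in (("first ipsec.conf", SAMPLE_FAIL), ("leftsubnet=1.2.3.4/32", SAMPLE_L2TP)):
        for peer, summary in triage(text).items():
            print("%s: %s -> %s" % (name, peer, verdict(summary)))
```

Run on the first excerpt it reports that phase 1 completed behind NAT on both sides and that the peer asked for 1.2.3.4/32 as the server-side selector (the router's public address, not the server's 192.168.99.2), which is exactly why the leftsubnet=1.2.3.4/32 conn works; on the second excerpt it separates the IPsec layer (fine) from the L2TP timeout.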

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Mon Jan 01, 2007 4:10 pm

You should try OpenSwan 2.4.7 (actually masked by ~ARCH). It includes fixes for NAT-T [EDIT: client-side] implementations including those by Microsoft. Set leftnexthop to the LAN address of your internet router. I tried it and it works (well, almost) perfectly as I can make a successful connection to the NAT'ed server from my NAT'ed Windows workstation. Note my server currently crashes when the connection is closed but I might have just missed something.

Just my 2c.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!


Last edited by VinzC on Mon Jan 01, 2007 4:58 pm; edited 1 time in total

newfangled
n00b

Joined: 14 Jul 2003
Posts: 20
Location: London, England

PostPosted: Mon Jan 01, 2007 4:50 pm

Thanks for the tip, I hadn't noticed the addition of the 2.4.7 ebuild since I got this up and running. I created an overlay for the 2.4.4 with the NAT-T patch added to the portage provided patch file and it works well with all my clients. My config files are as stated above and if anyone wants more information about the overlay I will provide it, but it wasn't difficult to figure it out.

I'll play with the masked ebuild and see if it is a better solution. I don't have a problem with crashes after disconnection so maybe it is something in the latest ebuild.

One thing I would say is that the connection can be really slow at times.. it can take a while just to refresh window contents of samba shares when viewed over the VPN. What kind of performance are other people seeing? How much upstream bandwidth do you have?

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Mon Jan 01, 2007 4:57 pm

I already experienced slow connections the first time I played with OpenSwan. Once the load increased the line seemed to drop down completely. You might be experiencing such kinds of problems.

As for the bandwidth I still have to do some more tests. But I must first get the server back on :lol: and it's about 25 miles from where I am ATM...
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Tue Jan 02, 2007 2:56 pm

I am thinking about trying the latest ~ openswan again. I had the same error as you but I want to try your leftnexthop=lanip. You're scaring me a bit with the server "crashing"; can you explain what happens?

FWIW I have never had any speed issues.. 768k up 1M down.
_________________
write quit bang

newfangled
n00b

Joined: 14 Jul 2003
Posts: 20
Location: London, England

PostPosted: Tue Jan 02, 2007 3:14 pm

VinzC wrote:

As for the bandwidth I still have to do some more tests. But I must first get the server back on :lol: and it's about 25 miles from where I am ATM...


Heh so crashing after closing a session must be tons of fun for you :D

I've done some more testing where I VNC (via ssh) to a client box and then connect to the VPN and it seems fine with one or two users (all I need) so there must have been another reason for the speed issues. The server is a Pentium D and it doesn't break a sweat but the ADSL at that site is only 256k UP 2M DOWN.

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Tue Jan 02, 2007 5:37 pm

Well, the server didn't crash. I saw from the logs this morning that it got back control again an hour and a half later. There were probably network problems at that very moment, a true coincidence. I made another connection attempt, successful this time. So I have some more opportunities for testing later on :-) .
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Tue Jan 02, 2007 6:24 pm

Ah, well, I gave it a go anyway. All good on my end. Thanks for the info.


The Howto on my site is also now fully up to date and in sync with my current system.
_________________
write quit bang

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Wed Jan 03, 2007 9:57 am

dashnu wrote:
Ah, well, I gave it a go anyway. All good on my end. Thanks for the info.


The Howto on my site is also now fully up to date and in sync with my current system.

Good to know. BTW, didn't you have to unmask (keyword) OpenSwan? I'm currently trying to set up OpenSwan as a client; see you soon for feedback :-) .

Also, just a little note: would you mind not forcing a new window (using JScript) in your Howto? I know you can tweak Firefox to stay in single-window mode, but it is best to let the visitor decide whether to open a new window or a new tab.

EDIT: Ah, yes, one more detail, I didn't have (until now) to duplicate lines (with user accounts and peer IP flipped) in /etc/ppp/chap.secrets. It seems to work correctly with user account in the leftmost column and the server (the star sign) in the second one. Maybe it's ppp-2.4.* specific :?:
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Wed Jan 03, 2007 10:18 am

As for the speed issues, a friend who has good knowledge of FreeSwan told me that the slowdown could be caused by exchanging packets of larger size. Since IPSEC encapsulates IP (correct?), unnecessary packet fragmentation might occur. If I understood correctly, one has to play a little with MTU values to fix the problem.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

dashnu
l33t

Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Wed Jan 03, 2007 4:43 pm

VinzC wrote:

Good to know. BTW didn't you have to unmask (keyword) OpenSwan? I'm currently trying to setup OpenSwan as client; see you soon for feedback :-) .


Yeah, I will update that.
VinzC wrote:

Also, just a little note: would you mind not forcing a new window (using JScript) in your Howto? I know you can tweak Firefox to stay in single-window mode but it is best to let the visitor decide whether a new window or a new tab.

I am far from a web developer... and the response you will get from me is use the direct link.

VinzC wrote:

EDIT: Ah, yes, one more detail, I didn't have (until now) to duplicate lines (with user accounts and peer IP flipped) in /etc/ppp/chap.secrets. It seems to work correctly with user account in the leftmost column and the server (the star sign) in the second one. Maybe it's ppp-2.4.* specific :?:


Interesting, I will mess around with this a bit. Thanks for the info.

As to the MTU stuff: I have been tinkering with it for about a month now. This can be a problem, especially with DSL users. One of my end-users' connection terminates while sending large packets. I have tried everything, fiddling with ICMP filters, PMTU discovery... still no luck. I would question if MTU could cause slowdown; I would think the fragmented packet would just get lost on either end. A side note: be careful when messing with MTU directly on your interfaces, you could lock yourself out.
_________________
write quit bang

VinzC
Watchman

Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

PostPosted: Wed Jan 03, 2007 11:44 pm    Post subject: Successful connection: Linux Client

Hi again.

I've just made a successful connection between a NAT'ed OpenSwan server and:
  1. NAT'ed Windows XP;
  2. a Gentoo Linux client that is directly connected to the Internet.

I've followed Jacco de Leeuw's guide, but it was incomplete to some extent; I've somehow guessed the missing information. The IPSec/secrets configuration has driven me mad, but I've got it working now :twisted: . Here are my *client* configuration files for a road-warrior config :!: using PSK :!: .

/etc/ipsec/ipsec.secrets:
#Openswan Secrets File
# Syntax:
# Client FQDNS/public IP address, Remote server internal IP, "PSK", shared secret
client.public.fqdns 1.2.3.4 : PSK "biglongl0ngsh@reds3cret"

Note:
  • Use client.public.fqdns if you have one or your [fixed] public IP address (not quite road-warrior, I know ;-) ). For instance I have subscribed to DynDNS since my IP address is variable and set by my ISP. If you don't have a fully qualified DNS and have a variable IP address, then... er... things get nasty - I haven't got that far yet ;-) .
  • 1.2.3.4 is the LAN IP address of your VPN server (remember it's behind NAT)
/etc/ipsec/ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        nat_traversal=yes
        nhelpers=0
conn exclude-lo
        authby=never
        left=127.0.0.1
        leftsubnet=127.0.0.0/8
        right=127.0.0.2
        rightsubnet=127.0.0.0/8
        type=passthrough
        auto=route
conn L2TP-PSK-CLIENT
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        left=%defaultroute
        leftid=client.public.fqdns
        leftprotoport=17/1701
        right=123.123.123.123
        rightid=1.2.3.4
        rightsubnet=1.2.3.0/24
        rightprotoport=17/1701
        auto=add
include /etc/ipsec/ipsec.d/examples/no_oe.conf

Note:
  • 123.123.123.123 is your VPN server's *public* IP address but a fully qualified domain name string can be used - the latter depends on proper DNS resolution. I used the FQDNS (another DynDNS record) since my server's public IP is variable.
  • Address 1.2.3.4 refers to the VPN server's local IP in /etc/ipsec/ipsec.secrets.

Run /etc/init.d/ipsec [re]start. You can make sure the ipsec link establishes properly:

ipsec auto --up L2TP-PSK-CLIENT:
104 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [Dead Peer Detection]
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [RFC 3947] method set to=110
106 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP-PSK-CLIENT" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
108 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I1: initiate
004 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1d12308b <0xda528de9 xfrm=AES_0-HMAC_SHA1 NATD=123.123.123.123:4500 DPD=none}

Next, create the l2tp configuration file. I have installed (masked by ~ARCH) xl2tpd 1.1.06 on both my server and client.

/etc/xl2tpd/xl2tpd.conf:
; Connect as a client to a server at client.public.fqdns
[lac L2TP-CLIENT]
lns = client.public.fqdns
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication!
name = pppusername
ppp debug = yes
pppoptfile = /etc/ppp/options-client.xl2tpd
length bit = yes

Now the global ppp client options file. (You must create a separate option file if you're also running a VPN server on the client machine.)

/etc/ppp/options-client.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
noipdefault
refuse-eap
noccp
noauth
# crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

The noipdefault keyword is required to get an IP address from the range defined at the server's side (in the server's /etc/xl2tpd/xl2tpd.conf). Example:

/etc/xl2tpd/xl2tpd.conf:
; l2tpd.conf
;
[global]
port = 1701

[lns default]
ip range = 1.2.3.200-1.2.3.209
local ip = 1.2.3.4
...

Run /etc/init.d/xl2tpd [re]start and finally create/edit the ppp secrets file:

/etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
pppusername     *       password                *

Initiate the connection with echo "c L2TP-CLIENT" > /var/run/l2tp-control (if ipsec link is still active). Make sure module ppp_async is loaded:

lsmod | grep ppp:
ppp_async               7488  0
ppp_generic            15764  1 ppp_async
slhc                    5504  1 ppp_generic
crc_ccitt               1792  1 ppp_async

You should see something like this in the log:

echo "c L2TP-CLIENT" > /var/run/l2tp-control:
Jan  3 23:30:42 athena xl2tpd[28453]: Connecting to host client.public.fqdns, port 1701
Jan  3 23:30:44 athena xl2tpd[28453]: Connection established to 123.123.123.123, 1701.  Local: 64636, Remote: 63141 (ref=0/0).
Jan  3 23:30:44 athena xl2tpd[28453]: Calling on tunnel 64636
Jan  3 23:30:44 athena xl2tpd[28453]: check_control: Received out of order control packet on tunnel 63141 (got 0, expected 1)
Jan  3 23:30:44 athena xl2tpd[28453]: handle_packet: bad control packet!
Jan  3 23:30:44 athena xl2tpd[28453]: check_control: Received out of order control packet on tunnel 63141 (got 0, expected 1)
Jan  3 23:30:44 athena xl2tpd[28453]: handle_packet: bad control packet!
Jan  3 23:30:44 athena xl2tpd[28453]: Call established with 123.123.123.123, Local: 19192, Remote: 12178, Serial: 3 (ref=0/0)
Jan  3 23:30:44 athena pppd[32172]: pppd 2.4.4 started by root, uid 0
Jan  3 23:30:44 athena pppd[32172]: using channel 4
Jan  3 23:30:44 athena pppd[32172]: Using interface ppp0
Jan  3 23:30:44 athena pppd[32172]: Connect: ppp0 <--> /dev/pts/3
Jan  3 23:30:44 athena pppd[32172]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0x2d3cf00b> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MD5> <magic 0xaab13ac0> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: sent [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MD5> <magic 0xaab13ac0> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <magic 0x2d3cf00b> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [CHAP Challenge id=0xda <2f8e0cb3fc5e533ac4c506565703f73bb839>, name = "LinuxVPN"]
Jan  3 23:30:44 athena pppd[32172]: sent [CHAP Response id=0xda <d6a439dac48ec8cd8a03eddd11702f63>, name = "pppusername"]
Jan  3 23:30:45 athena pppd[32172]: rcvd [CHAP Success id=0xda "Access granted"]
Jan  3 23:30:45 athena pppd[32172]: CHAP authentication succeeded: Access granted
Jan  3 23:30:45 athena pppd[32172]: CHAP authentication succeeded
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 1.2.3.4>]
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 1.2.3.4>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfNak id=0x1 <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: Cannot determine ethernet address for proxy ARP
Jan  3 23:30:45 athena pppd[32172]: local  IP address 1.2.3.200
Jan  3 23:30:45 athena pppd[32172]: remote IP address 1.2.3.4
Jan  3 23:30:45 athena pppd[32172]: Script /etc/ppp/ip-up started (pid 32173)
Jan  3 23:30:45 athena pppd[32172]: Script /etc/ppp/ip-up finished (pid 32173), status = 0x1

Here are the full commands to initiate and close the VPN connection (respectively):

Code:
ipsec auto --up L2TP-PSK-CLIENT && echo "c L2TP-CLIENT" > /var/run/l2tp-control

Code:
echo "d L2TP-CLIENT" > /var/run/l2tp-control && ipsec auto --down L2TP-PSK-CLIENT

Don't forget to add a route to subnet 1.2.3.0/24:
Code:
route add -net 1.2.3.0/24 dev ppp0

After this I was able to ping any machine in the remote LAN, including the server, of course.

Here are the packages I used:
  • net-misc/openswan-2.4.7
  • net-firewall/ipsec-tools-0.6.3
  • net-dialup/xl2tpd-1.1.06
  • net-dialup/ppp-2.4.4-r4
Hope this helped. Please post if you have any comment or question.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
dashnu
l33t
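The bring-up, teardown and route steps above, together with a check of the pppd log the post quotes, as an added shell example: this is not code from the thread or from the openswan/xl2tpd projects. It assumes pppd logs to syslog in the format quoted above and that the remote LAN is the /24 containing the remote IP, as in the post; the embedded sample log lines are constructed from the post's own values. The `check` mode refuses to call the session healthy when /etc/ppp/ip-up exited non-zero, which is exactly what the quoted log shows (`status = 0x1`).

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the post's commands and
# verifies the pppd session from its syslog lines before the route is added.
# Assumptions (not on the page): pppd logs to syslog in the quoted format and
# the remote LAN is the /24 that contains the remote IP.

IPSEC_CONN="L2TP-PSK-CLIENT"        # connection names from the post
L2TP_CONN="L2TP-CLIENT"
L2TP_CONTROL="/var/run/l2tp-control"
PPP_DEV="ppp0"

# Constructed sample: the relevant pppd lines from the post (same values).
SAMPLE_LOG='Jan  3 23:30:44 athena pppd[32172]: rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MD5> <magic 0xaab13ac0> <pcomp> <accomp>]
Jan  3 23:30:45 athena pppd[32172]: CHAP authentication succeeded
Jan  3 23:30:45 athena pppd[32172]: local  IP address 1.2.3.200
Jan  3 23:30:45 athena pppd[32172]: remote IP address 1.2.3.4
Jan  3 23:30:45 athena pppd[32172]: Script /etc/ppp/ip-up finished (pid 32173), status = 0x1'

vpn_up() {    # exactly the post's bring-up sequence
    ipsec auto --up "$IPSEC_CONN" && echo "c $L2TP_CONN" > "$L2TP_CONTROL"
}

vpn_down() {  # exactly the post's teardown sequence
    echo "d $L2TP_CONN" > "$L2TP_CONTROL" && ipsec auto --down "$IPSEC_CONN"
}

# Print the address pppd logged for "local" or "remote" ($1); log text on stdin.
ppp_ip() {
    sed -n "s/.*pppd\[[0-9]*\]: $1 *IP address \([0-9.]*\).*/\1/p" | tail -n 1
}

# Print the authentication protocol the server asked for in its LCP ConfReq.
ppp_auth() {
    sed -n 's/.*rcvd \[LCP ConfReq.*<auth \([^>]*\)>.*/\1/p' | tail -n 1
}

# Print the exit status of /etc/ppp/ip-up as pppd logs it (hex digits after 0x).
ppp_ipup_status() {
    sed -n 's/.*Script \/etc\/ppp\/ip-up finished.*status = 0x\([0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Build the route command from the remote IP, assuming the /24 the post uses.
route_cmd() {
    net=$(printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.0/24", $1, $2, $3 }')
    printf 'route add -net %s dev %s\n' "$net" "$PPP_DEV"
}

# Read pppd log text on stdin; return 0 only if the session is healthy:
# CHAP succeeded, both addresses were assigned, and ip-up exited 0.
check_session() {
    log=$(cat)
    rc=0
    if ! printf '%s\n' "$log" | grep -q 'CHAP authentication succeeded'; then
        echo "check: no successful CHAP authentication logged" >&2; rc=1
    fi
    auth=$(printf '%s\n' "$log" | ppp_auth)
    echo "check: server requested auth: ${auth:-none}" >&2
    local_ip=$(printf '%s\n' "$log" | ppp_ip local)
    remote_ip=$(printf '%s\n' "$log" | ppp_ip remote)
    if [ -z "$local_ip" ] || [ -z "$remote_ip" ]; then
        echo "check: IPCP did not assign both addresses" >&2; rc=1
    else
        echo "check: tunnel $local_ip <-> $remote_ip; next: $(route_cmd "$remote_ip")" >&2
    fi
    st=$(printf '%s\n' "$log" | ppp_ipup_status)
    if [ "${st:-0}" != "0" ]; then
        echo "check: /etc/ppp/ip-up exited with status 0x$st; fix it before relying on the tunnel" >&2; rc=1
    fi
    return $rc
}

case "${1:-}" in
    up)    vpn_up ;;
    down)  vpn_down ;;
    check) check_session < "${2:-/var/log/messages}" ;;
    demo)  printf '%s\n' "$SAMPLE_LOG" | check_session ;;
esac
```

Run it as `sh vpn-client.sh up`, `sh vpn-client.sh check /var/log/messages` or `sh vpn-client.sh demo` to exercise the check against the embedded sample. The `auth` line it prints is worth reading: the PPP credentials travel inside the IPsec tunnel, but at the PPP layer PAP would send them in the clear, so you want to see the server asking for CHAP, as the quoted log shows.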


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Thu Jan 04, 2007 2:29 pm    Post subject: Reply with quote

Good info man. I am going to test this today. Mind if I add it to my howto? I will give you credit.

It is kind of a bummer that we have to go through all this to nail up a Linux client. Using PSK, leftid / rightid do not seem to work, and if you have another conn like I described in the thread somewhere (straight ipsec / ipsec) the roadwarrior conn will not properly identify to the correct connection.

I am working on setting up my own CA and using certs. I am having a few troubles but will post that info once I get it working. This is how it _should_ be done in production. Once certs are working, connections will identify correctly and we can then use just ipsec for Linux clients.

Thanks again.
_________________
write quit bang
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Thu Jan 04, 2007 2:38 pm    Post subject: Reply with quote

Just noticed you have the client external IP in ipsec.secret; does %any work?
_________________
write quit bang
newfangled
n00b


Joined: 14 Jul 2003
Posts: 20
Location: London, England

PostPosted: Thu Jan 04, 2007 3:51 pm    Post subject: Reply with quote

I have a CA and use certs, let me know what you need help with.

As for MTU, I played with that when I set this up but didn't want to take it too low, as the VPN usage is only ever going to be light and I didn't want to compromise the other activities this server is used for. It works, but I guess I just expected more responsive performance as I am used to ssh, vnc, and X11 forwarding over the same connection.
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

PostPosted: Thu Jan 04, 2007 4:38 pm    Post subject: Reply with quote

So, I went through this howto http://www.natecarlson.com/linux/ipsec-l2tp.php for certs. I get all the way to the end without problems but I cannot convert it to pk12.

Code:
frogger sslca # openssl pkcs12 -export -in danp-laptop/danp.client.pem -inkey danp-laptop/danp.client.key -certfile demoCA/cacert.pem -out danp-client.p12
unable to load private key


I must be missing something...

What guide did you follow?
_________________
write quit bang
newfangled
n00b


Joined: 14 Jul 2003
Posts: 20
Location: London, England

PostPosted: Thu Jan 04, 2007 5:33 pm    Post subject: Reply with quote

Can you post a recursive listing of everything under your sslca directory? The howto looks correct; the most obvious place for an error is after the signing step, not moving the newcert.pem and newreq.key to your danp-laptop directory. That is why I asked for the directory listing.

I already had a CA set up for signing certs used with courier-imap, apache, etc. So I just created host requests, signed them and then did the PKCS12 export. When I get home I can check the steps I took.
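A pre-flight check for the PKCS#12 export step discussed in the last few posts, as an added shell example: it is not code from the thread or from the linked howto. `unable to load private key` from `openssl pkcs12` is OpenSSL's generic message for a key file that is missing, is not a PEM private key (a CSR or certificate handed in by mistake, the kind of mix-up the reply above describes), or is passphrase-protected; the helper loads the key on its own first and then confirms its public key matches the certificate, so the problem is reported before the export is attempted. The `demo` mode builds a throwaway key and self-signed certificate with openssl; the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that a private key loads
# and belongs to the certificate before running the post's pkcs12 export.
# Assumption: the openssl CLI is installed; all file names are hypothetical.

# check_keypair CERT KEY -> 0 if KEY loads and its public key matches CERT.
check_keypair() {
    cert=$1; key=$2
    # This is the step that produces "unable to load private key" in the post.
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "check: openssl cannot load '$key' as a private key (missing file, not a PEM key, or encrypted without a passphrase)" >&2
        return 1
    fi
    # Compare SHA-256 of the DER public key taken from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check: '$key' does not belong to '$cert'" >&2
        return 1
    fi
    echo "check: key matches certificate" >&2
}

# export_p12 CERT KEY CACERT OUT -> the post's export, run only after the check passes.
export_p12() {
    check_keypair "$1" "$2" || return 1
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4"
}

# Build throwaway material and confirm the check passes and fails where it should.
demo_keypair() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=added-example" \
        -keyout "$d/client.key" -out "$d/client.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
    rc=0
    check_keypair "$d/client.pem" "$d/client.key" 2>/dev/null || rc=1            # matching pair: must pass
    if check_keypair "$d/client.pem" "$d/other.key" 2>/dev/null; then rc=1; fi   # foreign key: must fail
    if check_keypair "$d/client.pem" "$d/client.pem" 2>/dev/null; then rc=1; fi  # cert handed in as key: must fail
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    check)  check_keypair "$2" "$3" ;;
    export) export_p12 "$2" "$3" "$4" "$5" ;;
    demo)   demo_keypair && echo "demo: all checks behaved as expected" ;;
esac
```

Usage: `sh p12-check.sh check danp-laptop/danp.client.pem danp-laptop/danp.client.key` reproduces the diagnosis on the files from the post, and `sh p12-check.sh export CERT KEY CACERT OUT.p12` runs the export only once the key loads and matches. Keeping the match test separate from the export also catches the quieter failure where the key loads fine but was generated for a different request.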