As the original author of the undeadly.org article I can state that the info in it is
still partially valid, except for the npppd.conf part.
So here it goes:
tunnel L2TP protocol l2tp {
listen on 1.2.3.4
l2tp-hostname "vpn"
l2tp-vendor-name "OpenBSD"
l2tp-accept-dialin yes
mru 1360
lcp-timeout 18
authentication-method mschapv2
tcp-mss-adjust yes
pipex yes
mppe no
# ingress-filter yes
}
ipcp IPCP {
pool-address "172.17.0.0/24"
dns-servers 172.16.0.1
allow-user-selected-address no
}
interface tun0 address 172.17.0.1 ipcp IPCP
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
authentication RADIUS type radius {
authentication-server {
address 172.16.0.231 secret "SECRETPASSWORD"
}
accounting-server {
address 172.16.0.231 secret "SECRETPASSWORD"
}
}
bind tunnel from L2TP authenticated by RADIUS to tun0
Below comes ipsec.conf. Working with OSX and Win7 (Win8).
ike passive esp transport \
proto udp from 1.2.3.4 to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "P4SSWORD" \
tag rwarrior
This setup is on 5.4-current
//mxb
On 22 jul 2014, at 13:05, chenghan tv <[email protected]> wrote:
> OpenBSD L2TP/IPSec will work behind a Linux NAT port forwarding with
> iptables, based on my previous experience. iOS and OSX VPN clients work
> fine, but not working for Windows. FYI.
>
> Gordon Turner <[email protected]> wrote:
>
>> On 2014-07-22 05:33, Daniel Polak wrote:
>>
>>> I'll give it a go with what I found but if anyone who has it working
>>> with local authentication can post their ipsec.conf and npppd.conf, I
>>> would appreciate it!
>>>
>>
>> Here are my notes, granted I am in the middle of getting things sorted
>> out, so these are not validated.
>>
>>
>> NOTE: My current issue is that I am trying to run this behind a router /
>> firewall, which is likely the source of my problems.
>>
>>
>> I am getting an old laptop setup to test the configuration with OpenBSD as
>> the router / firewall.
>>
>> In the notes below the ipsec.conf, `public_ip` should be the public ip on
>> the internet, if you place the OpenBSD box as the router / firewall.
>>
>>
>> - References:
>> http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
>> http://undeadly.org/cgi?action=article&sid=20120427125048
>> http://comments.gmane.org/gmane.os.openbsd.misc/209636
>> http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
>> http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
>>
>> - Claims to have it working, on internet facing machine:
>> https://www.mail-archive.com/[email protected]/msg125930.html
>>
>> - Reference for supported protocols and authentication methods for iOS:
>> http://support.apple.com/kb/HT1288
>>
>>
>> ---
>>
>>
>> Requirements
>> -----------
>> - Using OpenBSD 5.5 as a VPN end point for iOS 7.0 and OSX 10.9 clients.
>> - Support for iOS, preferably native VPN client
>> - Support for OSX, preferably native VPN client
>>
>> - VPN endpoint running on an internal server.
>> - Forwarding appropriate ports from a router.
>>
>>
>> Description
>> -----------
>> - Use npppd, IPsec and Packet Filter (pf).
>> - Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
>> `/etc/ipsec.conf` and `/etc/pf.conf`.
>>
>>
>> npppd Setup
>> -----------
>> - npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
>> L2TP, PPTP, and PPPoE.
>>
>> - Reference: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?&manpath=OpenBSD-current&sec=8&query=npppd
>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?&manpath=OpenBSD-current&sec=5&query=npppd.conf
>>
>>
>> - Example of L2TP that authenticates using a local file.
>> - Example npppd.conf file, `/etc/npppd/npppd.conf`:
>> ```
>> authentication LOCAL type local {
>> users-file "/etc/npppd/npppd-users"
>> }
>>
>> tunnel L2TP_ipv4 protocol l2tp {
>> listen on 0.0.0.0
>> }
>>
>> ipcp IPCP {
>> pool-address 192.168.2.150-192.168.2.199
>> dns-servers 8.8.8.8
>> }
>>
>> interface pppx0 address 192.168.2.1 ipcp IPCP
>> bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
>> ```
>> - NOTE: `pool-address` values should be a block of addresses in the same
>> subnet of the internal network.
>> - NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
>> servers should be used if available.
>>
>>
>> - Example npppd-users file, `/etc/npppd/npppd-users`:
>> ```
>> jtest: \
>> :password=SEEKRIT:\
>> :framed-ip-address=192.168.2.150:
>> ```
>> - NOTE: Replace `SEEKRIT` with your password.
>> - NOTE: The `framed-ip-address` value should be in the `pool-address`
>> block from `/etc/npppd/npppd.conf`.
>>
>>
>> IPsec Setup
>> -----------
>> - IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
>> Authentication Header (AH), which provide security services for IP
>> datagrams.
>>
>> - Reference:
>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?&manpath=OpenBSD-current&query=ipsec
>>
>>
>> - Example ipsec.conf file, `/etc/ipsec.conf`:
>> ```
>> public_ip = "192.168.2.2"
>>
>> ike passive esp transport \
>> proto udp from $public_ip to any port 1701 \
>> main auth "hmac-sha1" enc "aes" group modp1024 \
>> quick auth "hmac-sha1" enc "aes" \
>> psk "SEEKRIT"
>> ```
>> - NOTE: Replace `192.168.2.2` with the IP of the server.
>> - NOTE: Replace `SEEKRIT` with your password.
>>
>>
>> Packet Filter Setup
>> -------------------
>> - Packet Filter is OpenBSD's system for filtering TCP/IP traffic and doing
>> Network Address Translation.
>>
>> - Reference:
>> http://www.openbsd.org/faq/pf/
>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4?&manpath=OpenBSD-current&arch=amd64&query=pf
>>
>>
>> - Example pf.conf file, `/etc/pf.conf`:
>> ```
>> pass quick proto { esp, ah } from any to any
>> pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
>> pass on enc0 from any to any keep state (if-bound)
>> ```
>>
>> sysctl Changes
>> --------------
>> - NOTE: Not sure if needed.
>>
>> - Make changes to `/etc/sysctl.conf` and reboot
>> ```
>> ...
>> # CHANGED
>> net.inet.ip.forwarding=1
>> ...
>> # CHANGED
>> net.pipex.enable=1
>> ...
>> ```
>> ```
>> sudo reboot
>> ```
>>
>>
>> NAT and Port Forwarding
>> -----------------------
>> - If the VPN end point is behind a NATed firewall the following ports must
>> be forwarded:
>> - UDP 500 - Internet Key Exchange (IKE)
>> - UDP 1701 - L2TP traffic
>> - UDP 4500 - IPSec Network Address Translation (NAT-T)
>>
>>
>> Startup
>> -------
>> - Apply pf.conf rules:
>> ```
>> sudo pfctl -f /etc/pf.conf
>> ```
>>
>> - Start isakmpd:
>> ```
>> sudo /etc/rc.d/isakmpd -f start
>> ```
>>
>> - Apply ipsec rules:
>> ```
>> sudo ipsecctl -v
>> ```
>>
>> ```
>> sudo isakmpd -K -d
>> ```
>> - NOTE: -d starts in foreground
>>
>>
>> - Start npppd:
>> ```
>> sudo /usr/sbin/npppd -d
>> ```
>> - NOTE: -d starts in foreground
>>
>>
>> Monitoring
>> ----------
>> - To monitor npppd vpn sessions use npppctl:
>> ```
>> npppctl session all
>> ```
>>
>> - Reference:
>> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppctl.8?&manpath=OpenBSD-current&sec=8&query=npppctl
>>
>> - To monitor ipsec use ipsecctl:
>> ```
>> sudo ipsecctl -s all
>> ```
>>
>>
>> Start ipsec and isakmpd at Boot
>> -------------------------------
>> - Add following to /etc/rc.conf.local to start isakmpd at boot:
>> ```
>> isakmpd_flags="-K"
>> ipsec=YES
>> ```