AndroidL2TPPSKServer
From LinodeWiki
Android 2.2 IPSEC L2TP-PSK Server using a Debian Linode VPS
Created by Peter Payne on 2010-11-30 after successfully building and installing OpenSwan (IPSEC) and xl2tpd (L2TP). No kernel changes were required. He particularly wanted to use his Android 2.2 phones on open networks and was concerned that there were few straightforward guides on how to support these clients on Linux hosts. The following instructions were also executed on another provider's virtual hosts. Edits are welcome if they add clarity or functionality (e.g. support for more than one client simultaneously, which is unsupported in the first draft of this page). Also note that kernel recompiling is out of bounds for this guide; it was designed to be relatively straightforward to implement.
PSK stands for Pre-Shared Key.
Credit to http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/ for providing the base for this article.
Note that in the example below we have to choose a virtual private network for connected clients. I've chosen 10.152.2.0/24 because it is unlikely to conflict with other VPN addresses that might be assigned to your phone.
OpenSwan (IPSEC)
I tried using apt-get openswan but was getting the error message "result_code_avp: avp is incorrect size." after successfully connecting to my tunnel but then being dropped a few seconds later. So I decided to compile the latest version of openswan.
Get the latest openswan, compile, and install manually:
- fetch from http://www.openswan.org/
- to make, apt-get install libgmp3-dev bison flex
- make programs
  - you may get the error "showhostkey.c:276: error: 'keybloblen' may be used uninitialized in this function" - easy fix, edit the file, and on line 276 add =0 to the declaration of keybloblen
  - you may also get the error "showhostkey.c:333: error: 'keybloblen' may be used uninitialized in this function" - easy fix, edit the file, and on line 333 add =0 to the declaration of keybloblen
  - you may get the error "
- make install (as root)
Edit /etc/ipsec.conf with:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=auto

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.2.3.4
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
NOTE: change the IP address 1.2.3.4 to whatever your eth0 address is (type ifconfig eth0 to find out if you don't know it). Parameter lines inside each section must stay indented, as above; a line starting in column 1 begins a new section.
NOTE 2: you must explicitly exclude, as shown above, the virtual network you are assigning to connected clients. Hence the %v4:!10.152.2.0/24 in the above configuration file.
Edit /etc/ipsec.secrets with:
1.2.3.4 %any: PSK "myipsecsecret"
NOTE: change the IP address 1.2.3.4 to whatever your eth0 address is (type ifconfig eth0 to find out if you don't know it).
In order for xl2tpd to run successfully you must run the following bit of code (which you may wish to add to the /etc/init.d/xl2tpd startup script); note that the final echo must be a separate command, after done:
for i in /proc/sys/net/ipv4/conf/*; do
    echo "$i"
    echo 0 > "$i/accept_redirects"
    echo 0 > "$i/send_redirects"
done
echo 1 > /proc/sys/net/ipv4/ip_forward
You can start OpenSwan (IPSEC) by running /etc/init.d/ipsec start.
After starting OpenSwan verify things are okay by running ipsec verify. You should see the following:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.31/K2.6.18.8-linode22 (netkey)
Checking for IPsec support in kernel                         [OK]
SAref kernel support                                         [N/A]
NETKEY detected, testing for disabled ICMP send_redirects    [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                               [OK]
Pluto listening for IKE on udp 500                           [OK]
Pluto listening for NAT-T on udp 4500                        [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]
If the 'ip' command isn't present install it using apt-get install iproute.
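The redirect and forwarding settings above have to hold on every interface, and ipsec verify only reports on them after the fact. As an added example (this is not code from the wiki page), the following shell functions apply the same settings and then verify them; the tree root is a parameter so the demonstration runs against a constructed stand-in for /proc/sys/net/ipv4 instead of the live kernel. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: apply the ICMP-redirect and
# IP-forwarding settings that xl2tpd/OpenSwan need, then verify them.
# $1 is the root of the sysctl tree (defaults to the real /proc/sys/net/ipv4).

# Write the page's settings: redirects off per interface, forwarding on.
apply_ipsec_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    for i in "$root"/conf/*; do
        [ -d "$i" ] || continue
        echo 0 > "$i/accept_redirects" || return 1
        echo 0 > "$i/send_redirects" || return 1
    done
    echo 1 > "$root/ip_forward"
}

# Print every setting that is still wrong; return 1 if any was found.
verify_ipsec_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    bad=0
    for i in "$root"/conf/*; do
        [ -d "$i" ] || continue
        for f in accept_redirects send_redirects; do
            if [ "$(cat "$i/$f")" != 0 ]; then
                echo "$i/$f is $(cat "$i/$f"), expected 0"
                bad=1
            fi
        done
    done
    if [ "$(cat "$root/ip_forward")" != 1 ]; then
        echo "$root/ip_forward is $(cat "$root/ip_forward"), expected 1"
        bad=1
    fi
    return $bad
}

# Constructed stand-in for /proc/sys/net/ipv4 (all, default, eth0) with the
# settings in the wrong state, so the functions can be shown without root.
make_fake_ipv4_tree() {
    root=$(mktemp -d)
    for iface in all default eth0; do
        mkdir -p "$root/conf/$iface"
        echo 1 > "$root/conf/$iface/accept_redirects"
        echo 1 > "$root/conf/$iface/send_redirects"
    done
    echo 0 > "$root/ip_forward"
    echo "$root"
}

# On the live system (as root): apply_ipsec_sysctls && verify_ipsec_sysctls
# Demonstration on the constructed tree:
demo_root=$(make_fake_ipv4_tree)
verify_ipsec_sysctls "$demo_root" >/dev/null && echo "unexpected: fresh tree already passes"
apply_ipsec_sysctls "$demo_root"
verify_ipsec_sysctls "$demo_root" && echo "sysctl settings verified under $demo_root"
rm -rf "$demo_root"
```

Run it once without arguments after the settings have been applied to see verify_ipsec_sysctls report on the real interfaces; any interface it names will also show up as a failed NETKEY line in ipsec verify.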
xl2tpd
Install the xl2tpd package using apt-get. Note that while this was found to be successful on a Linode VPS, it wasn't adequate on a difficult hosting provider. You may have to download the source and compile and install it (after running apt-get install libpcap-0.8-dev), as the apt-get package version 1.2.0 had problems with the pppol2tp driver. The latest version is available from xelerance.com.
Configure /etc/xl2tpd/xl2tpd.conf:
[global]
#ipsec saref = yes
ipsec saref = no
#debug tunnel = yes
#debug avp = yes

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
NOTE: the range of IP addresses to assign to clients should be taken from the selected virtual private network (in this case, 10.152.2.0/24), but you must reserve one address from that range for the local host, in this case .1. This is important, and it is why the IP range starts from .2.
Edit /etc/xl2tpd/l2tp-secrets and add (you may change the secret):
* * myl2tpsecret
Edit /etc/ppp/options.xl2tpd and add:
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Also edit /etc/ppp/chap-secrets:
# client    server    secret      IP-addresses
ppp         l2tpd     password    *
To test, run xl2tpd -D which will actually print out PPP error messages (whereas PPP error messages are not printed out when run through /etc/init.d/xl2tpd start).
When finished testing, run /etc/init.d/xl2tpd start. Note that connections may not succeed if iptables is in use, see below.
Note: only permits one connection at a time (cannot connect two devices simultaneously).
iptables
Add rules to /var/lib/iptables/active:
- to the *nat table:
[0:0] -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
- to the *filter table:
[0:0] -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
[0:0] -A INPUT -i eth0 -p 50 -j ACCEPT
[0:0] -A INPUT -i eth0 -p 51 -j ACCEPT
NOTE: the -s 10.152.2.0/24 option is not strictly necessary within the masquerade rule but prevents things going horribly wrong if you pick the wrong interface.
The following two rules don't appear to be used (no packets recorded by iptables when in place; clients behind NAT send ESP encapsulated in UDP port 4500 rather than as IP protocol 50):
- The -p 50 rule allows "ESP Encap Security Payload" packets.
- The -p 51 rule allows "AH Authentication Header" packets.
Reload using /etc/init.d/iptables restart.
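Three of the notes above depend on the same client network being written consistently: NOTE 2 in the OpenSwan section (the %v4:! exclusion in virtual_private), the xl2tpd note (local ip reserved outside ip range) and the iptables note (-s on the MASQUERADE rule). As an added example, not code from the wiki page, the shell script below checks all three against constructed excerpts of the files; the function names and the *_SAMPLE strings are this example's own, and it handles the /24 client network used on this page.

```shell
#!/bin/sh
# Added example, not from the wiki page: confirm that ipsec.conf, xl2tpd.conf
# and the iptables rules agree on the client network. The *_SAMPLE strings are
# constructed excerpts standing in for /etc/ipsec.conf, /etc/xl2tpd/xl2tpd.conf
# and /var/lib/iptables/active. Only a /24 client network is handled.

VPN_NET="10.152.2.0/24"

IPSEC_SAMPLE='config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24'

XL2TPD_SAMPLE='[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1'

IPTABLES_SAMPLE='*nat
[0:0] -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
COMMIT'

prefix24() { echo "${1%.*}"; }     # first three octets of a dotted quad
last_octet() { echo "${1##*.}"; }  # fourth octet

# NOTE 2: virtual_private must carry an explicit "!" exclusion of the client
# network. $1 = ipsec.conf text, $2 = network in CIDR form.
ipsec_excludes_vpn_net() {
    line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*virtual_private=//p')
    case ",$line," in
        *",%v4:!$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# xl2tpd note: "local ip" must sit inside the client network but outside the
# "ip range" handed out to clients. $1 = xl2tpd.conf text, $2 = network.
xl2tpd_local_ip_reserved() {
    net_prefix=$(prefix24 "${2%/*}")
    local_ip=$(printf '%s\n' "$1" | sed -n 's/^local ip *= *//p')
    range=$(printf '%s\n' "$1" | sed -n 's/^ip range *= *//p')
    lo=${range%-*}; hi=${range#*-}
    for a in "$local_ip" "$lo" "$hi"; do
        [ "$(prefix24 "$a")" = "$net_prefix" ] || return 1   # outside the /24
    done
    me=$(last_octet "$local_ip")
    if [ "$me" -ge "$(last_octet "$lo")" ] && [ "$me" -le "$(last_octet "$hi")" ]; then
        return 1   # the server address would also be handed to a client
    fi
    return 0
}

# iptables note: the MASQUERADE rule must be limited to the client network
# with -s. $1 = rules text, $2 = network.
masquerade_limited_to_vpn_net() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal for grep
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING .*-s $esc .*-j MASQUERADE"
}

# Run the three checks against the samples; return 0 only if all pass.
check_address_plan() {
    status=0
    if ipsec_excludes_vpn_net "$IPSEC_SAMPLE" "$VPN_NET"; then
        echo "ipsec.conf: virtual_private excludes $VPN_NET"
    else
        echo "ipsec.conf: add %v4:!$VPN_NET to virtual_private"; status=1
    fi
    if xl2tpd_local_ip_reserved "$XL2TPD_SAMPLE" "$VPN_NET"; then
        echo "xl2tpd.conf: local ip is reserved outside the client range"
    else
        echo "xl2tpd.conf: local ip must be inside $VPN_NET and outside ip range"; status=1
    fi
    if masquerade_limited_to_vpn_net "$IPTABLES_SAMPLE" "$VPN_NET"; then
        echo "iptables: MASQUERADE limited to -s $VPN_NET"
    else
        echo "iptables: MASQUERADE rule lacks -s $VPN_NET"; status=1
    fi
    return $status
}

check_address_plan
```

To run it against the real files, replace the three samples with `$(cat /etc/ipsec.conf)`, `$(cat /etc/xl2tpd/xl2tpd.conf)` and `$(cat /var/lib/iptables/active)`; a nonzero exit from check_address_plan points at the file whose note above was missed.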
Android Phone
Press menu → Wireless & networks → VPN settings → Add VPN → Add L2TP/IPSec PSK VPN →
- VPN name → whatever_name_you_like
- Set VPN server → name_or_ip_of_your_linode_host
- Set IPSec pre-shared key → in_above_example_it_was_myipsecsecret
- Enable L2TP secret → enable
- Set L2TP secret → in_above_example_it_was_myl2tpsecret
Press back, then connect using the PPP username/password configured above (e.g. ppp/password).
