OpenWrt Forum Archive

Topic: Help: L2TP/IPSec PSK VPN for Android

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm trying to set up a VPN that is compatible with the stock Android ROMs. This is the first time I've really done anything with an IPsec VPN or L2TP tunneling, so I'm a bit lost.

The only references I could find for this were these two sources:

http://web2.mayrhofer.eu.org/l2tp-ipsec … ile-phones
https://forum.openwrt.org/viewtopic.php?id=27942

Has anybody else done this, or have anything to add that may not have been addressed in the two links above? I'm building from trunk and don't have space for the web interface; I'm just accessing the router via an SSH terminal.

I think I may have it set up correctly, but I'm getting hung up at the firewall. In /etc/config/firewall I have:

# allow IPsec/ESP, ISAKMP, and NAT-T passthrough for VPN
config rule
        option src              wan
        option dest             lan
        option protocol         esp
        option target           ACCEPT

config rule
        option src              wan
        option dest             lan
        option src_port         500
        option dest_port        500
        option proto            udp
        option target           ACCEPT

config rule
        option src              wan
        option dest             lan
        option src_port         4500
        option dest_port        4500
        option proto            udp
        option target           ACCEPT

and in /etc/firewall.user I have:

iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

But after trying to connect I see no packet counts above 0 on any of the rules that result from these. (And the generated rules are spaghetti; I have a hard time tracing where the packets are getting dropped.)

In the past a simple SSH connection has been sufficient, but it is not ideal for things like tunneling WOL packets, connecting to a Samba server, etc.

Figured out that it was creating forwarding rules. Changed it and now it works.

# without "dest", these land in the WAN zone's input chain (traffic to the
# router itself) instead of the forwarding chain
config rule
        option src              wan
        option proto            esp
        option target           ACCEPT

# IKE / ISAKMP
config rule
        option src              wan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# NAT-T (UDP-encapsulated ESP)
config rule
        option src              wan
        option dest_port        4500
        option proto            udp
        option target           ACCEPT
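The two posts above come down to reading iptables counters to see which chain a UCI rule ended up in. The following shell helper is an added example, not the OP's code: it filters `iptables -vnL` output down to the rules relevant to an L2TP/IPsec server (ESP, UDP 500/4500/1701 and any `-m policy` rule) and prints chain, packet counter, target and match text for each. The function name `vpn_rule_hits` and the sample counter listing embedded below are assumptions; the sample is constructed to mirror this thread (the "src wan, dest lan" rules that land in forwarding_wan and never match, next to the corrected input_wan rules).

```shell
#!/bin/sh
# Added example (not from the original posts): pick the VPN-relevant rules out
# of `iptables -vnL` output and show chain, packet counter, target and match,
# so it is obvious whether an ACCEPT landed in input_wan (traffic to the
# router itself) or forwarding_wan (traffic through the router), and whether
# it has ever matched a packet. Use `iptables -vnL -x` for exact counters.
# Usage on the router:  iptables -vnL | vpn_rule_hits
# Exit status is 1 when none of the listed rules has a non-zero counter.

vpn_rule_hits() {
    awk '
        /^Chain /  { chain = $2; next }   # remember which chain we are in
        /^ *pkts/  { next }               # column header line
        NF == 0    { next }               # blank line between chains
        {
            # pkts bytes target prot opt in out source destination [match text...]
            pkts = $1; target = $3; prot = $4
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest " " $i
            keep = 0
            if (prot == "esp") keep = 1
            if (prot == "udp" && rest ~ / dpt:(500|4500|1701)( |$)/) keep = 1
            if (rest ~ /policy match/) keep = 1     # the -m policy rule from firewall.user
            if (keep) {
                printf "%s %s %s %s%s\n", chain, pkts, target, prot, rest
                if (pkts + 0 > 0) any = 1
            }
        }
        END { if (any) exit 0; exit 1 }
    '
}

# Constructed sample, not a capture from a real router: the "src wan dest lan"
# rules from the first post end up in forwarding_wan and are never hit; the
# corrected rules sit in input_wan and count packets. The tcp/22 rule is there
# to show that unrelated rules are filtered out.
SAMPLE=$(cat <<'EOF'
Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14  1232 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
   37  4884 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
  210 15400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
)

printf '%s\n' "$SAMPLE" | vpn_rule_hits
```

A zero counter on the udp/4500 rule while udp/500 is counting is normal when neither side is behind NAT; a zero counter on everything in input_wan while the same ports count in forwarding_wan is the symptom the OP fixed by dropping `dest lan`.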

Hi to everybody!

I managed to install strongSwan for IPsec and xl2tpd for L2TP on OpenWrt 10.03.
I followed the link from above, but now I'm stuck because

when I put :
iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
in /etc/firewall.user
Then I do /etc/init.d/firewall restart
I get:  iptables v1.4.6: Couldn't load match `policy':File not found

AND

oe=off
protostack=netkey

on /etc/ipsec.conf
When I do:
/etc/init.d/ipsec enable ok
/etc/init.d/ipsec start
I receive :
/etc/ipsec.conf:8: unknown keyword 'protostack' [netkey]
unable to start strongSwan -- fatal errors in config

If I comment out these lines, ipsec starts.

I followed the setup instructions from: http://www.mayrhofer.eu.org/l2tp-ipsec- … ile-phones
And now the VPN client from my Windows station gives me error 781: The connection requires a certificate....
I've searched over the internet with no results.
So how do I generate a certificate on OpenWrt?

Meanwhile I've extended my search, and found out I could use openssl on a Linux workstation, the px5g utility on OpenWrt, or XCA (an openssl GUI) under Windows/Linux.
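For the certificate question, here is an added example that is not part of the original post: a small CA and a server certificate generated with plain openssl on a Linux workstation, which is the workflow a strongSwan gateway needs (px5g on the router only produces self-signed certificates, which clients will not chain to a CA). The CA name `vpn-ca`, the function names, the output directory and the hostname `vpn.example.net` are assumptions; the hostname must be whatever name the clients dial. One practitioner's caveat on error 781 specifically: the built-in Windows L2TP/IPsec client authenticates IPsec with a machine certificate unless a pre-shared key has been entered in the connection's IPsec settings, so with the PSK setup from the linked guide the fix is on the client side and no certificate is needed at all.

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal CA plus a server
# certificate for strongSwan with openssl on a Linux workstation.
# Assumptions: CA subject "vpn-ca", output dir $1, server name $2.
set -e

make_vpn_certs() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate (this is what clients import as
    #    their trusted root; keep ca.key off the router)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -subj "/CN=vpn-ca" -out "$dir/ca.crt"

    # 2. server key and certificate request
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"

    # 3. extensions the common L2TP/IPsec clients check: a SAN equal to the
    #    dialled name, serverAuth, and the ikeIntermediate OID Apple clients want
    cat >"$dir/server.ext" <<EOF
subjectAltName=DNS:$host
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
EOF
    openssl x509 -req -days 1095 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 4. verify the chain before copying anything to the router
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

# Returns 0 when the server certificate under $1 carries the SAN $2
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}
```

On the router the files go where strongSwan looks for them: ca.crt into /etc/ipsec.d/cacerts/, server.crt into /etc/ipsec.d/certs/, server.key into /etc/ipsec.d/private/ with a `: RSA server.key` line in /etc/ipsec.secrets, and the connection switched to `authby=rsasig` with `leftcert=server.crt`. Clients import ca.crt only; server.key never leaves the router.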

I've done this for Windows XP, iPhone and Mac OS X. For all of them I'm using an IPsec pre-shared key AND xl2tpd with username and password authentication.

Android does not support username and password authentication in the L2TP layer, but the setup should be similar.

I'm using strongSwan 4.3.7 on OpenWrt 10.03.1-rc4. I tried trunk as well and it is even more stable. However, there is some issue preventing me from using trunk with my Mac (Time Machine got stuck and exhausted all my connections).

My configuration:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "somesecret"

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=yes
        keep_alive=30
        charonstart=no
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!mysubnet

conn IPSEC-L2TP
        auth=esp
        authby=secret
        compress=yes
        keyingtries=10
        rekey=yes
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        pfs=no
        esp=aes128-sha1,3des-sha1
        ike=aes128-sha1-modp1024,3des-sha1-modp1024
        keyexchange=ikev1
        left=fqdn.of.your.domain
        leftallowany=yes
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        type=tunnel
        auto=add
        rightsubnet=vhost:%no,%priv
        rightsubnetwithin=0.0.0.0/0
        forceencaps=yes

<< xl2tpd.conf >>
[global]
port = 1701
;auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
;ipsec saref = yes
;debug network = yes
;debug state = yes
;debug avp = yes
;debug tunnel = yes

[lns default]
exclusive = yes
ip range = xxx.xxx.xxx.yyy-xxx.xxx.xxx.yyz
local ip = xxx.xxx.my.ip
hidden bit = yes
length bit = yes
unix authentication = no
name = some-name
pppoptfile = /etc/ppp/options.xl2tpd

<<options.xl2tpd>>
name "IPSEC/L2TP"
lock
auth
ipparam l2tp
require-mschap-v2
refuse-mschap
refuse-chap
refuse-eap
refuse-pap
default-asyncmap
debug
nologfd
ipcp-accept-local
ipcp-accept-remote
nocrtscts
logfile /dev/null
#defaultroute
noipdefault
mtu 1452
mru 1452
ms-dns your.dns.ip.addr
lcp-echo-interval 120
lcp-echo-failure 10
idle 1800
connect-delay 5000
child-timeout 0
noproxyarp
noaccomp
noccp
novj
novjccomp
nopcomp
noaccomp
nobsdcomp
nodeflate
nomppc
nomppe
local

<<chap.secrets>>
#USERNAME  PROVIDER  PASSWORD  IPADDRESS
user    *       "password" *

After you set all these up, if you want to route all traffic through the VPN, you'd also need to forward all traffic to and from the ppp+ device to the other interfaces.
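The firewall side of the setup above (the IKE/ESP rules from earlier in the thread plus the ppp+ forwarding this post mentions) fits in /etc/firewall.user. The script below is an added example, not the posters' configuration: it dry-runs by default and loads the rules when run with `IPT=iptables`. The interface name `eth0.2`, the pool `192.168.3.0/24` and the function names are assumptions, and the chain names (`input_wan`, `input_rule`, `forwarding_rule`, `postrouting_rule`) are those of the OpenWrt firewall script the posters were using; confirm them with `iptables -S` on your build. The `-m policy` match, both here and in the firewall.user line quoted twice above, needs the `iptables-mod-ipsec` and `kmod-ipt-ipsec` packages installed; without them iptables reports exactly the "Couldn't load match `policy'" error seen earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the original posts): /etc/firewall.user rules for
# the strongSwan + xl2tpd setup above. Dry-runs by default; run with
# IPT=iptables to apply. WAN_IF and VPN_POOL are assumptions, and the chain
# names are the ones the posters' OpenWrt firewall script creates.
dry() { printf '%s\n' "$*"; }           # prints a rule instead of loading it
IPT=${IPT:-dry}                          # IPT=iptables sh firewall-vpn.sh applies them
WAN_IF=${WAN_IF:-eth0.2}                 # assumed WAN interface name
VPN_POOL=${VPN_POOL:-192.168.3.0/24}     # assumed xl2tpd "ip range"

vpn_firewall_rules() {
    # IKE, NAT-T and ESP terminate on the router itself, so they belong in the
    # WAN zone's input chain, not in a forwarding rule (the OP's first attempt)
    $IPT -A input_wan -p udp --dport 500 -j ACCEPT
    $IPT -A input_wan -p udp --dport 4500 -j ACCEPT
    $IPT -A input_wan -p esp -j ACCEPT
    # L2TP is accepted only when the packet was decapsulated from ESP; there is
    # deliberately no plain udp/1701 ACCEPT, so the zone default still rejects
    # anyone who tries L2TP without IPsec
    $IPT -A input_wan -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # PPP sessions started by xl2tpd: clients may reach the router, the LAN and
    # (NATed) the Internet; only reply traffic is forwarded back into a tunnel
    $IPT -A input_rule -i ppp+ -j ACCEPT
    $IPT -A forwarding_rule -i ppp+ -j ACCEPT
    $IPT -A forwarding_rule -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
    # clients that send all their traffic through the VPN need NAT towards the WAN
    $IPT -t nat -A postrouting_rule -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
}

vpn_firewall_rules
```

Two caveats on the ipsec.conf posted above if you reuse it together with these rules: `3des-sha1` and the 1024-bit `modp1024` group are weak by current standards and are only worth keeping for clients that cannot negotiate anything else, and `pfs=no` turns off forward secrecy for the ESP SAs, so a later compromise of the PSK exposes recorded traffic. Neither change affects the firewall rules.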

The discussion might have continued from here.