Message-ID: <53383A97.8040908@relst.nl>
Date: Sun, 30 Mar 2014 17:39:03 +0200
From: Remy van Elst
To: freebsd-questions@freebsd.org
Subject: 10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN

Hello

I want to set up a FreeBSD IPSEC/L2TP road-warrior VPN server. I want to use it when I'm on untrusted networks to send all my traffic over.

I have it set up so that a Mac OS X 10.9 client can connect to the VPN using PSK and username+password. However, it cannot access the internet; the traffic won't leave the VPN. When the VPN is disabled, "internet" is accessible again.

I'm running FreeBSD 10.0-RELEASE on a VPS (xen-hvm). I'm using racoon and mpd5. I've compiled a new kernel based on GENERIC with the following extra options:

# VPN
options IPSEC
options IPSEC_NAT_T
device crypto
device enc

# Firewall & NAT for VPN
options IPSEC_FILTERTUNNEL
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options LIBALIAS
options IPDIVERT

I've installed ipsec-tools and mpd5 from ports and applied the following patch to racoon for wildcard support:

diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c	2014-03-29 11:17:32.000000000 +0200
+++ src/racoon/localconf.c	2014-03-29 11:18:09.000000000 +0200
@@ -207,7 +207,8 @@ getpsk(str, len)
                 if (*p == '\0')
                         continue;       /* no 2nd parameter */
                 p--;
-                if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+                if (strcmp(buf, "*") == 0 ||
+                    (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                         p++;
                         keylen = 0;
                         for (q = p; *q != '\0' && *q != '\n'; q++)

Here's my /usr/local/etc/racoon/racoon.conf:

listen {
        isakmp external_vps_ip [500];
        isakmp_natt external_vps_ip [4500];
        strict_address;
}

remote anonymous {
        exchange_mode main;
        passive on;
        proposal_check obey;
        support_proxy on;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group modp1024;
}

/usr/local/etc/racoon/setkey.conf:

flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

/usr/local/etc/mpd5/mpd.conf:

startup:
        set user super pwSuper admin
        set console self 127.0.0.1 5005
        set console open
        set web self 127.0.0.1 5006
        set web user admin pwSuper
        set web open

default:
        load l2tp_server

l2tp_server:
        set ippool add pool_l2tp 192.168.99.30 192.168.99.100
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set iface route default
        set ipcp yes vjcomp
        set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
        set ipcp dns 8.8.8.8
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
        set link mtu 1280
        set l2tp self external_vps_ip
        set l2tp enable length
        set link enable incoming

/etc/sysctl.conf:

net.pfil.forward=1
net.inet.ip.forwarding=1
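Review bot: in the getpsk() hunk of the localconf.c patch above, the new strcmp(buf, "*") == 0 branch is evaluated in the same pass as the exact-identifier match, so a "*" line that appears in psk.txt before the host-specific entries is selected instead of them; either document that the wildcard line must be the last entry, or remember the wildcard key separately and use it only when no exact identifier matched. The wildcard also means one shared secret now authenticates any IKE peer identifier, which the patch description should state explicitly. Minor: the "diff -rup srca/... srcb/..." header names different trees from the ---/+++ lines (both src/racoon/localconf.c); regenerate the patch from one tree so the paths agree.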
net.inet6.ip6.forwarding=1

/etc/rc.conf:

hostname="vps.domain.ext"
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
ifconfig_xn0_ipv6="inet6 accept_rtadv"
ifconfig_re0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
nginx_enable="YES"
linux_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"

/etc/pf.conf:

ext_if = "xn0"
vpn_net = "{192.168.99.0/24}"
nat on $ext_if inet from $vpn_net to any -> $ext_if
pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }
pass in on $ext_if inet proto esp
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
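As an added illustration (not part of the original message and not a FreeBSD, mpd5 or pf tool), a small static consistency check over the configuration files quoted above: the embedded snippets are constructed excerpts of the posted mpd.conf, pf.conf, sysctl.conf and rc.conf, and audit() is a made-up name.

```python
import ipaddress
import re

# Constructed excerpts of the configuration files quoted in the message.
MPD_CONF = """
set ippool add pool_l2tp 192.168.99.30 192.168.99.100
set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
set iface route default
"""
PF_CONF = """
ext_if = "xn0"
vpn_net = "{192.168.99.0/24}"
nat on $ext_if inet from $vpn_net to any -> $ext_if
pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }
pass in on $ext_if inet proto esp
pass quick on ng0 all
"""
SYSCTL_CONF = "net.inet.ip.forwarding=1\n"
RC_CONF = 'firewall_enable="YES"\nfirewall_type="OPEN"\npf_enable="YES"\n'


def audit(mpd, pf, sysctl, rc):
    """Static checks on the posted files; returns a list of findings (empty = passed)."""
    findings = []
    # 1. The mpd5 client pool must lie inside the network that the pf nat rule translates.
    pool = re.search(r"^\s*set ippool add \S+ (\S+) (\S+)", mpd, re.M)
    macros = dict(re.findall(r'^(\w+)\s*=\s*"\{?([^}"]+)\}?"', pf, re.M))
    nat = re.search(r"^nat on \$(\w+) inet from \$(\w+) to any -> \$(\w+)", pf, re.M)
    if pool and nat and nat.group(2) in macros:
        vpn_net = ipaddress.ip_network(macros[nat.group(2)].strip())
        for addr in pool.groups():
            if ipaddress.ip_address(addr) not in vpn_net:
                findings.append(f"pool address {addr} is outside NAT source {vpn_net}")
    else:
        findings.append("ippool line or matching nat rule not found")
    # 2. IKE (500), NAT-T (4500) and L2TP (1701) plus ESP must be passed in on the outside.
    ports = re.search(r"proto udp .*port \{([^}]*)\}", pf)
    missing = {"500", "4500", "1701"} - set(re.findall(r"\d+", ports.group(1) if ports else ""))
    if missing:
        findings.append("udp ports not passed in: " + ", ".join(sorted(missing)))
    if not re.search(r"^pass in .*proto esp", pf, re.M):
        findings.append("ESP not passed in on the external interface")
    # 3. The server must forward between the ng* interfaces and the external interface.
    if not re.search(r"^net\.inet\.ip\.forwarding=1$", sysctl, re.M):
        findings.append("net.inet.ip.forwarding is not 1")
    # 4. ipfw (kernel IPFIREWALL + firewall_enable) and pf are both active in the posted
    #    rc.conf; a packet has to be accepted by both filters, so each one needs checking.
    if 'firewall_enable="YES"' in rc and 'pf_enable="YES"' in rc:
        findings.append("both ipfw and pf are enabled; confirm each passes VPN traffic")
    return findings
```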