Date:      Sun, 30 Mar 2014 17:39:03 +0200
From:      Remy van Elst <relst@relst.nl>
To:        freebsd-questions@freebsd.org
Subject:   10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN
Message-ID:  <53383A97.8040908@relst.nl>


[-- Attachment #1 --]
Hello

I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server, so that I can
route all my traffic through it when I'm on untrusted networks.

I have it set up so that a Mac OS X 10.9 client can connect to the VPN 
using a PSK and username+password. However, the client cannot access the 
internet: its traffic won't leave the VPN. When the VPN is disabled, the 
"internet" is accessible again.

I'm running FreeBSD 10.0-RELEASE on a vps (xen-hvm). I'm using racoon 
and mpd5. I've compiled a new kernel based on GENERIC with the following 
extra options:

     # VPN: IPsec with NAT traversal (UDP/4500 encapsulation for clients behind NAT)
     options         IPSEC
     options         IPSEC_NAT_T
     device          crypto                  # in-kernel crypto framework used by ESP
     device          enc                     # enc(4): exposes IPsec traffic to the packet filter

     # Firewall & NAT for VPN
     options         IPSEC_FILTERTUNNEL      # run the decapsulated inner packet through pfil as well
     options         IPFIREWALL              # ipfw; rc.conf below runs it as firewall_type="OPEN"
     options         IPFIREWALL_NAT          # in-kernel ipfw nat (needs LIBALIAS)
     options         IPFIREWALL_VERBOSE
     options         IPFIREWALL_VERBOSE_LIMIT=5      # cap logged packets per logging rule
     options         LIBALIAS
     options         IPDIVERT                # divert sockets for natd; unused while pf does the NAT

I've installed ipsec-tools and mpd5 from ports and applied the following 
patch to racoon for wildcard support:

     diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
     --- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
     +++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
     @@ -207,7 +207,8 @@ getpsk(str, len)
              if (*p == '\0')
                  continue;    /* no 2nd parameter */
              p--;
     -        if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
     +        if (strcmp(buf, "*") == 0 ||
     +            (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                  p++;
                  keylen = 0;
                  for (q = p; *q != '\0' && *q != '\n'; q++)
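Review bot: The new `strcmp(buf, "*") == 0` test fires on whatever line the loop reaches first, so a `*` entry placed above more specific identifiers in psk.txt shadows them and every peer then gets the wildcard key; nothing in the hunk documents that ordering dependence. I would add `/* "*" matches any identifier; keep it as the last line so host-specific keys still win */` above the condition, or only fall back to the wildcard after the exact lookup has failed. One key shared by every identity also means the PSK alone gates phase 1 for all clients, which is the inherent trade-off of this road-warrior setup and worth stating in the same comment. getpsk() begins and ends outside the hunk.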

Here's my /usr/local/etc/racoon/racoon.conf:

     # racoon: IKEv1 responder for road-warrior clients authenticating with a PSK.
     # Bind only to the VPS's public address; strict_address makes racoon refuse
     # to start if that address cannot be bound.
     listen
     {
             isakmp           external_vps_ip [500];
             isakmp_natt      external_vps_ip [4500];
             strict_address;
     }
     # Phase 1: accept any peer (no per-client sections). With main mode + PSK the
     # peer is looked up by address, which is presumably why the "*" wildcard
     # patch to getpsk() above is needed for clients on unknown addresses.
     remote anonymous
     {
             exchange_mode    main;
             passive          on;            # responder only; never initiate to peers
             proposal_check   obey;          # accept the initiator's lifetime/proposal values
             support_proxy    on;
             nat_traversal    on;            # UDP/4500 encapsulation for clients behind NAT
             ike_frag         on;
             dpd_delay        20;            # dead-peer-detection probe interval (seconds)
             # Preference order: AES first, 3DES as a fallback for older clients.
             # DH group 2 (modp1024) and SHA1 are the weakest choices offered here;
             # presumably kept for OS X client compatibility — confirm.
             proposal
             {
                     encryption_algorithm  aes;
                     hash_algorithm        sha1;
                     authentication_method pre_shared_key;
                     dh_group              modp1024;
             }
             proposal
             {
                     encryption_algorithm  3des;
                     hash_algorithm        sha1;
                     authentication_method pre_shared_key;
                     dh_group              modp1024;
             }
     }
     # Phase 2: parameters offered for any selector (the SPD lives in setkey.conf).
     sainfo anonymous
     {
             encryption_algorithm     aes,3des;
             authentication_algorithm hmac_sha1;
             compression_algorithm    deflate;      # IPComp, only if the client negotiates it
             pfs_group                modp1024;     # forward secrecy for phase 2 keys
     }

/usr/local/etc/racoon/setkey.conf:

     # Clear the SAD and SPD, then require ESP in transport mode around L2TP
     # (UDP/1701) in both directions; [0] stands for any port. Only the L2TP
     # control/data traffic is protected by IPsec — the client's own traffic
     # rides inside the L2TP/PPP tunnel.
     flush;
     spdflush;
     spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec 
esp/transport//require;
     spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec 
esp/transport//require;

/usr/local/etc/mpd5/mpd.conf:

     # mpd5: L2TP server. Console and web UI are bound to loopback only, but the
     # admin credentials are stored here in cleartext, so keep this file
     # readable by root alone.
     startup:
             set user super pwSuper admin
             set console self 127.0.0.1 5005
             set console open
             set web self 127.0.0.1 5006
         set web user admin pwSuper
             set web open
     default:
             load l2tp_server
     l2tp_server:
             # Client addresses are handed out from this pool (71 addresses).
             set ippool add pool_l2tp 192.168.99.30 192.168.99.100
             create bundle template B_l2tp
             set iface enable proxy-arp
             # Clamp TCP MSS so tunnelled connections fit the reduced link MTU.
             set iface enable tcpmssfix
             # NOTE(review): "set iface route default" adds a default route through
             # the link when it comes up. On a server bundle that would replace the
             # VPS's own default route with one pointing into the client's tunnel,
             # which matches the "no internet once connected" symptom described
             # above — confirm with "netstat -rn" while a client is attached.
             set iface route default
             set ipcp yes vjcomp
             set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
             set ipcp dns 8.8.8.8
             create link template L_l2tp l2tp
             set link action bundle B_l2tp
             set link enable multilink
             # Only CHAP is accepted; PAP (cleartext password) and EAP are off.
             set link no pap chap eap
             set link enable chap
             set link keep-alive 0 0
             # Reduced MTU leaves room for the L2TP/UDP/ESP overhead — presumably
             # tuned for the OS X client; confirm.
             set link mtu 1280
             set l2tp self external_vps_ip
             set l2tp enable length
             set link enable incoming

/etc/sysctl.conf:

     # Forward packets between the ng* tunnel interfaces and xn0.
     # net.pfil.forward runs forwarded packets through an extra pfil hook point;
     # it is not obviously required for the pf NAT rule — verify on 10.0.
     # IPv4 forwarding is also switched on by gateway_enable="YES" in rc.conf,
     # so the second line is redundant. IPv6 forwarding is enabled although the
     # VPN only hands out IPv4 addresses; leave it off unless it is needed.
     net.pfil.forward=1
     net.inet.ip.forwarding=1
     net.inet6.ip6.forwarding=1

/etc/rc.conf:

     hostname="vps.domain.ext"
     # Both re0 and xn0 are configured; on a Xen HVM guest only one of them
     # probably exists — the absent one is harmless. xn0 is also the $ext_if
     # used in pf.conf.
     ifconfig_re0="DHCP"
     ifconfig_xn0="DHCP"
     ifconfig_xn0_ipv6="inet6 accept_rtadv"
     ifconfig_re0_ipv6="inet6 accept_rtadv"
     sshd_enable="YES"
     ntpd_enable="YES"
     dumpdev="AUTO"
     nginx_enable="YES"
     linux_enable="YES"
     # ipfw and pf are both loaded. ipfw with firewall_type="OPEN" passes
     # everything, so every packet traverses two filters while only pf does
     # any real work (the NAT); consider running just one of them.
     firewall_enable="YES"
     firewall_script="/etc/rc.firewall"
     firewall_type="OPEN"
     firewall_quiet="NO"
     firewall_logging="YES"
     # Load the SPD from setkey.conf at boot, then start racoon (IKE) and mpd (L2TP).
     ipsec_enable="YES"
     ipsec_program="/usr/local/sbin/setkey"
     ipsec_file="/usr/local/etc/racoon/setkey.conf"
     racoon_enable="YES"
     racoon_flags="-l /var/log/racoon.log"    # log to a file instead of syslog
     mpd_enable="YES"
     pf_enable="YES"
     pf_rules="/etc/pf.conf"
     pflog_enable="YES"
     pflog_logfile="/var/log/pflog"
     gateway_enable="YES"    # sets net.inet.ip.forwarding=1 (duplicated in sysctl.conf)


/etc/pf.conf

     # pf: masquerade VPN clients behind the VPS address and admit IKE/L2TP.
     # There is no "block" rule, so pf's implicit default is pass; the rules
     # below only create state and do the NAT.
     ext_if = "xn0"
     vpn_net = "{192.168.99.0/24}"
     # xn0 is on DHCP (rc.conf); writing "($ext_if)" instead of "$ext_if" as the
     # translation address would make the rule follow the interface if it changes.
     nat on $ext_if inet from $vpn_net to any -> $ext_if
     # IKE (500), NAT-T (4500) and L2TP (1701, which is only seen in cleartext
     # after ESP decapsulation) to this host.
     pass in on $ext_if inet proto udp from any to (self) port { 1701, 
500, 4500 }
     pass in on $ext_if inet proto esp
     # Only ng0-ng3 are listed; the mpd pool allows far more concurrent clients,
     # whose ng* interfaces would not match these rules.
     pass quick on ng0 all
     pass quick on ng1 all
     pass quick on ng2 all
     pass quick on ng3 all


[-- Attachment #2 --]
0	*H
010	+0	*H

300AÊvq
0
	*H
010	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0
131206000000Z
161205235959Z0D10	UNL10U
Remy van Elst10	*H
	relst@relst.nl0"0
	*H
0
ZG,mUtnpPH`t˼&Yne	D>R1Š!IXyAr	\בgbrT>;Hz%HW0P87S&ؘi.kP
TSLYTxEVe"3zbXpn)ˀJ۱4`/Iu}E=H,);>Ofߥ^Vn(R\`8BIVPT*##MR'00U#0zNt[xcd'/[y{0Upg=ޚns_e0U0U00U%0++0FU ?0=0;+10+0)+https://secure.comodo.net/CPS0WUP0N0LJHFhttp://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl0+|0z0R+0Fhttp://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt0$+0http://ocsp.comodoca.com0
	*H
SS~?vgJ$pO.RrRKj6b%vKYxu3Z+3,UC
ZҲyD5;㨡x2YXm%"b9
!u*S <:qFJ'Au۽}|
j&$QJKT)
 C-iaL<[VD+<PړVM8OCjH;!̆YTw/WmI00mOj3""2zq0
	*H
010	UUS10	UUT10USalt Lake City10U
The USERTRUST Network1!0Uhttp://www.usertrust.com1604U-UTN-USERFirst-Client Authentication and Email0
110428000000Z
200530104838Z010	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0"0
	*H
0
[KW^/@ȣSX_fe2N2}UxLUB'qi2@'Vbqi c^`ʢAjHmeC*.+c8w߱ڂ2jgo \5Tq
7
PSlY1	LR@[HhJ$:q_㬿;%qh=XF<hmz!W42~JRrd&N`ohQcB}"cөΞD\[5K0G0U#0g}ĝ&pKPH|=n}0UzNt[xcd'/[y{0U0U00U 
00U 0XUQ0O0MKIGhttp://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0t+h0f0=+01http://crt.usertrust.com/UTNAddTrustClient_CA.crt0%+0http://ocsp.usertrust.com0
	*H
־xWUm3DRB
JAIZҭsn>&|L0(B<%>
u=9fѡMo(ltZڱuz/yVtCr`9 G:eH<=%`I?C
3_н`j;:<I3B)93i.EMiڀ=]|Gm]W0KID~y83:]&XaU!ՙC@B0Ұun100010	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAAÊvq
0	+E0	*H
	1	*H
0	*H
	1
140330153903Z0#	*H
	1崈0N?Pə{0l	*H
	1_0]0	`He*0	`He0
*H
0*H
0
*H
@0+0
*H
(0	+710010	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAAÊvq
0*H
	1010	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAAÊvq
0
	*H
Q.{_L
\Y'Co|h4*pg_AWrT~dU[aT䋉JanV;_}U,η}7E`R
J$#Š
ܜC,4 |bzdQ,F5s5,BK/GGܦ>=<0=|nl_eQ{Ly<-<(OO
'yx8ijC'm
