Date: Sun, 30 Mar 2014 17:39:03 +0200
From: Remy van Elst <relst@relst.nl>
To: freebsd-questions@freebsd.org
Subject: 10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN
Message-ID: <53383A97.8040908@relst.nl>
Hello,

I want to set up a FreeBSD IPSEC/L2TP road-warrior VPN server. I want to
use it when I'm on untrusted networks to send all my traffic over it.
I have it set up so that a Mac OS X 10.9 client can connect to the VPN
using PSK and username+password. However, it cannot access the internet;
the traffic won't leave the VPN. When the VPN is disabled, "internet" is
accessible again.

I'm running FreeBSD 10.0-RELEASE on a VPS (xen-hvm). I'm using racoon
and mpd5. I've compiled a new kernel based on GENERIC with the following
extra options:
# VPN
options IPSEC
options IPSEC_NAT_T
device crypto
device enc
# Firewall & NAT for VPN
options IPSEC_FILTERTUNNEL
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options LIBALIAS
options IPDIVERT
I've installed ipsec-tools and mpd5 from ports and applied the following
patch to racoon for wildcard support:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
+++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0 ||
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
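Review bot: the new `strcmp(buf, "*") == 0` branch makes a `*` line in the PSK file match every peer identifier, so one pre-shared key becomes a group secret shared by all road-warrior clients; add a comment on that line stating this semantics, and note in the documentation that, since the file is scanned line by line, any host-specific entries should be placed before the wildcard so they are found first.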
Here's my /usr/local/etc/racoon/racoon.conf:
listen
{
isakmp external_vps_ip [500];
isakmp_natt external_vps_ip [4500];
strict_address;
}
remote anonymous
{
exchange_mode main;
passive on;
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
/usr/local/etc/racoon/setkey.conf:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec
esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec
esp/transport//require;
/usr/local/etc/mpd5/mpd.conf:
startup:
set user super pwSuper admin
set console self 127.0.0.1 5005
set console open
set web self 127.0.0.1 5006
set web user admin pwSuper
set web open
default:
load l2tp_server
l2tp_server:
set ippool add pool_l2tp 192.168.99.30 192.168.99.100
create bundle template B_l2tp
set iface enable proxy-arp
set iface enable tcpmssfix
set iface route default
set ipcp yes vjcomp
set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
set ipcp dns 8.8.8.8
create link template L_l2tp l2tp
set link action bundle B_l2tp
set link enable multilink
set link no pap chap eap
set link enable chap
set link keep-alive 0 0
set link mtu 1280
set l2tp self external_vps_ip
set l2tp enable length
set link enable incoming
/etc/sysctl.conf:
net.pfil.forward=1
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
/etc/rc.conf:
hostname="vps.domain.ext"
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
ifconfig_xn0_ipv6="inet6 accept_rtadv"
ifconfig_re0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
nginx_enable="YES"
linux_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"
/etc/pf.conf:
ext_if = "xn0"
vpn_net = "{192.168.99.0/24}"
nat on $ext_if inet from $vpn_net to any -> $ext_if
pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }
pass in on $ext_if inet proto esp
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
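Not part of the original message: a constructed sanity check, written for this page, that parses rc.conf, sysctl.conf and pf.conf excerpts modelled on the ones posted and reports the conditions a road-warrior L2TP/IPsec gateway needs (forwarding on, the pf NAT rule covering the mpd address pool, IKE/NAT-T/L2TP and ESP passed in) as well as whether ipfw (`firewall_enable`) and pf are both switched on. The pool endpoints and file contents below are constructed, not read from the running system.

```python
import ipaddress
import re

# Constructed excerpts modelled on the posted files, not the author's files verbatim.
RC_CONF = 'firewall_enable="YES"\nfirewall_type="OPEN"\npf_enable="YES"\ngateway_enable="YES"\n'
SYSCTL_CONF = "net.inet.ip.forwarding=1\n"
PF_CONF = (
    'ext_if = "xn0"\n'
    'vpn_net = "{192.168.99.0/24}"\n'
    "nat on $ext_if inet from $vpn_net to any -> $ext_if\n"
    "pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }\n"
    "pass in on $ext_if inet proto esp\n"
)
MPD_POOL = ("192.168.99.30", "192.168.99.100")  # endpoints of 'set ippool add pool_l2tp ...'


def parse_kv(text):
    """Parse key=value lines (rc.conf / sysctl.conf style); drops comments and quotes."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def expand_macros(pf_text):
    """Substitute $name references with macros defined as name = "value"."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', pf_text, re.M))
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), pf_text)


def check_vpn_gateway(rc_text, sysctl_text, pf_text, pool):
    """Return a dict of booleans for the conditions a road-warrior gateway needs."""
    rc, sysctl, pf = parse_kv(rc_text), parse_kv(sysctl_text), expand_macros(pf_text)
    f = {}
    # Client packets must be forwarded, not only delivered to the gateway itself.
    f["forwarding"] = rc.get("gateway_enable") == "YES" or sysctl.get("net.inet.ip.forwarding") == "1"
    # ipfw (firewall_enable) and pf both enabled means two rule sets sit in the path.
    f["two_firewalls"] = rc.get("firewall_enable") == "YES" and rc.get("pf_enable") == "YES"
    # The NAT rule must cover every address mpd can assign, or replies never come back.
    nat = re.search(r"^nat on \S+ inet from \{?([\d./]+)\}? to any", pf, re.M)
    net = ipaddress.ip_network(nat.group(1)) if nat else None
    f["nat_covers_pool"] = net is not None and all(ipaddress.ip_address(a) in net for a in pool)
    # IKE (500), NAT-T (4500) and L2TP (1701) plus ESP must be allowed in on the outside.
    ports = set()
    for m in re.finditer(r"^pass in on \S+ inet proto udp .*port \{([^}]*)\}", pf, re.M):
        ports |= {int(p) for p in m.group(1).replace(",", " ").split()}
    f["udp_ports_open"] = {500, 4500, 1701} <= ports
    f["esp_passed"] = bool(re.search(r"^pass in on \S+ inet proto esp", pf, re.M))
    return f
```

Run against the posted configuration every condition comes back true except that `two_firewalls` also reports true, which is the one finding worth a closer look when traffic stops at the gateway.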