Date: Sun, 30 Mar 2014 17:39:03 +0200 From: Remy van Elst <relst@relst.nl> To: freebsd-questions@freebsd.org Subject: 10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN Message-ID: <53383A97.8040908@relst.nl>
This is a cryptographically signed message in MIME format.
--------------ms030000000200000304000708
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Hello
I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server. I want to use it when I'm on untrusted networks to send all my traffic over it.
I have it set up so that a Mac OS X 10.9 client can connect to the VPN using a PSK and username+password. However, the client cannot access the internet: its traffic won't leave the VPN. When the VPN is disabled, the internet is accessible again.
I'm running FreeBSD 10.0-RELEASE on a VPS (xen-hvm). I'm using racoon and mpd5. I've compiled a new kernel based on GENERIC with the following extra options:
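# VPN: IPsec with NAT traversal (needed for clients behind NAT, UDP/4500),
# the crypto device, and the enc(4) pseudo-interface so that decapsulated
# IPsec traffic can be seen by the packet filter.
options IPSEC
options IPSEC_NAT_T
device crypto
device enc
# Firewall & NAT for VPN
# IPSEC_FILTERTUNNEL runs the packet filter on the inner packet of a tunnel;
# the remaining options build ipfw with in-kernel NAT (libalias) and divert.
options IPSEC_FILTERTUNNEL
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
# Rate-limit ipfw log lines per rule. (The pasted listing had "=3D5", a
# quoted-printable artifact, which config(8) would reject.)
options IPFIREWALL_VERBOSE_LIMIT=5
options LIBALIAS
options IPDIVERT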
I've installed ipsec-tools and mpd5 from ports and applied the following patch to racoon for wildcard support:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
+++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p =3D=3D '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) =3D=3D 0 && buf[len] =3D=3D '\0'=
) {
+ if (strcmp(buf, "*") =3D=3D 0 ||
+ (strncmp(buf, str, len) =3D=3D 0 && buf[len] =3D=3D '\0=
')) {
p++;
keylen =3D 0;
for (q =3D p; *q !=3D '\0' && *q !=3D '\n'; q++)
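Review bot: The added `strcmp(buf, "*")` test runs inside the per-line loop, so a `*` entry that appears before a more specific identifier in the PSK file matches first and the specific key is never consulted; matching `*` only after the whole file has been scanned without a hit would keep per-peer keys authoritative. The wildcard also makes a single key valid for every peer identity, which is what an anonymous pre-shared-key road-warrior setup needs, but that deserves a comment such as `/* "*" matches any peer id: one PSK shared by all road warriors; keep it last */`. getpsk() begins and ends outside the hunk, and the hunk's lines are quoted-printable encoded (`=3D` stands for `=`), so the patch must be decoded before it is applied.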
Here's my /usr/local/etc/racoon/racoon.conf:
# Listen only on the VPN's public address for IKE (500) and IKE over
# NAT-T (4500); strict_address makes racoon refuse to start if that
# address is not configured on the host.
listen
{
isakmp external_vps_ip [500];
isakmp_natt external_vps_ip [4500];
strict_address;
}
# Phase 1 for any peer ("anonymous"). Combined with pre_shared_key this
# means one PSK is shared by every road-warrior client.
remote anonymous
{
exchange_mode main;
passive on;
# obey: as responder, accept the initiator's proposal (including SA
# lifetimes) as offered; "claim" or "strict" would enforce local values.
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
# Proposals are tried in the order listed: AES first, then 3DES.
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase 2 (IPsec SA) parameters accepted from any peer.
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
/usr/local/etc/racoon/setkey.conf:
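# Discard all existing SAs and security policies before loading ours.
flush;
spdflush;
# Require ESP in transport mode for every UDP datagram to or from the L2TP
# port (1701). With "require", unprotected L2TP is discarded by the kernel
# regardless of what pf.conf passes, so exposing UDP/1701 in pf is safe only
# while these two policies are loaded. (The pasted listing had each policy
# split by a quoted-printable soft line break, "=20"; it is one statement.)
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;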
/usr/local/etc/mpd5/mpd.conf:
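startup:
	# Admin credentials for the control console and the web UI; both are
	# bound to loopback only. Treat "pwSuper" as a placeholder, not a secret
	# to ship as-is.
	set user super pwSuper admin
	set console self 127.0.0.1 5005
	set console open
	set web self 127.0.0.1 5006
	set web user admin pwSuper
	set web open

default:
	load l2tp_server

l2tp_server:
	# Addresses handed out to L2TP clients.
	set ippool add pool_l2tp 192.168.99.30 192.168.99.100

	create bundle template B_l2tp
	set iface enable proxy-arp
	set iface enable tcpmssfix
	# "set iface route default" was removed here. It adds a default route
	# through the bundle's ng interface whenever a client connects, which is
	# a client-side setting; on the server it sends the host's own traffic
	# (and the forwarded client traffic) back into the tunnel, so nothing
	# reaches the internet while a VPN session is up.
	set ipcp yes vjcomp
	set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
	set ipcp dns 8.8.8.8

	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link enable multilink
	# CHAP only: PAP (cleartext password) and EAP are disabled.
	set link no pap chap eap
	set link enable chap
	set link keep-alive 0 0
	set link mtu 1280
	set l2tp self external_vps_ip
	set l2tp enable length
	set link enable incoming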
/etc/sysctl.conf:
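# NOTE(review): net.pfil.forward enables forwarding performed by the packet
# filter itself; plain routing plus pf NAT does not appear to need it — confirm.
net.pfil.forward=1
# Route packets between the ng (VPN) interfaces and xn0. gateway_enable="YES"
# in rc.conf sets the same IPv4 value.
net.inet.ip.forwarding=1
# IPv6 forwarding is enabled although the VPN and every pf.conf rule are
# IPv4-only ("inet"); leave this at 0 unless IPv6 routing is intended.
net.inet6.ip6.forwarding=1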
/etc/rc.conf:
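hostname="vps.domain.ext"
# Both NICs use DHCP; pf.conf treats xn0 as the external interface.
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
ifconfig_xn0_ipv6="inet6 accept_rtadv"
ifconfig_re0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
nginx_enable="YES"
linux_enable="YES"
# ipfw is loaded with the OPEN ruleset, which passes everything, so it adds
# no filtering on top of pf below and firewall_logging has nothing to log.
# Running two packet filters mainly adds confusion; consider keeping pf only.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
# Load the SPD from setkey.conf with the ipsec-tools setkey from ports (same
# package as the racoon in use).
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
# pf supplies the NAT for VPN clients (see pf.conf).
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# Same effect as net.inet.ip.forwarding=1 in sysctl.conf.
gateway_enable="YES"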
/etc/pf.conf
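ext_if = "xn0"
vpn_net = "{192.168.99.0/24}"

# Source-NAT VPN client traffic leaving on the external interface.
nat on $ext_if inet from $vpn_net to any -> $ext_if

# IKE (500), IKE over NAT-T (4500) and L2TP (1701). Exposing UDP/1701 is only
# safe because setkey.conf requires ESP for that port; without those policies
# the L2TP/PPP exchange would be accepted in the clear.
# (The pasted listing had this rule split by a "=20" soft line break.)
pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }
pass in on $ext_if inet proto esp

# There is no "block" rule, so pf's default action is already to pass; the
# rules below only become meaningful once a default block is added. They
# also cover at most four concurrent bundles (ng0-ng3).
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all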
--------------ms030000000200000304000708
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME-cryptografische ondertekening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=
--------------ms030000000200000304000708--
