Monday, February 13, 2017

OpenBSD 6.1 L2TP over IPSEC VPN - Android 6.0.1, iOS, OS X Sierra, Windows {x,y.z}



Here's exactly what's required to make OpenBSD 6.1 act as a L2TP over IPSEC server, since I've been asked about a thousand times... or twice, whatever.

Edit /etc/ipsec.conf:

wan_ipv4 = 172.16.172.16
ike passive esp transport \
  proto udp from $wan_ipv4 to any port 1701 \
  main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
  quick auth "hmac-sha2-256" enc "aes-256" group modp1024 \
  psk "4de16a6f8fff9b311a18de90868f7808"


That's a pretty nasty PSK to bang out on a mobile, but you get the idea. Set your external IP accordingly.



Assuming you'll be forwarding via pf.conf, edit /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.pipex.enable=1


Entries in /etc/sysctl.conf only take effect at boot. If you don't plan to reboot, apply each of the above entries by hand with sysctl(8) if you haven't done so already.



Add a user to /etc/npppd/npppd-users:

mickeymouse:\
:password=81bc62b1d74cfdd523f89a0e15d7753ef936bd1f:




Edit /etc/npppd/npppd.conf for your network configuration:

authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
listen on 0.0.0.0
listen on ::
}

ipcp IPCP {
pool-address 172.16.173.2-172.16.173.254
dns-servers 8.8.8.8
}

interface pppx0 address 172.16.173.1 ipcp IPCP

bind tunnel from L2TP authenticated by LOCAL to pppx0




Edit /etc/rc.conf.local to ensure the respective daemons start at boot:

isakmpd_flags=""
ipsec=YES
ipsec_rules=/etc/ipsec.conf
npppd_flags=""



Edit /etc/isakmpd/isakmpd.policy to work around Android 6.0.1 SHA stupidities:

Authorizer: "POLICY"
Comment: This is test
Licensees: "passphrase:4de16a6f8fff9b311a18de90868f7808"
conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";


Be sure the passphrase: matches what's in /etc/ipsec.conf!



Lastly, set permissions and fire up the respective daemons:

# chmod 600 /etc/isakmpd/isakmpd.policy /etc/ipsec.conf /etc/npppd/npppd-users /etc/npppd/npppd.conf
# /sbin/isakmpd
# /sbin/ipsecctl -f /etc/ipsec.conf
# /usr/sbin/npppd

The rest is simply configuring the settings on your Android or iOS phone, OS X or Windows.
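Two things the steps above warn about are easy to get wrong: a PSK in /etc/ipsec.conf that differs from the passphrase in isakmpd.policy, and secret-bearing files left readable by other users. The POSIX sh check below catches both; it is an added example, not part of the original post, and the function names and the sample files it writes under a temp directory are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the L2TP/IPsec setup described above.
# Hypothetical helper names; sample files are constructed, not real.

# Extract the psk "..." value from an ipsec.conf-style file.
ipsec_psk() {
    sed -n 's/.*psk "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Extract the passphrase from the Licensees: line of an isakmpd.policy file.
policy_passphrase() {
    sed -n 's/.*"passphrase:\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when both files carry the same non-empty secret, 1 otherwise.
psk_matches() {
    a=$(ipsec_psk "$1")
    b=$(policy_passphrase "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 when the file is mode 0600 (owner read/write only), 1 otherwise.
is_mode_600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample files mirroring the post's snippets (one deliberately
# mismatched policy, one file left world-readable). Prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'wan_ipv4 = 172.16.172.16\nike passive esp transport \\\n  proto udp from $wan_ipv4 to any port 1701 \\\n  psk "4de16a6f8fff9b311a18de90868f7808"\n' > "$d/ipsec.conf"
    printf 'Authorizer: "POLICY"\nLicensees: "passphrase:4de16a6f8fff9b311a18de90868f7808"\n' > "$d/isakmpd.policy"
    printf 'Authorizer: "POLICY"\nLicensees: "passphrase:wrong"\n' > "$d/bad.policy"
    chmod 600 "$d/ipsec.conf"
    chmod 644 "$d/isakmpd.policy"
    echo "$d"
}

# Against the live files (as root):
#   psk_matches /etc/ipsec.conf /etc/isakmpd/isakmpd.policy && echo "PSK ok"
#   for f in /etc/ipsec.conf /etc/isakmpd/isakmpd.policy \
#            /etc/npppd/npppd-users /etc/npppd/npppd.conf; do
#       is_mode_600 "$f" || echo "$f is not mode 600"
#   done
```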


Enjoy!

2 comments:

  1. I'm having trouble with the pf portion...what do you have for PF?

    1. First, turn on logging via pf, i.e.
      block drop log

      then pfctl -f /etc/pf.conf

      monitor your dropped packets to figure out what's going on:

      tcpdump -nei pflog0

      Unless you're willing to post your pf.conf, I unfortunately can't help.
