Here's exactly what's required to make OpenBSD 6.1 act as a L2TP over IPSEC server, since I've been asked about a thousand times... or twice, whatever.
Edit /etc/ipsec.conf:
wan_ipv4 = 172.16.172.16
ike passive esp transport \
    proto udp from $wan_ipv4 to any port 1701 \
    main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
    quick auth "hmac-sha2-256" enc "aes-256" group modp1024 \
    psk "4de16a6f8fff9b311a18de90868f7808"
That's a pretty nasty PSK to bang out on a mobile, but you get the idea. Set your external IP accordingly.
Assuming you'll be forwarding via pf.conf, edit /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.pipex.enable=1
Entries in /etc/sysctl.conf only take effect at boot, so if you don't plan to reboot you'll need to set the above entries manually with sysctl(8), if you haven't done so already.
Add a user to /etc/npppd/npppd-users:
mickeymouse:\
:password=81bc62b1d74cfdd523f89a0e15d7753ef936bd1f:
Edit /etc/npppd/npppd.conf for your network configuration:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
    listen on ::
}
ipcp IPCP {
    pool-address 172.16.173.2-172.16.173.254
    dns-servers 8.8.8.8
}
interface pppx0 address 172.16.173.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0
Edit /etc/rc.conf.local to ensure the respective daemons start at boot:
isakmpd_flags=""
ipsec=YES
ipsec_rules=/etc/ipsec.conf
npppd_flags=""
Edit /etc/isakmpd/isakmpd.policy to work around Android 6.0.1 SHA stupidities:
Authorizer: "POLICY"
Comment: This is test
Licensees: "passphrase:4de16a6f8fff9b311a18de90868f7808"
conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";
Be sure the passphrase: value matches the psk in /etc/ipsec.conf!
Lastly, set permissions and fire up the respective daemons:
# chmod 600 /etc/isakmpd/isakmpd.policy /etc/ipsec.conf /etc/npppd/npppd-users /etc/npppd/npppd.conf
# /sbin/isakmpd
# /sbin/ipsecctl -f /etc/ipsec.conf
# /usr/sbin/npppd
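Three of the steps above are easy to get wrong silently: the psk in /etc/ipsec.conf and the passphrase: in isakmpd.policy drifting apart, a config file left world-readable, and a sysctl missing from /etc/sysctl.conf. The following pre-flight script is an added example, not part of the original post; it checks all three against constructed sample files under a temporary directory (with a placeholder secret), and the same functions can be pointed at the real paths.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# L2TP/IPsec setup above. The secret in ipsec.conf's "psk" must equal the
# "passphrase:" in isakmpd.policy, the config files must be mode 600, and
# the three sysctls must be present. Sample files below are constructed.

# Print the psk value from an ipsec.conf (the text inside the quotes after psk).
ipsec_psk() { sed -n 's/.*psk[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Print the passphrase from the Licensees line of an isakmpd.policy.
policy_passphrase() { sed -n 's/.*"passphrase:\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Succeed only if both files carry the same, non-empty secret.
psk_matches() {
    a=$(ipsec_psk "$1"); b=$(policy_passphrase "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the file is exactly rw------- (the chmod 600 from the post).
mode_is_600() { [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]; }

# Succeed only if every sysctl the post requires is set to 1 in the given file.
sysctl_conf_complete() {
    for key in net.inet.ip.forwarding net.inet.ipcomp.enable net.pipex.enable; do
        grep -q "^${key}=1\$" "$1" || return 1
    done
}

# Constructed sample files: a matching pair, a stale policy, a world-readable
# policy and a sysctl.conf missing net.pipex.enable. Placeholder secret only.
tmp=$(mktemp -d)
printf 'ike passive esp transport \\\n    psk "EXAMPLE_PSK_PLACEHOLDER"\n' > "$tmp/ipsec.conf"
printf 'Licensees: "passphrase:EXAMPLE_PSK_PLACEHOLDER"\n' > "$tmp/isakmpd.policy"
printf 'Licensees: "passphrase:STALE_VALUE"\n' > "$tmp/isakmpd.policy.stale"
printf 'net.inet.ip.forwarding=1\nnet.inet.ipcomp.enable=1\n' > "$tmp/sysctl.conf"
chmod 600 "$tmp/ipsec.conf"; chmod 644 "$tmp/isakmpd.policy"

psk_matches "$tmp/ipsec.conf" "$tmp/isakmpd.policy" && echo "psk: match" || echo "psk: MISMATCH"
psk_matches "$tmp/ipsec.conf" "$tmp/isakmpd.policy.stale" || echo "stale policy: MISMATCH"
mode_is_600 "$tmp/isakmpd.policy" || echo "isakmpd.policy: not mode 600"
sysctl_conf_complete "$tmp/sysctl.conf" || echo "sysctl.conf: a required sysctl is missing"
```

Run it against the live system by replacing the `$tmp` paths with /etc/ipsec.conf, /etc/isakmpd/isakmpd.policy and /etc/sysctl.conf.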
The rest is simply configuring the settings on your Android/iOS phone, OS X or Windows.
Enjoy!
I'm having trouble with the pf portion...what do you have for PF?
First, turn on logging via pf, i.e.
block drop log
then pfctl -f /etc/pf.conf
monitor your dropped packets to figure out what's going on:
tcpdump -nei pflog0
Unless you're willing to post your pf.conf, I unfortunately can't help.