10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN

Remy van Elst relst at relst.nl
Sun Mar 30 15:39:08 UTC 2014


Hello

I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server. I want to 
use it when I'm on untrusted networks, to send all my traffic over it.

I have it set up so that a Mac OS X 10.9 client can connect to the VPN 
using a PSK and username+password. However, it cannot access the internet: 
the traffic won't leave the VPN. When the VPN is disabled, "internet" is 
accessible again.

I'm running FreeBSD 10.0-RELEASE on a vps (xen-hvm). I'm using racoon 
and mpd5. I've compiled a new kernel based on GENERIC with the following 
extra options:

     # VPN
     # IPsec with NAT traversal (racoon.conf below listens on UDP/4500 for
     # it) plus the enc(4) pseudo-interface, on which the packet filter can
     # see IPsec traffic in the clear.
     options         IPSEC
     options         IPSEC_NAT_T
     device          crypto
     device          enc

     # Firewall & NAT for VPN
     # NOTE(review): this builds ipfw with divert/libalias NAT into the
     # kernel, while /etc/rc.conf below enables pf as well, so two packet
     # filters are active at once. Confirm that only one is meant to do
     # the NAT for the VPN pool.
     options         IPSEC_FILTERTUNNEL
     options         IPFIREWALL
     options         IPFIREWALL_NAT
     options         IPFIREWALL_VERBOSE
     options         IPFIREWALL_VERBOSE_LIMIT=5
     options         LIBALIAS
     options         IPDIVERT

I've installed ipsec-tools and mpd5 from ports and applied the following 
patch to racoon for wildcard support:

     diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
     --- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
     +++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
     @@ -207,7 +207,8 @@ getpsk(str, len)
              if (*p == '\0')
                  continue;    /* no 2nd parameter */
              p--;
     -        if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
     +        if (strcmp(buf, "*") == 0 ||
     +            (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                  p++;
                  keylen = 0;
                  for (q = p; *q != '\0' && *q != '\n'; q++)
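Review bot: The wildcard test runs before the exact-identifier comparison and the loop appears to stop at the first line that matches, so a `*` entry placed before a host-specific entry in psk.txt silently shadows it; either document that the wildcard line must be the last one in the file, or search the whole file for an exact identifier match before falling back to `*`. Reordering the two operands of the `||` does not change this, since the shadowing comes from line order, not from which test is evaluated first. The wildcard also bypasses the identifier check entirely: any peer that presents the key on that line is accepted regardless of its ID, so with `remote anonymous` that key is a single group secret shared by every client. getpsk() begins and continues outside the hunk, so the first-match return is inferred from the surrounding code, not visible here.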

Here's my /usr/local/etc/racoon/racoon.conf:

     # racoon (IKEv1) responder for road-warrior clients: any peer address
     # is accepted and authenticated by pre-shared key.
     listen
     {
             isakmp           external_vps_ip [500];
             isakmp_natt      external_vps_ip [4500];
             # refuse to start unless the two addresses above can be bound
             strict_address;
     }
     # Matches every initiator. In main mode with PSK the responder has to
     # select the key before it has seen the peer's identity, which is why
     # the wildcard getpsk() patch above is needed for clients on changing
     # addresses -- all of them therefore share one secret.
     remote anonymous
     {
             exchange_mode    main;
             # responder only: never initiate a negotiation
             passive          on;
             # "obey": take the initiator's proposal (lifetime, PFS) as-is
             proposal_check   obey;
             support_proxy    on;
             nat_traversal    on;
             ike_frag         on;
             # dead-peer-detection request interval, seconds
             dpd_delay        20;
             # Two phase-1 proposals, tried in order. Both use 1024-bit DH
             # (modp1024); that is the only group offered.
             proposal
             {
                     encryption_algorithm  aes;
                     hash_algorithm        sha1;
                     authentication_method pre_shared_key;
                     dh_group              modp1024;
             }
             proposal
             {
                     encryption_algorithm  3des;
                     hash_algorithm        sha1;
                     authentication_method pre_shared_key;
                     dh_group              modp1024;
             }
     }
     # Phase-2 (IPsec SA) parameters for any selector; PFS is requested.
     sainfo anonymous
     {
             encryption_algorithm     aes,3des;
             authentication_algorithm hmac_sha1;
             compression_algorithm    deflate;
             pfs_group                modp1024;
     }

/usr/local/etc/racoon/setkey.conf:

     # IPsec policy: clear the SAD/SPD, then require ESP in transport mode
     # around every L2TP (UDP/1701) packet in both directions. Because the
     # policy level is "require", clear-text L2TP should be dropped by the
     # kernel even though pf.conf below passes port 1701.
     flush;
     spdflush;
     # NOTE: each spdadd below is a single statement; the break after
     # "ipsec" looks like mail-client wrapping, not part of the file.
     spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec 
esp/transport//require;
     spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec 
esp/transport//require;

/usr/local/etc/mpd5/mpd.conf:

     # mpd5 L2TP server. The L2TP channel itself is protected by the
     # transport-mode ESP policy in setkey.conf; mpd only sees the
     # decrypted UDP/1701 traffic.
     startup:
             # management credentials are stored here in clear text; the
             # console and web UI are bound to loopback only
             set user super pwSuper admin
             set console self 127.0.0.1 5005
             set console open
             set web self 127.0.0.1 5006
         set web user admin pwSuper
             set web open
     default:
             load l2tp_server
     l2tp_server:
             # client address pool: 71 addresses, 192.168.99.30-.100
             set ippool add pool_l2tp 192.168.99.30 192.168.99.100
             create bundle template B_l2tp
             set iface enable proxy-arp
             set iface enable tcpmssfix
             # NOTE(review): adds a default route over each bundle's ng
             # interface when it comes up -- the usual client-side setting.
             # On a server it competes with the host's own default route
             # via xn0; confirm this is intended.
             set iface route default
             set ipcp yes vjcomp
             set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
             set ipcp dns 8.8.8.8
             create link template L_l2tp l2tp
             set link action bundle B_l2tp
             set link enable multilink
             # CHAP only: PAP, CHAP and EAP are cleared, then CHAP re-enabled
             set link no pap chap eap
             set link enable chap
             # 0 0 disables LCP echo keep-alives
             set link keep-alive 0 0
             set link mtu 1280
             # listen for L2TP on the public address
             set l2tp self external_vps_ip
             set l2tp enable length
             set link enable incoming

/etc/sysctl.conf:

     # Route between xn0 and the VPN ng interfaces. rc.conf's
     # gateway_enable="YES" also sets net.inet.ip.forwarding, so that line
     # is redundant but harmless. IPv6 forwarding is on even though the VPN
     # hands out IPv4 addresses only.
     # NOTE(review): net.pfil.forward concerns pfil hooks on the forwarding
     # path -- confirm its effect on this release with sysctl -d.
     net.pfil.forward=1
     net.inet.ip.forwarding=1
     net.inet6.ip6.forwarding=1

/etc/rc.conf:

     hostname="vps.domain.ext"
     # two DHCP interfaces; only xn0 is used by the VPN (ext_if in pf.conf)
     ifconfig_re0="DHCP"
     ifconfig_xn0="DHCP"
     ifconfig_xn0_ipv6="inet6 accept_rtadv"
     ifconfig_re0_ipv6="inet6 accept_rtadv"
     sshd_enable="YES"
     ntpd_enable="YES"
     dumpdev="AUTO"
     nginx_enable="YES"
     linux_enable="YES"
     # NOTE(review): ipfw (type OPEN, i.e. allow everything) and pf are
     # both enabled in this file; with two filters loaded it is easy to
     # misattribute NAT/forwarding behaviour. Confirm both are intended.
     firewall_enable="YES"
     firewall_script="/etc/rc.firewall"
     firewall_type="OPEN"
     firewall_quiet="NO"
     firewall_logging="YES"
     # load the SPD from setkey.conf at boot, then start the IKE daemon;
     # racoon writes its log to /var/log/racoon.log (-l)
     ipsec_enable="YES"
     ipsec_program="/usr/local/sbin/setkey"
     ipsec_file="/usr/local/etc/racoon/setkey.conf"
     racoon_enable="YES"
     racoon_flags="-l /var/log/racoon.log"
     mpd_enable="YES"
     pf_enable="YES"
     pf_rules="/etc/pf.conf"
     pflog_enable="YES"
     pflog_logfile="/var/log/pflog"
     # same effect as net.inet.ip.forwarding=1 in sysctl.conf
     gateway_enable="YES"


/etc/pf.conf

     # pf: NAT the VPN pool out of xn0 and admit IKE, NAT-T, L2TP and ESP.
     # There is no block rule, so anything not listed is passed by pf's
     # default; ipfw (enabled in rc.conf) runs alongside this ruleset.
     ext_if = "xn0"
     vpn_net = "{192.168.99.0/24}"
     nat on $ext_if inet from $vpn_net to any -> $ext_if
     # UDP/1701 is admitted from anywhere; the SPD in setkey.conf still
     # requires ESP around it, so clear-text L2TP should not reach mpd.
     pass in on $ext_if inet proto udp from any to (self) port { 1701, 
500, 4500 }
     pass in on $ext_if inet proto esp
     # NOTE(review): only ng0-ng3 are listed, while the mpd pool hands out
     # up to 71 addresses, so a fifth concurrent client (ng4) is not covered
     # by these quick rules. An interface group (e.g. "on ng", if the
     # ng_iface devices join that group) would cover all of them.
     pass quick on ng0 all
     pass quick on ng1 all
     pass quick on ng2 all
     pass quick on ng3 all


