10.0-RELEASE IPSEC/L2TP VPN working however no internet via VPN
Remy van Elst
relst at relst.nl
Sun Mar 30 15:39:08 UTC 2014
Hello
I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server, so that I can
send all my traffic over it when I'm on untrusted networks.
I have it set up so that a Mac OS X 10.9 client can connect to the VPN
using a PSK and username+password. However, the client cannot access the
internet: its traffic won't leave the VPN. When the VPN is disabled, the
internet is accessible again.
I'm running FreeBSD 10.0-RELEASE on a VPS (Xen HVM), using racoon and
mpd5. I've compiled a new kernel based on GENERIC with the following
extra options:
# VPN
# NOTE(review): additions on top of GENERIC for the IPsec/L2TP server. IPSEC_NAT_T
# pairs with nat_traversal/isakmp_natt in racoon.conf below, and enc(4) is what
# makes IPsec packets visible to the packet filter — confirm against NOTES for 10.0.
options IPSEC
options IPSEC_NAT_T
device crypto
device enc
# Firewall & NAT for VPN
# NOTE(review): this builds ipfw support (IPFIREWALL*, LIBALIAS, IPDIVERT) even
# though rc.conf below also enables pf; with firewall_type="OPEN" ipfw passes
# everything, so pf.conf is the effective policy. IPSEC_FILTERTUNNEL concerns
# tunnel-mode packets, while setkey.conf below uses transport mode, so it is
# presumably unneeded here — verify before keeping it.
options IPSEC_FILTERTUNNEL
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options LIBALIAS
options IPDIVERT
I've installed ipsec-tools and mpd5 from ports and applied the following
patch to racoon for wildcard PSK support:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
+++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0 ||
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
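Review bot: With the added `strcmp(buf, "*") == 0` test a `*` line in psk.txt matches every peer, and since getpsk walks the file in order and presumably returns on the first hit, a wildcard line placed before a host-specific line shadows it; the wildcard should be the last entry, and a comment at the added lines would save the next reader, e.g. `/* "*" is a catch-all identifier: keep it as the last line of psk.txt */`. It also means phase 1 accepts any peer that holds the shared wildcard secret, so per-user authentication rests entirely on the CHAP exchange configured in mpd.conf; that is inherent to a road-warrior PSK setup but worth stating in the patch description. getpsk's body begins before and continues past this hunk.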
Here's my /usr/local/etc/racoon/racoon.conf:
# Listen only on the VPS's public address (strict_address makes racoon refuse to
# start if it cannot bind); 4500/udp is the NAT-T port for clients behind NAT.
listen
{
isakmp external_vps_ip [500];
isakmp_natt external_vps_ip [4500];
strict_address;
}
# "anonymous" accepts IKE from any peer address. With main mode and a
# pre-shared key the responder must look the key up before it knows the peer's
# identity — that is what the getpsk wildcard patch above is for.
remote anonymous
{
exchange_mode main;
passive on;
# NOTE(review): obey lets the initiator dictate SA lifetime/PFS; strict would be
# the tighter choice once the client's proposal is known — verify.
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
# Proposals are tried in order: AES first, 3DES as fallback.
# NOTE(review): modp1024 and 3DES are weak by current standards; presumably
# kept for OS X 10.9 compatibility.
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase 2 (IPsec SA) parameters for any peer; deflate = IPComp compression.
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
/usr/local/etc/racoon/setkey.conf:
# Loaded via ipsec_enable/ipsec_file in rc.conf. flush/spdflush drop every
# existing SA and policy first, so reloading this file tears down live tunnels.
flush;
spdflush;
# Require ESP in transport mode around L2TP (udp/1701) in both directions;
# because of "require", plaintext L2TP matching these policies is dropped by
# the kernel. Addresses are wildcarded (0.0.0.0/0) to suit road-warrior clients.
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec
esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec
esp/transport//require;
/usr/local/etc/mpd5/mpd.conf:
startup:
# NOTE(review): the control console/web admin credentials live here in clear
# text; both listeners are bound to 127.0.0.1, so keep this file unreadable to
# other local users.
set user super pwSuper admin
set console self 127.0.0.1 5005
set console open
set web self 127.0.0.1 5006
set web user admin pwSuper
set web open
default:
load l2tp_server
l2tp_server:
# Client addresses come from this pool (192.168.99.30-100, 71 addresses).
set ippool add pool_l2tp 192.168.99.30 192.168.99.100
create bundle template B_l2tp
# NOTE(review): proxy-arp only matters if 192.168.99.0/24 is also a LAN on the
# VPS. "route default" asks mpd to install a default route through each client
# link when it comes up; on a server that would pull the host's own traffic
# into the tunnel if it succeeds — it is normally a client-side setting, so
# confirm it is wanted.
set iface enable proxy-arp
set iface enable tcpmssfix
set iface route default
set ipcp yes vjcomp
set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
# Clients are told to use 8.8.8.8 for DNS rather than a VPS-local resolver.
set ipcp dns 8.8.8.8
create link template L_l2tp l2tp
set link action bundle B_l2tp
set link enable multilink
# PAP/CHAP/EAP are all switched off, then only CHAP re-enabled, so CHAP is the
# sole username+password method offered.
set link no pap chap eap
set link enable chap
set link keep-alive 0 0
set link mtu 1280
# Accept L2TP only on the public address; "length" includes the L2TP length
# field in frames.
set l2tp self external_vps_ip
set l2tp enable length
set link enable incoming
/etc/sysctl.conf:
# Forwarding is required for the VPS to route client traffic out of the tunnel;
# IPv4 forwarding is also switched on by gateway_enable in rc.conf below.
# NOTE(review): IPv6 forwarding is on although nothing in the posted mpd.conf
# assigns IPv6 to clients — verify it is intended. net.pfil.forward presumably
# enables pfil-hook handling of forwarded packets; check sysctl -d on 10.0.
net.pfil.forward=1
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
/etc/rc.conf:
hostname="vps.domain.ext"
# Both NICs take DHCP plus router advertisements. NOTE(review): on Xen HVM xn0
# is presumably the PV NIC and re0 the emulated one; two DHCP leases can each
# try to install a default route — confirm which interface actually carries
# traffic, since pf.conf below assumes xn0.
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
ifconfig_xn0_ipv6="inet6 accept_rtadv"
ifconfig_re0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
nginx_enable="YES"
linux_enable="YES"
# ipfw (compiled into the kernel above) in OPEN mode: it passes everything and
# only logs, so it adds no filtering on top of pf.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
# Load the SPD from setkey.conf with the ports setkey, then start racoon
# logging to /var/log/racoon.log.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
# pf is the filter that actually enforces policy and performs the NAT.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# Duplicates net.inet.ip.forwarding=1 from sysctl.conf (harmless).
gateway_enable="YES"
/etc/pf.conf:
# NOTE(review): there is no block rule anywhere in this file, so pf's default of
# passing everything applies and the pass rules below only become meaningful
# once a default "block" is added.
ext_if = "xn0"
vpn_net = "{192.168.99.0/24}"
# Masquerade client traffic (the mpd5 ippool range) behind the external address.
nat on $ext_if inet from $vpn_net to any -> $ext_if
# IKE (500), IKE NAT-T (4500) and L2TP (1701). NOTE(review): 1701 is opened in
# the clear here; the "require" policy on udp/1701 in setkey.conf is what rejects
# unencrypted L2TP, so that SPD must be loaded for this rule to be safe.
pass in on $ext_if inet proto udp from any to (self) port { 1701,
500, 4500 }
pass in on $ext_if inet proto esp
# One rule per mpd5 interface; only ng0-ng3 are listed, so a fifth concurrent
# client (ng4) is not matched by these — harmless while there is no block rule.
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all