1 Objective and Limitations
Utilizing net/mpd5 and security/ipsec-tools, an L2TP/IPsec VPN dial-in server shall be set up on FreeBSD 8.2-RELEASE. Mobile clients shall be able to connect from any IP in the world using Pre-Shared Key authentication (Wildcard PSK).
This setup has been proven to work with Mac OS X and iOS clients. It works well with both the server and the client sitting behind NATs. Multiple clients may connect at the same time. However, a bug in IPsec-SA housekeeping prevents more than one client sitting behind the same NAT, i.e. having the same public IP, from establishing a connection.
I have no experience with FreeBSD and Linux clients.
Update:
The following statement is no longer exactly true: "I was not able to establish a connection with a Windows 7 client ..."
As a matter of fact I achieved Windows 7 connectivity by applying some more patches to ipsec-tools and in addition by patching the kernel. The patches are revealed in post #82, and with the complete set of patches applied, Windows 7 clients can connect from behind NAT using the built-in VPN software, so there is no need to switch to a commercial one. These patches also resolve another issue with all sorts of clients: many clients may now concurrently connect from behind the same NAT to the VPN server.
2 Installation Procedure
Log in as user root.
2.1 Build a Kernel with IPsec support
This is essentially the procedure outlined in Chapter 8.5 of the FreeBSD Handbook. Here I add IPsec support to the GENERIC kernel. My favorite editor is editors/nano; of course, you may do all the necessary editing with any other editor.
Copy the kernel configuration of your present kernel and add the IPsec related options to it. In the following commands, replace "i386" and "GENERIC" as appropriate for your architecture and your present kernel:
cd /usr/src/sys/i386/conf
cp GENERIC GENERIC_IPsec
Then edit the new configuration file, changing the ident parameter (quite at the top of the file) and adding the relevant IPsec options:
nano GENERIC_IPsec
Code:
ident GENERIC_IPsec
Code:
# Options for an IPsec enabled kernel
options IPSEC
options IPSEC_NAT_T
device crypto
Build and install the new kernel. Be prepared for the kernel build to take some time.
cd /usr/src
make buildkernel KERNCONF=GENERIC_IPsec
make installkernel KERNCONF=GENERIC_IPsec
The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel. Now restart your system.
shutdown -r now
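As an added example, not part of the original Howto, the following POSIX sh functions stage the new kernel configuration the way the steps above do, using sed instead of an interactive editor, and verify the result before `make buildkernel` is run. The configuration directory, base name and new name are parameters (assumed, not fixed by the Howto); the option block mirrors the one added above.

```shell
#!/bin/sh
# Added example, not part of the original Howto: stage an IPsec-enabled kernel
# configuration from an existing one and verify it before building.
# Assumed: the conf directory, base name and new name are passed as arguments;
# the option block is the one the Howto adds to GENERIC.

IPSEC_OPTIONS='# Options for an IPsec enabled kernel
options IPSEC
options IPSEC_NAT_T
device crypto'

# prepare_kernconf <confdir> <base> <new>
# Copies <confdir>/<base> to <confdir>/<new>, rewriting the ident line and
# appending the IPsec options. Refuses to overwrite an existing <new>.
prepare_kernconf() {
    confdir=$1; base=$2; new=$3
    [ -f "$confdir/$base" ] || { echo "no such config: $confdir/$base" >&2; return 1; }
    if [ -e "$confdir/$new" ]; then
        echo "refusing to overwrite $confdir/$new" >&2; return 1
    fi
    # BSD and GNU sed disagree on -i, so write to the new file instead of editing in place.
    sed "s/^ident[[:space:]].*/ident $new/" "$confdir/$base" > "$confdir/$new" || return 1
    printf '\n%s\n' "$IPSEC_OPTIONS" >> "$confdir/$new"
}

# verify_kernconf <file> <ident>
# Returns 0 when the file carries the expected ident and each IPsec option
# exactly once (tabs or spaces between keyword and argument are accepted);
# otherwise reports what is wrong on stderr and returns 1.
verify_kernconf() {
    file=$1; ident=$2; rc=0
    grep -q "^ident[[:space:]][[:space:]]*$ident\$" "$file" \
        || { echo "$file: ident is not $ident" >&2; rc=1; }
    for want in options:IPSEC options:IPSEC_NAT_T device:crypto; do
        kw=${want%%:*}; arg=${want#*:}
        n=$(grep -c "^$kw[[:space:]][[:space:]]*$arg\$" "$file" || true)
        [ "$n" -eq 1 ] || { echo "$file: '$kw $arg' appears $n times, expected once" >&2; rc=1; }
    done
    return $rc
}
```

On the server this would be run as `prepare_kernconf /usr/src/sys/i386/conf GENERIC GENERIC_IPsec && verify_kernconf /usr/src/sys/i386/conf/GENERIC_IPsec GENERIC_IPsec` before the build; after the reboot, `uname -i` printing GENERIC_IPsec confirms that the new kernel is the one running.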
2.2 Installation of security/ipsec-tools
Before building and installing ipsec-tools, two additional patch files shall be put into place. The first one fixes racoon frequently logging the warning "unrecognized route message with rtm_type: RTM_GET".
Save the following content as /usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff:
nano /usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff
Code:
diff -rup srca/racoon/grabmyaddr.c srcb/racoon/grabmyaddr.c
--- src/racoon/grabmyaddr.c 2011-03-14 14:18:12.000000000 -0300
+++ src/racoon/grabmyaddr.c 2011-04-25 15:56:41.000000000 -0300
@@ -753,6 +753,7 @@ kernel_handle_message(msg)
case RTM_ADD:
case RTM_DELETE:
case RTM_CHANGE:
+ case RTM_GET:
case RTM_MISS:
case RTM_IFINFO:
#ifdef RTM_OIFINFO
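Review bot: the added `case RTM_GET:` line carries no comment explaining why a route-lookup reply belongs in the same case group as RTM_ADD, RTM_DELETE and RTM_CHANGE; since the visible context does not show what that group does, add a short comment such as `case RTM_GET: /* reply to a route lookup, nothing to do */` and confirm that the shared case body merely ignores RTM_GET rather than triggering an address rescan. Separately, the `diff -rup srca/... srcb/...` line names paths that differ from the `---`/`+++` headers (`src/racoon/grabmyaddr.c`); patch(1) uses the headers, so the patch applies, but the command line should be made to match to avoid confusion.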
@@ -768,7 +769,7 @@ kernel_handle_message(msg)
break;
default:
plog(LLV_WARNING, LOCATION, NULL,
- "unrecognized route message with rtm_type: %d",
+ "unrecognized route message with rtm_type: %d\n",
rtm->rtm_type);
break;
}
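Review bot: the only change here is the trailing `\n` in the plog format string, a formatting fix that is independent of the RTM_GET change in the previous hunk; keeping both in one patch file is acceptable for a local port patch, but a one-line header comment in patch-zz-local-0.diff stating that it carries two unrelated fixes would help whoever rebases it onto a newer ipsec-tools release.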
The second one patches Wildcard-PSK handling into racoon. This issue has been exhaustively discussed elsewhere; the bottom line is that we cannot expect this to enter racoon at any time (soon). Alternatively, mobile clients and the server could be configured using certificates, but that would be a Howto of its own. Anyway, here comes the patch. Save the following content as /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff:
nano /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff
Code:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2008-12-23 12:04:42.000000000 -0200
+++ src/racoon/localconf.c 2011-04-25 15:44:24.000000000 -0300
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0 ||
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
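Review bot: the new `strcmp(buf, "*") == 0` test runs for every line before the exact-identifier test, and since getpsk() stops at the first matching line, a `*` entry placed above a per-IP entry silently shadows that entry. Either state in the Howto that the wildcard line must be the last one in psk.txt, or restructure the lookup to remember the wildcard key and use it only when no exact identifier matched after the loop. Note also that with this patch the wildcard key is offered to any peer that reaches the daemon, so the strength of that single secret becomes the whole authentication boundary.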
Now, build and install security/ipsec-tools.
cd /usr/ports/security/ipsec-tools
make install clean
2.3 Installation of net/mpd5
mpd5 works out of the box, without any patching and without changes to the default configure options, so simply do the following:
cd /usr/ports/net/mpd5
make install clean
3 Configuration
3.1 IPsec Configuration
Racoon expects its configuration file at /usr/local/etc/racoon/racoon.conf. Neither the file nor its directory exists on a fresh installation, so create the directory and save the following content to that file, replacing 192.168.0.1 with the local IP of your server:
mkdir -p /usr/local/etc/racoon
nano /usr/local/etc/racoon/racoon.conf
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen
{
isakmp 192.168.0.1 [500];
isakmp_natt 192.168.0.1 [4500];
strict_address;
}
remote anonymous
{
exchange_mode main;
passive on;
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
You might want to review the options in racoon.conf(5).
Now create the file holding the Pre-Shared Key. Of course, you would replace "Ach_wie_gut,_daß_niemand_weiß,_daß_ich_Rumpelstielzchen_heiß." with your own super secret PSK pass phrase. The * is the wildcard for any IP address. If you did not patch Wildcard PSK handling into racoon as suggested above, you need to put a real IP here; in that case you may have several lines with different IPs and secrets.
nano /usr/local/etc/racoon/psk.txt
Code:
* Ach_wie_gut,_daß_niemand_weiß,_daß_ich_Rumpelstielzchen_heiß.
Then change the access rights to a bare minimum:
chmod 600 /usr/local/etc/racoon/psk.txt
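A check for psk.txt, added here as an example and not part of the original Howto: it verifies the mode set by the chmod above, that every entry has a secret, that secrets meet a minimum length (20 characters is an assumed local policy, not something racoon enforces), that no identifier repeats, and that a `*` wildcard line, which the patched getpsk() matches before any exact identifier, is the last entry so it cannot shadow per-IP keys.

```shell
#!/bin/sh
# Added example, not part of the original Howto: sanity-check racoon's psk.txt
# before starting racoon. Assumed: the "<identifier> <secret>" layout shown
# above; the "*" wildcard only works with the Wildcard-PSK patch applied;
# MIN_SECRET_LEN is a local policy, not something racoon enforces.

MIN_SECRET_LEN=20

# check_psk_file <file>
# Returns 0 when the file is mode 0600, every non-comment line has an
# identifier and a secret, no secret is shorter than MIN_SECRET_LEN, no
# identifier repeats, and a "*" wildcard entry (if any) is the last one.
# Each problem found is printed on its own line; the return value is 1 if any.
check_psk_file() {
    file=$1; rc=0
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    # find(1) with an exact -perm mode behaves the same on BSD and GNU,
    # unlike stat(1), whose flags differ between the two.
    [ -n "$(find "$file" -perm 600)" ] || { echo "$file: mode must be 0600"; rc=1; }
    awk -v min="$MIN_SECRET_LEN" -v f="$file" '
        BEGIN { bad = 0; n = 0; seen_star = 0 }
        /^#/       { next }     # racoon treats lines starting with # as comments
        /^[ \t]*$/ { next }     # blank lines are skipped by getpsk()
        {
            n++
            if (NF < 2) { printf "%s:%d: missing secret\n", f, NR; bad = 1; next }
            # getpsk() takes everything after the first field as the key,
            # so a secret containing spaces is legal; mirror that here.
            secret = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", secret)
            if (length(secret) < min) { printf "%s:%d: secret shorter than %d characters\n", f, NR, min; bad = 1 }
            # getpsk() returns the first match, so nothing after a "*" line is ever consulted
            if (seen_star) { printf "%s:%d: entry after the \"*\" wildcard is never consulted\n", f, NR; bad = 1 }
            if ($1 in ids) { printf "%s:%d: duplicate identifier %s\n", f, NR, $1; bad = 1 }
            ids[$1] = 1
            if ($1 == "*") seen_star = 1
        }
        END {
            if (n == 0) { printf "%s: no entries\n", f; bad = 1 }
            exit bad
        }
    ' "$file" || rc=1
    return $rc
}
```

Run it as `check_psk_file /usr/local/etc/racoon/psk.txt` after editing the file; a zero exit status means the file is safe to hand to racoon, and any non-zero status comes with one diagnostic line per problem.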
Finally the file holding the security policies must be created:
nano /usr/local/etc/racoon/setkey.conf
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
3.2 mpd5 Configuration (see Part II)