Hello
I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server, so that when I'm on untrusted networks I can route all of my traffic through it.
I have it set up so that a Mac OS X 10.9 client can connect to the VPN using a PSK plus username and password. The VPN itself connects without issues; however, the client cannot reach the internet: its traffic goes into the tunnel but never comes out on the other side. When the VPN is disconnected, the client has internet access again.
I'm running FreeBSD 10.0-RELEASE on a VPS (Xen HVM), using racoon (from ipsec-tools) for IKE and mpd5 for L2TP. I've compiled a new kernel based on GENERIC with the following extra options:
I've installed ipsec-tools and mpd5 from ports and applied the following patch to racoon so that a `*` entry in psk.txt matches any peer (in main mode the PSK is looked up by the peer's address before its identity is known, and road-warrior clients have no fixed address):
Here's my /usr/local/etc/racoon/racoon.conf:
/usr/local/etc/racoon/setkey.conf:
/usr/local/etc/mpd5/mpd.conf:
/etc/sysctl.conf:
/etc/rc.conf:
/etc/pf.conf:
I want to set up a FreeBSD IPsec/L2TP road-warrior VPN server, so that when I'm on untrusted networks I can route all of my traffic through it.
I have it set up so that a Mac OS X 10.9 client can connect to the VPN using a PSK plus username and password. The VPN itself connects without issues; however, the client cannot reach the internet: its traffic goes into the tunnel but never comes out on the other side. When the VPN is disconnected, the client has internet access again.
I'm running FreeBSD 10.0-RELEASE on a VPS (Xen HVM), using racoon (from ipsec-tools) for IKE and mpd5 for L2TP. I've compiled a new kernel based on GENERIC with the following extra options:
Code:
# VPN
# IPsec itself, plus NAT-T (UDP encapsulation of ESP on port 4500) so that
# clients behind NAT can connect; racoon.conf turns nat_traversal on to match.
options IPSEC
options IPSEC_NAT_T
# crypto(4) supplies the ciphers/HMACs used by ESP; enc(4) is the pseudo
# interface on which packet filters can see IPsec traffic.
device crypto
device enc
# Firewall & NAT for VPN
# IPSEC_FILTERTUNNEL filters tunnel-mode packets on their inner addresses.
# NOTE(review): setkey.conf below only installs transport-mode policies, so
# this option presumably has no effect on this setup — confirm.
options IPSEC_FILTERTUNNEL
# ipfw with in-kernel NAT (libalias) and divert sockets.
# NOTE(review): rc.conf also enables pf, and pf.conf is where the VPN NAT
# actually lives. Two packet filters on the same path is legal (ipfw runs
# with the "OPEN" ruleset) but doubles the places a packet can be dropped;
# consider keeping only the one that is doing work.
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options LIBALIAS
options IPDIVERT
I've installed ipsec-tools and mpd5 from ports and applied the following patch to racoon so that a `*` entry in psk.txt matches any peer (in main mode the PSK is looked up by the peer's address before its identity is known, and road-warrior clients have no fixed address):
Code:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2014-03-29 11:17:32.000000000 +0200
+++ src/racoon/localconf.c 2014-03-29 11:18:09.000000000 +0200
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0 ||
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
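Review bot: The new condition accepts any psk.txt line whose first field is literally `*`, and since this loop appears to stop at the first matching line (the rest of getpsk is outside the hunk, so this is inferred from the original exact-match branch), a `*` line placed above host-specific entries silently shadows them. Either state the ordering requirement next to the check, e.g. `/* "*" matches every peer; it must be the last entry or it hides the specific ones */`, or remember the wildcard key and fall back to it only after the whole file has been scanned without an exact match. This is the intended road-warrior behaviour, but it turns the `*` key into a group secret handed to whoever connects, so keep psk.txt root-only (mode 0600) and make that key long and random. The getpsk function begins and ends outside this hunk.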
Here's my /usr/local/etc/racoon/racoon.conf:
Code:
# Bind IKE only to the VPS's public address (external_vps_ip is a
# placeholder): UDP/500 for plain ISAKMP, UDP/4500 for NAT-T.
# strict_address makes racoon refuse to start rather than silently bind
# fewer addresses if one of them is not configured.
listen
{
isakmp external_vps_ip [500];
isakmp_natt external_vps_ip [4500];
strict_address;
}
# Phase 1 for any peer address (road warriors). In main mode the PSK is
# needed before the peer's identity is readable, so racoon keys psk.txt by
# source address — hence the wildcard patch.
# NOTE(review): a single PSK shared by every client is a group secret: any
# client that knows it can also pose as this gateway towards the other
# clients. For more than a handful of users prefer certificate (rsasig)
# authentication; PSK here is the "something you have" only in name.
remote anonymous
{
exchange_mode main;
# Never initiate; wait for clients.
passive on;
# Accept the initiator's proposed lifetimes instead of insisting on ours.
proposal_check obey;
# Lets the peer's phase-2 IDs differ from its visible address, which
# presumably is what L2TP clients behind NAT send — confirm.
support_proxy on;
# UDP encapsulation on 4500 for clients behind NAT (kernel: IPSEC_NAT_T).
nat_traversal on;
# Fragment large IKE messages at the IKE layer.
ike_frag on;
# Dead peer detection every 20 s; LCP keep-alive is off in mpd.conf, so
# this is what notices a vanished client.
dpd_delay 20;
# Offered in this order. "aes" without a length presumably means a
# 128-bit key. NOTE(review): 1024-bit DH (modp1024) and 3DES are the
# weakest options still widely accepted; keep them only for client
# compatibility and prefer modp2048 if the clients negotiate it.
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase 2 (ESP) for any selector: AES preferred, 3DES as fallback,
# HMAC-SHA1 integrity, IPComp/deflate offered, and PFS required with the
# same 1024-bit group as phase 1.
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
/usr/local/etc/racoon/setkey.conf:
Code:
# Drop stale SAs and policies from a previous run before installing ours.
flush;
spdflush;
# Require ESP in transport mode around every UDP/1701 (L2TP) packet in
# both directions. "require" means a plaintext L2TP packet is discarded,
# so mpd5 is only reachable through an established IPsec SA even though
# pf.conf lets UDP/1701 in. IPv4 only; no IPv6 policy is installed.
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
/usr/local/etc/mpd5/mpd.conf:
Code:
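# Management interfaces. Both bind to loopback only, but the admin password
# is stored here in clear text, so keep this file readable by root only.
startup:
	set user super pwSuper admin
	set console self 127.0.0.1 5005
	set console open
	set web self 127.0.0.1 5006
	set web user admin pwSuper
	set web open

default:
	load l2tp_server

l2tp_server:
	# Addresses handed out to clients (up to 71 concurrent sessions).
	set ippool add pool_l2tp 192.168.99.30 192.168.99.100
	create bundle template B_l2tp
	set iface enable proxy-arp
	# Clamp TCP MSS so client TCP sessions fit the 1280-byte link MTU.
	set iface enable tcpmssfix
	# NOTE(review): "set iface route default" was removed from this template.
	# It asks mpd to install THIS host's default route through a client's
	# ng interface whenever a bundle comes up — a client-side directive. On a
	# server it either fails (a default route already exists) or, if it
	# succeeds, sends every forwarded packet back into that tunnel, which is
	# exactly "traffic won't leave the VPN". Mac OS X decides on its own side
	# whether to send all traffic through the tunnel; the server has no say.
	set ipcp yes vjcomp
	# Local side taken from 192.168.99.0/24, peers from the pool.
	# NOTE(review): server examples usually give one fixed /32 here
	# (e.g. 192.168.99.1/32) — confirm which local address mpd picks from a /24.
	set ipcp ranges 192.168.99.0/24 ippool pool_l2tp
	set ipcp dns 8.8.8.8
	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link enable multilink
	# CHAP only (no PAP, no EAP). User credentials are not in this file;
	# presumably they live in mpd.secret — keep that file root-only too.
	set link no pap chap eap
	set link enable chap
	# LCP echo disabled; liveness comes from IKE dead-peer detection
	# (dpd_delay in racoon.conf).
	set link keep-alive 0 0
	set link mtu 1280
	# Accept L2TP only on the public address (placeholder, same as racoon).
	set l2tp self external_vps_ip
	set l2tp enable length
	set link enable incoming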
/etc/sysctl.conf:
Code:
# Let the pfil hooks (pf) see forwarded packets.
# NOTE(review): confirm this OID exists on 10.0-RELEASE; an unknown OID is
# reported at boot and skipped, which would leave pf blind to forwarded
# VPN traffic.
net.pfil.forward=1
# Route between the per-client ng* interfaces and xn0
# (gateway_enable="YES" in rc.conf sets the same IPv4 knob at boot).
net.inet.ip.forwarding=1
# NOTE(review): IPv6 forwarding is on although nothing in this setup
# carries IPv6 through the tunnel (the L2TP pool and the pf NAT are IPv4
# only). That does not give clients IPv6 via the VPN; on a dual-stack
# untrusted network the client's own IPv6 traffic may bypass the tunnel
# unless the client disables it — handle that on the client side.
net.inet6.ip6.forwarding=1
/etc/rc.conf:
Code:
hostname="vps.domain.ext"
# NOTE(review): pf.conf and mpd.conf only refer to xn0 (the Xen PV NIC);
# re0 looks like a leftover from another machine — confirm it exists here.
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
# NOTE(review): accepting router advertisements while
# net.inet6.ip6.forwarding=1 (sysctl.conf) may not yield a v6 default
# route on FreeBSD — verify with "netstat -rn -f inet6" if IPv6 matters.
ifconfig_xn0_ipv6="inet6 accept_rtadv"
ifconfig_re0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
nginx_enable="YES"
linux_enable="YES"
# ipfw with the stock "OPEN" ruleset, i.e. it passes everything and only
# logs. pf (below) is the second packet filter on the same path; the VPN
# NAT is done in pf.conf, so ipfw is currently doing no useful work.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
# IPsec policy (SPD) loaded with setkey at boot from racoon's directory,
# then racoon for IKE, logging to its own file.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# L2TP/PPP server.
mpd_enable="YES"
# pf: NAT for the VPN clients and the pass rules for IKE/ESP/L2TP.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# IPv4 forwarding (same effect as net.inet.ip.forwarding=1 in sysctl.conf).
gateway_enable="YES"
/etc/pf.conf:
Code:
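ext_if  = "xn0"
vpn_net = "{192.168.99.0/24}"

# Masquerade VPN clients behind the external address. The parentheses in
# ($ext_if) make pf re-read the interface's address whenever it changes;
# xn0 is configured by DHCP (rc.conf), and a bare $ext_if is expanded only
# once when the ruleset is loaded, so a renewed lease would leave the NAT
# pointing at a stale address.
nat on $ext_if inet from $vpn_net to any -> ($ext_if)

# IKE (500), IKE NAT-T (4500) and L2TP (1701). A plaintext UDP/1701 packet
# from the internet is discarded by the "require" policy in setkey.conf
# before pf's verdict matters; this rule presumably covers the packet as
# it is re-injected after ESP decryption — confirm with pflog.
pass in on $ext_if inet proto udp from any to (self) port { 1701, 500, 4500 }
pass in on $ext_if inet proto esp

# Per-client PPP interfaces. NOTE(review): this ruleset has no "block"
# rule, so pf's default is to pass and these rules change nothing today.
# If a default block is added later, remember that the mpd pool allows
# many more concurrent clients than ng0-ng3.
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all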