I set up a PPTP VPN server on my remote server using pptpd. I can connect to it from my mobile phone (a MEIZU MX5), but connecting from Ubuntu's built-in VPN client failed: the pptp binary crashed. So I decided to use openswan to connect to my VPN server instead.
First, we should remove the pre-installed strongswan:
```sh
sudo apt remove strongswan
```
Then we download the source code from the official openswan site. Ubuntu has no package for openswan, so we need to build one ourselves. Some build dependencies must be installed first, such as libgmp, bison and flex; then we can unpack the source, build and install openswan. We also need xl2tpd.
```sh
wget   # URL of openswan-latest.tar.gz from the openswan site (not given in the original)
tar xf openswan-latest.tar.gz -C ../src
sudo apt-get install libgmp-dev
sudo apt-get install bison
sudo apt-get install flex
cd ../src
make programs
sudo make install
sudo apt install xl2tpd
```
Now we can set up the configuration: first IPsec, then L2TP. We use a pre-shared key (PSK). There are two config files, ipsec.conf and ipsec.secrets, and both the server and the client must be configured.
The ipsec.conf of the server:
```
# /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    plutodebug=all
    plutostderrlog=/var/log/openswan.log

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=172.31.129.70
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
```
Here is the ipsec.conf of the client:
```
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
    protostack=netkey

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=47.90.122.28
    rightprotoport=17/1701
    rightid=172.31.129.70
```
ipsec.secrets holds the PSK. The server one is:
```
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
172.31.129.70 %any : PSK '123456'
```
The client one is:
```
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
%any %any : PSK '123456'
```
Let me explain ipsec.secrets first. The first field is the left (local) IP, the second is the right (remote) IP; %any matches any IP. My client uses %any for both, because my PC gets its IP by DHCP and the IP may change, so %any is convenient. The most important thing to note is that the key must be enclosed in single quotes, as above.
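As an added example (not part of the original post), here is a small set of shell helpers that build an ipsec.secrets entry in the format described above, but with a randomly generated key instead of '123456', with the mandatory single quotes checked, and with the file written mode 0600. The function names are my own; the addresses are the ones used in the post.

```shell
# Added example, not from the original post: build an ipsec.secrets entry in
# the format the post describes (left-id right-id : PSK 'secret'), but with a
# randomly generated secret instead of '123456', the single quotes the post
# says are mandatory, and a file mode that keeps the key readable by root only.

# 32 random bytes, base64 encoded: no whitespace or single quotes can appear.
new_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# psk_secrets_line LEFT RIGHT SECRET  ->  "LEFT RIGHT : PSK 'SECRET'"
# Refuses a secret containing a single quote, which would break the quoting.
psk_secrets_line() {
    case $3 in
        *"'"*) echo "secret must not contain a single quote" >&2; return 1 ;;
    esac
    printf "%s %s : PSK '%s'\n" "$1" "$2" "$3"
}

# check_secrets_line LINE: 0 if the line has two ids, PSK and a quoted key.
check_secrets_line() {
    case $1 in
        *" "*" : PSK '"*"'") return 0 ;;
        *) return 1 ;;
    esac
}

# write_ipsec_secrets FILE LEFT RIGHT SECRET: write one entry, mode 0600
# (the umask applies only inside the subshell, so the caller is unaffected).
write_ipsec_secrets() {
    ( umask 077 && psk_secrets_line "$2" "$3" "$4" > "$1" )
}

# Server side, as in the post: the server's local address on the left and
# any peer on the right. The client side would use '%any %any' instead.
# write_ipsec_secrets /etc/ipsec.secrets 172.31.129.70 %any "$(new_psk)"
```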
Now ipsec.conf, which is quite overwhelming for a newbie. We must know how to debug it, so that when the configuration is wrong we can see what happened. To enable debug output, add
```
plutodebug=all
plutostderrlog=/var/log/openswan.log
```
to the config setup section. Then `tail -f /var/log/openswan.log` shows the negotiation in detail.
Honestly, I only know a little about the options of ipsec.conf. I used the debug method above to find a working setting: when an error occurred, I searched for the error string and found a solution online.
I ran into two problems while configuring ipsec.conf; I list them here in the hope that they help. The other options are common and can be looked up online.
The first error is:
```
003 "L2TP-PSK" #1: we require peer to have ID 'xx.90.122.xx', but peer declares '172.31.129.70'
218 "L2TP-PSK" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
```
Because the server is behind NAT, its public IP differs from its local IP, so we must set the `rightid` option by adding a line to the client's ipsec.conf:
```
rightid=172.31.129.70
```
If it is not specified, the default is the same as the `right` option.
The second error is an INVALID ID on the server:
```
state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION whack_fd: 4294967295
```
I guessed the reason is the same as for the previous error: my client is also behind NAT. So I tried adding
```
nat_traversal=yes
```
to the config setup section of the client's ipsec.conf, and thank god, that works.
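The two failures above are easy to miss in a `plutodebug=all` log. As an added example (my own code, not from the post), this shell function scans the pluto log for exactly those two messages and prints the configuration change each one points to; the sample log is constructed from the lines quoted above.

```shell
# Added example, not part of the original post: scan openswan's pluto log for
# the two INVALID_ID_INFORMATION failures the post ran into and print the
# configuration fix each one points to. The sample log below is constructed
# from the messages quoted in the post (addresses are the post's placeholders).

# triage_openswan_log FILE
# Prints one hint per matching line; returns 1 if no known failure was found.
triage_openswan_log() {
    found=0
    q="'"
    while IFS= read -r line; do
        case $line in
            *"we require peer to have ID"*"but peer declares"*)
                # Client side: the server sits behind NAT and identifies itself
                # with its private address; pin that ID with rightid= in the conn.
                declared=${line##*peer declares $q}
                declared=${declared%%$q*}
                echo "client: add 'rightid=$declared' to the conn section"
                found=1 ;;
            *STATE_QUICK_R0*INVALID_ID_INFORMATION*)
                # Server side: the client is behind NAT as well; the post's fix
                # was nat_traversal=yes in the client's 'config setup'.
                echo "server: peer behind NAT, set 'nat_traversal=yes' in config setup on the client"
                found=1 ;;
        esac
    done < "$1"
    [ "$found" -eq 1 ]
}

# Constructed sample log with the three lines quoted in the post.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
003 "L2TP-PSK" #1: we require peer to have ID 'xx.90.122.xx', but peer declares '172.31.129.70'
218 "L2TP-PSK" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION whack_fd: 4294967295
EOF
triage_openswan_log "$sample_log"
rm -f "$sample_log"
```

Run it against the real file with `triage_openswan_log /var/log/openswan.log`; the path is the one set by `plutostderrlog` above.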
The connection can be initiated by either side, but usually it is the client. So we can change the `auto` option to `setup`, which means the negotiation starts automatically when ipsec starts. If it is `add`, ipsec only loads the connection, and we must start the negotiation with the following command:
```sh
sudo ipsec auto --up L2TP-PSK
```
The L2TP config is very simple. Now let me show the xl2tpd client config files; for the server config, refer to my previous article.
There are two config files here. /etc/xl2tpd/xl2tpd.conf for xl2tpd:
```
[global]

[lac vpn-connection]
lns = xx.90.122.xx
require authentication = yes
require chap = yes
refuse pap = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
```
`lac` (L2TP Access Concentrator) specifies that this is an L2TP client; `lns` specifies the server IP address.
/etc/ppp/options.l2tpd.client for ppp:
```
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name xxx
password xxx
```
You can also specify the name and password in /etc/ppp/chap-secrets.
We can also debug L2TP by running `xl2tpd -D` directly; all logs go to the console, which is very helpful when an error occurs. Now we can dial L2TP by running:
```sh
echo 'c vpn-connection' > /var/run/xl2tpd/l2tp-control
```
Note the file permissions here: make sure the user has the right to write to this control pipe; if not, grant it with `sudo chmod`.
The last step is to set the default route to ppp0. We must first route the VPN server through the non-VPN connection, or your network will go down.
```sh
ip route add xx.90.122.xx/32 via 192.168.0.1
ip route change default via 10.0.0.1 dev ppp0
```
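As an added example (my own script, not from the post), the two route commands above wrapped so that the host route is always installed first and the default route is rolled back if the switch fails; it assumes the addresses used in the post and a DRY_RUN variable that I introduce to print the commands instead of running them.

```shell
# Added example, not from the original post: pin a host route to the VPN
# server through the LAN gateway before moving the default route onto ppp0,
# so the IPsec/L2TP packets themselves are never sent into the tunnel.
# Addresses are the post's. With DRY_RUN=1 the ip commands are printed
# instead of executed (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Gateway of the current default route, e.g. 192.168.0.1 (empty if none).
current_gateway() {
    ip -4 route show default | awk '/default via/ { print $3; exit }'
}

# switch_default_to_vpn SERVER GATEWAY VPN_GW DEV
#   SERVER   public IP of the VPN server (47.90.122.28 in the post)
#   GATEWAY  LAN gateway the server must stay reachable through
#   VPN_GW   peer address inside the tunnel (10.0.0.1 in the post)
#   DEV      PPP interface created by xl2tpd (ppp0)
switch_default_to_vpn() {
    server=$1; gateway=$2; vpn_gw=$3; dev=$4
    # Step 1: the host route. 'replace' is idempotent, unlike 'add', which
    # fails with "File exists" when the route is already there.
    run ip route replace "$server/32" via "$gateway" || return 1
    # Step 2: move the default route into the tunnel; undo step 1 on failure
    # so the host is left exactly as it was.
    if ! run ip route change default via "$vpn_gw" dev "$dev"; then
        run ip route del "$server/32" via "$gateway"
        return 1
    fi
}

# restore_default SERVER GATEWAY: undo both routes once the tunnel is gone.
restore_default() {
    run ip route change default via "$2"
    run ip route del "$1/32" via "$2"
}

# Usage (as root): switch_default_to_vpn 47.90.122.28 "$(current_gateway)" 10.0.0.1 ppp0
```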
Further reading