Niels' Blog
A Dutch techie in China
Linux L2TP/IPSec with iPhone and Mac OS/X clients
Author: niels23 Apr
After moving to China I ran into a few issues that got me to install a VPN. Namely:
- Latency. I frequently use SSH to access remote servers in US and EU and for some reason the latency here is terrible. Running SSH over a VPN seems to resolve this. A nice bonus is that idle sessions aren’t timed out (which they otherwise would with a little help of China’s Great Firewall.)
- Location aware websites. A number of websites will adjust their content based on your location. This is fine if you’re able to adjust it manually, but many of these websites don’t allow this as they are trying to restrict content to US and/or EU users. (Which just so happens to be the content I’m looking for.)
- Blocked websites. Although most websites that are blocked in China are not of particular interest to me, the GFW will occasionally put a ban on sites that I do like to use.
After using OpenVPN for a while I got mildly annoyed by:
- High CPU usage (99%) on Ubuntu systems after running it for extended periods of time.
- Not being able to use it on OS/X very easily or on my iPhone at all.
This made me switch to IPSec instead. IPSec requires a little more effort to configure but it has proven rock solid and cross-platform in several of my past projects. Having used Freeswan and Openswan before, I now decided to use Strongswan instead as it requires no kernel tweaks on Debian/Ubuntu making the installation a matter of minutes. (This is well documented on www.strongswan.org and I know you’re just here to read about the iPhone, so I won’t go into that now. 
Making IPSec work with iPhone and OS/X’s native clients requires installing an L2TP daemon.
First the fairly standard Strongswan configuration:
/etc/ipsec.conf:
config setup
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
nat_traversal=yes
charonstart=yes
plutostart=yes
conn L2TP
authby=psk
pfs=no
rekey=no
type=tunnel
esp=aes128-sha1
ike=aes128-sha-modp1024
left=your.ip.goes.here
leftnexthop=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnetwithin=0.0.0.0/0
auto=add
/etc/ipsec.secrets:
your.ip.goes.here %any: PSK "yoursharedkeygoeshere"
As you can see we’re enabling nat-traversal and transport mode at the same time. And that’s really the only ‘hack’ we need to do as it’s disabled by default.
On a Debian or Ubuntu system this should get you a long way:
apt-get install build-essential fakeroot dpkg-dev devscripts apt-get source strongswan apt-get install libcurl4-openssl-dev apt-get build-dep strongswan cd strongswan-4.2.4/ dch -i
Now edit debian/rules and change –disable-md5 –disable-sha1 –disable-sha2 to –disable-md5 –disable-sha1 –disable-sha2 –enable-nat-transport and continue:
dpkg-buildpackage -rfakeroot -uc -b dpkg -i ../strongswan_4.2.4-5ubuntu2_i386.deb /etc/init.d/ipsec restart
Alright. IPSec is good to go. Next the L2TP daemon for iPhone and OS/X:
apt-get install xl2tpd
/etc/xl2tpd/xl2tpd.conf:
[global] debug network = yes debug tunnel = yes [lns default] ip range = 10.0.0.200-10.0.0.254 local ip = 10.0.0.1 require chap = yes refuse pap = yes require authentication = yes name = NIELSPEEN.COM ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
10.0.0.0/24 is your local LAN. 10.0.0.200-10.0.0.254 are IP addresses that we can freely assign to the users. 10.0.0.1 is a free IP on your local LAN. (It should not be the IP bound to your LAN interface!)
Note: you don’t need an actual LAN to make this work. In fact, the server I use the above config on is not connected to one.
/etc/xl2tpd/l2tp-secrets:
* * l2tppassworduser1 *
/etc/ppp/options.xl2tpd:
ipcp-accept-local ipcp-accept-remote ms-dns you.dns.ip.here noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000
Great! Now to configure your iPhone:
- Open the Settings app and navigate to General->Network->VPN->Add VPN Configuration…
- Make sure the selected VPN type is L2TP. (Not IPSec.)
- Fill in anything you like for Description.
- Server should be the hostname or IP of the machine you just installed Strongswan and xl2tpd on.
- Account is not checked by xl2tpd. You can give your users a random username.
- RSA SecurID is to be switched OFF.
- Password is the password as put in /etc/xl2tpd/l2tp-secrets.
- Secret is the PSK you’ve put into /etc/ipsec.secrets.
- Send All Traffic is typically turned on.
If, like me, you’re not using this to hook your iPhone to your office network, but want to use the connection to access the Internet, you’ll need to add a masquerading rule to iptables:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
That’s it!
27 Responses for "Linux L2TP/IPSec with iPhone and Mac OS/X clients"
Hi! Great write-up you’ve got here! I’m having a few troubles using this to connect my Mac to my home Ubuntu server, and was wondering if you could help me work through it. Instead of compiling strongswan from source to a package, I simply used
apt-get install strongswan
However, when I try to connect my mac, it says that the connection fails. Keep in mind that I’m testing from my internal network here at home (which may be part of the problem, I dunno). I can show you my logs/configs if necessary. Any help would be appreciated. Thanks!
Like or Dislike:
0 
0
If you don’t build from source, you cannot use the NAT-T feature. This means you’ll have to remove the line:
nat_traversal=yesfrom /etc/ipsec.conf.Without this feature you cannot connect when your Mac is in a NAT environment. (Pretty much all public WiFi and most home and SOHO networks use NAT.)
Feel free to post your configs.
Like or Dislike:
0 
0
Here’s what I get on my mac in the log when I try to connect locally:
Fri Jun 5 14:51:16 2009 : L2TP connecting to server ’192.168.20.30′ (192.168.20.30)…
Fri Jun 5 14:51:19 2009 : L2TP sent SCCRQ
Fri Jun 5 14:51:19 2009 : IPSec connection started
Fri Jun 5 14:51:19 2009 : IPSec phase 1 client started
Fri Jun 5 14:51:19 2009 : IPSec phase 1 server replied
Fri Jun 5 14:51:19 2009 : IPSec phase 1 established
Fri Jun 5 14:51:20 2009 : IPSec phase 2 started
Fri Jun 5 14:51:20 2009 : IPSec phase 2 established
Fri Jun 5 14:51:20 2009 : IPSec connection established
Fri Jun 5 14:51:20 2009 : L2TP sent SCCRQ
Fri Jun 5 14:51:22 2009 : L2TP received SCCRP
Fri Jun 5 14:51:22 2009 : L2TP sent SCCCN
Fri Jun 5 14:51:22 2009 : L2TP sent IRCQ
Fri Jun 5 14:51:22 2009 : L2TP received ICRP
Fri Jun 5 14:51:22 2009 : L2TP sent ICCN
Fri Jun 5 14:51:22 2009 : L2TP connection established.
Fri Jun 5 14:51:22 2009 : using link 0
Fri Jun 5 14:51:22 2009 : Using interface ppp0
Fri Jun 5 14:51:22 2009 : Connect: ppp0 socket[34:18]
Fri Jun 5 14:51:22 2009 : sent [LCP ConfReq id=0x1 ]
…. this line is repeated over and over …
Fri Jun 5 14:51:49 2009 : sent [LCP ConfReq id=0x1 ]
Fri Jun 5 14:51:52 2009 : LCP: timeout sending Config-Requests
Fri Jun 5 14:51:52 2009 : Connection terminated.
Fri Jun 5 14:51:52 2009 : L2TP disconnecting…
Fri Jun 5 14:51:52 2009 : L2TP sent CDN
Fri Jun 5 14:51:52 2009 : L2TP sent StopCCN
Fri Jun 5 14:51:52 2009 : L2TP disconnected
I also did just build from source and install that way. By locally, I mean that I’m trying to connect from the same subnet that my server is on, which in this case is 192.168.20.x
Seems like the problem is with my server being able to effectively communicate with my mac. Which ports do I need to forward on my router to my Ubuntu box? I’ve got 1701 and 500 UDP already there.
Like or Dislike:
0 
0
Great, it seems that the IPSEC part (where most headaches usually come from) works fine. Can you post your Ubuntu logs for xl2tpd?
It seems you may not need the NAT-T feature, but if you do you should also open port 4500/UDP. More importantly however IPSEC uses protocol 50 and 51. Most SOHO routers don’t allow you to open these (often only allow ICMP, TCP and UDP.) Setting your Ubuntu box as the DMZ host may work, but then you’d have to double-check its security as you expose it completely.
Like or Dislike:
0 
0
Keep in mind that this is connecting locally. I’ll try it without the NAT-T feature once I get it working. I can’t seem to find the xl2tpd logs, they are not in /var/log/xl2tpd, nor can I find them anywhere else. Am I not looking in the right place?
So what you’re saying is that I need to open up ports 50,51,500,1701, and 4500? I’ve got a router running dd-wrt, so it shouldn’t be a problem, but is there a difference between opening up “protocol” and opening up “TCP and UDP”?
Thanks so much for all of the help, Niels.
Like or Dislike:
0 
0
If you turned on the debugging for xl2tpd as shown in my config above, you should find its messages in /var/log/syslog.
I understand you connect locally, so the filtering information doesn’t apply until you take one of you machines elsewhere. Nevertheless:
When we talk about UDP 500 we are really talking about protocol 17 (UDP) port 500 (ISAKMP.) Also see your /etc/protocols and /etc/services files for more examples of protocols and of ports on top of TCP/UDP.
UDP (and TCP) use ports by design and as such we can be specific about which ports we open and which we keep closed.
Protocols 50 (IPSEC-ESP) and 51 (IPSEC-AH) don’t use a concept of ports. For our purpose we would simply open these protocols completely.
As mentioned, a lot of SOHO routers don’t support opening protocols other than (parts of) TCP, UDP and ICMP. SOHO routers with a ‘VPN pass-through’ feature will open protocol 50/51 transparently for outgoing connections, but typically don’t allow them for incoming connections.
The NAT-T feature was introduced to work around routers that don’t have a ‘VPN pass-through’ feature. Using NAT-T eliminates the need to use protocol 50 or 51. Opening UDP port 4500 on your router should allow incoming NAT-T connections and enable you to run your Ubuntu VPN server at home without having to open protocols 50/51.
Please note that many consider NAT-T a hack with security and performance implications that you should avoid when possible.
Like or Dislike:
0 
0
it doesn’t work
in syslog on ubuntu server there is nothing, i used your configs. on mac os x client i get this error on ppp.log:
IPSec connection Started
IPSec phase 1 client started
IPSec phase 1 server replied
IPSec phase 1 established
IPSec phase 2 started
IPSec connection failed
have you any ideas?
Like or Dislike:
0 
0
Neils,
quick q before i begin to stryggle through your elegantly documented config! Does this work if your iphone is on a 3G (EDGE) data connection or only if its wi-fi connected???
Thanks gain for the useful (hopefully) article
Like or Dislike:
0 
0
iPhone, both the original and the 3G, 3GS support VPN on GPRS, EDGE and 3G.
Of course it’s possible that your operator blocks VPN’s, but I haven’t run into that myself. I use it successfully with both China Mobile and China Unicom.
Like or Dislike:
0 
0
Hey niels,
Great little tutorial you’ve got here. I can’t manage to get it to work properly though.
It looks like this in the syslog:
Sep 6 10:52:27 ubuntu xl2tpd[4466]: start_pppd: I’m running:
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “/usr/sbin/pppd”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “passive”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “-detach”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “10.0.0.1:10.0.0.200″
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “refuse-pap”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “auth”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “require-chap”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “name”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “mydomain.com”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “debug”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “file”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “/etc/ppp/options.xl2tpd”
Sep 6 10:52:27 ubuntu xl2tpd[4466]: “/dev/pts/1″
Sep 6 10:52:27 ubuntu pppd[4493]: The remote system is required to authenticate itself
Sep 6 10:52:27 ubuntu pppd[4493]: but I couldn’t find any suitable secret (password) for it to use to do so.
If I change “auth” to “noauth” in the /etc/ppp/options.xl2tpd file it will work .. that does however mean that it wont require any correct password.
Any tips? Thanks!
Like or Dislike:
0 
0
How to only use L2TP no with IPSEC , does anyone know ow to use
Like or Dislike:
0 
0
Quick question because I’m running into this issue and I’m not sure why. If I’m not running IPTables is the Masquerade still necessary? I’d love to avoid running a firewall on the server I’ve configured to be my VPN endpoint if at all possible, although if it has to be done the following line should take care of that:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
Like or Dislike:
0 
0
If you want the client to access the Internet, then yes, some MASQUERADING or NAT will be necessary. If you have multiple machines you could use normal routing on the VPN endpoint and do the NAT on another machine.
On a plain iptables the default policies are ACCEPT, so you two INPUT/OUTPUT accept rules would be redundant.
Like or Dislike:
0 
0
Simply don’t install IPSec. The L2TP daemon on Linux doesn’t care about IPSec.
(The L2TP clients on OS/X and Windows however require IPSec.)
Like or Dislike:
0 
0
I tried using your settings verbatim and I keep getting the following line in my “auth.log”:
Oct 5 22:21:14 daedalus pluto[7459]: packet from XXX.XXX.XXX.XXX:500: initial Main Mode message received on YYY.YYY.YYY.YYY:500 but no connection has been authorized with policy=PSK
My StrongSwan settings are literally copy-and-pasted from yours (text-encoding is unix
) with the exception of substituting for the appropriate variables. (I also did compile strongswan with nat-t.)
Any thoughts?
Like or Dislike:
0 
0
Thank you very very much for this excellent howto.
Like or Dislike:
0 
0
Hi Niels,
Just wanted to thank you for this excellent post, the instructions got me up and running with my iPhone, I’m really happy!
On Ubuntu 9.10 I had to install the four strongswan-* packages which I built, and also ipsec-tools has been added as a dependency. I also had to use /etc/ppp/chap-secrets as the secret file instead of /etc/xl2tp/l2tp-secrets.
Many thanks once again, this post was really appreciated,
regards,
oliver.
Like or Dislike:
2 
0
Niels,
Thanks for the great write up. I’ve been messing with trying to install a VPN solution on Ubuntu server 9.1 for 4 days now and I stumbled across your write up last night.
The only line I’m not sure about is…
“Now edit debian/rules and change…”
I don’t have much experience compiling my own code so I’ll appologize upfront. I can install and configure packages with the best of them though (-;
Thanks,
Kristofer
Like or Dislike:
0 
0
To add to all the other praise, thanks for the excellent how-to. I like Oliver Gorwits found that secrets needed to be kept in chaps-secrets file too.
On a related note, I found some strange behaviour in the WiFi department as well. It would seem that when confronted with an ‘open’ WiFi connection, the iPhone seems to make a surreptitious connection back to Apple. If this crashes into a firewall, then the WiFi connection is dropped. I’ve written the circumvention up and stuck it up on the ZOIS web-site. If interested URLs can be posted here, but I don’t want to look like link-spam. M.
Like or Dislike:
0 
0
I’m getting the same error: nitial Main Mode message received on 10.212.183.210:500 but no connection has been authorized with policy=PSK
Any ideas?
Like or Dislike:
0 
0
StrongSwan and L2TP/IPsec on Debian…
Mac OS X and other operating systems are using L2TP/IPsec for VPN connections. I’m running StrongSwan as my IPsec stack of choice, so I wanted to setup a VPN between my Debian lenny server and OS X as my roadwarrior. There’s a nice howto on nielspeen…
Like or Dislike:
0 
0
[...] Shared Linux L2TP/IPSec with iPhone and Mac OS/X clients | Niels’ Blog. [...]
Like or Dislike:
0 
0
Hi Niels!
Thanks so much for such a good blog! I’m so glad I finally found that page!
I’m a real noob in Linux and I run into several issues:
First I can’t find the package libcurl4-openssl-dev:
s15364949:~# apt-get install libcurl4-openssl-dev
Reading package lists… Done
Building dependency tree… Done
E: Couldn’t find package libcurl4-openssl-dev
Second, there is no such directory as strongswan-4.2.4/
In my case, there is only strongswan-2.8.0+dfsg, can it work as well?
Finally, I’m not sure what u mean by “edit debian/rules” ?
Thx you so much for your attention!!! I would really appreciate your help!!
Best regards
Like or Dislike:
0 
0
I think you’re using a very old version of Debian. If possible, please upgrade to a more recent version.
Like or Dislike:
1 
0
I can’t get this to work for the life of me, even though it should be! Here’s the log..
Aug 15 12:48:13 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #1: responding to Main Mode from unknown peer 192.168.2.6
Aug 15 12:48:13 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
Aug 15 12:48:13 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #1: Peer ID is ID_IPV4_ADDR: ’192.168.2.6′
Aug 15 12:48:13 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #1: sent MR3, ISAKMP SA established
Aug 15 12:48:13 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 15 12:48:14 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #2: responding to Quick Mode
Aug 15 12:48:14 obama pluto[23456]: “L2TP”[1] 192.168.2.6 #2: IPsec SA established {ESP=>0×08809321 <0x3e1993d2}
yet iphone says vpn server did not respond.. testing over wifi on local lan with no firewall up for testing purposes
Like or Dislike:
0 
0
xl2tpd wasn’t started. no matter how hard you try, you will always overlook the little things.
Like or Dislike:
0 
0
Thank you for the great howto. Running Ubuntu 8.10 and have everything nearly working. The VPN connection is established and I am able to hit both the eth0 and ppp0 (10.0.0.1) IPs of the server from my phone. I have not however had any luck with masquerading to other public addresses. There are no iptables rules in place and the suggested line above was run. Any thoughts?
Like or Dislike:
0 
0
Leave a reply