#53 FreeBSD 9 L2TPD ipsec (racoon) and mpd5

open
nobody
5
2014-08-17
2012-08-12
dkorzhevin
No

Hello, i configured FreeBSD 9.0 release using
http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD tutorial. I am able
to connect to server from mac os x, but i have 2 problems:

1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with
separate usernames.

Here is my information:

dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about
processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#

kernel compiled with options:

options IPSEC
options IPSEC_NAT_T
device crypto
options IPSEC_FILTERTUNNEL
device enc
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options IPDIVERT

patch /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff
applied to ipsec-tools

dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT
translated, this is the INSIDE IP)
isakmp MYIP [500];
isakmp_natt MYIP [4500];
# NOTE, you can specify multiple IPs to listen on
# isakmp p.q.r.s [500];
# isakmp_natt p.q.r.s [4500];
# strict_address;
}

remote anonymous
{
exchange_mode main;
passive on;
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;

proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}

proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
dkorzhevin#

dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#

dkorzhevin# cat psk.txt
* stidia
MYIP MYPASS
dkorzhevin#

dkorzhevin# ls -la
total 20
drwxr-xr-x 2 root wheel 512 Aug 10 15:02 .
drwxr-xr-x 8 root wheel 512 Aug 10 09:16 ..
-rw------- 1 root wheel 30 Aug 10 11:34 psk.txt
-rw-r--r-- 1 root wheel 1308 Aug 10 14:42 racoon.conf
-rw-r--r-- 1 root wheel 171 Aug 10 14:18 setkey.conf
dkorzhevin#

dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
# configure mpd users
set user super pwSuper admin
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open

default:
load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
set iface enable proxy-arp
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
# Set bundle template to use
set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link no pap chap eap
set link enable chap
set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
set link mtu 1280
# Configure L2TP
set l2tp self MYIP
set l2tp enable length
# Allow to accept calls
set link enable incoming
dkorzhevin#

dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"

natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#

Please help

Discussion