Linux IPSec VPN for Ipad

After about a week of googling and many hours of trial and error, I finally have a working VPN to my server. I can now connect successfully, so I will call it a success, though I may still have to do a little more tweaking to fine-tune it.

There is a lot of information on the web, but finding the right recipe is a bit tricky.

First off, I found out that setting up a VPN on Linux is a PITA. There are plenty of options for the server side: Openswan, FreeS/WAN, strongSwan and OpenVPN. I tried OpenVPN before and used it for a while. OpenVPN runs purely in userspace, so no kernel modules are needed, but most operating systems do not ship a client for it, so one has to install one.

IPsec, on the other hand, is the Linux kernel's own VPN implementation, which brings benefits I can only imagine. The *Swans are essentially the userland daemons that control the kernel modules. There is a lot of misleading information out there, and most of it tells you to install one of the *Swans. I never tried that; I went with a much simpler approach, using just racoon and xl2tpd.

I tried several times to figure out the proper mix of settings for racoon and xl2tpd, but I could never get it right. I was always stuck with xl2tpd closing the connection.

Reading a bit more on the web, I learned that I could ditch xl2tpd altogether and just do pure IPsec. So I did a bit more tweaking and voilà: a much simpler setup with only racoon to contend with.

My racoon config (/etc/racoon/racoon.conf):

log debug;                       # very verbose; lower it once the tunnel works
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote anonymous {
    exchange_mode aggressive,main;
    my_identifier user_fqdn "redacted";
    peers_identifier fqdn "debian";
    dpd_delay 20;                # dead peer detection interval, seconds
    ike_frag on;                 # allow IKE fragmentation for large phase 1 messages
    nat_traversal on;            # clients are usually behind NAT
    passive on;                  # never initiate; only respond to the client
    initial_contact off;
    generate_policy on;          # create SPD entries from what the client proposes
    lifetime time 24 hour;
    mode_cfg on;                 # hand the client an address from the pool below
    verify_cert off;             # irrelevant here; authentication is PSK, not certificates
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;   # PSK plus XAuth username/password
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

mode_cfg {
    network4 10.99.99.0;
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;          # XAuth credentials are checked against local system accounts
}
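The config above points racoon at /etc/racoon/psk.txt, and the replies below turn on that file and its permissions. As an added example (not the post's own code), this Python script writes a psk.txt entry owner-only and audits an existing file; the "ipad-group" identifier and the secret-length threshold are constructed assumptions for the demo, not racoon settings.

```python
import os
import re
import tempfile

# psk.txt format: "identifier<whitespace>secret" per line; '#' starts a comment.
_ENTRY = re.compile(r"^(\S+)\s+(.+?)\s*$")

def parse_psk(text):
    """Return {identifier: secret} for the non-comment lines of a psk.txt body."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("malformed psk.txt line: %r" % raw)
        entries[m.group(1)] = m.group(2)
    return entries

def write_psk_entry(path, identifier, secret):
    """Create psk.txt with one entry, owner-only (0600) from the very first write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("# racoon pre-shared keys: identifier<TAB>secret\n")
        f.write("%s\t%s\n" % (identifier, secret))

def audit_psk_file(path, min_len=20):
    """Return a list of findings (empty means the file passes). racoon itself refuses
    a psk.txt with group/other permission bits; min_len is this example's own policy."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & 0o077:
        findings.append("mode %o is too open; use chmod 600" % (mode & 0o777))
    with open(path) as f:
        entries = parse_psk(f.read())
    if not entries:
        findings.append("no identifier/secret pairs found")
    for ident, secret in entries.items():
        if len(secret) < min_len:
            findings.append("secret for %r is only %d chars" % (ident, len(secret)))
    return findings

def demo():
    """Constructed run: a correctly written file, then the same file made world-readable."""
    path = os.path.join(tempfile.mkdtemp(), "psk.txt")
    write_psk_entry(path, "ipad-group", "Lq7!vN2#pW9@zR4$tY6^kB1&")
    good = audit_psk_file(path)
    os.chmod(path, 0o644)  # the mistake the permission check is meant to catch
    return good, audit_psk_file(path)
```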

6 Replies to “Linux IPSec VPN for Ipad”

  1. Hi deb!

    I’m trying out your racoon configuration file but keep getting stuck at:
    pk_recv: retry[0] recv()

    2012-07-18 14:52:15: DEBUG2:
    02120200 02000000 00000000 407b0000
    2012-07-18 14:52:15: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

    and stops there. Racoon doesn’t actually exit, it just hangs there. Thoughts?

    Thanks in advance,

    Raphael

  2. Actually I need to edit my post coz I was able to authenticate but I couldn’t really access anything, not the internet or the local network.

    I just changed my network configuration. I replaced my OpenWrt Wrt54G router with a PFSense PC. PFsense is so much easier.

    Regarding your error, check your permissions. How did you install racoon, btw?

  3. I tried on a CentOS machine (I copied your configuration) but without success.

    Must I start anything? (a daemon?)

    Thank You

  4. I don’t know about CentOS coz I don’t use it. I have Debian. racoon is a daemon, so you should start it and watch the logs.

  5. Ok, I started the daemon with
    /usr/sbin/racoon -F

    What must I write on my iPad for account, password and secret?

    Thank You

  6. Just use the username and secret in the psk.txt file.

    If you have an old computer, I suggest you install PFsense on it. It saved me a lot of time and heartache.
