After about a week of googling and many hours of trial and error, I finally got a working VPN to my server. I can now connect successfully, so I'd call it a success, though I may have to do a little more tweaking to fine-tune it.
There is a lot of information on the web, but finding the right recipe is a bit tricky.
First off, I found out that a VPN is a PITA to set up on Linux. There are several options for the server side: OpenSwan, FreeSwan, StrongSwan and OpenVPN. I tried OpenVPN before and used it for a while. OpenVPN runs purely in userspace, so no kernel modules are needed, but most operating systems do not ship a client for it, so one has to install OpenVPN's own client.
IPsec, on the other hand, is the Linux kernel's VPN implementation, so there are benefits there that I can only imagine. The *Swans are mostly the userland tools that control the kernel modules. There is a lot of misleading info out there, and most of it tells you to install one of the *Swans. I never tried that. I went with a much simpler approach, using just racoon and xl2tpd.
I tried several times to figure out the proper mix of settings for racoon and xl2tpd, but I could never get it right. I was always stuck with xl2tpd closing the connection.
Reading a bit more on the web, I found that I could ditch xl2tpd altogether and just do pure IPsec. So I did a bit more tweaking and voilà! A much simpler setup, with only racoon to contend with.
My racoon config:
log debug;
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

# Accept any remote peer (road-warrior setup): PSK + XAuth, with mode-config
remote anonymous {
    exchange_mode aggressive,main;
    my_identifier user_fqdn "redacted";
    peers_identifier fqdn "debian";
    dpd_delay 20;              # dead peer detection: R-U-THERE every 20 s
    ike_frag on;               # allow fragmented IKE messages
    nat_traversal on;
    passive on;                # act as responder only, never initiate
    initial_contact off;
    generate_policy on;        # build SPD entries from the client's proposal
    lifetime time 24 hour;     # phase 1 (ISAKMP SA) lifetime
    mode_cfg on;               # hand out addresses via mode-config (see below)
    verify_cert off;           # not relevant with PSK authentication
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters for any peer
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# Address pool for clients; XAuth users are checked against the system password database
mode_cfg {
    network4 10.99.99.0;
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;
}
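As an added example (not part of the original post), here is a small Python linter that parses racoon's brace syntax and reports the phase 1 settings in the config above that a practitioner would review before exposing the server. The embedded configuration text is a constructed copy of the post's remote block; the weak-group and weak-hash lists are my assumptions about what counts as worth flagging.

```python
# Added example, not from the post: lint a racoon.conf for settings to review.
# SAMPLE_CONF is a constructed copy of the post's 'remote anonymous' block.
SAMPLE_CONF = """remote anonymous {
    exchange_mode aggressive,main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}
"""

def parse(text):
    """Parse racoon's brace syntax into nested dicts, e.g. conf['remote anonymous']['proposal']."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                       # open a block: 'remote anonymous {'
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":                            # close the current block
            cur = stack.pop()
        else:                                        # 'key value;' statement
            key, _, val = line.rstrip(";").partition(" ")
            cur[key] = val.strip().strip('"')
    return root

WEAK_DH = {"1", "2", "modp768", "modp1024"}          # IKE MODP groups of 1024 bits or less
WEAK_HASH = {"md5", "sha1"}

def findings(conf):
    """Return notes on phase 1 settings in 'remote anonymous' worth hardening."""
    remote = conf.get("remote anonymous", {})
    prop = remote.get("proposal", {})
    modes = {m.strip() for m in remote.get("exchange_mode", "").split(",")}
    notes = []
    if "aggressive" in modes and "psk" in prop.get("authentication_method", ""):
        notes.append("aggressive mode with PSK: identities and PSK-based hashes travel unencrypted; allow main mode only")
    if prop.get("dh_group") in WEAK_DH:
        notes.append(f"dh_group {prop['dh_group']}: 1024-bit or smaller MODP group; use 14 (modp2048) or higher")
    if prop.get("hash_algorithm") in WEAK_HASH:
        notes.append(f"hash_algorithm {prop['hash_algorithm']}: prefer sha256")
    return notes
```

Run `findings(parse(open("/etc/racoon/racoon.conf").read()))` against a real file; an empty list means none of the three checks fired.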
Hi deb!
I’m trying out your racoon configuration file but keep getting stuck at:
pk_recv: retry[0] recv()
2012-07-18 14:52:15: DEBUG2:
02120200 02000000 00000000 407b0000
2012-07-18 14:52:15: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
and stops there. Racoon doesn’t actually exit, it just hangs there. Thoughts?
Thanks in advance,
Raphael
Actually, I need to edit my post because I was able to authenticate but couldn’t really access anything, not the internet or the local network.
I just changed my network configuration. I replaced my OpenWrt WRT54G router with a pfSense PC. pfSense is so much easier.
Regarding your error, check your permissions. How did you install racoon, btw?
I tried on a CentOS machine (I copied your configuration) but without success.
Do I need to start anything (a daemon)?
Thank You
I don’t know about CentOS because I don’t use it. I have Debian. racoon is a daemon, so you should start it and watch the logs.
Ok, I started the daemon with
/usr/sbin/racoon -F
What must I enter on my iPad for account, password and secret?
Thank You
Just use the username and secret from the psk.txt file.
If you have an old computer, I suggest you install pfSense on it. It saved me a lot of time and heartache.