After about a week of googling and a ton of hours of trial and error, I finally got a working VPN to my server. I am now able to connect successfully, so I can call it a success. I may have to do a little more tweaking to fine-tune it, though.
There is a lot of information on the web, but finding the right recipe is tricky.
First off, I found out that a VPN per se is a PITA to set up in Linux. There is a lot of software we can use on the server: Openswan, FreeS/WAN, strongSwan and OpenVPN. I tried OpenVPN before and used it for a while. OpenVPN runs purely in userspace, so no kernel modules are needed, but most OSes do not have a client built in, so one has to install the client.
Now, IPsec is the Linux kernel VPN implementation, so there are a lot of benefits to it that I can only imagine. The *Swans are, at this point, mostly the userland tools that control the kernel modules one uses. There is a lot of misleading info out there, and most of it tells you to install one of the *Swans. I never tried that. I went with a much simpler approach, using just racoon and xl2tpd.
I tried several times to figure out the proper mix of settings for racoon and xl2tpd, but I could never get it right. I was always stuck with xl2tpd closing the connection.
Reading a bit more on the web, I found that I could ditch xl2tpd altogether and just do pure IPsec. So I did a bit more tweaking and voila! A much simpler setup, with only racoon to contend with.
My racoon config:
# racoon.conf: pure IPsec (IKEv1) with XAuth over a pre-shared key, addresses pushed via mode_cfg
log debug;                                  # verbose while testing; lower it once the setup is stable
path pre_shared_key "/etc/racoon/psk.txt";  # PSK file; keep it readable by root only
#path certificate "/etc/racoon/certs";      # unused: authentication here is PSK + XAuth, not certificates

remote anonymous {                          # accept a connection from any peer address
    exchange_mode aggressive,main;          # aggressive is accepted for clients that need it; main mode is the safer choice
    my_identifier user_fqdn "redacted";     # identity the server presents
    peers_identifier fqdn "debian";         # identity the client must present
    dpd_delay 20;                           # dead peer detection probe every 20 s
    ike_frag on;                            # IKE fragmentation for large packets
    nat_traversal on;                       # clients behind NAT
    passive on;                             # responder only; never initiate
    initial_contact off;                    # do not send INITIAL-CONTACT to the peer
    generate_policy on;                     # install SPD entries from the client's proposal; no static setkey policies needed
    lifetime time 24 hour;                  # phase 1 SA lifetime
    mode_cfg on;                            # hand the client an address from the pool below
    verify_cert off;                        # irrelevant with PSK authentication
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;  # group PSK first, then XAuth username/password
        dh_group 2;                         # 1024-bit MODP; use group 14 or higher if the clients support it
    }
}

sainfo anonymous {                          # phase 2 settings for any selector
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

mode_cfg {
    network4 10.99.99.0;                    # address pool handed out to clients
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;                     # XAuth users are checked against system accounts
}
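To sanity-check a config like this before relying on it, here is a small parser for racoon.conf's statement-and-brace syntax plus an audit of the remote-block settings worth a second look. This is an added example, not part of the original post or of racoon itself; it handles only the subset of the grammar used above, and the embedded sample config is a constructed, trimmed copy of the one shown.

```python
import re
# Constructed sample: a trimmed copy of the racoon.conf above.
SAMPLE_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode aggressive,main;
    proposal {
        encryption_algorithm aes;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
def tokenize(text):
    # Drop '#' comments per line, then split into quoted strings, braces, ';' and words.
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return TOKEN.findall(code)

def parse(tokens, i=0):
    # One block body -> (dict, index of its closing brace); statements map
    # keyword -> value list, nested blocks map their header -> sub-dict.
    block, stmt = {}, []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            block[stmt[0]] = stmt[1:]
            stmt = []
        elif tok == "{":
            sub, i = parse(tokens, i + 1)
            block[" ".join(stmt)] = sub
            stmt = []
        elif tok == "}":
            return block, i
        else:
            stmt.append(tok.strip('"'))
        i += 1
    return block, i

def audit(conf):
    # Settings in the remote block that deserve a second look before going live.
    remote = conf.get("remote anonymous", {})
    findings = []
    if "aggressive" in ",".join(remote.get("exchange_mode", [])).split(","):
        findings.append("aggressive mode with a PSK sends the auth hash unencrypted, "
                        "which exposes the PSK to offline guessing")
    if remote.get("proposal", {}).get("dh_group") == ["2"]:
        findings.append("dh_group 2 is 1024-bit MODP; prefer group 14 or larger")
    return findings
```

Run `audit(parse(tokenize(open("/etc/racoon/racoon.conf").read()))[0])` against the real file to get the same findings for a live config.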