[Ipsec-tools-commits] [ ipsec-tools-Support Requests-3556611 ] FreeBSD 9 L2TPD ipsec (racoon) and m

Support Requests item #3556611, was opened at 2012-08-12 02:35
Message generated for change (Tracker Item Submitted) made by dkorzhevin
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3556611&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Configuration
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: dkorzhevin (dkorzhevin)
Assigned to: Nobody/Anonymous (nobody)
Summary: FreeBSD 9 L2TPD ipsec (racoon) and mpd5

Initial Comment:
Hello, i configured FreeBSD 9.0 release using
http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD tutorial. I am able
to connect to server from mac os x, but i have 2 problems:

1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with
separate usernames.

Here is my information:

dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about
processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#


kernel compiled with options:

options         IPSEC
options         IPSEC_NAT_T
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS
options         IPDIVERT

patch /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff
applied to ipsec-tools

dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT
translated, this is the INSIDE IP)
        isakmp           MYIP [500];
        isakmp_natt      MYIP [4500];
# NOTE, you can specify multiple IPs to listen on
#       isakmp           p.q.r.s [500];
#       isakmp_natt      p.q.r.s [4500];
#       strict_address;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
dkorzhevin#


dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#

dkorzhevin# cat psk.txt
* stidia
MYIP MYPASS
dkorzhevin#

dkorzhevin# ls -la
total 20
drwxr-xr-x  2 root  wheel   512 Aug 10 15:02 .
drwxr-xr-x  8 root  wheel   512 Aug 10 09:16 ..
-rw-------  1 root  wheel    30 Aug 10 11:34 psk.txt
-rw-r--r--  1 root  wheel  1308 Aug 10 14:42 racoon.conf
-rw-r--r--  1 root  wheel   171 Aug 10 14:18 setkey.conf
dkorzhevin#

dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
        # configure mpd users
        set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self MYIP
        set l2tp enable length
# Allow to accept calls
        set link enable incoming
dkorzhevin#

dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"

natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#


Please help

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3556611&group_id=74601