
7/23/12

L2TP/IPSec with OpenBSD and npppd


L2TP/IPSec with OpenBSD and npppd


Contributed by jj on Wed May 9 04:15:41 2012 (GMT) from the its-a-truck-not-a-series-of-tubes dept.


Maxim Bourmistrov writes in to share his L2TP/IPSEC setup using npppd.

An OpenBSD user since 3.2, I deploy OpenBSD on anything I want to be secure and stable (yes, even -current is STABLE, as long as you know what you are doing). This guide is split into two sections. The first and major one is the server-side configuration. The second is about what should be done on the client side. I use npppd both at home and at the office. My office setup is a bit more complicated than the one described here.

Read on for the story of how one man conquered his corner of the internet.

Server
The server needs to run OpenBSD 5.1-current with /usr/src populated according to the documentation. npppd is in development, so it is a good idea to have your sources up to date, else you might miss an important patch.

1. Compile and Install

As npppd is not yet linked to the build, you have to compile it yourself:

    cd /usr/src/usr.sbin/npppd && make depend && make && make install

2. Configuration

After that it is good practice to take a look at the HOWTO in the same directory, HOWTO_PIPEX_NPPPD.txt. There is no manual page for npppd yet, so more info can only be gathered by reading the source code. [this should change relatively quickly - ed.] The info provided by Yasuoka in the above-mentioned HOWTO covers pretty much all we need for a basic setup; however, I'll write my working home configuration here. Let's start with pf.conf:
    pass quick proto {esp, ah} from any to any
    pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
    pass on enc0 from any to any keep state (if-bound)

Now the IPSec part; isakmpd should start at boot and load rules from ipsec.conf, thus add following to rc.conf:
    isakmpd_flags="-K"

Then the ipsec.conf itself. Make sure to replace IP 1.2.3.4 with your own external IP.
    ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "password"

Finally, npppd.conf. At home I use RADIUS for authentication, for a few reasons. If you plan to use a plain password file, then uncomment the lines after "Local file authentication"; again, the HOWTO mentioned above explains how to create this file. My internal network is 192.168.78.x. 192.168.80.0/25 is the range from which clients connected through the VPN will get their addresses; 192.168.80.1 will be their gateway to the internal network.
    interface_list: tun0
    interface.tun0.ip4addr: 192.168.80.1
    pool.dyna_pool: 192.168.80.0/25
    pool.pool: 192.168.80.128/25

    # Local file authentication
    #auth.local.realm_list: local
    #auth.local.realm.acctlist: /etc/npppd/npppd-users.csv
    #realm.local.concentrate: tun0

    # RADIUS authentication/accounting
    auth.radius.realm_list: radius
    auth.radius.realm.server.address: 192.168.78.1:1812
    auth.radius.realm.server.secret: radius_password
    auth.radius.realm.acct_server.address: 192.168.78.1:1813
    auth.radius.realm.acct_server.secret: radius_password
    realm.radius.concentrate: tun0

    lcp.mru: 1400
    lcp.timeout: 18
    auth.method: mschapv2
    ipcp.dns_primary: 192.168.78.123
    ipcp.dns_secondary: 192.168.78.123
    ipcp.assign_fixed: true
    ipcp.assign_userselect: true

    l2tpd.enable: true
    #l2tpd.listener: L2TP 4.3.2.1:1701
    l2tpd.ip4_allow: 0.0.0.0/0
    l2tpd.require_ipsec: true
    l2tpd.accept_dialin: true
    pipex.enabled: true

A note about l2tpd.listener: this configuration directive can be used with more advanced setups, for instance when you have a CARP:ed range of IP addresses.

3. Start up

Apply the pf.conf first:

    pfctl -f /etc/pf.conf

Then start isakmpd and apply the IPSec rules:

    /etc/rc.d/isakmpd start
    ipsecctl -f /etc/ipsec.conf

Now start npppd:

    /usr/sbin/npppd -D

All debugging, in case of misconfiguration or not working VPN, is done with isakmpd/npppd running in foreground and tcpdump listening for relevant packets on relevant interfaces.

Client
Both OSX and Win7 offer to route ALL traffic via the VPN tunnel. Usually no one wants this, thus one has to disable it and set up routing manually. Until then DNS resolution will not work; for instance, I'll not be able to reach my internal 192.168.78.123. I use OSX, thus I'll cover how to set up routing once the VPN is established. Basically we need a helper script. OSX will run it automatically, but on Win7 it has to be executed with Administrative permissions.
    [root@grey] [/etc/ppp] $ cat /etc/ppp/ip-up
    #!/bin/sh
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    export PATH

    HOME_GW="192.168.80.1"
    HOME_NET="192.168.78.0/25"
    OFFICE_GW="172.17.0.1"
    OFFICE_NET="172.16.0.0/12"
    NET=""

    # the far end of the tunnel (the VPN gateway) is the 4th field of the inet line
    GW_FROM_L2TP=`ifconfig ppp0|grep inet|awk '{print $4}'`

    if [ "$GW_FROM_L2TP" = "$OFFICE_GW" ]
    then
        NET=$OFFICE_NET
    fi
    if [ "$GW_FROM_L2TP" = "$HOME_GW" ]
    then
        NET=$HOME_NET
    fi

    route -qn add "$NET" -interface ppp0
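A hardened variant of that helper, added here as an example and not the article's script: it takes the tunnel peer from the arguments pppd passes to ip-up instead of parsing ifconfig output, quotes its variables, and logs instead of adding a route when the gateway is not one it knows, so a mismatch never ends in `route add` with an empty destination. The gateway/network pairs are the article's; the function names and the pppd argument convention are assumptions.

```shell
#!/bin/sh
# Added example (not the article's script): a hardened /etc/ppp/ip-up helper.
# pppd invokes ip-up as:  ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# so the far end of the tunnel (the VPN gateway) is $5 (assumed pppd convention).
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

# Map a VPN gateway to the internal network behind it (pairs from the article).
# Prints the network, or prints nothing and returns 1 for an unknown gateway,
# so the caller can never run "route add" with an empty destination.
net_for_gw() {
    case "$1" in
        192.168.80.1) echo "192.168.78.0/25" ;;   # home
        172.17.0.1)   echo "172.16.0.0/12" ;;     # office
        *)            return 1 ;;
    esac
}

# Build the route command as text so it can be checked without touching
# the routing table.  $1 = interface (ppp0), $2 = gateway.
route_cmd() {
    net=$(net_for_gw "$2") || return 1
    echo "route -qn add $net -interface $1"
}

main() {
    ifname=$1
    gw=$5
    if cmd=$(route_cmd "$ifname" "$gw"); then
        $cmd
    else
        logger -t ip-up "unknown VPN gateway '$gw' on $ifname; no route added"
    fi
}

# Act only when installed as .../ip-up; sourcing the file elsewhere is a no-op.
case "$0" in
    */ip-up) main "$@" ;;
esac
```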

That's it. I'd like to thank all developers working on OpenBSD, making it polished and good looking!

Special thanks to Yasuoka Masahiko (yasuoka@) for his technical review of this submission. It should be noted, however, that there is a planned change to the npppd() configuration, which will quickly deprecate these instructions. When that time comes, we hope to provide information concerning the migration of your npppd() configurations.

Re: L2TP/IPSec with OpenBSD and npppd (mod -2/4) by Anonymous Cowbell (anon) (M8R-2m2huq@mailinator.com) on Fri Apr 27 13:52:05 2012 (GMT)
"cd /usr/src/usr.sbin/npppd && make depend && make && make install" This should have 'make obj' in it too.

Re: L2TP/IPSec with OpenBSD and npppd (mod 0/6) by sneaker (sneaker) (sneaker@noahpugsley.net) on Fri Apr 27 15:40:27 2012 (GMT) Wow, I was just 2 weeks ago having trouble finding info on exactly this setup. Thanks!

His name (mod 0/6) by Tamotsu (tamo) on Fri Apr 27 21:42:38 2012 (GMT) http://tamo.tdiary.net/ typo: s/Masohiko/Masahiko/ according to his site: http://yasuoka.net/

Re: His name (0/2) by tbert on Mon Apr 30 11:20:00 2012 (GMT)




undeadly.org/cgi?action=article&sid=20120427125048
