Posts Tagged ‘openswan’

Ubuntu IPSEC/L2TP VPN Client
Thursday, May 15th, 2008

I’ve recently been tasked with implementing a Linux VPN client for our IPsec/L2TP-based VPN. This task would have been extremely difficult if not for the efforts of Jacco de Leeuw (for his “Using Linux as an L2TP/IPsec VPN client” documentation) and Scott Myron et al. from Indiana University (“Linux L2TP over IPsec VPN Script for IU”).

I’m still waiting on a public revision control system in order to share our current implementation. In the meantime, I just wanted to share a couple of issues I faced with the default Ubuntu (7.10/8.04) Openswan package (2.4.6):

Bad route fix

Update – This is not necessary. See the comment added by Alucard below regarding “leftnexthop”.

After bringing up the IPsec connection:

~# ipsec setup start
~# ipsec auto --up VPN

I still cannot reach the VPN server (there is no usable route). After further investigation, the route added by this version of Openswan turns out to be incorrect: it puts the VPN server on-link (scope link) instead of routing it via the gateway, so I get something like the following:

~# ip route show
...
xxx.xxx.xxx.xxx dev eth0 scope link
...
default via yyy.yyy.yyy.yyy dev eth0
...
~# ping xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
From zzz.zzz.zzz.zzz icmp_seq=1 Destination Host Unreachable
From zzz.zzz.zzz.zzz icmp_seq=2 Destination Host Unreachable
From zzz.zzz.zzz.zzz icmp_seq=3 Destination Host Unreachable
...

where xxx.xxx.xxx.xxx is the IP of the VPN server, yyy.yyy.yyy.yyy is the gateway IP and zzz.zzz.zzz.zzz is the local IP.
To fix this, I remove the bad route and add a new host route through the gateway as follows:

~# ip route del xxx.xxx.xxx.xxx
~# route add -host xxx.xxx.xxx.xxx gw yyy.yyy.yyy.yyy

The result is:

~# ip route show
...
xxx.xxx.xxx.xxx via yyy.yyy.yyy.yyy dev eth0
...
default via yyy.yyy.yyy.yyy dev eth0
...
~# ping xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=126 time=9.46 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=126 time=20.3 ms
...
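To make the check above repeatable, here is an added example (my own script, not part of the original post) that inspects an `ip route show` table, detects whether the VPN server has been left on-link the way Openswan 2.4.6 does, and prints the two commands that would replace that route via the default gateway. It prints rather than runs them, so you can read what would change before running anything as root. The route table and addresses (203.0.113.10 as the VPN server, 192.0.2.1 as the gateway) are constructed sample values, and the replacement uses the `ip route add ... via` equivalent of the post’s `route add -host ... gw` command.

```shell
#!/bin/sh
# Added example, not from the original post: detect the on-link route that
# Openswan 2.4.6 installs for the VPN server and print the commands that
# replace it with a route via the default gateway.
# Assumptions: input is "ip route show" output; the addresses below are
# constructed placeholders (RFC 5737 documentation ranges).

# find_gateway ROUTES: print the address after "default via".
find_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# route_is_onlink ROUTES VPN_IP: succeed (exit 0) when there is a host route
# for VPN_IP whose next word is "dev", i.e. no "via" hop; that is the broken
# state described in the post.
route_is_onlink() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip && $2 == "dev" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# fix_commands ROUTES VPN_IP: print the repair commands, or a comment if the
# route already goes via a gateway. Fails if no default gateway is present.
fix_commands() {
    gw=$(find_gateway "$1")
    [ -n "$gw" ] || { echo "no default gateway found in route table" >&2; return 1; }
    if route_is_onlink "$1" "$2"; then
        printf 'ip route del %s\n' "$2"
        printf 'ip route add %s via %s\n' "$2" "$gw"
    else
        printf '# route to %s already goes via a gateway; nothing to do\n' "$2"
    fi
}

# Constructed sample table mirroring the broken state in the post:
# the VPN server (203.0.113.10) is on-link, the gateway is 192.0.2.1.
SAMPLE_ROUTES='203.0.113.10 dev eth0 scope link
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.25
default via 192.0.2.1 dev eth0'

# Usage: sh vpn_route_check.sh VPN_IP   (reads the live table via ip route show)
# With no argument it runs against the constructed sample above.
if [ -n "$1" ]; then
    fix_commands "$(ip route show)" "$1"
else
    fix_commands "$SAMPLE_ROUTES" 203.0.113.10
fi
```

Run it once after `ipsec auto --up VPN`; if it prints the two `ip route` commands, the package’s route is the on-link one and the repair is needed. Run it again after the repair and it should report nothing to do.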

NAT Traversal

Openswan 2.4.6, as packaged in Ubuntu 7.10/8.04, does not support NAT traversal (NAT-T). For more information, read Jacco’s NAT Traversal documentation.

Here are (roughly) the steps I used to build/install a patched version of Openswan 2.4.12 with NAT-T support:

1 – Download the Openswan source:

~$ wget http://openswan.org/download/openswan-2.4.12.tar.gz

2 – Unpack the source:

~$ tar xzvf openswan-2.4.12.tar.gz

3 – Move into source directory:

~$ cd openswan-2.4.12/

4 – Get the patch:

~$ wget http://www.jacco2.dds.nl/networking/patches/openswan-allow_MS_bad_proposal.patch

5 – Patch the source:

~$ patch -p0 < openswan-allow_MS_bad_proposal.patch

6 – Install build dependencies:

~$ sudo apt-get -y install build-essential man2html libgmp3c2 libgmp3-dev

7 – Make the programs and install (as root):

~$ make programs
~$ sudo make install
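The seven steps above as one script, added here as an example (my own, not from the post or from the Openswan project): each step checks its result before the next runs, so a failed download or a patch that no longer applies stops the build instead of leaving a half-patched tree that `make install` would then put over the packaged binaries. The version, tarball URL and patch URL are the ones listed above; `SRC_ROOT` (the working directory) is a placeholder I chose. The post gives no checksum for either download, so add your own verification of the tarball before building if you have a trusted reference for it.

```shell
#!/bin/sh
# Added example, not from the original post: build Openswan 2.4.12 with
# Jacco de Leeuw's NAT-T patch, checking each step before moving on.
# Assumptions: URLs and version are the ones the post lists; SRC_ROOT is a
# placeholder working directory; wget, tar, patch and make are installed.
set -e

OSW_VERSION="2.4.12"
OSW_TARBALL="openswan-${OSW_VERSION}.tar.gz"
OSW_URL="http://openswan.org/download/${OSW_TARBALL}"
PATCH_NAME="openswan-allow_MS_bad_proposal.patch"
PATCH_URL="http://www.jacco2.dds.nl/networking/patches/${PATCH_NAME}"

# fetch_file URL DEST: download only when DEST is absent, so re-runs are cheap.
fetch_file() {
    [ -f "$2" ] || wget -O "$2" "$1"
}

# unpack_source TARBALL DESTDIR: extract the archive and print the path of the
# source tree; fail if the expected top-level directory did not appear.
unpack_source() {
    tar xzf "$1" -C "$2"
    top=$(tar tzf "$1" | head -n 1 | cut -d/ -f1)
    [ -d "$2/$top" ] || return 1
    printf '%s\n' "$2/$top"
}

# apply_patch SRCDIR PATCHFILE: dry-run first and apply only if it fits cleanly,
# so a patch that no longer matches the tree never half-applies.
apply_patch() {
    patchfile="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$1" && patch -p0 --dry-run -s < "$patchfile" && patch -p0 -s < "$patchfile" )
}

# build_and_install SRCDIR: steps 7 of the post; only the install runs as root.
build_and_install() {
    ( cd "$1" && make programs && sudo make install )
}

main() {
    SRC_ROOT="${SRC_ROOT:-$HOME/src}"   # placeholder working directory
    mkdir -p "$SRC_ROOT"
    # step 6: build dependencies
    sudo apt-get -y install build-essential man2html libgmp3c2 libgmp3-dev
    # steps 1 and 4: downloads
    fetch_file "$OSW_URL" "$SRC_ROOT/$OSW_TARBALL"
    fetch_file "$PATCH_URL" "$SRC_ROOT/$PATCH_NAME"
    # steps 2, 3 and 5: unpack and patch
    srcdir=$(unpack_source "$SRC_ROOT/$OSW_TARBALL" "$SRC_ROOT")
    apply_patch "$srcdir" "$SRC_ROOT/$PATCH_NAME"
    # step 7: build and install
    build_and_install "$srcdir"
}

# Run the whole procedure only when invoked as "sh build-openswan.sh run",
# so the helper functions can also be sourced and exercised on their own.
if [ "$1" = "run" ]; then
    main
fi
```

Because `make install` writes into the same paths as the Ubuntu package, it is worth recording what the package owned beforehand (`dpkg -L openswan`) so a later package upgrade does not silently revert the patched binaries.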

Using the documentation referenced above, along with these workarounds, you should be able to connect an Ubuntu 7.10/8.04 client to an IPSEC/L2TP VPN. Hope that helps!
