hi
I want to set up an IPsec tunnel from my desktop PC to one of my root servers so that my traffic leaves with the server's public IP address instead of my own. I'm using Ubuntu 14.04 on both the server and the client.
On the root server you need the following:
1) firewall with NAT enabled (and, optionally, TCP MSS clamping, which might not be necessary for you)
2) IP forwarding enabled
3) strongSwan configured on your root server
4) strongSwan configured on your client (Ubuntu, and Android 4.4 with its built-in client)
1) firewall:
#accept ipsec: ike on udp/500 and nat-t (udp-encapsulated esp) on udp/4500
#(a client that is not behind nat sends plain esp, ip protocol 50, which then needs an accept rule as well;
#the forward rules for each tunnel are added by strongswan itself because of leftfirewall=yes below)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
#activate nat for the clients' virtual ips (the /16 covers the 192.168.201.0/24 pool configured below; it can be narrowed to that /24)
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE
#clamp the tcp mss of forwarded syns to avoid mtu problems (e.g. https sites that hang): the esp encapsulation
#eats part of the path mtu, so only syns advertising an mss above 1360 are rewritten
iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
2) ip forwarding:
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
3) config of my strongswan server:
aptitude install strongswan strongswan-plugin-xauth-generic
vim /etc/ipsec.conf
conn yourconnectionname
    # ikev1 with a shared psk, followed by an xauth username/password round
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    # offer the client the whole internet through the tunnel
    leftsubnet=0.0.0.0/0
    # let strongswan insert the iptables forward rules for each client
    leftfirewall=yes
    right=%any
    rightsubnet=192.168.201.0/24
    # virtual ip pool handed out to the clients
    rightsourceip=192.168.201.1/24
    rightdns=8.8.8.8
    auto=add
vim /etc/ipsec.secrets (keep this file readable by root only, it holds the PSK shared by every client and all xauth passwords)
ipofyourserver %any : PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"
now enable IP forwarding in the running kernel (the sysctl.conf change above only takes effect at boot) and restart strongSwan:
echo 1 > /proc/sys/net/ipv4/ip_forward
service strongswan restart
4) config of my desktop pc:
vim /etc/ipsec.conf
conn yourconnectionname
    keyexchange=ikev1
    left=%defaultroute
    # request a virtual ip from the server's pool
    leftsourceip=%config
    leftfirewall=yes
    # authenticate with the psk first, then with the xauth credentials
    leftauth=psk
    leftauth2=xauth
    leftid=yourusername
    right=ipofyourserver
    # send all traffic through the tunnel
    rightsubnet=0.0.0.0/0
    rightauth=psk
    auto=add
vim /etc/ipsec.secrets
: PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"
now restart strongswan on your desktop pc:
service strongswan restart
and start the vpn tunnel manually via:
ipsec up yourconnectionname
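As an added example (not code from the original post), here is a small POSIX shell helper that writes the server and the client configuration from the steps above and can apply the server side in one go. It differs from the hand-edited files in three practitioner details: the secrets file is created root-only from the start, the NAT rule is scoped to the client pool instead of the whole /16, and plain ESP is accepted for clients that are not behind NAT. On the server it omits rightsubnet, because with rightsourceip strongSwan uses the assigned virtual IP as the client's traffic selector. Interface, server address, pool, connection name and all passwords are hypothetical defaults that you override through environment variables.

```shell
#!/bin/sh
# Provisioning helper for the strongSwan xauth-psk setup (added example).
# Every value below is a placeholder; override it in the environment, e.g.
#   WAN_IF=eth0 SERVER_IP=203.0.113.10 PSK='...' XAUTH_PASS='...' sh vpn-setup.sh server
: "${ETC_DIR:=/etc}"                 # where ipsec.conf / ipsec.secrets are written
: "${WAN_IF:=eth0}"                  # public interface of the root server
: "${VPN_POOL:=192.168.201.0/24}"    # virtual ip pool handed out to clients
: "${VPN_DNS:=8.8.8.8}"
: "${CONN_NAME:=yourconnectionname}"
: "${SERVER_IP:=203.0.113.10}"       # documentation address, replace with yours
: "${PSK:=yourpassword}"
: "${XAUTH_USER:=yourusername}"
: "${XAUTH_PASS:=yourxauthpassword}"

# iptables rules for the server: ike/nat-t plus plain esp, nat only for the
# client pool, and mss clamping for forwarded tcp syns.
firewall_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $VPN_POOL -j MASQUERADE
iptables -t mangle -A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
EOF
}

# Writes stdin to ipsec.secrets; umask 077 makes the file 0600 at creation,
# the chmod covers the case where it already existed with wider permissions.
write_secrets() {
    ( umask 077; cat > "$ETC_DIR/ipsec.secrets" )
    chmod 600 "$ETC_DIR/ipsec.secrets"
}

# Server side: ikev1 + psk + xauth, whole internet offered, virtual ip pool.
write_server_config() {
    cat > "$ETC_DIR/ipsec.conf" <<EOF
config setup

conn $CONN_NAME
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=$VPN_POOL
    rightdns=$VPN_DNS
    auto=add
EOF
    write_secrets <<EOF
$SERVER_IP %any : PSK "$PSK"
$XAUTH_USER : XAUTH "$XAUTH_PASS"
EOF
}

# Client side: request a virtual ip and route everything through the tunnel.
write_client_config() {
    cat > "$ETC_DIR/ipsec.conf" <<EOF
config setup

conn $CONN_NAME
    keyexchange=ikev1
    left=%defaultroute
    leftsourceip=%config
    leftfirewall=yes
    leftauth=psk
    leftauth2=xauth
    leftid=$XAUTH_USER
    right=$SERVER_IP
    rightsubnet=0.0.0.0/0
    rightauth=psk
    auto=add
EOF
    write_secrets <<EOF
: PSK "$PSK"
$XAUTH_USER : XAUTH "$XAUTH_PASS"
EOF
}

# Returns 0 only if ipsec.secrets is readable and writable by its owner alone.
secrets_are_private() {
    [ "$(ls -l "$ETC_DIR/ipsec.secrets" | cut -c1-10)" = "-rw-------" ]
}

# Full server setup; needs root on the root server.
setup_server() {
    write_server_config
    sysctl -w net.ipv4.ip_forward=1
    firewall_rules | sh -e
    service strongswan restart
}

case "${1:-}" in
    server) setup_server ;;
    client) write_client_config && service strongswan restart && ipsec up "$CONN_NAME" ;;
esac
```

Run it as `sh vpn-setup.sh server` on the root server and `sh vpn-setup.sh client` on the desktop, with the variables exported first; without an argument it only defines the functions, so you can source it and call `firewall_rules` to review the rules before applying them.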
You can also use your Android phone to connect via IPsec Xauth PSK:
Just go to: Settings -> Wireless & Networks -> More -> VPN -> +
Name: yourconnectionname
Type: IPSec Xauth PSK
Server address: yourservername or ip address
IPSec pre-shared key: yourpassword (the PSK from ipsec.secrets)
Afterwards, open the new VPN connection; you will be asked for the xauth username and password.
Hint: On CM12 with my Samsung Galaxy S4 mini, the phone reboots with IPsec Xauth. Seems to be a bug. L2TP/IPsec works perfectly with CM12 on the Samsung Galaxy S4 mini.
Hint 2: On Arch Linux, rightsubnet=0.0.0.0/0 suddenly stopped working as a client (no outbound IPsec traffic). I simply added a route to my netctl config: Routes=('IpOfVpnGateway via YourDefaultGateway table 220')
It seems the VPN gateway itself was also getting tunnelled.
Have fun!