UPDATED 12/31/11: Added “dpd” items to ipsec.conf and lines to ip-down to enable the iPhone to quickly reconnect without needing to restart ipsec manually.
I am now able to network my iPhone to my Ubuntu desktop with VPN so I can play mp3s off my home NAS drive.
Here is a brief description of what I loaded in my config files to get this working. I’m posting it online in the hope that it will be useful to some folks.
Here is a breakdown of my hardware: Lucid Lynx Ubuntu desktop (internal IP is 192.168.1.10), iPhone 3GS, iomega NAS drive (internal IP is 192.168.1.80), Linksys E3000 router.
Networking stuff: I disabled the firewall on my ubuntu box while I was trying to get this working, then came back and loaded the firewall rules later. I also ensured that my router is port forwarding TCP/UDP ports 500, 1701 and 4500 to my ubuntu box and VPN Passthrough is enabled.
First up, I installed Openswan 2.6.33 per the instructions in this thread. Apparently, to get openswan and an iPhone to play nice, you need to use a custom compiled version. Here are my config files (with my password and remote IP addresses modified, of course):
config setup nat_traversal=yes #charonstart=yes #plutostart=yes conn PSK authby=secret forceencaps=yes pfs=no auto=add keyingtries=3 dpdtimeout=60 dpdaction=clear rekey=no left=192.168.1.10 leftnexthop=%defaultroute leftprotoport=17/1701 right=%any rightprotoport=17/%any rightsubnet=vhost:%priv,%no dpddelay=10 dpdtimeout=10 dpdaction=clear include /etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT # # PreSharedSecret needs to be specified in /etc/ipsec.secrets as # YourIPAddress %any: "sharedsecret" authby=secret pfs=no auto=add keyingtries=3 # we cannot rekey for %any, let client rekey rekey=no # Set ikelifetime and keylife to same defaults windows has ikelifetime=8h keylife=1h # l2tp-over-ipsec is transport mode type=transport # left=192.168.1.10 # # For updated Windows 2000/XP clients, # to support old clients as well, use leftprotoport=17/%any leftprotoport=17/1701 # # The remote user. # right=%any # Using the magic port of "0" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port, but propose "0" instead of their port. rightprotoport=17/%any dpddelay=10 dpdtimeout=10 dpdaction=clear conn passthrough-for-non-l2tp type=passthrough left=192.168.1.10 leftnexthop=192.168.1.1 right=0.0.0.0 rightsubnet=0.0.0.0/0 auto=route
I am able to restart OpenSwan via /etc/init.d/ipsec restart. Next up are my configs for xl2tpd which I start with xl2tpd -c /etc/xl2tpd/xl2tpd.conf -s /etc/xl2tpd/l2tp-secrets -D
[global] debug network = yes debug tunnel = yes ipsec saref = no listen-addr = 192.168.1.10 [lns default] ip range = 10.42.42.17-10.42.42.31 local ip = 10.42.42.1 require chap = yes refuse chap = no refuse pap = no require authentication = no ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
ipcp-accept-local ipcp-accept-remote #ms-dns 192.168.1.10 noccp auth crtscts idle 1800 mtu 1410 mru 1410 defaultroute debug lock proxyarp connect-delay 5000 ipcp-accept-local
/etc/ppp/ip-downADD THE FOLLOWING 3 LINES TO THE BOTTOM OF THE FILE:dpddelay=10 dpdtimeout=10 dpdaction=clear
And finally the config on my iPhone:
I’m using the L2TP tab. I have my remote IP listed as the server; Account: dan; RSA SecurID: Off; password and secret both entered as my password; Send All Traffic: On; Proxy: Off.
That’s about it. Here’s some other links that proved useful while I was hashing my way through this:
- OpenSwan Users Forum for posting questions/help requests