Secure IPsec/L2TP VPN for on the road android devices

facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

Today people are using more frequently public hotspots, many Cafe, Restaurants and Pubs offer wifi connection for free.  Who doesn’t check their Facebook or send a tweet while having an espresso macchiato or enjoying a fresh beer? I guess everyone. The downside of using a public hotspot is that you put your personal data and information at serious risk. Connecting to a public hotspot can expose your data and the system to various attacks, like man in the middle, password sniffing and  credential stealing. If we really want protect our data wen we are on the road, we need to use a VPN connection, a VPN is a particular service that encapsulates our network traffic keeping it private. Fortunately android has a standout built-in  VPN connection tool that allows to use various VPN technologies, such 2TP/IPSec PSK, PPTP VPNS and many other. In this post i’m going to show how to  set up a VPN gateway and connect with your android device safely while  using a public hotspot.

First of all you need to have a linux server, in this case I’m using Ubuntu Linux 10.04. A public ip address is required.

You need to install the xl2tpd openswan ppp from the apt repository and then download the newest version from the Ubuntu 11.04 repository, otherwise the VPN won’t work.

[sourcecode language=”bash”]
apt-get install xl2tpd openswan ppp
wget http://se.archive.ubuntu.com/ubuntu/pool/universe/o/openswan/openswan_2.6.28+dfsg-5_i386.deb
wget http://ubuntu.linux-bg.org/ubuntu//pool/universe/x/xl2tpd/xl2tpd_1.2.7+dfsg-1_i386.deb
dpkg -i openswan_2.6.28+dfsg-5_i386.deb
dpkg -i xl2tpd_1.2.7+dfsg-1_i386.deb
[/sourcecode]

In the /etc/ipsec.conf file copy:

[sourcecode language=”bash”]
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
oe=off
protostack=netkey

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=x.x.x.x
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
[/sourcecode]

In the /etc/ipsec.secrets file copy:

[sourcecode language=”bash”]
x.x.x.x %any: PSK "somegoodpassword"
[/sourcecode]

Start the IPSEC service with /etc/init.d/ipsec start

Please verify the IPSEC service with :  ipsec verify
you must get no errors.

[sourcecode language=”bash”]
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for ‘ip’ command [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
[/sourcecode]

Create a file  called ipsec.vpn in /etc/init.d/

[sourcecode language=”bash”]
case "$1" in
start)
echo "Starting my Ipsec VPN"
iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec start
/etc/init.d/xl2tpd start
;;
stop)
echo "Stopping my Ipsec VPN"
iptables –table nat –flush
echo 0 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec stop
/etc/init.d/xl2tpd stop
;;
restart)
echo "Restarting my Ipsec VPN"
iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

;;
*)
echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
exit 1
;;
esac
[/sourcecode]

Disalble the ipsec default init script with
#update-rc.d -f ipsec remove

And enbable the custom one.
#update-rc.d ipsec.vpn defaults

In the file /etc/xl2tpd/xl2tpd.conf

[sourcecode language=”bash”]
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[/sourcecode]

In the file /etc/xl2tpd/l2tp-secrets copy:

Choose a good challenge-response authentication string,The secret should, ideally, be 16 characters long, and  should probably  be longer to ensure sufficient security. There is no minimum length requirement, however.

[sourcecode language=”bash”]
* * exampleforchallengestring
[/sourcecode]

In the file  /etc/ppp/options.xl2tpd copy:

[sourcecode language=”bash”]
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
[/sourcecode]

In the file /etc/ppp/chap-secrets copy:

Note: you can add as many user you like.

[sourcecode language=”bash”]
user1 * chooseagoodpassword *
user2 * chooseagoodpassword *
[/sourcecode]

Starting the VPN.

/etc/init.d/ipsec.vpn restart

Connecting to the VPN

On the Android mobile:

Go to Settings  > Wireless & networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN >

VPN name > the name you like
Set VPN server > ip address of the VPN server (x.x.x.x)
Set IPSec pre-shared key > somegoodpassword
Enable L2TP secret > enable
Set L2TP secret > was exampleforchallengestring

Press back, then connect using the PPP username/password (user1 chooseagoodpassword)

Wait for the message VPN connected on the mobile.

Debug.

In case of problems this are a few commands that can help out the debugging.

tcpdump -i ppp0
tail -f /var/log/auth.log
tail -f /var/log/daemon.log

Devices:

So far I’ve tested this configuration on only two devices, the ideos u8150  and the HTC Desire HD.


Comments

  1. Hey Phillip,
    I always wanted to install an IPSec server, but this is the only good tutorial!
    I used the tutorial, copied everything as-it-is just to test if it works.
    I got this error, when I try to connect:

    Jul 27 14:29:24 server pluto[2899]: packet from 79.xx.xx.xx:500: initial Main Mode message received on 78.xx.xx.xx:500 but no connection has been authorized with policy=PSK

    when I restart ipsec, I got this error:

    Jul 27 14:36:55 server pluto[3130]: ERROR “/etc/ipsec.secrets” line 12: index “x.x.x.x” does not look numeric and name lookup failed

    Can you give any advise on this issue? Thx!

  2. Hi Alex,

    what you have at the line nr 20 of ipsec.conf ? The local ip address ?

    try to take a look in the ipsec.secrets file, must be something like this

    192.168.1.1 %any: PSK “blablablabla”

    where 192.168.1.1 is the local ipsec server and blablablabla is the key.

  3. Thx! It was the ipsec.conf I missed. Thank you very much!

  4. Glad that my hint was helpful.

    Phillip

  5. I have VPN connection success with a Google Nexus S running Android 2.3.4 with no special enhancements (not rooted, no one else’s ROMs, just a nice pure Google Gingerbread Android setup for Nexus S), and OpenSwan running on an Ubuntu 9.10 machine as:

    > Linux Openswan U2.6.28/K2.6.31-22-generic (netkey)

    My Ubuntu 9.10 machine is behind a router that is NATed. I’m using a cable modem ISP with dynamic IP (so I use Dynamic DNS). On my router I port forward IKE UDP 500 and NAT-T 4500 to my Ubuntu server. The only difference is that I don’t use L2TP secrets (I have L2TP to defer to PPP with CHAP) … too many secrets and passwords for a person to try and remember (first for pre-shared key with IPSec authentication to establish the tunnel, then another for L2TP, then another with PPP — ugh!). I am very excited about trying this out with by replacing IPSec pre-shared key with certificates (not only is it doable with OpenSwan on the server side but also with Android with its built-in VPN client)!

  6. Phillip – thanks for the great walkthrough!

    I’ve had issues using certs w/ android and openswan, so I thought I’d take a step back and try PSK.

    I setup a 10.04 box just to make sure I’m on the exact same page as you.

    The only difference I have between what you’ve done above and what I did:

    1. This is a 64 bit box so I used the amd64 packages instead of the i386.
    2. xl2tpd 1.2.8 was released, so I opted for it instead of .7.

    And of course my passwords are all different from yours (to keep it simple, I put testpassword in all three spots).

    On my android I keep getting “Challenge Error. Do you want to check your secret setting?”

    I’ve re-entered them and double-checked them when I was entering them several times now.

    I know it’s getting past the ipsec psk, because if I change that password on the phone I see:

    pluto[3993]: “L2TP-PSK-NAT”[1] 192.168.1.151 #7: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
    pluto[3993]: | payload malformed after IV
    pluto[3993]: | 48 c2 62 f4 8e 20 3e 5c ad e3 57 5e 12 55 40 dd
    pluto[3993]: | 4a d1 c9 3f

    and the connection hangs for a bit on the phone before it gives up.

    When I purposely trash the L2TP secret the behavior is just the same as when I enter the correct password, so I suspect it’s failing on that secret, but I’m not seeing anything in the logs to indicate the problem.

    What are my next steps for debugging this?

    Thanks again, you rock!

  7. Hi Phillip,

    My pppd reports “peer refuse to authenticate: terminating link”
    Any hints?

  8. Hi Phillip,

    Thank you for the great tutorial. I have set up a VPN server based on your tutorial and it woks very well on my Android (Huawei Ideos U8150-D) running Android 2.2 (Frodo). Deviating from your how-to I needed to disable the “Enable L2TP secret” on the Android settings (no check, option not active).

    What surprises me is that my girlfriends iPhone 4 can’t establish a reliable VPN through L2TP. By the way, my server is based on the latest Debian Squeeze.

    Does anybody have any ideas what might be the problem of the iPhone? By the way, it sometimes works – but most times doesn’t.

    Thank you

    Sven

  9. Thank you for the great tutorial. I have established my VPN server based on Debian Squeeze and it works great with Android (I have a Android 2.2/Frodo mobile phone).

    What surprises me: It doesn’t work at all with my girlfriends iPhone. Does anybody have any suggestion what I need to change in order to make it work with iOS?

    Thank you

    Sven

  10. Hi Phillip,

    I’ve tried your configuration but from strange reason it can’t work for me.

    I’m using private network : if wlan0 .. my local adress is 192.168.1.2 (router address 192.168.1.1) .. so i changed your configuration regarding my as :

    apt-get install xl2tpd openswan ppp
    wget http://se.archive.ubuntu.com/ubuntu/pool/universe/o/openswan/openswan_2.6.28+dfsg-5_amd64.deb
    wget http://ubuntu.linux-bg.org/ubuntu//pool/universe/x/xl2tpd/xl2tpd_1.2.7+dfsg-1_amd64.deb
    dpkg -i openswan_2.6.28+dfsg-5_amd64.deb
    dpkg -i xl2tpd_1.2.7+dfsg-1_amd64.deb

    In the /etc/ipsec.conf file copy:
    config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey

    conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.1.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

    In the /etc/ipsec.secrets file copy:
    192.168.1.2 %any: PSK “somegoodpassword”

    Start the IPSEC service with /etc/init.d/ipsec start

    i see :

    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.28/K2.6.38-12-generic (netkey)
    Checking for IPsec support in kernel [OK]
    NETKEY detected, testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for NAT-T on udp 4500 [OK]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking NAT and MASQUERADEing
    Checking for ‘ip’ command [OK]
    Checking for ‘iptables’ command [OK]
    Opportunistic Encryption Support [DISABLED]

    Create a file called ipsec.vpn in /etc/init.d/
    case “$1” in
    start)
    echo “Starting my Ipsec VPN”
    iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.0/24 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for each in /proc/sys/net/ipv4/conf/*
    do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    done
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
    ;;
    stop)
    echo “Stopping my Ipsec VPN”
    iptables –table nat –flush
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
    ;;
    restart)
    echo “Restarting my Ipsec VPN”
    iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.0/24 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for each in /proc/sys/net/ipv4/conf/*
    do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    done
    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart

    ;;
    *)
    echo “Usage: /etc/init.d/ipsec.vpn {start|stop|restart}”
    exit 1
    ;;
    esac

    Disalble the ipsec default init script with
    #update-rc.d -f ipsec remove

    And enbable the custom one.
    #update-rc.d ipsec.vpn defaults

    In the file /etc/xl2tpd/xl2tpd.conf
    [global]
    ipsec saref = no

    [lns default]
    ip range = 192.168.1.3-192.168.1.254
    local ip = 192.168.1.2
    require chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

    In the file /etc/xl2tpd/l2tp-secrets copy:

    Choose a good challenge-response authentication string,The secret should, ideally, be 16 characters long, and should probably be longer to ensure sufficient security. There is no minimum length requirement, however.
    * * exampleforchallengestring

    In the file /etc/ppp/options.xl2tpd copy:
    refuse-mschap-v2
    refuse-mschap
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    lock
    hide-password
    local
    #debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4

    In the file /etc/ppp/chap-secrets copy:

    Note: you can add as many user you like.
    user1 * chooseagoodpassword *
    user2 * chooseagoodpassword *

    Starting the VPN.

    /etc/init.d/service ipsec.vpn restart

    Everything seems to be ok but i’m unable to connect with my HTC Wildfire S .. Any idea where can be the problem ?

  11. I would love a walk through for making L2TP IPSec for iOS devices.

    http://developer.apple.com/library/ios/#featuredarticles/FA_VPN_Server_Configuration_for_iPhone_OS/Introduction/Introduction.html

    Apparently iOS needs MS-CHAPV2

  12. Hello,

    when starting the Server, I get:
    tail -f /var/log/auth.log
    Feb 3 15:40:59 VDR pluto[5215]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
    Feb 3 15:40:59 VDR pluto[5215]: NAT-Traversal: Trying old style NAT-T
    Feb 3 15:40:59 VDR pluto[5215]: adding interface eth0/eth0 192.168.178.20:500
    Feb 3 15:40:59 VDR pluto[5215]: adding interface eth0/eth0 192.168.178.20:4500
    Feb 3 15:40:59 VDR pluto[5215]: adding interface lo/lo 127.0.0.1:500
    Feb 3 15:40:59 VDR pluto[5215]: adding interface lo/lo 127.0.0.1:4500
    Feb 3 15:40:59 VDR pluto[5215]: adding interface lo/lo ::1:500
    Feb 3 15:40:59 VDR pluto[5215]: loading secrets from “/etc/ipsec.secrets”
    Feb 3 15:40:59 VDR pluto[5215]: ERROR “/etc/ipsec.secrets” line 14: index “x.x.x.x” does not look numeric and name lookup failed
    Feb 3 15:40:59 VDR pluto[5215]: “/etc/ipsec.secrets” line 14: unterminated string

    Any Ideas?

    Greetings,
    Hendrik

  13. Hi, it’s a good tutorial, I copied everything as-it-is just to test if it works.
    I got this error, when I try to connect:

    initial Main Mode message received on 190.xxx.xxx.xx:500 but no connection has been authorized with policy=PSK

    • Hi,

      try to search on Google for “no connection has been authorized with policy=PSK” .

      Phillip

  14. already looking, I have not found something to help me, I have the same configurations.

    received Vendor ID payload [RFC 3947] method set to=109
    received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
    received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    ignoring Vendor ID payload [FRAGMENTATION 80000000]
    initial Main Mode message received on 190.xxx.xxx.xx:500 but no connection has been authorized with policy=PSK

  15. Hi again, I have this error, do you know what is?

    Jun 13 14:37:45 sid pluto[21390]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 190.212.80.224 port 41206, complainant 190.212.80.224: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

  16. hey @jimbod ihave the same problme with you
    packet from 10.0.8.1:500: initial Main Mode message received on 192.168.200.194:500 but no connection has been authorized with policy=PSK
    do you have a solutiion?
    i already searched in google and still not found the solution

  17. Free Proxy Servers
    July 10, 2014 - 12:50 pm

    Go with these specific proxies to encrypt your entire internet connection thereby making yourself unknown.

Leave a Reply

Your email address will not be published / Required fields are marked *