Hello,
for a few days now I have been trying to set up my old Raspberry Pi B as a VPN server. I wanted to use Openswan so that I do not have to install any additional software / app on the clients.
IP of the Raspberry Pi: 192.168.238.180
IP of the router: 192.168.238.3
TCP ports 1701, 1723 and UDP ports 500, 1701, 4500 are open and forwarded to the Pi
DHCP range: 192.168.238.100 - 192.168.238.199
VPN range: 192.168.238.200 - 192.168.238.210
Here is what I did.
1. Fresh install of Raspbian Wheezy 2015-05-05 onto the SD card
2. Firmware update
Now: Linux raspberrypi 4.1.7+ #817 PREEMPT Sat Sep 19 15:25:36 BST 2015 armv6l GNU/Linux
3. Refresh the package lists and upgrade
sudo apt-get update && sudo apt-get upgrade
4. Install the applications
apt-get install openswan xl2tpd ppp lsof
5. Configure rc.local
nano /etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*;
do
echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
6. Configure OpenSwan (IPsec)
nano /etc/ipsec.conf
version 2 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
type=transport
#because we use l2tp as tunnel protocol
left=192.168.238.180
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
nano /etc/ipsec.secrets
192.168.238.180 %any: PSK "123456"
7. Configure xl2tpd
nano /etc/xl2tpd/xl2tpd.options
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 192.168.238.200-192.168.238.210
local ip = 192.168.238.180
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8. Configure PPP
nano /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nano /etc/ppp/chap-secrets
9. Reboot the Raspberry Pi
sudo reboot
10. Check the settings
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Hardware RNG detected, testing if used properly [FAILED]
Hardware RNG is present but 'rngd' or 'clrngd' is not running.
No harware random used!
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
And this is where my problems really begin =(
1. When I try to install rng-tools afterwards, the following error message appears at the end:
invoke-rc.d: initscript rng-tools, action "start" failed.
and after a reboot the console output also shows "[FAIL] startpar: service(s) returned failure: rng-tools ... failed!"
When I try to start rng-tools by hand I get "Starting Hardware RNG entropy gatherer daemon: (failed)."
2. After restarting IPsec with /etc/init.d/ipsec restart, the output of "ipsec verify" looks somewhat better.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K4.1.7+ (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Hardware RNG detected, testing if used properly [FAILED]
Hardware RNG is present but 'rngd' or 'clrngd' is not running.
No harware random used!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
3. When I now try to connect from my Android phone, I select "IPSec Xauth PSK" as the type, enter the IP of the Pi and the PSK "123456".
As the user I enter "user" with the password "123456". The phone display then shows "Connecting..." for a while, followed by "Unsuccessful".
Did I set something up wrong?
I have also attached the files mentioned above.
Many thanks in advance
Kind regards
Dommschwenker
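A small consistency check for the L2TP/IPsec setup described in this post, added here as an example and not part of the poster's files: the file contents are constructed excerpts carrying the values from the post, and the DHCP_POOL tuple and the %PLACEHOLDER% pattern are assumptions standing in for the real router and template. It flags what a reviewer would look at first: the server address agreeing between ipsec.conf, ipsec.secrets and xl2tpd, the conn being transport-mode UDP/1701 so L2TP reaches xl2tpd, a PSK that is short or all digits, an unsubstituted %SERVERIP% token in rc.local, and a VPN client pool overlapping the DHCP pool.

```python
import ipaddress
import re

# Constructed excerpts carrying the values from the post (not the real files).
IPSEC_CONF = """\
conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    left=192.168.238.180
    leftprotoport=17/1701
"""
IPSEC_SECRETS = '192.168.238.180 %any: PSK "123456"\n'
XL2TPD_CONF = "[lns default]\nip range = 192.168.238.200-192.168.238.210\nlocal ip = 192.168.238.180\n"
RC_LOCAL = "iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+\n"
DHCP_POOL = ("192.168.238.100", "192.168.238.199")  # assumed router DHCP range

def kv(text):
    """key->value for 'key=value' lines; comments, [sections] and 'conn' lines skipped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith(("[", ";", "conn ")):
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def check_l2tp_ipsec(ipsec_conf, ipsec_secrets, xl2tpd_conf, rc_local, dhcp_pool):
    """Return human-readable findings; an empty list means the files agree."""
    findings, ipsec, xl = [], kv(ipsec_conf), kv(xl2tpd_conf)
    if ipsec.get("left") != xl.get("local ip"):
        findings.append("server address differs between ipsec.conf and xl2tpd.conf")
    if ipsec.get("type") != "transport" or ipsec.get("leftprotoport") != "17/1701":
        findings.append("conn is not transport-mode UDP/1701, so L2TP never reaches xl2tpd")
    m = re.match(r'(\S+)\s+\S+:\s*PSK\s+"([^"]*)"', ipsec_secrets)
    if not m or m.group(1) not in (ipsec.get("left"), "%any"):
        findings.append("ipsec.secrets PSK line does not name the server address")
    elif len(m.group(2)) < 20 or m.group(2).isdigit():
        findings.append("PSK is short or all digits; use a long random secret")
    if re.search(r"%[A-Z_]+%", rc_local):  # template token that was never replaced
        findings.append("rc.local still contains an unsubstituted %PLACEHOLDER%")
    lo, hi = (ipaddress.ip_address(a) for a in xl.get("ip range", "0.0.0.0-0.0.0.0").split("-"))
    d_lo, d_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    if lo <= d_hi and hi >= d_lo:  # pools must be disjoint or clients collide
        findings.append("VPN client pool overlaps the router's DHCP pool")
    return findings

if __name__ == "__main__":
    for f in check_l2tp_ipsec(IPSEC_CONF, IPSEC_SECRETS, XL2TPD_CONF, RC_LOCAL, DHCP_POOL):
        print("FINDING:", f)
```

Run against the post's values it reports the six-digit PSK and the %SERVERIP% token that the SNAT rule still carries; everything else agrees.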