In this post I will explain how to configure an L2TP VPN tunnel, with IPsec encryption, in such a way that you can connect to it from your Android device.
The setup consists of Linux (CentOS 6.2), xl2tpd and Openswan.
I wanted my Android device to be able to connect to my file server at home. Out of the box, Android devices only support PPTP and L2TP tunnels. I use L2TP in this guide, and for extra security I use it in combination with IPsec.
My Android device will first create an IPsec tunnel, and inside that tunnel it will create an L2TP VPN (so basically you have a tunnel in a tunnel).
I have the following devices:
For the L2TP server you need to install xl2tpd:
[root@adria ~]# yum install xl2tpd
The configuration of xl2tpd is done in /etc/xl2tpd/xl2tpd.conf; mine looks as follows:
[global]
listen-addr = $MY_EXTERNAL_IP_ADDRESS
auth file = /etc/ppp/chap-secrets
port = 1701
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = adria
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Additional configuration is done in /etc/ppp/options.xl2tpd. Create this file as follows:
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.24.4.1
noccp
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
#debug
lock
proxyarp
connect-delay 5000
As you can see, I have configured my router as the DNS server as well (the ms-dns line); remove that line if you don't want this.
L2TP (PPP) authentication works with a shared secret per user (CHAP). The secrets file is configured in /etc/xl2tpd/xl2tpd.conf with the parameter auth file. The syntax of this file is pretty simple; to create a user with the name richard and secret mypassword, make the file as follows:
# Secrets for authentication using CHAP
# client    server    secret        IP addresses
richard     *         mypassword    *
If you want to give this user a fixed IP address, change the last column to an IP. Also note that you need to type this password every time you connect to your VPN.
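Editing /etc/ppp/chap-secrets by hand works, but the file holds plaintext passwords, so it is worth doing it with a small script that generates the secret, refuses duplicate user names and keeps the file readable by root only. The following is an added example, not code from the original post; it assumes a POSIX shell with /dev/urandom, GNU or BusyBox coreutils (head -c) and awk, and takes the path of the secrets file as an argument so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example: maintain a chap-secrets file for xl2tpd.
# Assumptions: /dev/urandom, head -c, awk, chmod available (Linux/BusyBox).

# gen_secret [LEN] -> prints LEN (default 24) random characters from [A-Za-z0-9]
gen_secret() {
    len=${1:-24}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# chap_user_exists FILE USER -> exit 0 if USER is already the client field of a line
chap_user_exists() {
    awk -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# list_chap_users FILE -> prints the client names, skipping comments and blank lines
list_chap_users() {
    awk '!/^#/ && NF { print $1 }' "$1"
}

# chap_file_private FILE -> exit 0 only if the mode is exactly rw------- (0600)
chap_file_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# add_chap_user FILE USER [IP] -> appends "USER * SECRET IP", prints the secret.
# IP defaults to "*" (dynamic address from the xl2tpd "ip range").
add_chap_user() {
    file=$1; user=$2; ip=${3:-*}
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name: '$user'" >&2; return 2 ;;
    esac
    # Create the file with the same header the post uses if it does not exist yet
    if [ ! -f "$file" ]; then
        printf '# Secrets for authentication using CHAP\n' >"$file"
        printf '# client\tserver\tsecret\tIP addresses\n' >>"$file"
    fi
    if chap_user_exists "$file" "$user"; then
        echo "user $user already exists in $file" >&2
        return 1
    fi
    secret=$(gen_secret 24)
    printf '%s\t*\t%s\t%s\n' "$user" "$secret" "$ip" >>"$file"
    chmod 600 "$file"          # the secrets are plaintext: root-only
    printf '%s\n' "$secret"
}

# Usage on the real server (as root):
#   add_chap_user /etc/ppp/chap-secrets richard
#   add_chap_user /etc/ppp/chap-secrets alice 192.168.1.130
```

The generated secret is printed once so you can enter it on the Android device; xl2tpd reads the file on each connection, so no restart is needed after adding a user.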
Now you can start xl2tpd:
[root@adria ~]# /etc/init.d/xl2tpd start
Starting xl2tpd:                                           [  OK  ]
It would be possible to connect from your Android device now, but it would be without IPsec and everything would be sent in plain text.
Configuration of IPsec is done in /etc/ipsec.conf. Edit it as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0
        plutostderrlog=/var/log/pluto.log

conn L2TP
        authby=secret
        auto=add
        pfs=no
        type=transport
        rekey=no
        compress=yes
        left=$MY_EXTERNAL_IP_ADDRESS
        leftnexthop=$MY_EXTERNAL_GATEWAY
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        forceencaps=yes
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
This configures IPsec to encrypt packets on protocol 17 (UDP) and port 1701 (the L2TP port), with authentication based on preshared keys. Preshared keys are the only IPsec authentication method supported by (vanilla) Android.
Preshared keys are configured in /etc/ipsec.secrets; I added the following entry:
#include /etc/ipsec.d/*.secrets
%any %any : PSK "Th1s 1s my str0ng p4ssw0rd w31th w31rd ch4r4ct3rs #!@%^$%&"
Make it a strong password; you only need to type it once on your Android device.
After that you can start IPsec:
[root@adria ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-220.7.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Now you can configure your Android device.
Go to Settings –> Wireless & networks –> VPN settings.
Click on Add VPN.
Select Add L2TP/IPSec PSK VPN.
Fill it in as follows:
| Setting | Value |
|---|---|
| VPN name | Fill in whatever you want |
| Set VPN server | $MY_EXTERNAL_IP_ADDRESS |
| Set IPsec preshared key | Th1s 1s my str0ng p4ssw0rd w31th w31rd ch4r4ct3rs #!@%^$%& |
| Enable L2TP secret | Deselected |
Now you should be able to connect to the VPN and browse the internal network (if the firewalls allow it).
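As noted above, xl2tpd on its own will happily accept a plain L2TP session on UDP 1701 without IPsec, so the firewall on the server should only let port 1701 through when the packet arrived inside the IPsec transport. The following is an added example, not part of the original post: it generates the iptables rules for the server as a reviewable list (IKE on UDP 500, NAT-T on UDP 4500, and L2TP only when the kernel's IPsec policy matched), plus a small check that no rule accepts 1701 without that policy match. It assumes iptables with the policy match module (-m policy, present in the CentOS 6 kernel), and the external IP is passed as an argument; 203.0.113.10 in the usage comment is a constructed documentation address.

```shell
#!/bin/sh
# Added example: iptables rules for an L2TP/IPsec server where L2TP (UDP 1701)
# is only reachable inside IPsec. Assumes iptables with "-m policy".
# With forceencaps=yes in ipsec.conf all ESP traffic is UDP-encapsulated on 4500,
# so no separate "-p esp" rule is needed.

# l2tp_ipsec_rules EXTERNAL_IP -> prints one iptables command per line
l2tp_ipsec_rules() {
    ext=$1
    cat <<EOF
iptables -A INPUT -d $ext -p udp --dport 500 -j ACCEPT
iptables -A INPUT -d $ext -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -d $ext -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -d $ext -p udp --dport 1701 -j DROP
EOF
}

# l2tp_only_inside_ipsec RULES_TEXT -> exit 0 if every ACCEPT for dport 1701
# carries "--pol ipsec", exit 1 if a rule would accept plaintext L2TP
l2tp_only_inside_ipsec() {
    ! printf '%s\n' "$1" | grep -- '--dport 1701' | grep -- '-j ACCEPT' \
        | grep -qv -- '--pol ipsec'
}

# apply_l2tp_ipsec_rules EXTERNAL_IP -> check the rule set, then run it (as root)
apply_l2tp_ipsec_rules() {
    rules=$(l2tp_ipsec_rules "$1")
    l2tp_only_inside_ipsec "$rules" || { echo "refusing: plaintext L2TP accept" >&2; return 1; }
    printf '%s\n' "$rules" | sh -e
}

# Usage on the server (as root), e.g. for the constructed address 203.0.113.10:
#   l2tp_ipsec_rules 203.0.113.10        # review first
#   apply_l2tp_ipsec_rules 203.0.113.10  # then apply
```

Once applied, an Android client that (mis)configures the connection as plain L2TP gets no answer on 1701, while the L2TP/IPsec PSK profile described above still works because its L2TP packets arrive through the ESP tunnel and match the policy rule.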