Hi!
I am trying to set up VPN access to my home network, but both my Mac and iOS clients cannot connect: they time out after a while, there are no logs in /var/log/messages, and the racoon macOS console logs show one "ignore information because the message is too short" and eventually "failed to send vpn_control message: Broken pipe".
Here is my configuration (WAN is eth0):
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username fred password *****
set vpn l2tp remote-access client-ip-pool start 192.168.1.80
set vpn l2tp remote-access client-ip-pool stop 192.168.1.99
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret *****
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn ipsec auto-firewall-nat-exclude enable
set vpn l2tp remote-access dhcp-interface eth0
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "Allow IKE for Remote VPN Server"
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description "Allow L2TP for Remote VPN Server"
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description "Allow ESP for Remote VPN Server"
set firewall name WAN_LOCAL rule 50 protocol esp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description "Allow Nat-T for Remote VPN Server"
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 protocol udp
commit
save
The second step, once I get this working, is to move to certificate-based authentication, which is another can of worms. The authentication configuration for this is:
set vpn l2tp remote-access ipsec-settings authentication mode x509
set vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file /config/auth/ca.crt
set vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file /config/auth/panama.crt
set vpn l2tp remote-access ipsec-settings authentication x509 server-key-file /config/auth/panama.key
set vpn l2tp remote-access ipsec-settings authentication x509 server-key-password *****
And the steps to generate the CA, server and client-side cert / key pairs:
cd /usr/lib/ssl/misc
./CA.sh -newca
./CA.sh -newreq
./CA.sh -sign
cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/ca.crt
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/ca.key
mv /usr/lib/ssl/misc/newcert.pem /config/auth/panama.crt
mv /usr/lib/ssl/misc/newkey.pem /config/auth/panama.key
./CA.sh -newreq
./CA.sh -sign
mv /usr/lib/ssl/misc/newcert.pem /config/auth/fred.crt
mv /usr/lib/ssl/misc/newkey.pem /config/auth/fred.key
I then copy fred.crt and fred.key to my Mac and run this command to produce a p12 file that I can double-click to import into Keychain:
openssl pkcs12 -export -clcerts -inkey fred.key -in fred.crt -out fred.p12 -name my.dyndns.address.com
I also import ca.crt and trust both the CA and client certificates in Keychain. After I configure the VPN on macOS and try to connect, it throws a Keychain access error "error -25308 errSecInteractionNotAllowed." in the console and bails out. Probably a local issue somehow. I haven't tried this on iOS yet, since logging and exporting keys and certs is trickier there.
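Before importing a .p12 into Keychain it is worth confirming that the client key really belongs to the client cert, that the cert chains to the CA the router is configured with, and that the bundle reads back correctly. The script below is an added example, not from the original post: it assumes only the openssl CLI, reuses the post's file names (ca.crt, fred.crt, fred.key), and generates a throwaway CA and client cert in place of the CA.sh output so it runs offline.

```shell
#!/bin/sh
# Added example: sanity-check a client cert/key pair and CA chain before
# exporting to .p12. Only the openssl CLI is assumed; the PKI below is a
# constructed stand-in for the demoCA output described in the post.
set -e
WORK="$(mktemp -d)"

# Constructed test PKI: a self-signed CA and one client cert signed by it.
gen_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Home CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fred" \
    -keyout "$WORK/fred.key" -out "$WORK/fred.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/fred.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/fred.crt" >/dev/null 2>&1
}

# Returns 0 when the public key inside the cert equals the one derived from
# the private key file; a mismatch produces a .p12 that Keychain rejects.
key_matches_cert() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in "$2" -pubout | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the client cert verifies against the CA file the router
# trusts (the ca-cert-file in the x509 configuration).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Export key + cert + CA the way the post does (with a constructed test
# passphrase) and read the bundle back to make sure the client cert is inside.
export_and_readback_p12() {
  openssl pkcs12 -export -clcerts -inkey "$2" -in "$1" -certfile "$3" \
    -name fred -out "$WORK/fred.p12" -passout pass:testpass
  openssl pkcs12 -in "$WORK/fred.p12" -passin pass:testpass -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "CN *= *fred"
}

gen_test_pki
key_matches_cert "$WORK/fred.crt" "$WORK/fred.key" && echo "key matches cert"
chain_verifies "$WORK/ca.crt" "$WORK/fred.crt" && echo "chain verifies against CA"
export_and_readback_p12 "$WORK/fred.crt" "$WORK/fred.key" "$WORK/ca.crt" && echo "p12 reads back"
```

Point the three functions at the real /config/auth files (or their copies on the Mac) to run the same checks on the certificates the router actually uses.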