CloudStack 4.10 uses strongSwan 5.2 for its VPN service.
This post covers the strongSwan 5.2 remote access VPN configuration and connecting to the VPN from the Windows L2TP client.
root@r-154-QA:~# ipsec --version
Linux strongSwan U5.2.1/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@r-154-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:7c:b8:00:05 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 0e:00:a9:fe:01:e8 brd ff:ff:ff:ff:ff:ff
inet 169.254.1.232/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:8d:00:00:12 brd ff:ff:ff:ff:ff:ff
inet 10.147.46.106/24 brd 10.147.46.255 scope global eth2
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 10.1.2.1 peer 10.1.2.2/32 scope global ppp0
9: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 10.1.2.1 peer 10.1.2.3/32 scope global ppp1
root@r-154-QA:~#
strongSwan 5.2 remote access VPN configuration:
root@r-154-QA:~# cat /etc/ipsec.d/l2tp.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
    authby=psk
    pfs=no
    rekey=no
    keyingtries=3
    keyexchange=ikev1
    forceencaps=yes
    leftfirewall=yes
    leftnexthop=%defaultroute
    type=transport
    #
    # ----------------------------------------------------------
    # The VPN server.
    #
    # Allow incoming connections on the external network interface.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use: left=your.ip.addr.ess
    #
    left=10.147.46.106
    #
    leftprotoport=17/1701
    # If you insist on supporting non-updated Windows clients,
    # you can use: leftprotoport=17/%any
    #
    # ----------------------------------------------------------
    # The remote user(s).
    #
    # Allow incoming connections only from this IP address.
    right=%any
    # If you want to allow multiple connections from any IP address,
    # you can use: right=%any
    #
    rightprotoport=17/%any
    #
    # ----------------------------------------------------------
    # Change 'ignore' to 'add' to enable this configuration.
    #
    rightsubnetwithin=0.0.0.0/0
    auto=add
root@r-154-QA:~#
root@r-154-QA:~# cat /etc/ipsec.d/ipsec.any.secrets
: PSK "aHM9g54CbvuBDgRsa6MeyCsm"
root@r-154-QA:~#
root@r-154-QA:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
root@r-154-QA:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
include /etc/ipsec.d/*.conf
root@r-154-QA:~#
root@r-154-QA:~# cat /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = 10.1.2.2-10.1.2.8
local ip = 10.1.2.1
require chap = yes
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd
root@r-154-QA:~#
root@r-154-QA:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test * test *
root@r-154-QA:~# cat /etc/ppp/options.xl2tpd
proxyarp
ipcp-accept-local
ipcp-accept-remote
noccp
idle 1800
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
ms-dns 10.1.2.1
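As an added check (not part of the original post or of CloudStack), the following Python snippet parses an ipsec.conf-style conn section and verifies that it carries the settings a Windows L2TP/IPsec client needs from this server: PSK with IKEv1, transport mode, UDP/1701 on the server side, NAT-T forced, no PFS. The sample config is constructed from the l2tp.conf shown above; the parameter names and values come from that file, the expected set is an assumption drawn from it.

```python
# Constructed from the l2tp.conf shown above, with the indentation the
# ipsec.conf parser requires (an unindented line starts a new section).
L2TP_CONF = """\
conn L2TP-PSK
    authby=psk
    pfs=no
    keyexchange=ikev1
    forceencaps=yes
    type=transport
    left=10.147.46.106
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
"""

# Settings a Windows L2TP/IPsec client (PSK, IKEv1, NAT-T) needs on the server.
EXPECTED = {"authby": "psk", "keyexchange": "ikev1", "type": "transport",
            "leftprotoport": "17/1701", "rightprotoport": "17/%any",
            "forceencaps": "yes", "pfs": "no", "auto": "add"}

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: new section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_l2tp_conn(text, conn="L2TP-PSK"):
    """Return a list of findings; an empty list means the conn matches EXPECTED."""
    params = parse_ipsec_conf(text).get(f"conn {conn}")
    if params is None:
        return [f"conn {conn} not found"]
    findings = []
    for key, want in EXPECTED.items():
        got = params.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    return findings
```

Run lint_l2tp_conn on the real /etc/ipsec.d/l2tp.conf contents after edits; a non-empty list points at the parameter that will make the Windows client fail to negotiate.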
Connection from the Windows L2TP client:
1. Ping from the VM to the CloudStack guest VM IP.
2. Below are the screens showing the L2TP settings in Windows.
If you get Error 809 while connecting to the remote access VPN from Windows, follow the steps below to add the AssumeUDPEncapsulationContextOnSendRule registry value.
Step 1: Log in to the PC as Administrator or as a user who is a member of the Administrators group.
Step 2: Click Start > Run or Start > All Programs > Accessories > Run and type regedit.
Step 3: Locate the entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent.
Step 4: Create a new DWORD (32-bit) value (Edit > New).
Step 5: Name it AssumeUDPEncapsulationContextOnSendRule and save.
Step 6: Modify the new entry and change Value Data from 0 to 2.
Value 0 -> Cannot establish security associations with servers that are located behind NAT devices.
Value 2 -> Can establish security associations with servers that are located behind NAT devices.
Step 7: Reboot the computer and try to set up the connection once more.
Ref: https://support.sonicwall.com/kb/sw13197