VPN iPhone IPSec

Introduction
No long preface. If you are reading this, you already know what the goal is. Let's go!

In this howto I use the following assumptions:
 * external interface eth0
 * external IP 111.222.333.444
 * local domain is example.de
 * hostname myServer.example.de
 * LAN is 192.168.1.0/24
 * local nameserver is 192.168.1.1
 * subnet for VPN is 192.168.77.0/24

Configuring the kernel for ipsec

Now compile and install your kernel. In the event that you choose to build IPSec as kernel modules, don't forget to have your modules loaded, for example with:

Without Certificates (Pre-Shared-Key)
For simplicity, it may be worthwhile to test your setup with a pre-shared key first, rather than spending the time to generate certificates up front and risking errors introduced by mistakes in certificate creation.

The groupname is an arbitrary name you choose; it must be the same on the server and the client. Associated with each groupname is a secret group password, which must also be given to the client.

The critical line is the one containing authentication_method, shown in the config file snippet above. That, together with the reference to the psk.txt file, makes racoon use pre-shared-key authentication to negotiate the IPSec phase 1 connection.

With Certificates
You need certificates for your server and the iPhone. If you don't have a certification authority yet, you have to create one.

Without CA
I use easy-rsa from the openvpn package for this purpose because I already have openvpn installed and it is really easy to use. If you don't have openvpn, use openssl directly or do this:

emerge openvpn

copy easy-rsa package to your home

unmerge openvpn

Change directory to ~/easy-rsa

Use your favorite editor to edit the file vars to meet your needs

vars

Create the CA, server and client certificates

You can find the generated certificates and keys in ~/easy-rsa/keys/.

With CA
Make sure you have your CA certificate, a server certificate including its key, and a client certificate.

Certificates and Configuration on iPhone
There are several ways to get the certificates onto the iPhone. I recommend Apple's iPhone Configuration Utility from here:

http://www.apple.com/support/iphone/enterprise/

Download and install it on Windows (it is also available for Mac; I guess the procedure is similar). Copy the files ~/easy-rsa/keys/ca.crt and iphone.example.de.p12 to the Windows machine. Double-click the files and follow the wizard. For iphone.example.de.p12, check the box that marks the private key as exportable. Open the iPhone Configuration Utility and add a new profile. Go to Certificates and add example.ca and iphone.example.de.

Then go to VPN. Add your server's name and a user account. Choose IPSec as the connection type, certificate for identification, and iphone.example.de as the certificate. Now connect your iPhone and sync the profile. Verify the configuration on your iPhone in the network settings.

Server Configuration
To configure the server side you need ipsec-tools.

Preparation
emerge ipsec-tools

Certificates
create a dir for certificates

copy CA certificate

copy server certificate

copy server certificate keyfile

Configuration
Edit /etc/conf.d/racoon

Create empty file ipsec.conf

Create the main configuration file /etc/racoon/racoon.conf

Let's have a look at this file.

The isakmp and isakmp_natt statements will only work if you have a static IP. If not, you have two options.
 * First: omit these statements; isakmp will then listen on all interfaces.
 * Second: generate racoon.conf dynamically on daemon startup. For this, copy racoon.conf to racoon.conf.template, replace 111.222.333.444 with the string EXT_IP, and put something like this in /etc/init.d/racoon.

/etc/init.d/racoon
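One way to do the EXT_IP substitution from the init script, as an added example that is not part of the original howto: the function names are mine, the template and config paths are the ones named above, and iproute2's ip command is assumed for reading the address of eth0.

```shell
#!/bin/sh
# Added example (not the howto's own init script): render
# /etc/racoon/racoon.conf from racoon.conf.template by replacing the EXT_IP
# placeholder with the address currently assigned to the external interface.
# Meant to be called from start() in /etc/init.d/racoon before racoon runs.

# Print the first IPv4 address assigned to the interface given as $1.
# Assumes iproute2 ("ip") is installed; prints nothing if it is not.
current_ext_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# Accept only a dotted quad. The value is spliced into the config with sed,
# so an empty or odd value would silently yield a racoon.conf that does
# not listen where you think it does.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Write $1 (template) to $2 (config) with every EXT_IP replaced by $3.
# Returns 1 and writes nothing when $3 is not a valid address.
render_racoon_conf() {
    template=$1; out=$2; ip=$3
    valid_ipv4 "$ip" || { echo "no usable external IP: '$ip'" >&2; return 1; }
    sed "s/EXT_IP/$ip/g" "$template" > "$out.tmp" && mv "$out.tmp" "$out"
}

# Usage from the init script (interface eth0 as assumed in this howto):
#   render_racoon_conf /etc/racoon/racoon.conf.template \
#       /etc/racoon/racoon.conf "$(current_ext_ip eth0)" || exit 1
```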

The dns4, default_domain and split_dns statements are only useful if you have your own internal nameserver. If not, simply omit these lines. The disadvantage is that you can then reach the internal computers only by IP, not by name.

The split_network include directive specifies that ONLY traffic leaving the VPN client with a destination address in this network is forwarded through the VPN. All other traffic takes the normal default route. If you want all VPN client traffic to use the VPN, simply comment out this directive.

The save_passwd statement is important for security. It determines whether the user's password can be stored on the iPhone. You can switch it on, but if you ever lose your iPhone, anyone can then log in to your network. For testing it is a good idea.

For further information about the statements consult the manpage for racoon.conf. Do not change the proposal unless you know what you are doing. The iPhone VPN client does support other hash and encryption algorithms, but not every one and not every combination.

Finally create the files /etc/racoon/phase1-up.sh and /etc/racoon/phase1-down.sh.

create /etc/racoon/phase1-up.sh

make it executable

create /etc/racoon/phase1-down.sh

make it executable
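An added example of the two scripts, not the howto's own: one file installed under both names (copy or symlink, executable as noted above) that adds the three SPD entries on phase 1 up and deletes them on phase 1 down. It assumes racoon passes LOCAL_ADDR, REMOTE_ADDR and INTERNAL_ADDR4 in the script environment, as racoon.conf(5) documents for phase1_up/phase1_down scripts, and uses this howto's LAN 192.168.1.0/24.

```shell
#!/bin/sh
# Added example (not the howto's script): install as /etc/racoon/phase1-up.sh
# and /etc/racoon/phase1-down.sh. racoon exports the peer's outer address
# (REMOTE_ADDR), our address (LOCAL_ADDR) and the mode_cfg address handed to
# the client (INTERNAL_ADDR4) to these scripts. LAN is the howto's network.
LAN=${LAN:-192.168.1.0/24}

# Print the setkey(8) statements for the current client; $1 is up or down.
# Policies are bound to the client's single inner address and the LAN only,
# so the SPD never grants a client more than the howto intends.
spd_commands() {
    case "$1" in
        up)   verb=spdadd ;;
        down) verb=spddelete ;;
        *)    echo "usage: spd_commands up|down" >&2; return 2 ;;
    esac
    # A missing variable would turn into an SPD entry that matches far more
    # than one client, so refuse to continue rather than guess.
    [ -n "$LOCAL_ADDR" ] && [ -n "$REMOTE_ADDR" ] && [ -n "$INTERNAL_ADDR4" ] \
        || { echo "LOCAL_ADDR, REMOTE_ADDR and INTERNAL_ADDR4 are required" >&2; return 1; }
    client="${INTERNAL_ADDR4}/32"
    in_tun="esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require"
    out_tun="esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require"
    if [ "$verb" = spdadd ]; then
        # in: client -> this host, fwd: client -> LAN, out: LAN -> client
        echo "$verb $client $LAN any -P in ipsec $in_tun;"
        echo "$verb $client $LAN any -P fwd ipsec $in_tun;"
        echo "$verb $LAN $client any -P out ipsec $out_tun;"
    else
        # spddelete takes only the selector and direction, no policy
        echo "$verb $client $LAN any -P in;"
        echo "$verb $client $LAN any -P fwd;"
        echo "$verb $LAN $client any -P out;"
    fi
}

# Only touch the kernel SPD when racoon invokes us under one of the two names.
case "$(basename "$0")" in
    phase1-up.sh)   spd_commands up   | setkey -c ;;
    phase1-down.sh) spd_commands down | setkey -c ;;
esac
```

After a client connects, setkey -DP should list exactly these three entries for its 192.168.77.x address, which is the check the troubleshooting section below relies on.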

Firewall settings
You must allow UDP connections from the Internet to the firewall on ports 500 and 4500. Allow traffic from zone vpn (192.168.77.0/24) to the firewall and the LAN.

Shorewall
If you use shorewall, you can take the rules from below.

IPTables
In the event that you use IPTables, you will need at least the following rules. Please note that these rules are generally over-permissive, and you should restrict them to be more sensible based on your own needs. This also assumes your chain policies are: INPUT (Drop), FORWARD (Drop), OUTPUT (Accept), all other tables' chains (Accept).

In the filter table:

in the nat table:
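The filter and nat rules written out as an added example (mine, not the original rule set), assuming the interface, networks and chain policies stated above; the -m policy match is an extra tightening so that only packets that really arrived inside the tunnel are accepted as VPN traffic.

```shell
#!/bin/sh
# Added example (not the howto's rules): minimal iptables rules for the racoon
# setup above, with INPUT DROP, FORWARD DROP, OUTPUT ACCEPT as stated.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
VPN_NET=192.168.77.0/24
LAN_NET=192.168.1.0/24

ipsec_rules() {
    # IKE (500) and NAT-T / ESP-in-UDP (4500) from the Internet to the firewall
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    # Plain ESP for clients that are not behind NAT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT

    # Decrypted client traffic to the firewall itself and to the LAN.
    # "-m policy --dir in --pol ipsec" matches only packets the kernel just
    # decrypted, so a spoofed cleartext 192.168.77.x packet on eth0 is still
    # dropped by the chain policy.
    $IPT -A INPUT -i "$EXT_IF" -s "$VPN_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -s "$VPN_NET" -d "$LAN_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Replies from the LAN back to the client
    $IPT -A FORWARD -s "$LAN_NET" -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # nat table: hide VPN clients behind the firewall's LAN address, for LAN
    # hosts that have no route back to 192.168.77.0/24 (omit if they do)
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -d "$LAN_NET" -j MASQUERADE
}

# Dry run: IPT=echo sh thisfile  prints the seven rules without applying them
[ "$IPT" = echo ] && ipsec_rules
```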

Have fun
On your iPhone go to the network settings and enable VPN. You can now access your LAN computers with ssh, RDP or VNC. I use iTapRDP, iTeleport and TouchTerm Pro and it works like a charm.

IPSec
IPSec is not really a user-friendly thing, so troubleshooting is not easy.

First, check that the daemon has started. netstat should show it listening on UDP ports 500 and 4500. Your log should show something like this.

Second, watch the logs while connecting from the iPhone. A successful connect looks like this.

Look out for errors. If there are any, they probably give you a hint which option is the cause. Check your config files twice.

If there are no errors, check the security policies:

There must be a policy for incoming, outgoing and forwarding, and they must exactly match the iPhone's IP and your local net. If not, check phase1-up.sh.

Don't try to set up any routing. It is not necessary; routing is done by policy.

Check your firewall configuration and the firewall logs for dropped/rejected packets.

Start the VPN on the iPhone, then try to connect using ssh. While doing this, run tcpdump on eth0:

First you should see UDP packets from and to port 500, later from and to port 4500 (udp-encap ESP). You should also see incoming packets from 192.168.77.1. Don't be surprised that there are no outgoing packets to 192.168.77.1: they are encrypted.

Every time your iPhone reconnects to the provider it gets a new IP and the VPN goes down. Because of this, make sure you have a stable EDGE or 3G connection and disable the auto-lock function while testing.

racoon won't start
See this bug: http://bugs.gentoo.org/87920

no /var/log/racoon.log
Edit /etc/conf.d/racoon and set RACOON_OPTS properly.

I'm behind a router
No problem. Forward UDP port 500 and UDP port 4500 to the "server" that terminates the VPN connection.