(25 May 2016)
In this test a VPN connection was established from an Android phone to an Azure virtual network via an Openswan VPN gateway running in an Ubuntu Linux virtual machine. IPsec authentication was certificate based (RSA signatures); on top of that the mobile user was authenticated at the L2TP/PPP layer with a CHAP user name and password. Certificates were signed by an OpenSSL CA running on the same Azure Ubuntu server. Note that this is a test shortcut: keeping the CA key on the Internet-facing gateway means that anyone who compromises the gateway can issue further client certificates, so in a real deployment the CA should be kept elsewhere.
The following configuration settings were used:
Samsung Galaxy J5 (Android 5.1.1, Kernel 3.10.49-965529, in-built VPN client)
Certificate and L2TP authentication
Openswan VPN gateway:
Ubuntu 14.04 Linux, Openswan U2.6.38/K3.19.0-56-generic (netkey)
xl2tpd version xl2tpd-1.3.6
Virtual network: 10.4.1.0/24
Public ip address: yyy.yyy.yyy.yyy
Internal ip address: 10.4.1.4
Openswan configuration steps:
- In Azure, create a virtual network with address space 10.4.1.0/24.
- Add Ubuntu 14.04 Linux server in the above virtual network.
- In the Azure Endpoints menu of the Ubuntu server enable the endpoints for UDP 500 and UDP 4500 packets:
- UDP 500: Private port 500, public port 500 (IKE)
- UDP 4500: Private port 4500, public port 4500 (IKE and ESP over NAT-T)
Nothing else needs to be opened: the VM sits behind Azure's NAT, so IKE detects the NAT and both IKE and ESP move to UDP 4500 (NAT traversal), and L2TP (UDP 1701) travels inside the IPsec transport-mode SA.
- In the Dashboard check the Public Virtual IP Address assigned to the virtual machine. Use this address as the server address in the client configuration. The VM's own interface carries only the internal address 10.4.1.4; Azure translates the public address to it.
- Connect to the Ubuntu server, e.g. with PuTTY from a Windows VM located in the same virtual network.
- Install Openswan VPN gateway with command: sudo apt-get install openswan.
- Install xl2tpd support with command: sudo apt-get install xl2tpd.
- Install ppp support with command: sudo apt-get install ppp.
- Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
- Edit xl2tpd and ppp settings in the configuration files: /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets
- Copy the CA certificate, Openswan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
- CA certificate to /etc/ipsec.d/cacerts
- Openswan VPN gateway certificate to /etc/ipsec.d/certs
- Openswan Private Key file to /etc/ipsec.d/private (the directory and the key file should be readable by root only)
- Restart the VPN service: sudo service ipsec restart
- Restart the xl2tpd service: sudo service xl2tpd restart
In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway.
SAMPLE "IPSEC.CONF" IN OPENSWAN
- "L2TPCert.pem" is the certificate of the Openswan VPN gateway (leftcert=L2TPCert.pem, read from /etc/ipsec.d/certs).
- VPN connections are accepted from remote clients which have a certificate signed by the same trusted CA as the VPN gateway certificate (rightca=%same).
- The private key is referenced from /etc/ipsec.secrets with the line: ": RSA L2TPCertKey1.pem" (Openswan looks the file up in /etc/ipsec.d/private).
- "L2TPCertKey1.pem" is the Private key file for the Openswan gateway certificate.
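The report's own ipsec.conf listing did not survive. The following is an added example, not the configuration from the original test, of an Openswan transport-mode L2TP/IPsec connection that uses the settings the report names (left=10.4.1.4, L2TPCert.pem, L2TPCertKey1.pem, rightca=%same, the 10.4.1.0/24 address space). The connection name L2TP-CERT, the virtual_private list and the dead-peer-detection values are assumptions.

```ini
# /etc/ipsec.conf  (added example; connection name and virtual_private list are assumed)
config setup
    protostack=netkey
    nat_traversal=yes            # the VM sits behind Azure NAT; mobile clients usually are too
    # private ranges that NATed clients may claim, minus our own virtual network
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.4.1.0/24
    oe=off

conn L2TP-CERT
    type=transport               # L2TP/IPsec protects the L2TP UDP stream, not a subnet
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=10.4.1.4                # the VM's internal address, not the Azure public VIP
    leftcert=L2TPCert.pem        # gateway certificate in /etc/ipsec.d/certs
    leftprotoport=17/1701
    right=%any
    rightca=%same                # client cert must chain to the same CA as L2TPCert.pem
    rightprotoport=17/%any       # NAT may rewrite the client's source port
    rightsubnet=vhost:%priv,%no  # accept clients coming from behind NAT
    pfs=no
    rekey=no
    keyingtries=3
    dpddelay=30                  # drop dead mobile clients instead of leaving stale SAs
    dpdtimeout=120
    dpdaction=clear
    auto=add

# /etc/ipsec.secrets
: RSA L2TPCertKey1.pem
```

After editing, "sudo ipsec verify" reports NAT-T and netkey support, and "sudo ipsec auto --status" should list the L2TP-CERT connection; a client that presents a certificate from a different CA is rejected at IKE before L2TP is ever reached.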
SAMPLE "XL2TPD.CONF" AND "OPTIONS.XL2TPD" IN OPENSWAN
require chap = yes
refuse pap = yes
ip range = 10.5.1.200-10.5.1.250
local ip = 10.4.1.4
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- The keys above belong to the [lns default] section of /etc/xl2tpd/xl2tpd.conf. The client gets its local IP address from the "ip range" pool. Note that the pool 10.5.1.200-10.5.1.250 lies outside the virtual network 10.4.1.0/24, which is why the Azure routing for 10.5.1.0/24 must point at the gateway (10.4.1.4), as discussed in the routing test case above.
SAMPLE "CHAP-SECRETS" FILE
# Secrets for authentication using CHAP
# client server secret IP addresses
user OpenswanL2TP "abcd1234" *
- The server field (OpenswanL2TP) must match the "name" option in /etc/ppp/options.xl2tpd, otherwise pppd finds no secret for the user. The "*" allows any client address; the actual address comes from the xl2tpd pool. The file holds plaintext passwords and must be readable by root only (chmod 600).
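The options.xl2tpd listing is missing from the report. As an added example, not the file from the original test, this is a pppd options file that fits the chap-secrets entry above: its "name" is the server field that chap-secrets is matched against. The DNS address, MTU values and LCP echo settings are assumptions.

```ini
# /etc/ppp/options.xl2tpd  (added example; ms-dns, mtu/mru and lcp-echo values are assumed)
name OpenswanL2TP        # must equal the second (server) field in /etc/ppp/chap-secrets
auth                     # the peer must authenticate itself before the link comes up
refuse-pap               # never accept the plaintext PAP exchange
require-mschap-v2        # prefer MS-CHAPv2 over CHAP-MD5 for the user/password step
ms-dns 168.63.129.16     # DNS handed to the phone (Azure's resolver address, assumed here)
noccp                    # no compression; the IPsec SA already carries the data
nodefaultroute           # do not let a client session replace the gateway's own default route
proxyarp                 # answer ARP for the pool address on the gateway's interface
lock
mtu 1280
mru 1280
lcp-echo-interval 30     # tear the PPP link down when the phone disappears
lcp-echo-failure 4
```

A client is accepted only after two independent checks succeed: the IKE peer must present a certificate chaining to the gateway's CA (rightca=%same), and the PPP peer must then prove knowledge of the chap-secrets password; failing either one drops the session before any packet reaches 10.4.1.0/24.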
Android mobile phone configuration steps
- Create a client certificate in the same CA where the gateway certificate was signed
- Create a *.p12 certificate package and import it into the mobile phone
- Go to Settings > Connections > More connection settings > VPN and create a VPN profile
- Select Type = L2TP/IPSec RSA
- Server Address = <Openswan VM public ip address>
- L2TP secret = <empty>
- IPSec User Certificate = <select the imported client cert>
- IPSec CA certificate = <select the CA of the client certificate>
- IPSec server certificate = "received from the server" (Android takes the certificate the gateway sends in IKE and validates it against the CA selected above)
- User name, password: user, abcd1234 (the entry in the gateway's chap-secrets file)
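The certificate steps on both sides (sign the gateway certificate, create a client certificate in the same CA, bundle it as a .p12 for the phone) are shown below as an added example with OpenSSL; this is not a script from the original test. File names follow the report (L2TPCert.pem, L2TPCertKey1.pem); the DN strings, the client file names (android-client.*) and the PKCS#12 password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original test report): build a small OpenSSL CA,
# sign the Openswan gateway certificate and an Android client certificate with it,
# and bundle the client cert, its key and the CA into a PKCS#12 file for the phone.
# DN strings, client file names and the PKCS#12 password are assumptions.
set -eu

# Create the whole PKI under $1 (defaults to a fresh temporary directory) and print the path.
build_pki() {
    dir=${1:-$(mktemp -d)}
    ca_key="$dir/ca.key"
    ca_crt="$dir/cacert.pem"

    # 1. CA key and self-signed CA certificate (keep the key off the gateway in production).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$ca_key" -out "$ca_crt" -subj "/CN=Test VPN CA" >/dev/null 2>&1

    # 2. Gateway key + CSR, signed by the CA; these go to /etc/ipsec.d/private and certs.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/L2TPCertKey1.pem" -out "$dir/gw.csr" -subj "/CN=openswan-gw" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/gw.csr" \
        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial -out "$dir/L2TPCert.pem" >/dev/null 2>&1

    # 3. Client key + certificate signed by the same CA, so that rightca=%same matches it.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/android-client.key" -out "$dir/client.csr" -subj "/CN=android-client" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial -out "$dir/android-client.pem" >/dev/null 2>&1

    # 4. PKCS#12 bundle for the phone: client certificate, its private key and the CA certificate.
    openssl pkcs12 -export \
        -inkey "$dir/android-client.key" -in "$dir/android-client.pem" \
        -certfile "$ca_crt" -name "android-client" \
        -passout pass:changeit -out "$dir/android-client.p12" >/dev/null 2>&1

    printf '%s\n' "$dir"
}

# Check that both leaf certificates chain to the CA, which is what rightca=%same relies on.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/L2TPCert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/cacert.pem" "$dir/android-client.pem" >/dev/null 2>&1
}
```

Copy cacert.pem, L2TPCert.pem and L2TPCertKey1.pem into /etc/ipsec.d/cacerts, certs and private respectively, and transfer only android-client.p12 to the phone (never the CA key). If an older Android build refuses the bundle produced by OpenSSL 3, regenerate it with the pkcs12 "-legacy" option, which falls back to the older encodings such devices expect.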