Android phone – Linux Openswan VPN

(25 May 2016)

In this test a VPN connection was established from an Android phone to an Azure virtual network via an Openswan VPN gateway running in an Ubuntu Linux virtual machine. Authentication was certificate-based, and the mobile device was additionally authenticated with an L2TP user name and password. The certificates were signed by an OpenSSL CA running on the Azure Ubuntu server.

The following configuration settings were used:

Android phone:

Samsung Galaxy J5 (Android 5.1.1, Kernel 3.10.49-965529, in-built VPN client)
Certificate and L2TP authentication

Openswan VPN gateway:

Ubuntu 14.04 Linux, Openswan U2.6.38/K3.19.0-56-generic (netkey)
xl2tpd version xl2tpd-1.3.6
Virtual network: 10.4.1.0/24
Public IP address: yyy.yyy.yyy.yyy
Internal IP address: 10.4.1.4

(Diagram: Android-AzureOpenswan)

Openswan configuration steps:

  1. In Azure, create a virtual network with address space 10.4.1.0/24.
  2. Add Ubuntu 14.04 Linux server in the above virtual network.
  3. In the Azure Endpoints menu of the Ubuntu server enable the endpoints for UDP 500 and UDP 4500 packets:
    • UDP 500: Private port 500, public port 500
    • UDP 4500: Private port 4500, public port 4500
  4. In the Dashboard check the Public Virtual IP Address assigned to the Virtual Machine. Use this address as the server address in the client configuration.
  5. Connect to the Ubuntu server, e.g. with PuTTY from a Windows VM located in the same virtual network.
  6. Install Openswan VPN gateway with command: sudo apt-get install openswan.
  7. Install xl2tpd support with command: sudo apt-get install xl2tpd.
  8. Install ppp support with command: sudo apt-get install ppp.
  9. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  10. Edit xl2tpd and ppp settings in the configuration files: /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets
  11. Copy the CA certificate, Openswan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
    • CA certificate to /etc/ipsec.d/cacerts
    • Openswan VPN gateway certificate to /etc/ipsec.d/certs
    • Openswan Private Key file to /etc/ipsec.d/private
  12. Restart the VPN service: sudo service ipsec restart
  13. Restart the xl2tpd service: sudo service xl2tpd restart

In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway.

SAMPLE “IPSEC.CONF” IN OPENSWAN

config setup
    protostack=netkey
    virtual_private=%v4:10.4.1.0/24
    oe=off
    dumpdir=/var/run/pluto/
    nat_traversal=yes

conn certphone
    authby=rsasig
    type=transport
    left=10.4.1.4
    leftcert=L2TPCert.pem
    leftprotoport=17/1701
    leftid=%fromcert
    right=%any
    rightca=%same
    rightprotoport=17/%any
    auto=add
    pfs=no

NOTES:
  • “L2TPCert.pem” is the certificate of the Openswan VPN gateway.
  • VPN connections are accepted from any remote client whose certificate is signed by the same trusted CA as the VPN gateway certificate (rightca=%same).

SAMPLE “IPSEC.SECRETS” IN OPENSWAN

: RSA L2TPCertKey1.pem

NOTES:
  • “L2TPCertKey1.pem” is the Private key file for the Openswan gateway certificate.

SAMPLE “XL2TPD.CONF” AND “OPTIONS.XL2TPD” IN OPENSWAN

xl2tpd.conf:

[global]
[lns default]
require chap = yes
refuse pap = yes
ip range = 10.5.1.200-10.5.1.250
local ip = 10.4.1.4
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

NOTES:
  • The client gets its local ip address from the “ip range” pool.

options.xl2tpd:

require-mschap-v2
noccp
noauth
nomppe
idle 1800
mtu 1400
mru 1400
defaultroute
usepeerdns
lock
connect-delay 5000
name OpenswanL2TP

SAMPLE “CHAP-SECRETS” FILE

# Secrets for authentication using CHAP
# client    server        secret      IP addresses
user        OpenswanL2TP  "abcd1234"  *
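Three things about the xl2tpd/ppp files above decide whether the CHAP login in step 10 of the phone configuration succeeds: the server field in chap-secrets must equal the name option in options.xl2tpd (OpenswanL2TP on this page), the secret must be written with straight ASCII quotes rather than the curly quotes a word processor pastes in, and chap-secrets holds a plaintext password so it should be readable only by root. The functions below are an added example, not part of the original report or of xl2tpd/pppd; they check those three points against a ROOT directory ("" on the gateway, a scratch directory for testing) using the file layout shown on this page.

```shell
#!/bin/sh
# Added example (not part of the original report): sanity checks for the
# xl2tpd/ppp files shown above. ROOT is "" on the gateway or a scratch
# directory when testing.
set -eu

# Second field (server name) of every non-comment entry in chap-secrets.
chap_server_names() {
  sed -e 's/#.*$//' "$1" | awk 'NF >= 3 { print $2 }'
}

# Value of the "name" option in options.xl2tpd.
ppp_name() {
  awk '$1 == "name" { print $2; exit }' "$1"
}

# 0 if every chap-secrets entry's server field equals the ppp "name" (or "*").
# A mismatch makes pppd reject every CHAP login even with the right password.
chap_names_match() {
  root="$1"
  n=$(ppp_name "$root/etc/ppp/options.xl2tpd")
  [ -n "$n" ] || return 1
  for s in $(chap_server_names "$root/etc/ppp/chap-secrets"); do
    [ "$s" = "$n" ] || [ "$s" = "*" ] || return 1
  done
  return 0
}

# 0 if chap-secrets (plaintext passwords) is readable by its owner only.
chap_secrets_private() {
  [ "$(ls -l "$1/etc/ppp/chap-secrets" | cut -c5-10)" = "------" ]
}

# 0 if chap-secrets contains no curly quotes; curly quotes become part of
# the password string and every login fails.
chap_quotes_ascii() {
  ! grep -qF -e '“' -e '”' "$1/etc/ppp/chap-secrets"
}

# Run all three checks on the live gateway: sh check-l2tp.sh
if [ $# -eq 0 ] && [ -f /etc/ppp/chap-secrets ]; then
  chap_names_match ""   && echo "server name matches options.xl2tpd"
  chap_secrets_private "" && echo "chap-secrets is owner-readable only"
  chap_quotes_ascii ""  && echo "chap-secrets uses ASCII quotes"
fi
```

The curly-quote check uses grep -F so it works on the raw bytes regardless of the locale the shell runs under.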

Android mobile phone configuration steps

  1. Create a client certificate in the same CA where the gateway certificate was signed
  2. Create a *.p12 certificate package and import it into the mobile phone
  3. Go to Settings > Connections > More connection settings > VPN and create a VPN profile
  4. Select Type = L2TP/IPSec RSA
  5. Server Address = <Openswan VM public ip address>
  6. L2TP secret = <empty>
  7. IPSec User Certificate = <select the imported client cert>
  8. IPSec CA certificate = <select the CA of the client certificate>
  9. IPSec server certificate = “received from the server”
  10. User name, password: user, abcd1234
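Steps 1 and 2 above (issue a client certificate from the same CA and package it as a .p12), together with the rightca=%same note under the ipsec.conf sample, both come down to one property: the gateway certificate and every client certificate must chain to the same CA. The script below is an added example, not part of the original test report or of OpenSSL's own tooling. It builds a throwaway CA, issues a gateway certificate named L2TPCert.pem as on this page and a client certificate, exports the client as a PKCS#12 bundle, and provides the two checks worth running before installing anything: that a certificate chains to the CA (what rightca=%same enforces at connect time) and that a private key really belongs to its certificate. The CA name vpn-ca-demo, the client name client1 and the import password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original test report): build a small OpenSSL CA,
# issue the gateway and client certificates, export the client as a .p12 and
# verify that both chain to the same CA, which is what "rightca=%same" checks.
# vpn-ca-demo, client1 and demo-import-password are constructed values.
set -eu

# make_vpn_pki DIR: create CA, gateway and client material under DIR.
make_vpn_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA (2048-bit RSA, 10-year validity).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=vpn-ca-demo" 2>/dev/null
  # 2. Gateway certificate, signed by the CA (matches leftcert=L2TPCert.pem).
  issue_cert "$dir" L2TPCert "/CN=vpn-gateway-demo"
  # 3. Client certificate for the phone.
  issue_cert "$dir" client1 "/CN=client1"
  # 4. PKCS#12 bundle for the phone: key + certificate + CA, password-protected.
  openssl pkcs12 -export -inkey "$dir/client1.key" -in "$dir/client1.pem" \
    -certfile "$dir/ca.pem" -name client1 \
    -passout pass:demo-import-password -out "$dir/client1.p12"
}

# issue_cert DIR NAME SUBJECT: key + CSR + CA-signed certificate (1-year validity).
issue_cert() {
  dir="$1"; name="$2"; subj="$3"
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/$name.pem" 2>/dev/null
}

# chains_to_ca CA CERT: 0 if CERT was signed by CA (the rightca=%same condition).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: 0 if the private key belongs to the certificate.
# Run this before copying the pair into ipsec.d/private and ipsec.d/certs.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage on the CA host: sh make-vpn-pki.sh /path/to/scratch-dir
if [ $# -eq 1 ]; then
  make_vpn_pki "$1"
  chains_to_ca "$1/ca.pem" "$1/client1.pem" && echo "client1.pem chains to ca.pem"
  key_matches_cert "$1/L2TPCert.key" "$1/L2TPCert.pem" && echo "gateway key matches L2TPCert.pem"
fi
```

Copy client1.p12 to the phone for step 2 and ca.pem plus L2TPCert.pem/L2TPCert.key to the gateway for step 11 of the Openswan procedure. If a phone as old as the one in this test refuses the bundle, the cause may be the newer PKCS#12 encryption defaults of recent OpenSSL releases; re-exporting with the -legacy option of OpenSSL 3 produces the older format.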