@VegarLH
Created October 19, 2018 13:09
#man ipsec
Additional Variables
A number of sysctl(8) variables are relevant to ipsec. These are
generally net.inet.ah.*, net.inet.esp.*, net.inet.ip.forwarding,
net.inet6.ip6.forwarding, and net.inet.ip.ipsec-*. Full explanations can
be found in sysctl(2), and variables can be set using the sysctl(8)
#man npppd
Normally npppd works with pipex(4) to accelerate IP packet forwarding,
but pipex(4) is disabled by default. To enable it, set net.pipex.enable
to `1' using sysctl(8).
When npppd uses PPTP, the host system should allow GRE packets, but they
are disabled by default. To enable GRE, set net.inet.gre.allow to `1'
using sysctl(8).
sysctl net.inet.ip.forwarding=1
sysctl net.inet.esp.enable=1
sysctl net.pipex.enable=1
/etc/pf.conf
set skip on lo
block in log all
pass out all
pass in on egress proto icmp all
pass in on egress proto { tcp, udp } from any to egress port 65022 #ssh
pass in on egress proto { esp, ah } from any to egress # IPSec in
pass in on egress proto udp from any to egress port { isakmp, ipsec-nat-t }
#enc
pass in on enc0 proto udp from any to egress port l2tp
#allow in from tun0
pass in on tun0 from any to any
match out log on egress from 10.0.0.0/24 to any nat-to egress:0 #nat
/etc/ipsec.conf
###############
# L2TP config
host=146.185.144.249
psk_l2tp=notmypass
ike passive esp transport \
proto udp from $host to any port 1701 \
main auth hmac-sha1 enc aes group modp2048 \
quick auth hmac-sha1 enc aes-128 \
psk $psk_l2tp tag ipsec_l2tp
# L2TP downgraded for Android-support
ike passive esp transport \
proto udp from $host to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
psk $psk_l2tp tag ipsec_l2tp
/etc/npppd/npppd-users
epidemic:\
:password=alsonotmypass:
/etc/npppd/npppd.conf
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.0.0.2-10.0.0.254
    dns-servers 8.8.8.8
}
# use tun(4) interface. multiple ppp sessions concentrate one interface.
interface tun0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
#enable services
rcctl enable npppd
rcctl enable isakmpd
rcctl set isakmpd flags "-K"
rcctl enable ipsec
#and start them when needed.
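The following pre-flight script is an added example and is not part of the gist: it checks that the three sysctls, the three rc services and the isakmpd "-K" flag from the notes above are all in place, and syntax-checks pf.conf and ipsec.conf before anything is started. The check functions read from stdin so they can be fed live command output on an OpenBSD host or, as in the sample lines embedded below, constructed copies of that output; the function names and the REQUIRED_SYSCTLS list are the example's own.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight checks for the L2TP/IPsec
# setup. Every check reads its input from stdin so it can be driven by
# live command output or by a saved copy.

# Sysctls the notes set; each must be 1 for forwarding, ESP and pipex to work.
REQUIRED_SYSCTLS="net.inet.ip.forwarding net.inet.esp.enable net.pipex.enable"

# check_sysctls: reads "name=value" lines (the format printed by
# `sysctl name1 name2 ...`) and reports every required variable that is
# missing or not set to 1. Returns 0 only when all of them are enabled.
check_sysctls() {
    rc=0
    input=$(cat)
    for name in $REQUIRED_SYSCTLS; do
        value=$(printf '%s\n' "$input" | awk -F= -v n="$name" '$1 == n { print $2 }')
        if [ "$value" != "1" ]; then
            printf 'sysctl %s is "%s", expected 1\n' "$name" "${value:-unset}"
            rc=1
        fi
    done
    return $rc
}

# check_services: reads `rcctl ls on` output (one enabled service per line)
# and reports any of npppd, isakmpd and ipsec that is not enabled.
check_services() {
    rc=0
    input=$(cat)
    for svc in npppd isakmpd ipsec; do
        if ! printf '%s\n' "$input" | grep -qx "$svc"; then
            printf 'service %s is not enabled (rcctl enable %s)\n' "$svc" "$svc"
            rc=1
        fi
    done
    return $rc
}

# check_isakmpd_flags: reads `rcctl get isakmpd flags` output and confirms
# that -K is present; without it isakmpd expects keynote policy instead of
# the flows loaded from /etc/ipsec.conf by the ipsec rc script.
check_isakmpd_flags() {
    flags=$(cat)
    case " $flags " in
        *" -K "*) return 0 ;;
        *) printf 'isakmpd flags are "%s", expected -K\n' "$flags"; return 1 ;;
    esac
}

# preflight: run every check against the live system (OpenBSD only) and
# parse both config files without loading them. Returns 0 when all pass.
preflight() {
    ok=0
    sysctl $REQUIRED_SYSCTLS | check_sysctls || ok=1
    rcctl ls on | check_services || ok=1
    rcctl get isakmpd flags | check_isakmpd_flags || ok=1
    pfctl -nf /etc/pf.conf || ok=1
    ipsecctl -n -f /etc/ipsec.conf || ok=1
    return $ok
}

# Constructed sample input, as the commands would print it on a host where
# net.pipex.enable was never set and the ipsec service was not enabled:
SAMPLE_SYSCTL='net.inet.ip.forwarding=1
net.inet.esp.enable=1'
SAMPLE_RCCTL='isakmpd
npppd
sshd'

# Run the offline checks on the constructed sample when executed directly.
if [ "${0##*/}" = "preflight.sh" ]; then
    printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctls
    printf '%s\n' "$SAMPLE_RCCTL" | check_services
    printf '%s\n' '-K' | check_isakmpd_flags
fi
```

On the server itself, run `preflight` after editing the files and before `rcctl start`; a non-zero exit means at least one sysctl, service, flag or config file still needs attention, and the printed lines say which.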