To get secure access to internal networks, one usually employs one of the many variants of a VPN. When connecting from a normal computer, you can install basically whatever variant you wish. When using devices such as smartphones however, the number of supported VPN technologies is usually limited. Especially on non-open platforms such as the iDevices by Apple, you can not add VPN software yourself, contrary to the Android platform.

In this post, I’ll explain how to set up an IPsec (without L2TP) tunnel endpoint on an Ubuntu server, capable of handling an iPhone/iPad/iPod/iWhatever. The users will be authenticated against an LDAP directory.

Packages

IPsec usually consists of two parts: the IPsec layer itself and the IKE layer on top. IPsec itself is usually implemented in the kernel. It handles all encryption, decryption and authentication of the packets, based on the set of security policies (SP) and security associations (SA). Since you usually don’t want to setup these SA’s and SD’s yourself, Internet Key Exchange (IKE) comes into play. IKE is usually implemented in user space. In this post, I’ll be describing racoon.

The standard Ubuntu racoon package does not have LDAP support compiled in. So I pulled in the source, changed the ./configure line to include –with-libldap and rebuild the package. Since I have no experience whatsoever with packaging, I will have made more mistakes that you can dream off.

Racoon configuration

The racoon.conf file has different sections, each with their own purpose. The listen group specifies the IP’s to bind on. By default racoon listens on any IP. The path directives tell racoon where to find its other configuration files.

listen {
 isakmp 192.0.2.1 [500];
 isakmp_natt 192.0.2.1 [4500];
}
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

Next up is a remote section, specifying the phase 1 settings. Normal IPsec tunnels are point-to-point. You can configure the tunnel statically on both ends. Here we are setting up a roaming tunnel: we don’t know where the client is. This has some implications:

  • the server can never initiate the connection (since the IP of the client(s) are unknown)
  • The client’s tunnel-IP needs to be assigned from the server. This minimizes client-side configuration
  • The client must authenticate itself using a username/password combo.
remote anonymous { # Do not filter on source IP, anyone can connect to this tunnel
 passive on; # Don't initiate, only listen
 exchange_mode main,aggressive; # Accept both modes
 my_identifier fqdn "vpn.example.net"; # Identify ourselves with this name
 mode_cfg on; # configure the client's IP address using mode configuration
 verify_cert off; # Don't check client certificate
 ike_frag on; # Announce IKE-fragmentation support
 generate_policy on; # automatically install SPD's
 nat_traversal on; # Support NAT traversal
 dpd_delay 20; # Disconnect dead clients after 20 seconds
 proposal { # Phase 1 parameters
  encryption_algorithm aes;
  hash_algorithm sha1;
  authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication
  dh_group 2;
 }
}

Next section is the mode configuration. This is sometimes called phase 1.5, because it happens between phase 1 and phase 2. In this step, the client is authenticated.

mode_cfg {
 auth_source ldap; # Authenticate against LDAP
 save_passwd on; # Allow users to save passwords

 group_source ldap; # Verify group membership in LDAP
 auth_groups "ipsec vpn";  # Require users to be member of this group in order to connect

 network4 10.0.0.0;  # Give clients addresses starting from this address
 pool_size 255;  # up to 255 addresses higher

 split_network include 10.1.0.0/16; # split tunneling, only tunnel traffic to these subnets
}

ldapcfg {
 host "ldap.example.net";
 base "dc=example,dc=net";
 subtree on;
 bind_dn ""; # Anonymous simple bind
 bind_pw "";
 attr_user "uid";  # Searches for (=)
 attr_group "cn";  # Searches for (&(=)(=))
 attr_member "member";
}

The sainfo section specifies the parameters to use for phase 2, the actual data-encryption:

sainfo anonymous {
 encryption_algorithm aes;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate;
}

Next, you need to add the group-name and the group password to the psk.txt file:

iOStunnel     $ecr3tPassW0rd

iPhone configuration

The iPhone is set up fairly easily: Under Settings -> General -> Network -> VPN, you need to Add VPN Configuration:

  • Select a (Cisco) IPsec tunnel
  • The Description can be whatever you want
  • Server should be the FQDN of your server, this is checked against the my_identifier in the server config
  • Account and Password are the credentials of the user in the LDAP database
  • Group Name and Secret are the group credentials as specified in the psk.txt file

25 Comments

  1. Michele Rossi says:

    Hi,
    thanks a lot for taking the time to write this page.

    I tried following your steps and stumbled on the installation of the LDAP server.
    It turns out that sldap (or openLdap, I am confused even on the name) on the latest Ubuntu has been significantly overhauled and all the docs you find on the internet are somewhat out of date.

    If you follow them you end up with an ldap server for which you don’t know the admin password.
    I couldn’t find a way to set it.

    So I am wondering whether racoon can be configured to run without LDAP.
    I wouldn’t mind even if the user list was hardcoded or driven of a text file somehow.

    thanks!
    Michele

  2. Niobos says:

    Michele,

    Sure it can! You just need to configure the appropriate auth_source-directive (see the man-page for details). The easiest setup is to use system (or pam), which just uses system accounts.

    Niobos

  3. Michele Rossi says:

    hi,
    I am almost there it seems – but not quite yet 🙂
    So now my iPhone connects and shows a “vpn” logo but then it tells me that I am not connected to the internet if I try to open a web page.
    In the racoon logs I found these:

    2011-04-27 21:03:34: ERROR: pfkey.c:2276:pk_recvspdupdate(): such policy does not already exist: “0.0.0.0/0[0] 20.0.0.0/32[0] proto=any dir=out”

    and once the following (and in that case the negotiation phase failed)

    2011-04-27 21:03:09: WARNING: isakmp_cfg.c:201:isakmp_cfg_r(): Short payload

    Thanks again for your support!
    Michele

  4. Niobos says:

    Michele,
    If the phone shows a VPN logo, that probably means that the tunnel setup was successful. In the setup I described above, it is the intended behavior that Internet-traffic does not travel through the tunnel (but it still should work). To troubleshoot this, you need to give more information, especially the racoon-config you are using, and preferably also the network setup you are trying to accomplish.

    Also, from the single log line that you did post, I assume that you are using the IP address(es) 20.0.0.0 for the VPN clients? I would strongly advise against this, since these IPs are assigned on the internet and not free to use. Please use RFC 1918 addresses.

    Niobos

  5. Michele Rossi says:

    Hi,
    my main aim is to route my iPhone internet traffic to a server I rent so that I can bypass geographical restriction on certain web sites.

    What would I need to change to achieve that?

    I chose that IP without thinking much, mainly to avoid clashing with IPs generated by an OpenVPN server that I also run on the same box.

    Find my configuration file at the end of this message.
    Thanks again for your support, hope this is useful for lots of people out there.

    Michele

    path pre_shared_key “/etc/racoon/psk.txt”;
    path certificate “/etc/racoon/certs”;

    remote anonymous { # Do not filter on source IP, anyone can connect to this tunnel
    passive on; # Don’t initiate, only listen
    exchange_mode main,aggressive; # Accept both modes
    my_identifier address “XXX.XXX.XX4.167”; # Identify ourselves with this name
    mode_cfg on; # configure the client’s IP address using mode configuration
    verify_cert off; # Don’t check client certificate
    ike_frag on; # Announce IKE-fragmentation support
    generate_policy on; # automatically install SPD’s
    nat_traversal on; # Support NAT traversal
    dpd_delay 20; # Disconnect dead clients after 20 seconds

    proposal { # Phase 1 parameters
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication
    dh_group 2;
    }
    }

    mode_cfg {
    auth_source system; # Authenticate against system
    save_passwd on; # Allow users to save passwords

    group_source system; # Verify group membership in LDAP
    auth_groups “vpn”; # Require users to be member of this group in order to connect

    network4 10.1.0.0; # Give clients addresses starting from this address
    pool_size 255; # up to 255 addresses higher

    only tunnel traffic to these subnets
    }

    sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    }

  6. Niobos says:

    Michele

    I tried your configuration (i.e. without the split_network statement) and it seems to work fine on the IP layer. The problem you are probably facing is a DNS issue:
    You are requiring all traffic to go through the tunnel, but don’t override the DNS-server to use. Hence, the iPhone will probably try to reach a local-to-the-iPhone DNS-server, but send that traffic through the tunnel (as configured). From the server-side of the tunnel, it’s not possible to reach that DNS-server.
    So either you add a DNS-server to the ipsec mode configuration (e.g. “dns4 192.0.2.1”), or you allow the DNS-traffic to stay outside of the tunnel.

    Niobos

  7. Michele Rossi says:

    Niobos,
    still no luck I am afraid, I’ve configured the DNS server trying out both my machine’s default DNS and google’s public dns IP.
    Now if I try to access a web page from my iPhone it just hangs for ages before giving up saying that it’s not connected to the internet.

    I still don’t understand the error message below.

    thanks!
    Michele

    2011-04-30 09:42:13: ERROR: pfkey.c:2276:pk_recvspdupdate(): such policy does not already exist: “10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in”
    2011-04-30 09:42:13: ERROR: pfkey.c:2276:pk_recvspdupdate(): such policy does not already exist: “10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd”
    2011-04-30 09:42:13: ERROR: pfkey.c:2276:pk_recvspdupdate(): such policy does not already exist: “0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out”

  8. Niobos says:

    Michele,

    The error messages are actually not really errors, they indicate that racoon expected the policy to exist, but it didn’t. But since you configured the generate_policy option, the policy is automatically generated by racoon.

    To debug your problem, I would advise you to install Net Utility on your device. Next run these tests:
    * ping the internal IP address of your VPN gateway
    * ping the IP address of google.com
    * ping google.com

    That way, you can determine if it’s a DNS or a VPN issue you’re having.

    Niobos

  9. sunta says:

    when I try the exact configuration (with modified IPs of course and working LDAP-server) i receive

    racoon: ERROR: /etc/racoon/racoon.conf:21: “xa” syntax error

    line21 says: authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication

    any hint?

  10. Niobos says:

    sunta,
    I have not had that error myself, so I’m just doing some educated guesses.
    Racoon complains about a syntax error on the token “xa”. This is strange, since I would expect the lexer to find the whole “xauth_psk_server” token. Can you re-check that line with a different editor? Maybe there’s an invisible control-character somewhere in there?

    Niobos

  11. whit says:

    Using this recipe with a slight adjustment to use system auth rather than ldap is working to make the connection from an iPhone. But it looks like something more is needed to route to the LAN. I don’t have iptables running at all on this box yet. I do have ip_forward set to 1. Racoon gets to where the connection looks to be set up properly, through these lines (which shows that it goes to adjust iptables rules which are not there, but also happens to confirm that the IP assignments are right):

    Jan 18 09:37:49 thisbox racoon: ERROR: such policy does not already exist: “192.168.1.243/32[0] 192.168.1.0/24[0] proto=any dir=in”
    Jan 18 09:37:49 thisbox racoon: ERROR: such policy does not already exist: “192.168.1.243/32[0] 192.168.1.0/24[0] proto=any dir=fwd”
    Jan 18 09:37:49 thisbox racoon: ERROR: such policy does not already exist: “192.168.1.0/24[0] 192.168.1.243/32[0] proto=any dir=out”

    We previously had Openswan/xl2tpd working for iPhones on this same server, until we upgraded some stuff and that broke (seems extremely sensitive to versions of everything if it’s going to work). So we know that iPhone connections to machines on the LAN were working before from this very box. Does racoon require another step somewhere to get the LAN routing right?

  12. whit says:

    Found the problem: The range of addresses to be assigned needs to be a separate block from the LAN. This differs from the Openswan/xl2tpd configuration we were using, where the address range to be assigned need to be from within the LAN block. So a bad assumption on my part that they should be the same. For OpenVPN, which use for devices which support it (that is, not iPhones), it would be a separate block too.

  13. Niobos says:

    with,

    The difference is that in your old setup, you use L2TP, while in the setup described above it’s straight IP. If you prefer to use L2TP, that’s possible as well. I didn’t want the extra overhead of L2TP, and needed routing anyway… Hence this setup

    Niobos

  14. whit says:

    Are other people seeing this work when the iPhone’s on wifi, but fail when it’s on 3G?

  15. whit says:

    Got the Openswan/xl2tp method working again, and also running an instance this way with racoon (separate system). So far the user reports are: Both work fine from wifi. This method is failing from 3g. This setup is simpler, and preferable apart from that. No idea what impediment a 3g connection adds compared to a wifi connection. Anyone know?

  16. Niobos says:

    whit,

    I just checked this on my setup, it works fine over a cellular connection (tried both EDGE and UMTS). Maybe your provider is doing some filtering?
    What steps fail from 3G? The connection setup or the data transfer?

  17. Serge says:

    Hi,

    I’m trying to connect using an iphone running ios 5.0.1
    As a first step, I try the connection on my LAN.
    I always receive the following errors on racoon:
    Jan 27 17:36:55 localhost racoon: INFO: begin Aggressive mode.
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: RFC 3947
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: CISCO-UNITY
    Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: DPD
    Jan 27 17:36:55 localhost racoon: INFO: Selected NAT-T version: RFC 3947
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = SHA:MD5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
    Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth RSASIG server:GSS-API on Kerberos 5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = SHA:MD5
    Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 1536-bit MODP group:1024-bit MODP group
    Jan 27 17:36:55 localhost racoon: ERROR: no suitable proposal found.
    Jan 27 17:36:55 localhost racoon: ERROR: failed to get valid proposal.
    Jan 27 17:36:55 localhost racoon: ERROR: failed to pre-process packet.
    Jan 27 17:36:55 localhost racoon: ERROR: phase1 negotiation failed.

    Has anyone an idea ?
    Many thanks in advance.

  18. Niobos says:

    Can you rerun this test with a higher debugging level enabled? It seems to be a problem negotiating the phase1 settings. Also, can you post your racoon.conf?

  19. analogue says:

    Once you add dns, you need to add an iptable rule to allow the traffic originating from the ios device to be routed to the public internet through your machine running racoon. Example:

    sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

  20. Adrian says:

    Hi folks,
    This set up work grate for me on my macbook pro and on my iphone/ipad, ubuntu was working grate as well, however, i had some serious trouble to get my windows stuff running.
    I try a free vpn ipsec client called shew ( http://www.shrew.net/) but it did not work…..
    so i try cisco vpn client and kaboom nothing……
    The only vpn client that i found working well was a non free one form a German company called NCP (http://www.ncp-e.com/en/downloads/software.html#c3201) this one works like a charm however 140 or s euro are a bit too much to be honest :-/
    Has anyone got shew running whit a pre shared key?? or is there another free alternative for windows ???
    A little hint is seriously appreciated 😉
    Thank you Adrian
    p.s.
    Grate stuff this brain dump!!!

  21. Niobos says:

    Adrian,

    I use OpenVPN for my desktop clients (Mac, Linux and Windows). This IPsec was specially engineered to work with iOS. It also works great under MacOSX, but that is a side effect, and was not the goal.
    I’m sure you can tweak some settings to get it to work under your Windows-client-of-choice, but that might break the iOS compatibility. So I would recommend to set up a separate tunnel for the Windows clients.

    Niobos

  22. Taylor says:

    I know your thread is a bit old, but I was wondering if you could help me get my VPN gateway setup using your instructions. I am able to connect just fine from my iPhone to the VPN gateway/server, but I cannot connect to any of the LAN IP’s.

    What I am trying to accomplish:
    – Client access to the office LAN.
    – All client traffic should be sent over the VPN.
    – LAN is 10.1.10.0/24
    – Firewall is set to forward UDP 500, 4500 and ESP 50 to 10.1.10.232, which is the IP of the Ubuntu server I am trying to configure as a VPN gateway.
    – Clients should receive IP’s starting at 10.1.10.149 up to 10.1.10.199
    – Authentication will be against system, not LDAP
    – Uncommenting netmask4 and/or dns4 result in inability to access VPN server from iPhone

    Below is my racoon.conf

    log notify;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    remote anonymous { # Do not filter on source IP, anyone can connect to this tun$
    passive on; # Don't initiate, only listen
    exchange_mode main,aggressive; # Accept both modes
    my_identifier fqdn "xxx.xxx.xxx.xx (WAN IP ADDRESS)"; # Identify ourselves with this name
    mode_cfg on; # configure the client's IP address using mode configuration
    verify_cert off; # Don't check client certificate
    ike_frag on; # Announce IKE-fragmentation support
    generate_policy on; # automatically install SPD's
    nat_traversal on; # Support NAT traversal
    dpd_delay 20; # Disconnect dead clients after 20 seconds
    proposal { # Phase 1 parameters
     encryption_algorithm aes;
     hash_algorithm sha1;
     authentication_method xauth_psk_server; # Require PreSharedKey group authenti$
     dh_group 2;
    }
    }
    
    mode_cfg {
    auth_source system; # Authenticate against Unix user database
    save_passwd on; # Allow users to save passwords
    
    network4 10.1.10.149;  # Give clients addresses starting from this address
    pool_size 50;  # up to 50 addresses higher
    # netmask4 255.255.255.0
    # dns4 10.1.10.211
    }
    
    
    sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    }
    

    Thank you for your time and help,
    – Taylor

  23. Niobos says:

    Taylor,

    The proposed configuration will probably never work: Your lan in 10.1.10.0/24, and your IPsec clients are in that same subnet as well. You should pick seperate subnets for LAN and IPsec-tunnel. That way, you can configure the LAN to forward all VPN-traffic to the VPN-server. Right now, they think (incorrectly) that all VPN-clients are directly connected to your LAN (since they are in the same subnet).

    Also: If you pick a new, seperate subnet, make sure that the routers know about it. That way, replies from the internet will find their way to your VPN-server, and further on to the VPN clients.

    Niobos

  24. Taylor says:

    Okay I changed the config to this:

    mode_cfg {
    auth_source system; # Authenticate against Unix user database
    save_passwd on; # Allow users to save passwords

    network4 10.1.11.100; # Give clients addresses starting from this address
    pool_size 50; # up to 50 addresses higher
    # netmask4 255.255.255.0
    # dns4 10.1.10.211
    }

    And in our Sonicwall router I set up a route like this: Source:Any Destination:Racoon VPN IP Pool Service:Any Gateway:Racoon VPN Server Interface:X0:V10

    With these two changes, VPN clients can now communicate with Office LAN IP’s.

    I set up the VPN gateway to have VPN clients send all traffic through the VPN gateway.

    What I need to now figure out is how to get the VPN clients using our internal office DNS server so that they can get to the various intranet sites that all run off the same local IP in the office LAN. I assume if the VPN clients can successfully use this DNS server, they will also be able to access the Internet since it forwards unknown requests to google (8.8.8.8)

    Right now the VPN clients cannot access the Internet when they connect, just local LAN IP’s

    Any suggestions on getting this last bit working?

    Thank you

  25. Taylor says:

    Hah!, I solved my problem; I forgot the semi colon after the Netmask and DNS entry lines in the config file. Everything is working beautifully now. Thank you.