TARGET
======
Connect an iPhone, iPad or Mac by VPN to an Ubuntu server using L2TP over IPsec,
and lock down the L2TP daemon with iptables so that it is only reachable through
the IPsec tunnel.


DESCRIPTION
===========
The iPhone/iPad does support IPsec, but only as L2TP over IPsec. This means
that the following approach is the one you will want. OpenVPN will not work,
and L2TP/IPsec is not too bad a solution anyway, since the whole L2TP session
is carried inside the IPsec transport-mode SA. The real problem is securing
L2TP behind netfilter: xl2tpd listens on UDP port 1701, and with the NETKEY
stack of a 2.6 kernel a packet that has just been decrypted from ESP traverses
the INPUT chain a second time, where it looks like any other UDP packet to port
1701. Unless the firewall can tell decrypted L2TP from cleartext L2TP you would
either expose xl2tpd to the public internet (which you do not want) or block
the VPN altogether. The netfilter policy match (-m policy) is what makes this
distinction, and following the enclosed examples you should be able to get
this going in no time.


FIREWALL CONFIGURATION
======================
You can use FWBuilder (1) to create a basic firewall ruleset, but you will have
to adapt the compiled script by hand in the way described in the FWBuilder
template. Please compare both compiled scripts using diff in order to see what
I did there.

As far as I can tell FWBuilder up to version 4.0 does not support the policy
match (which is the whole point of this setup), so every time you recompile the
ruleset the generated script will lack these rules and you will have to add
them again by hand.

I am not familiar enough with Shorewall (2) to say whether or not it supports
the policy match.
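
As an added example (not part of the original HOWTO or its enclosed scripts),
here is the rule set the two sections above describe, written as a POSIX shell
script. It assumes eth0 is the public interface and that IPsec is handled by
the NETKEY stack of a 2.6 kernel; set IPTABLES=echo to print the commands
instead of applying them. The second function is a small check you can run
over iptables-save output to find the mistake the text warns about: a rule that
accepts UDP 1701 without a policy match.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: accept L2TP (UDP 1701) only when
# the packet was decapsulated from IPsec, using the netfilter policy match.
# Assumptions: eth0 is the public interface, IPsec runs on NETKEY (2.6 kernel).

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
WAN_IF="${WAN_IF:-eth0}"           # assumption: name of the public interface

ipsec_l2tp_rules() {
    # IKE (500), NAT-T (4500) and raw ESP arrive in the clear and must be
    # accepted before any IPsec policy can exist for the peer.
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

    # After NETKEY decrypts an ESP packet the inner packet traverses INPUT a
    # second time, now as UDP 1701 and carrying the security path.  Only that
    # second pass matches '-m policy --dir in --pol ipsec'.  With NAT-T the SA
    # is still an ESP SA, so '--proto esp' matches UDP-encapsulated ESP too.
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # Anything else addressed to xl2tpd arrived in the clear: drop it.
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp --dport 1701 -j DROP

    # Same idea for the reply direction, so L2TP never leaves unprotected,
    # e.g. after the SA has expired but the PPP session is still up.
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p udp --sport 1701 \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN_IF" -p udp --sport 1701 -j DROP
}

# Read iptables-save style rules on stdin and print how many of them accept
# UDP 1701 without a policy match.  Anything other than 0 means xl2tpd is
# reachable from the internet in the clear.
unprotected_l2tp_count() {
    awk '/--dport 1701/ && /-j ACCEPT/ && !/--pol ipsec/ { n++ } END { print n+0 }'
}

case "${1-}" in
    apply) ipsec_l2tp_rules ;;
    check) unprotected_l2tp_count ;;
esac
```

Run `sh l2tp-fw.sh apply` as root to install the rules, or
`iptables-save | sh l2tp-fw.sh check` on an existing host. If your ipsec.conf
uses type=transport (as L2TP/IPsec normally does) you can tighten the two
policy rules further with `--mode transport`.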


LIMITATIONS
===========
The iPhone/iPad, in contrast to real Mac OS X, only supports pre-shared keys
and no certificates. Since one PSK is shared by every client of the server,
use a long random value and change it whenever a device is lost.

Policy matching requires kernel >= 2.6.16 and iptables >= 1.3.5 (the kernel
policy match module and its iptables counterpart). On anything older I
recommend staying put with kernel 2.4 and a KLIPS setup, where decrypted
traffic arrives on the ipsecX interfaces and can be matched with -i ipsec0
instead of -m policy.


REQUIREMENTS
============
In order to make these examples work the following packages must be installed:
- strongswan, rebuilt package(s) with NAT-T support (6)
- xl2tpd

The ipsec.conf syntax differs a little between openswan/strongswan versions,
but I do not expect any major changes in the xl2tpd configuration.


FURTHER READING
===============
Thanks to Jacco de Leeuw for his articles (3)(4). If you want to understand
a little more about the proposed VPN configuration, please read these and, of
course, the manual pages for ipsec.conf, ipsec.secrets and xl2tpd.conf!

Some information about iptables policy matching is provided in an article
written by Ralf Spenneberg (5). Thanks!


REFERENCES
==========
(1) http://www.fwbuilder.org/
(2) http://www.shorewall.net/
(3) http://www.jacco2.dds.nl/networking/openswan-l2tp.html
(4) http://www.jacco2.dds.nl/networking/openswan-macosx.html#iPhone
(5) http://www.linux-magazin.de/Heft-Abo/Ausgaben/2006/08/Doppelnase
(6) http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
