L2TP IPSec server setup for Linux

Tested under: CentOS 5.2, Ubuntu Intrepid Ibex (8.10), Ubuntu Hardy Heron (8.04), both 32-bit and 64-bit flavors. 

Tested working with the following clients: Windows XP, Windows Vista, iPhone, Mac OS X Leopard.

This guide assumes the server is a router / gateway with a LAN behind it. Once connected, an IPsec client is given an address on that LAN.
If the server is standalone and has only one IP address, create a dummy interface (search for dummy.ko) and give it an address in a separate "virtual LAN" segment, distinct from the server's own; then configure xl2tpd to hand out addresses from that range.

Required components:

  • Openswan - I'm using version 2.4.12
  • xl2tpd - I'm using version 1.2.0

I will only show Ubuntu-based commands, for CentOS some slight modifications might be needed.

1. Install required software

Install xl2tpd and Openswan. Under Ubuntu, simply issue the following command:

sudo apt-get install openswan xl2tpd

2. Openswan configuration

Create or edit all of the following files. Replace every portion marked XXX_ToReplace_XXX with the values for your setup.

/etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        # Private ranges a client behind NAT may present as its own address.
        # Add your own LAN as an exclusion, e.g. %v4:!192.168.168.0/24, so that
        # a client's home network cannot overlap the LAN it is being given access to.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        leftnexthop=XXX_YourGatewayIP_XXX
        authby=secret
        # No forward secrecy for Phase 2 keys; left off because the built-in Windows client does not negotiate PFS
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=%defaultroute
        #leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
XXX_YourServerIP_XXX  %any: PSK "XXX_YourPreSharedKey_XXX"

The PSK keyword before the quoted secret is required; without it Openswan will not parse the line. Use a long random key rather than a password, and keep the file readable by root only (mode 0600): with the PPP options given below this one shared secret is the only credential standing between the Internet and your LAN.

3. Configure xl2tpd

As before, replace the placeholders with the values for your setup.

/etc/xl2tpd/xl2tpd.conf
[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
[lns default]
exclusive = no
ip range = 192.168.168.2-192.168.168.254 ; Replace with an unused part of your LAN range
local ip = 192.168.168.1 ; One of your interfaces (the LAN-side one, or the dummy interface) must have this IP
require authentication = no
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

/etc/xl2tpd/l2tp-secrets
*       *       XXX_YourPreSharedKey_XXX

This file holds the L2TP tunnel secret (client, server, secret), which xl2tpd only consults for tunnel challenge authentication (challenge = yes in the lns section). It is not the IPsec pre-shared key, and there is no need to reuse that key here; a separate secret is safer. Keep it mode 0600 like ipsec.secrets.

/etc/ppp/options.l2tpd
dump

# Output debugging information to /var/log/debug
debug

# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
nodeflate

# Do not authenticate the PPP peer. The IPsec pre-shared key is then the only
# credential, and it is shared by every client: there is no per-user login and
# no way to revoke one user without re-keying all of them.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 208.67.222.222
ms-dns 208.67.220.220

mtu 1400
mru 1400

If you want per-user credentials on top of the shared IPsec key, replace noauth with auth and require-mschap-v2 (dropping the refuse-mschap-v2 line) and add one username/password line per client to /etc/ppp/chap-secrets; the Windows, Mac OS X and iPhone clients all ask for a username and password anyway. Remove dump and debug once the tunnel works, as they log every PPP negotiation.

4. Start the services

That's all! Restart both services and you should be able to connect from your IPsec client.

sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart

Since this machine is a gateway, make sure IP forwarding is enabled and that the firewall accepts UDP 500 and UDP 4500 (and ESP, IP protocol 50, for clients that are not behind NAT) on the public interface. UDP 1701 must only be accepted from inside the IPsec tunnel: with noauth in the PPP options, an xl2tpd reachable directly from the Internet would hand out LAN access with no authentication at all. Openswan's own "ipsec verify" reports common kernel and network problems, and "ipsec auto --status" lists the loaded connections.
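As an added example (this script is not part of the original guide, nor of Openswan or xl2tpd), the following Python audit reads the three files from sections 2 and 3 and reports the mistakes that most often break or weaken this setup: a missing PSK keyword or a leftover placeholder in ipsec.secrets, a virtual_private range that still includes your own LAN, pfs=no, and noauth or debug left in the PPP options. It also renders a correct ipsec.secrets line with a freshly generated random key. The sample file contents, the 203.0.113.10 server address, the 192.168.168.0/24 LAN and the script name l2tp_audit.py are assumptions made for the example; point it at the real files to audit a live server.

```python
#!/usr/bin/env python3
"""Audit the L2TP/IPsec configuration files from this guide for common pitfalls.

Added example, not part of the original guide. Usage (hypothetical file name):
    python3 l2tp_audit.py /etc/ipsec.secrets /etc/ipsec.conf /etc/ppp/options.l2tpd
With no arguments it audits the constructed samples below."""
import ipaddress
import re
import secrets
import sys

# Constructed samples: placeholders and documentation addresses, not a real host.
SAMPLE_IPSEC_SECRETS = '203.0.113.10  %any: "XXX_YourPreSharedKey_XXX"\n'   # PSK keyword missing
SAMPLE_IPSEC_CONF = """config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        type=transport
"""
SAMPLE_PPP_OPTIONS = "debug\nnoauth\nrefuse-chap\nrefuse-mschap\nrefuse-mschap-v2\nproxyarp\n"
# The same PPP options with per-user MS-CHAPv2 turned on (users go in /etc/ppp/chap-secrets).
HARDENED_PPP_OPTIONS = "auth\nrequire-mschap-v2\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nproxyarp\n"
LAN = "192.168.168.0/24"  # assumed LAN behind the gateway; xl2tpd hands out 192.168.168.2-254


def generate_psk(nbytes=32):
    """Random pre-shared key; URL-safe base64 never contains a double quote."""
    return secrets.token_urlsafe(nbytes)


def render_ipsec_secrets(server_ip, psk):
    """Correct ipsec.secrets line: the PSK keyword before the quoted secret is mandatory."""
    if not psk or '"' in psk:
        raise ValueError("PSK must be non-empty and contain no double quote")
    return f'{server_ip} %any: PSK "{psk}"\n'


def audit_ipsec_secrets(text):
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\S+)\s+(\S+)\s*:\s*(PSK\s+)?"(.*)"\s*$', line)
        if not m:
            findings.append(f"ipsec.secrets: cannot parse: {line}")
            continue
        keyword, psk = m.group(3), m.group(4)
        if not keyword:
            findings.append("ipsec.secrets: missing PSK keyword; Openswan rejects the line")
        if psk.startswith("XXX_"):
            findings.append("ipsec.secrets: pre-shared key is still the placeholder")
        elif len(psk) < 20:
            findings.append(f"ipsec.secrets: pre-shared key is only {len(psk)} characters long")
    return findings


def virtual_private_networks(conf_text):
    """Split virtual_private= into (allowed, excluded) IPv4 networks; a leading '!' marks an exclusion."""
    allowed, excluded = [], []
    m = re.search(r"^\s*virtual_private\s*=\s*(\S+)", conf_text, re.M)
    for item in (m.group(1).split(",") if m else []):
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are examined here
        cidr = item[len("%v4:"):]
        (excluded if cidr.startswith("!") else allowed).append(ipaddress.ip_network(cidr.lstrip("!")))
    return allowed, excluded


def audit_ipsec_conf(conf_text, lan_cidr):
    findings = []
    lan = ipaddress.ip_network(lan_cidr)
    allowed, excluded = virtual_private_networks(conf_text)
    if any(lan.subnet_of(n) for n in allowed) and not any(lan.subnet_of(n) for n in excluded):
        findings.append(f"ipsec.conf: virtual_private still includes your own LAN {lan}; add %v4:!{lan}")
    if re.search(r"^\s*pfs\s*=\s*no\b", conf_text, re.M):
        findings.append("ipsec.conf: pfs=no, Phase 2 keys have no forward secrecy (disabled for client compatibility)")
    return findings


def audit_ppp_options(text):
    opts = {l.split()[0] for l in (x.strip() for x in text.splitlines()) if l and not l.startswith("#")}
    findings = []
    if "noauth" in opts:
        findings.append("options.l2tpd: noauth, the IPsec PSK is the only credential and every client shares it")
    if opts & {"debug", "dump"}:
        findings.append("options.l2tpd: debug/dump log every PPP negotiation; remove once the tunnel works")
    return findings


def audit_all(secrets_text, conf_text, ppp_text, lan_cidr=LAN):
    return audit_ipsec_secrets(secrets_text) + audit_ipsec_conf(conf_text, lan_cidr) + audit_ppp_options(ppp_text)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        texts = [open(p).read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_IPSEC_SECRETS, SAMPLE_IPSEC_CONF, SAMPLE_PPP_OPTIONS]
    for finding in audit_all(*texts):
        print("-", finding)
    print("suggested ipsec.secrets line:", render_ipsec_secrets("203.0.113.10", generate_psk()), end="")
```

The virtual_private check relies on Openswan's own negation syntax (a %v4:!network entry excludes that range); the audit treats the LAN as safe only when some exclusion covers it. The hardened PPP sample produces no findings, which is the shape the file should have once chap-secrets is populated.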