Setting up a L2TP over IPSec VPN on Debian on 10 steps

This document describes the required steps to make a fully functional L2TP/IPSEC PSK VPN PSK (with pre-shared keys) on debian squeeze.

L2TP/IPSec is an advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP where secure data encryption is required. The L2TP payload is encrypted using the standardized IPSec protocol. Regarding speed, L2TP/IPSEC encapsulates data twice making it less efficient and slightly slower than PPTP and OpenVPN.

L2TP/IPSEC uses 500/udp for the the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP), 1701/udp for the initial L2TP configuration and 4500/udp for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports.

1. Install required packages

apt-get install xl2tpd openswan

Note: Answer NO when asked if an X.509 certificate for this host can be automatically created or imported. This certificate can be created and imported later using:

dpkg-reconfigure openswan

2. I always backup the original configuration files (you may skip this step if you want, but I highly not recommend it)

mv /etc/ipsec.conf /etc/ipsec.conf.orig
mv /etc/ipsec.secrets /etc/ipsec.secrets.orig
mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.orig
mv /etc/ppp/options.l2tpd /etc/ppp/options.l2tpd.orig

3. Configure the Linux Kernel using command below

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

4. Configure /etc/ipsec.conf to work with PSK rather than X.509 certificates.

vim /etc/ipsec.conf

config setup
protostack=netkey
nat_traversal=yes
oe=off

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=x.x.x.x # <-- replace this IP address with the IPv4 address of this machine
leftprotoport=17/1701
right=%any
rightprotoport=17/1701

conn passthrough-for-non-l2tp
type=passthrough
left=x.x.x.x # <-- replace this IPv4 address with the IPv4 address of this machine
leftnexthop=0.0.0.0
right=0.0.0.0
rightsubnet=0.0.0.0/0
auto=route

5. Enter your prefer PSK to /etc/ipsec.secrets:

vim /etc/ipsec.secrets

x.x.x.x %any: "mysecretpresharedkeypassword"

Note: The first field is the IPv4 address of this machine, the second field is the remote address (I am using %any to match anything) and the third field is the PSK password in quotes. You can have multiple lines in this file should you wish to add more entries.

6. Make sure the file /etc/ipsec.secrets is readable only by root and nothing else.

chmod 600 /etc/ipsec.secrets

7. Setting up xl2tpd

vim /etc/xl2tpd/xl2tpd.conf

[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no
rand source = dev

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = 192.168.1.240 - 192.168.1.243
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = 192.168.1.1
refuse authentication = yes
refuse pap = yes
refuse chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd

8. Add PPP configuration to /etc/xl2tpd/ppp-options.xl2tpd file

vim /etc/ppp/options.l2tpd

# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8 # <-- change this to the IPv4 address of your DNS server
ms-dns 8.8.4.4 # <-- add extra entries if necessary

mtu 1400
mru 1400

9. IPsec configuration is done and you can verify it and you must get no errors:

ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

10. (re)start openswan and xl2tpd

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

4 thoughts on “Setting up a L2TP over IPSec VPN on Debian on 10 steps”

    1. mv is correct. he is replacing the content of the files with new configs. this way you start that new config file clean.

Leave a Reply

Your email address will not be published. Required fields are marked *