Setting up a L2TP over IPSec VPN on Debian on 10 steps

This document describes the required steps to make a fully functional L2TP/IPSEC PSK VPN PSK (with pre-shared keys) on debian squeeze.

L2TP/IPSec is an advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP where secure data encryption is required. The L2TP payload is encrypted using the standardized IPSec protocol. Regarding speed, L2TP/IPSEC encapsulates data twice making it less efficient and slightly slower than PPTP and OpenVPN.

L2TP/IPSEC uses 500/udp for the the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP), 1701/udp for the initial L2TP configuration and 4500/udp for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports.

1. Install required packages

[codesyntax lang="bash"]

apt-get install xl2tpd openswan

[/codesyntax]

Note: Answer NO when asked if an X.509 certificate for this host can be automatically created or imported. This certificate can be created and imported later using:

[codesyntax lang="bash"]

dpkg-reconfigure openswan

[/codesyntax]

2. I always backup the original configuration files (you may skip this step if you want, but I highly not recommend it)

[codesyntax lang="bash"]

mv /etc/ipsec.conf /etc/ipsec.conf.orig
mv /etc/ipsec.secrets /etc/ipsec.secrets.orig
mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.orig
mv /etc/ppp/options.l2tpd /etc/ppp/options.l2tpd.orig

[/codesyntax]

3. Configure the Linux Kernel using command below

[codesyntax lang="bash"]

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

[/codesyntax]

4. Configure /etc/ipsec.conf to work with PSK rather than X.509 certificates.

[codesyntax lang="bash"]

vim /etc/ipsec.conf

[/codesyntax]

config setup
protostack=netkey
nat_traversal=yes
oe=off

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=x.x.x.x # <-- replace this IP address with the IPv4 address of this machine
leftprotoport=17/1701
right=%any
rightprotoport=17/1701

conn passthrough-for-non-l2tp
type=passthrough
left=x.x.x.x # <-- replace this IPv4 address with the IPv4 address of this machine
leftnexthop=0.0.0.0
right=0.0.0.0
rightsubnet=0.0.0.0/0
auto=route

5. Enter your prefer PSK to /etc/ipsec.secrets:

[codesyntax lang="bash"]

vim /etc/ipsec.secrets

[/codesyntax]

x.x.x.x %any: "mysecretpresharedkeypassword"

Note: The first field is the IPv4 address of this machine, the second field is the remote address (I am using %any to match anything) and the third field is the PSK password in quotes. You can have multiple lines in this file should you wish to add more entries.

6. Make sure the file /etc/ipsec.secrets is readable only by root and nothing else.

[codesyntax lang="bash"]

chmod 600 /etc/ipsec.secrets

[/codesyntax]

7. Setting up xl2tpd

[codesyntax lang="bash"]

vim /etc/xl2tpd/xl2tpd.conf

[/codesyntax]

[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no
rand source = dev

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = 192.168.1.240 - 192.168.1.243
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = 192.168.1.1
refuse authentication = yes
refuse pap = yes
refuse chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd

8. Add PPP configuration to /etc/xl2tpd/ppp-options.xl2tpd file

[codesyntax lang="bash"]

vim /etc/ppp/options.l2tpd

[/codesyntax]

# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8 # <-- change this to the IPv4 address of your DNS server
ms-dns 8.8.4.4 # <-- add extra entries if necessary

mtu 1400
mru 1400

9. IPsec configuration is done and you can verify it and you must get no errors:

[codesyntax lang="bash"]

ipsec verify

[/codesyntax]

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

10. (re)start openswan and xl2tpd

[codesyntax lang="bash"]

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

[/codesyntax]

  1. Why not a per-user PAM/Unix authentication? Why just use IPSec encryption and key?

  2. Thanks for the post.

    In step 2, while backing up, I believe the commands used should be "cp", not: "mv"?

    • mv is correct. he is replacing the content of the files with new configs. this way you start that new config file clean.

  3. Great post and thanks! I did see that your ipsec.conf is missing the indentation which causes ipsec to fail to verify / start. There's a solution posted here (http://www.golinuxhub.com/2012/10/unexpected-keyword-expecting-end-type.html).

  4. How about xl2tpd kernel support? Was it working that time?

Scrie si tu o vorbulita


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.