This document describes the required steps to make a fully functional L2TP/IPSEC PSK VPN PSK (with pre-shared keys) on debian squeeze.
L2TP/IPSec is an advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP where secure data encryption is required. The L2TP payload is encrypted using the standardized IPSec protocol. Regarding speed, L2TP/IPSEC encapsulates data twice making it less efficient and slightly slower than PPTP and OpenVPN.
L2TP/IPSEC uses 500/udp for the the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP), 1701/udp for the initial L2TP configuration and 4500/udp for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports.
1. Install required packages
apt-get install xl2tpd openswan
Note: Answer NO when asked if an X.509 certificate for this host can be automatically created or imported. This certificate can be created and imported later using:
2. I always backup the original configuration files (you may skip this step if you want, but I highly not recommend it)
mv /etc/ipsec.conf /etc/ipsec.conf.orig mv /etc/ipsec.secrets /etc/ipsec.secrets.orig mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.orig mv /etc/ppp/options.l2tpd /etc/ppp/options.l2tpd.orig
3. Configure the Linux Kernel using command below
for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done
4. Configure /etc/ipsec.conf to work with PSK rather than X.509 certificates.
left=x.x.x.x # <-- replace this IP address with the IPv4 address of this machine
left=x.x.x.x # <-- replace this IPv4 address with the IPv4 address of this machine
5. Enter your prefer PSK to /etc/ipsec.secrets:
x.x.x.x %any: "mysecretpresharedkeypassword"
Note: The first field is the IPv4 address of this machine, the second field is the remote address (I am using %any to match anything) and the third field is the PSK password in quotes. You can have multiple lines in this file should you wish to add more entries.
6. Make sure the file /etc/ipsec.secrets is readable only by root and nothing else.
chmod 600 /etc/ipsec.secrets
7. Setting up xl2tpd
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no
rand source = dev
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = 192.168.1.240 - 192.168.1.243
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = 192.168.1.1
refuse authentication = yes
refuse pap = yes
refuse chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
8. Add PPP configuration to /etc/xl2tpd/ppp-options.xl2tpd file
# Do not support BSD compression.
# Allow all usernames to connect.
# Do not authenticate incoming connections. This is handled by IPsec.
# Set the DNS servers the PPP clients will use.
ms-dns 220.127.116.11 # <-- change this to the IPv4 address of your DNS server
ms-dns 18.104.22.168 # <-- add extra entries if necessary
9. IPsec configuration is done and you can verify it and you must get no errors:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
10. (re)start openswan and xl2tpd
/etc/init.d/ipsec restart /etc/init.d/xl2tpd restart