L2TPServer

ThisGuide will walk you through the process of installing a L2TP VPNServer on Ubuntu Server 12.4

Thisconfiguration has been successfully tested with Android, Windows, andiOS devices.

Instructions

apt-getinstall xl2tpd openswan ppp

IPSec/ Openswan

Inthe /etc/ipsec.conf file copy:

vi/etc/ipsec.conf

configsetup

nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24

#containsthe networks that are allowed as subnet= for the remote client. Inother words, the address ranges that may live behind a NAT routerthrough which a client connects.

oe=off

protostack=netkey

connL2TP-PSK-NAT

rightsubnet=vhost:%priv

also=L2TP-PSK-noNAT

connL2TP-PSK-noNAT

authby=secret

pfs=no

auto=add

keyingtries=3

rekey=no

#Apple iOS doesn't send delete notify so we need dead peer detection

#to detect vanishing clients

dpddelay=30

dpdtimeout=120

dpdaction=clear

#Set ikelifetime and keylife to same defaults windows has

ikelifetime=8h

keylife=1h

type=transport

#Replace IP address with your local IP (private, behind NAT IP is okayas well)

left=209.141.56.138

#For updated Windows 2000/XP clients,

#to support old clients as well, use leftprotoport=17/%any

leftprotoport=17/1701

right=%any

rightprotoport=17/%any

#forceall to be nat'ed. because of iOS

forceencaps=yes

Makesure you follow the setup in the ipsec.conf file, the part "configsetup" and "conn l2tp-psk" should be to the very leftwhile the other text 8 spaces to the right.

Inthe "/etc/ipsec.secrets" file copy:

vi/etc/ipsec.secrets

209.141.56.138 %any: PSK "MyPSK"

Replacex.x.x.x with your Server's Public IP

Startthe IPSEC service with

/etc/init.d/ipsecstart

Pleaseverify the IPSEC service with :

ipsecverify

youmust get no errors.

Checkingyour system to see if IPsec got installed and started correctly:

Versioncheck and ipsec on-path [OK]

LinuxOpenswan U2.6.28/K2.6.32-32-generic-pae (netkey)

Checkingfor IPsec support in kernel [OK]

NETKEYdetected, testing for disabled ICMP send_redirects [OK]

NETKEYdetected, testing for disabled ICMP accept_redirects [OK]

Checkingthat pluto is running [OK]

Plutolistening for IKE on udp 500 [OK]

Plutolistening for NAT-T on udp 4500 [OK]

Checkingfor 'ip' command [OK]

Checkingfor 'iptables' command [OK]

OpportunisticEncryption Support [DISABLED]

Createa file called "ipsec.vpn" in "/etc/init.d/"

vi /etc/init.d/ipsec.vpn

case"$1" in

start)

echo"Starting my Ipsec VPN"

#iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE

iptables-t nat -A POSTROUTING -j SNAT --to-source 209.141.56.138

echo1 > /proc/sys/net/ipv4/ip_forward

foreach in /proc/sys/net/ipv4/conf/*

do

echo0 > $each/accept_redirects

echo0 > $each/send_redirects

done

/etc/init.d/ipsecstart

/etc/init.d/xl2tpdstart

;;

stop)

echo"Stopping my Ipsec VPN"

iptables--table nat --flush

echo0 > /proc/sys/net/ipv4/ip_forward

/etc/init.d/ipsecstop

/etc/init.d/xl2tpdstop

;;

restart)

echo"Restarting my Ipsec VPN"

#iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE

iptables-t nat -A POSTROUTING -j SNAT --to-source 209.141.56.138

echo1 > /proc/sys/net/ipv4/ip_forward

foreach in /proc/sys/net/ipv4/conf/*

do

echo0 > $each/accept_redirects

echo0 > $each/send_redirects

done

/etc/init.d/ipsecrestart

/etc/init.d/xl2tpdrestart

;;

*)

echo"Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"

exit1

;;

esac

Thiswill configure the firewall forwarding. If you use a local IP poolother than 10.152.2, be sure to update it.

Thenset the permission to execute:

chmod755 /etc/init.d/ipsec.vpn

Disablethe ipsec default init script with

update-rc.d-f ipsec remove

Andenable the custom one.

update-rc.dipsec.vpn defaults

L2TP

Inthe file /etc/xl2tpd/xl2tpd.conf

vi /etc/xl2tpd/xl2tpd.conf

[global]

ipsecsaref = no

[lnsdefault]

iprange = 10.152.2.2-10.152.2.254

localip = 10.152.2.1

requirechap = yes

refusepap = yes

requireauthentication = yes

pppdebug = yes

pppoptfile= /etc/ppp/options.xl2tpd

lengthbit = yes

iprange = range of IP’s to give to the connecting clients

localip = IP of VPN server. Value must be outside of "ip range".

refusepap = refure pap authentication

pppdebug = yes when testing, no when in production

Choosea good challenge-response authentication string. The secret should,ideally, be 16 characters long, and should probably be longer toensure sufficient security. There is no minimum length requirement.In the file /etc/xl2tpd/l2tp-secrets:

vi/etc/xl2tpd/l2tp-secrets

** exampleforchallengestring

Inthe file /etc/ppp/options.xl2tpd copy:

vi /etc/ppp/options.xl2tpd

refuse-mschap-v2

refuse-mschap

ms-dns8.8.8.8

ms-dns8.8.4.4

asyncmap0

auth

crtscts

idle1800

mtu1200

mru1200

lock

hide-password

local

#debug

namel2tpd

proxyarp

lcp-echo-interval30

lcp-echo-failure4

ms-dnsoption

Hereyou set the dns server for your lan, this dns server are pushed tothe road warrior when he connects. If you wan to add several serversjust add several lines.

Ifyou need to push wins settings to the clients there is an separateoption for that.

mtu/ mru

Onopenswan.org they informs that it's important to reduce the mru/mtusize. Because l2tp/ipsec are encapsulated several times it causesoverhead, reducing this makes it possible to transmit all packagesover lines with reduced mtu size.

proxyarp

Addsan entry to this system’s ARP [Address Resolution Protocol] tablewith the IP address of the peer and the Ethernet address of thissystem. This will have the effect of making the peer appear to othersystems to be on the local ethernet.

namel2tpd

Isused in the ppp authentication file.

AddingUsers

Inthe file /etc/ppp/chap-secrets copy:

vi/etc/ppp/chap-secrets

testl2tpd test *

away* ww123456 *

client= username for the user

server= the name we define in the ppp.options file for xl2tpd

secret= password for the user

IPAddress = leave to * for any address or define addresses from were auser can login.

Note:you can add as many user you like.

Forward

in/etc/sysctl.conf

vi/etc/sysctl.conf

net.ipv4.ip_forward=1

Loadthe new settings made in /etc/sysctl.conf

sysctl-p

Startingthe VPN

/etc/init.d/ipsec.vpnrestart

/etc/init.d/xl2tpdrestart

Connectingthe VPN to iOS device

Goto Settings > General > Network > VPN > Add VPNConfiguration > L2TP

VPNDescription > the name you like

SetVPN server > external ip address of the VPN server (x.x.x.x)

Account> PPP username

Setpassword > somegoodpassword

SetL2TP Secret > was exampleforchallengestring

Connectusing the PPP username/password (user1 chooseagoodpassword)

Connectingthe VPN to an Android device

Goto Settings > Wireless & networks > VPN settings > AddVPN > Add L2TP/IPSec PSK VPN >

VPNName / Description > the name you like

SetVPN server > external ip address of the VPN server (x.x.x.x)

SetIPSec pre-shared key / password > somegoodpassword

EnableL2TP secret > enable

SetL2TP Secret > was exampleforchallengestring

Pressback, then connect using the PPP username/password (user1chooseagoodpassword)

Debug

Incase of problems this are a few commands that can help out thedebugging.

tcpdump-i ppp0

tail-f /var/log/auth.log

tail-f /var/log/syslog

Youcan also monitor the results on the Server with

sudotcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh

aaa.bbb.ccc.dddare the public IP address of your Clients