L2TP Server
This guide walks you through installing an L2TP/IPsec VPN server on Ubuntu Server 12.04.
This configuration has been successfully tested with Android, Windows, and iOS clients.
Instructions
apt-get install xl2tpd openswan ppp
IPSec / Openswan
In the /etc/ipsec.conf file copy:
vi /etc/ipsec.conf

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        # contains the networks that are allowed as subnet= for the remote client.
        # In other words, the address ranges that may live behind a NAT router
        # through which a client connects. The VPN pool itself (10.152.2.0/24) is
        # excluded with "!" so a client can never claim an address from it.
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to the same defaults Windows has
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace the IP address with your local IP (a private, behind-NAT IP is okay as well)
        left=209.141.56.138
        # For updated Windows 2000/XP clients;
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        # force all to be NAT'ed, because of iOS
        forceencaps=yes
Make sure the layout of ipsec.conf matches the above: "config setup" and each "conn ..." line start in the first column, and the parameters below them are indented (8 spaces or a tab; Openswan only requires some leading whitespace). The conn names must match the "also=" reference exactly.
In the "/etc/ipsec.secrets" file copy:
vi /etc/ipsec.secrets

209.141.56.138 %any: PSK "MyPSK"

Replace 209.141.56.138 with your server's public IP and "MyPSK" with a long random pre-shared key. This one key is shared by every road warrior that connects (right=%any above), so treat it like a password: make it long and random, keep the file readable by root only (chmod 600 /etc/ipsec.secrets), and change it whenever a device that knew it is lost.
Start the IPsec service with
/etc/init.d/ipsec start
Verify the IPsec setup with:
ipsec verify
You must get no errors. The output should look like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                          [OK]
NETKEY detected, testing for disabled ICMP send_redirects     [OK]
NETKEY detected, testing for disabled ICMP accept_redirects   [OK]
Checking that pluto is running                                [OK]
Pluto listening for IKE on udp 500                            [OK]
Pluto listening for NAT-T on udp 4500                         [OK]
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Opportunistic Encryption Support                              [DISABLED]

[DISABLED] for Opportunistic Encryption is expected, since oe=off is set in ipsec.conf. A [FAILED] on the ICMP redirect lines means the sysctl settings the init script below writes are not in place yet.
Create a file called "ipsec.vpn" in "/etc/init.d/"
vi /etc/init.d/ipsec.vpn

#!/bin/sh
# /etc/init.d/ipsec.vpn: NAT, forwarding and anti-redirect settings, then
# Openswan and xl2tpd. POOL is the xl2tpd "ip range" network, WAN the
# interface that holds the public address used in ipsec.conf/ipsec.secrets.
POOL=10.152.2.0/24
WAN=eth0
PUBLIC_IP=209.141.56.138

vpn_up() {
        echo "Starting my Ipsec VPN"
        # Only rewrite traffic that comes from the VPN pool and leaves on the
        # public interface; an unscoped SNAT rule would rewrite everything the
        # box forwards. MASQUERADE (commented out) is the equivalent for a
        # dynamic public address.
        #iptables -t nat -A POSTROUTING -o $WAN -s $POOL -j MASQUERADE
        iptables -t nat -A POSTROUTING -o $WAN -s $POOL -j SNAT --to-source $PUBLIC_IP
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # ipsec verify insists on both redirect knobs being off on every interface
        for each in /proc/sys/net/ipv4/conf/*
        do
                echo 0 > $each/accept_redirects
                echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec start
        /etc/init.d/xl2tpd start
}

vpn_down() {
        echo "Stopping my Ipsec VPN"
        # Delete exactly the rule added above rather than flushing the whole
        # nat table, which would also remove unrelated NAT rules on the box.
        iptables -t nat -D POSTROUTING -o $WAN -s $POOL -j SNAT --to-source $PUBLIC_IP
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /etc/init.d/ipsec stop
        /etc/init.d/xl2tpd stop
}

case "$1" in
  start)
        vpn_up
        ;;
  stop)
        vpn_down
        ;;
  restart)
        echo "Restarting my Ipsec VPN"
        # stop, then start, so a restart does not append a second copy of the NAT rule
        vpn_down
        vpn_up
        ;;
  *)
        echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
        exit 1
        ;;
esac
This sets up the NAT rule and IP forwarding. If you use a local IP pool other than 10.152.2.0/24, a public interface other than eth0, or a public address other than 209.141.56.138, update the script accordingly.
Then set the permission to execute:
chmod 755 /etc/init.d/ipsec.vpn
Disable the default ipsec init script with
update-rc.d -f ipsec remove
and enable the custom one:
update-rc.d ipsec.vpn defaults
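Before opening the VPN to clients it is worth checking that the kernel really ended up in the state the init script aims for: ipsec verify only looks at the redirect knobs, not at ip_forward, and a missing ip_forward=1 shows up as clients that authenticate fine but reach nothing. The script below is an added example, not part of the original guide. check_forwarding reads the same /proc/sys/net/ipv4 files the init script writes and reports each one that is off; the optional PROCROOT argument is this example's own addition so the check can be pointed at a copy of the tree, and without it the live kernel is checked.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the kernel settings
# /etc/init.d/ipsec.vpn is supposed to leave behind.

# read_sysctl FILE -> prints the file's value, or "missing" if it is absent
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo missing
    fi
}

# check_forwarding [PROCROOT]
# PROCROOT defaults to the real tree, /proc/sys/net/ipv4 (the argument is a
# testing convenience only). Returns 0 when ip_forward=1 and ICMP redirects
# are disabled on every interface directory (including "all" and "default");
# prints each violation and returns 1 otherwise.
check_forwarding() {
    procroot=${1:-/proc/sys/net/ipv4}
    rc=0
    v=$(read_sysctl "$procroot/ip_forward")
    if [ "$v" != "1" ]; then
        echo "ip_forward is $v, expected 1 (clients will get no routing)"
        rc=1
    fi
    for d in "$procroot"/conf/*; do
        [ -d "$d" ] || continue
        for key in accept_redirects send_redirects; do
            v=$(read_sysctl "$d/$key")
            if [ "$v" != "0" ]; then
                echo "$(basename "$d")/$key is $v, expected 0 (ipsec verify will fail)"
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone use: ./check-forwarding.sh --check reports on the running kernel
# and exits non-zero on any problem.
if [ "${1:-}" = "--check" ]; then
    check_forwarding && echo "forwarding and redirect settings OK"
fi
```

Run it with --check after /etc/init.d/ipsec.vpn start and again after a reboot; the reboot case is the one that catches a forgotten update-rc.d step or a sysctl.conf entry that never got loaded.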
L2TP
In the file /etc/xl2tpd/xl2tpd.conf
vi /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ip range = range of IPs handed out to connecting clients
local ip = IP of the VPN server on the tunnel side. Must be outside "ip range".
refuse pap = refuse PAP authentication (cleartext passwords); together with "require chap" every client must authenticate with CHAP
ppp debug = yes while testing, no in production (it logs the whole PPP negotiation to syslog)
Choose a good challenge-response authentication string for the L2TP tunnel. The secret should be at least 16 characters long, and longer is better; xl2tpd enforces no minimum length. Note that xl2tpd only demands this secret from connecting clients when "challenge = yes" is set in the [lns default] section, which the configuration above does not set, so the real protection of the tunnel is the IPsec layer. Keep the entry anyway: clients that have an L2TP secret configured (Android with "Enable L2TP secret" on) need it to match. In the file /etc/xl2tpd/l2tp-secrets:
vi /etc/xl2tpd/l2tp-secrets

* * exampleforchallengestring

The first two fields are the local and remote tunnel names ("*" matches any), the third is the secret.
In the file /etc/ppp/options.xl2tpd copy:
vi /etc/ppp/options.xl2tpd

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ms-dns option
Here you set the DNS servers for your LAN; they are pushed to the road warrior when they connect. To hand out several servers, add several ms-dns lines. The two addresses above are Google's public resolvers; use your own if clients need to resolve internal names.
If you need to push WINS settings to the clients there is a separate option for that (ms-wins).
mtu / mru
openswan.org advises reducing the MTU/MRU. L2TP/IPsec encapsulates the packet several times (PPP inside L2TP inside UDP inside ESP, inside another UDP header for NAT-T), and each layer adds overhead; lowering the PPP MTU keeps the encrypted packet small enough to cross links with a reduced MTU without fragmentation, which is what breaks most "connected but nothing loads" reports.
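To see where the 1200 in mtu/mru comes from, it helps to add the layers up. The script below is an added example, not from the original guide or from openswan.org: l2tp_ppp_mtu computes the largest PPP MTU whose encrypted NAT-T packet still fits a given path MTU for exactly this guide's setup (ESP transport mode, forceencaps=yes, length bit = yes), and wire_size is the inverse. The cipher and integrity sizes are parameters because they depend on the proposal Openswan negotiates; the defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV) and a 4-byte PPP address/control/protocol header, all of which are assumptions of the example, not facts stated by the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): size the L2TP/IPsec overhead.
# Layers, outermost first:
#   IPv4 20 | UDP 4500 (NAT-T) 8 | ESP SPI+seq 8 | IV | encrypted block(s) | ICV
# and inside the encrypted part:
#   UDP 1701 8 | L2TP data header with length field 8 | PPP hdr 4 | PPP payload
#   | ESP padding | pad-length 1 | next-header 1

# l2tp_ppp_mtu PATH_MTU [IV_LEN] [ICV_LEN] [BLOCK_LEN]
# -> largest PPP MTU that never needs fragmentation on a PATH_MTU link
l2tp_ppp_mtu() {
    path_mtu=$1
    iv=${2:-16}
    icv=${3:-12}
    block=${4:-16}
    # cleartext overhead around the ciphertext
    outer=$((20 + 8 + 8 + iv + icv))
    # the ciphertext must be a whole number of cipher blocks; round down
    enc=$(( (path_mtu - outer) / block * block ))
    # fixed bytes inside the ciphertext besides the PPP payload
    inner=$((8 + 8 + 4 + 2))
    echo $((enc - inner))
}

# wire_size PPP_MTU [IV_LEN] [ICV_LEN] [BLOCK_LEN]
# -> size of the NAT-T packet carrying a full-size PPP frame (round up to blocks)
wire_size() {
    ppp=$1
    iv=${2:-16}
    icv=${3:-12}
    block=${4:-16}
    plain=$((8 + 8 + 4 + ppp + 2))
    enc=$(( (plain + block - 1) / block * block ))
    echo $((20 + 8 + 8 + iv + enc + icv))
}

# Stand-alone use: compare this guide's mtu 1200 with the real limit on an
# untouched 1500-byte Ethernet path and on a 1492-byte PPPoE path.
echo "largest PPP MTU, 1500-byte path, AES/SHA1: $(l2tp_ppp_mtu 1500)"
echo "largest PPP MTU, 1492-byte path, AES/SHA1: $(l2tp_ppp_mtu 1492)"
echo "largest PPP MTU, 1500-byte path, 3DES/SHA1: $(l2tp_ppp_mtu 1500 8 12 8)"
echo "on-the-wire size of a 1200-byte PPP frame:  $(wire_size 1200)"
```

With the default AES/SHA1 assumptions a 1500-byte path allows a PPP MTU of 1402, so 1200 leaves about 200 bytes of slack for mobile carriers and tunnels in the path that present a smaller MTU than Ethernet; if you raise the value, re-check it against wire_size for the smallest path MTU your clients actually see.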
proxyarp
Adds an entry to this system's ARP (Address Resolution Protocol) table with the IP address of the peer and the Ethernet address of this system, which makes the peer appear to other systems to be on the local Ethernet. pppd only does this when the peer's address falls inside one of the server's own LAN subnets; with a separate pool such as 10.152.2.0/24, as in this guide, clients reach the LAN through forwarding and the SNAT rule instead.
name l2tpd
Used as the server name in the PPP authentication file (/etc/ppp/chap-secrets, second column).
AddingUsers
In the file /etc/ppp/chap-secrets copy:
vi /etc/ppp/chap-secrets

test    l2tpd   test        *
away    *       ww123456    *

client = username for the user
server = the name set with "name" in /etc/ppp/options.xl2tpd (l2tpd here); "*" accepts any server name
secret = password for the user; pick real passwords, not the placeholders above, and put the secret in double quotes if it contains spaces
IP address = the tunnel address this user may be given; leave as * for any address from the pool, or pin the user to one address (for example 10.152.2.10). It does not restrict where the user may connect from.
Note: you can add as many users as you like. Keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets), since the passwords are stored in cleartext.
Forward
In /etc/sysctl.conf
vi /etc/sysctl.conf

net.ipv4.ip_forward=1

Load the new settings made in /etc/sysctl.conf:
sysctl -p
This makes forwarding survive a reboot; the init script above only sets it at runtime.
Starting the VPN
/etc/init.d/ipsec.vpn restart
/etc/init.d/xl2tpd restart
(The second line is redundant, since ipsec.vpn already restarts xl2tpd, but harmless.)
Connecting the VPN from an iOS device
Go to Settings > General > Network > VPN > Add VPN Configuration > L2TP
Description > the name you like
Server > external IP address of the VPN server (x.x.x.x)
Account > PPP username from /etc/ppp/chap-secrets
Password > that user's PPP password
Secret > the IPsec pre-shared key from /etc/ipsec.secrets ("MyPSK" in this guide). iOS has no field for the xl2tpd tunnel secret in l2tp-secrets; the only secret it sends besides the PPP password is the IPsec PSK.
Connect using the PPP username/password (the client and secret columns of chap-secrets, e.g. test / test above, which you should have replaced with real values).
Connecting the VPN from an Android device
Go to Settings > Wireless & networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN
VPN Name / Description > the name you like
Set VPN server > external IP address of the VPN server (x.x.x.x)
Set IPSec pre-shared key > the PSK from /etc/ipsec.secrets ("MyPSK" in this guide)
Enable L2TP secret > enable
Set L2TP Secret > exampleforchallengestring (the value from /etc/xl2tpd/l2tp-secrets)
Press back, then connect using the PPP username/password from /etc/ppp/chap-secrets
Debug
In case of problems, these commands can help with debugging:
tcpdump -i ppp0
tail -f /var/log/auth.log
tail -f /var/log/syslog
Openswan's IKE negotiation (pluto) is logged to /var/log/auth.log and xl2tpd/pppd to /var/log/syslog, so a failure can usually be placed in the IPsec, L2TP or PPP stage from those two files: no IKE lines in auth.log means UDP 500/4500 is not reaching the server, a completed IPsec SA followed by silence in syslog means UDP 1701 is not being passed through, and CHAP failures in syslog mean a chap-secrets mismatch.
You can also watch a single client's traffic arrive on the server with
sudo tcpdump -i eth0 host aaa.bbb.ccc.ddd and not port ssh
where aaa.bbb.ccc.ddd is the public IP address of your client.