L2TPServer – Community Help Wiki
This guide walks you through installing an L2TP/IPsec VPN server (xl2tpd + Openswan) on Ubuntu Server 12.04.
For a guide tested with 14.04, see https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
This configuration has been successfully tested with Android, Windows, and iOS devices.
Directions
sudo apt-get install xl2tpd openswan ppp
IPSec / Openswan
Copy the following into /etc/ipsec.conf:
config setup
        nat_traversal=yes
        # Networks allowed as rightsubnet= for remote clients, i.e. the address
        # ranges that may sit behind the NAT router a client connects through.
        # The VPN client pool itself (10.152.2.0/24) is excluded with "!".
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS does not send a delete notification, so use dead peer
        # detection to notice clients that have vanished.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to the same defaults Windows uses.
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace x.x.x.x with this server's local IP address (a private,
        # behind-NAT address is fine too).
        left=x.x.x.x
        # For updated Windows 2000/XP clients. To support old clients as well,
        # use leftprotoport=17/%any instead.
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        # Force UDP encapsulation (NAT-T) even without NAT; iOS needs this.
        forceencaps=yes
Mind the layout of ipsec.conf: the "config setup" and "conn ..." lines must start at the left margin, and the settings below each of them must be indented (8 spaces, as above). The indentation is what tells Openswan which section a setting belongs to.
Put the following line in /etc/ipsec.secrets:
x.x.x.x %any: PSK "good password"
Replace x.x.x.x with the server's IP address (the same value as left= above) and "good password" with a strong pre-shared key. Every client will use this PSK, so keep the file readable by root only.
Start the IPsec service with:
sudo /etc/init.d/ipsec start
Then check the installation with:
sudo ipsec verify
You should not get any errors; the output should look like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Create a file called /etc/init.d/ipsec.vpn with the following content:
#!/bin/sh
# Wrapper that sets up NAT and forwarding for the VPN client pool and then
# starts/stops the ipsec and xl2tpd services.
case "$1" in
    start)
        echo "Starting my Ipsec VPN"
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Openswan/NETKEY requires ICMP redirects to be off on every interface
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec start
        /etc/init.d/xl2tpd start
        ;;
    stop)
        echo "Stopping my Ipsec VPN"
        # Note: this flushes the whole nat table, including any NAT rules
        # that do not belong to the VPN.
        iptables --table nat --flush
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /etc/init.d/ipsec stop
        /etc/init.d/xl2tpd stop
        ;;
    restart)
        echo "Restarting my Ipsec VPN"
        # Remove an existing copy of the rule first so repeated restarts do not
        # pile up duplicate MASQUERADE rules.
        iptables -t nat -D POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE 2>/dev/null
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec restart
        /etc/init.d/xl2tpd restart
        ;;
    *)
        echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
This sets up NAT (masquerading) for the VPN client pool so that clients can reach the Internet through the server, enables IP forwarding and disables ICMP redirects. If you use a client pool other than 10.152.2.0/24, or an external interface other than eth0, update the iptables lines accordingly.
Then make the script executable:
sudo chmod 755 /etc/init.d/ipsec.vpn
Disable the default ipsec init script at boot with
sudo update-rc.d -f ipsec remove
and enable the custom one instead:
sudo update-rc.d ipsec.vpn defaults
L2TP
Put the following in /etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- ip range = the range of IP addresses handed out to connecting clients
- local ip = the IP address of the VPN server on the tunnel; it must be outside the "ip range"
- refuse pap = reject PAP, which would send the password in the clear inside the tunnel; together with "require chap" only CHAP is accepted
- ppp debug = yes while testing, no in production
Choose a good challenge/response authentication string (the L2TP tunnel secret). xl2tpd enforces no minimum length; use at least 16 characters, and longer is better. Put it in /etc/xl2tpd/l2tp-secrets in the format "client server secret", where * matches any host:
* * exampleforchallengestring
Copy the following into /etc/ppp/options.xl2tpd:
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
The first two lines reject MS-CHAP and MS-CHAPv2, so only plain CHAP is used for the PPP authentication; that exchange already runs inside the IPsec tunnel. "auth" makes pppd require the peer to authenticate, and "hide-password" keeps the password out of the debug log.
ms-dns option
This sets the DNS server(s) pushed to the road warrior when it connects. The example uses Google's public resolvers (8.8.8.8 and 8.8.4.4); replace them with the DNS server of your local network if you have one. To push several servers, add one ms-dns line per server.
If you also need to push WINS settings to clients, use the separate ms-wins option.
mtu / mru
openswan.org points out that it is important to reduce the mtu/mru. L2TP/IPsec encapsulates each packet several times (PPP inside L2TP inside UDP inside ESP, plus another UDP header with NAT-T), and that overhead would otherwise push full-size packets over the MTU of the path; lowering mtu/mru to 1200 lets all packets pass over links with a small MTU without fragmentation.
proxyarp
Adds an entry to this system's ARP (Address Resolution Protocol) table with the peer's IP address and this system's Ethernet address. The effect is that the peer appears to other systems on the LAN to be on the LAN itself.
name l2tpd
The name this server uses when looking up peers in the PPP authentication file (chap-secrets, see below).
Add users
Add the users to /etc/ppp/chap-secrets, one per line, in the format "client server secret IP addresses":
# client   server   secret                      IP addresses
user1      l2tpd    "choose a good password"    *
user2      *        "choose a good password"    *
- client = the username
- server = the name given with the "name l2tpd" option in options.xl2tpd, or * to match any server name
- secret = the user's password; quote it if it contains spaces
- IP addresses = * to accept the user from any address, or the addresses the user is allowed to connect from
Note: you can add as many users as you want. The file holds cleartext passwords, so keep it readable by root only (chmod 600).
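The following shell functions are an added example, not part of this wiki page: they append a user to chap-secrets in exactly that format, generate a random password when none is given, refuse duplicates and keep the file mode at 600. The names CHAP_SECRETS, PPP_SERVER_NAME, gen_secret, user_exists and add_vpn_user are introduced here; CHAP_SECRETS defaults to the real file but can be pointed at a test copy.

```shell
#!/bin/sh
# Added example (not from the wiki): manage PPP users in chap-secrets.
# CHAP_SECRETS and PPP_SERVER_NAME are assumptions introduced here.
: "${CHAP_SECRETS:=/etc/ppp/chap-secrets}"
: "${PPP_SERVER_NAME:=l2tpd}"   # must match "name l2tpd" in options.xl2tpd

# 24 random alphanumeric characters (about 140 bits of entropy), so the
# value never needs quoting in chap-secrets.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24
}

# True if $1 already has an entry for this server (or for "*").
# Comments and short lines are skipped; quotes around the client name are ignored.
user_exists() {
    awk -v u="$1" -v s="$PPP_SERVER_NAME" '
        /^[[:space:]]*#/ || NF < 3 { next }
        { c = $1; gsub(/"/, "", c) }
        c == u && ($2 == s || $2 == "*") { found = 1 }
        END { exit found ? 0 : 1 }' "$CHAP_SECRETS" 2>/dev/null
}

# add_vpn_user USER [PASSWORD] [IP-ADDRESSES]
# Appends: client <TAB> server <TAB> "secret" <TAB> IP-addresses
# Prints the password (generated if none was given) so it can be handed out.
# Returns 1 for a duplicate user, 2 for bad input.
add_vpn_user() {
    user="$1"; pass="${2:-$(gen_secret)}"; ip="${3:-*}"
    case "$user" in
        ''|*[!A-Za-z0-9_.@-]*) echo "invalid username: $user" >&2; return 2 ;;
    esac
    case "$pass" in
        *'"'*|*' '*) echo "password may not contain quotes or spaces" >&2; return 2 ;;
    esac
    if user_exists "$user"; then
        echo "user $user already present in $CHAP_SECRETS" >&2
        return 1
    fi
    printf '%s\t%s\t"%s"\t%s\n' "$user" "$PPP_SERVER_NAME" "$pass" "$ip" >> "$CHAP_SECRETS"
    # cleartext secrets: root only
    chmod 600 "$CHAP_SECRETS"
    printf '%s\n' "$pass"
}

# Usage on the server:  sudo sh add-vpn-user.sh user3
if [ -n "${1:-}" ]; then
    add_vpn_user "$@"
fi
```

The username check is deliberately strict so that a crafted name cannot smuggle a second field into the line; a password containing a double quote or a space is rejected for the same reason rather than escaped.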
Forwarding
Make IP forwarding persistent across reboots by setting in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Then load the new setting:
sudo sysctl -p
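The ipsec.vpn script, the sysctl setting above and the redirect checks in "ipsec verify" all concern the same handful of kernel and iptables settings. The script below is an added example, not part of this wiki page, that checks them in one go: ip_forward, accept_redirects/send_redirects on every interface, and the MASQUERADE rule for the client pool. PROC_ROOT, VPN_POOL and VPN_IFACE are names introduced here so the checks can also be run against a test directory and a saved "iptables -t nat -S POSTROUTING" dump rather than only on the live server.

```shell
#!/bin/sh
# Added example (not from the wiki): verify the kernel and NAT state that
# ipsec.vpn and sysctl are supposed to leave behind.
# PROC_ROOT, VPN_POOL and VPN_IFACE are assumptions introduced here.
: "${PROC_ROOT:=/proc/sys/net/ipv4}"
: "${VPN_POOL:=10.152.2.0/24}"
: "${VPN_IFACE:=eth0}"

# True when $PROC_ROOT/ip_forward is 1 (net.ipv4.ip_forward=1).
forwarding_enabled() {
    [ "$(cat "$PROC_ROOT/ip_forward" 2>/dev/null)" = "1" ]
}

# True when every interface has accept_redirects and send_redirects at 0;
# otherwise report each offender on stderr and return 1 (the same condition
# "ipsec verify" tests for NETKEY).
redirects_disabled() {
    bad=0
    for each in "$PROC_ROOT"/conf/*; do
        for key in accept_redirects send_redirects; do
            if [ "$(cat "$each/$key" 2>/dev/null)" != "0" ]; then
                echo "$each/$key is not 0" >&2
                bad=1
            fi
        done
    done
    return "$bad"
}

# Count MASQUERADE rules for the client pool on the egress interface in the
# output of "iptables -t nat -S POSTROUTING" passed as $1. Always exits 0 and
# prints the count, which may be 0.
nat_rule_count() {
    printf '%s\n' "$1" \
        | grep -- '^-A POSTROUTING ' \
        | grep -F -- "-s $VPN_POOL " \
        | grep -F -- "-o $VPN_IFACE " \
        | grep -c -- '-j MASQUERADE$' || true
}

# Run all checks against the rule dump in $1. Returns 0 when forwarding is on,
# redirects are off and at least one matching NAT rule exists. More than one
# matching rule (left behind by repeated starts) is reported as a warning.
vpn_sanity_check() {
    rc=0
    forwarding_enabled || { echo "ip_forward is not 1" >&2; rc=1; }
    redirects_disabled || rc=1
    n=$(nat_rule_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "no MASQUERADE rule for $VPN_POOL on $VPN_IFACE" >&2
        rc=1
    elif [ "$n" -gt 1 ]; then
        echo "warning: $n duplicate MASQUERADE rules for $VPN_POOL" >&2
    fi
    return "$rc"
}

# Usage on the live server (root is needed to read the nat table):
#   sudo sh vpn-check.sh run
if [ "${1:-}" = "run" ]; then
    vpn_sanity_check "$(iptables -t nat -S POSTROUTING)" && echo "VPN kernel/NAT state OK"
fi
```

Run it after "sudo /etc/init.d/ipsec.vpn restart"; a non-zero exit with a message on stderr tells you which of the three settings the script or sysctl did not apply.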
Start VPN
sudo /etc/init.d/ipsec.vpn restart
(this also restarts xl2tpd, so no separate command is needed)
Connect VPN from an iOS device
- Go to Settings > General > Network > VPN > Add VPN Configuration > L2TP
- Description > any name you like
- Server > the VPN server's external IP address (x.x.x.x)
- Account > the PPP username (user1)
- Password > that user's PPP password from chap-secrets
- Secret > the IPsec pre-shared key ("good password" from /etc/ipsec.secrets). iOS has only this one secret field, and it is the IPsec PSK, not the L2TP tunnel secret.
- Save, then connect with the PPP username and password
Connect VPN from an Android device
- Go to Settings > Wireless & Networks > VPN Settings > Add VPN > Add L2TP/IPSec PSK VPN
- VPN name > any name you like
- Set VPN server > the VPN server's external IP address (x.x.x.x)
- Set IPSec pre-shared key > the PSK from /etc/ipsec.secrets ("good password")
- Enable L2TP secret > enable
- L2TP secret > exampleforchallengestring (the value from /etc/xl2tpd/l2tp-secrets)
- Save, then connect with your PPP username and password (user1 and the password from chap-secrets)
Debugging
If you run into problems, these commands help to see what is happening:
sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
You can also watch one client's traffic on the server's external interface, leaving out your own SSH session:
sudo tcpdump -i eth0 host a.b.c.d and not port ssh
where a.b.c.d is the public IP address of the client.
CategoryVPN