L2TP IPSEC VPN

A couple of handy sites for getting that setup:

Your own IPSEC VPN in about 3 minutes using Digital Ocean

And this debian one for support.

https://wiki.debian.org/HowTo/AndroidVPNServer#L2TP.2FIPSec

Couple of notes that the script didn’t cover:

  • Instead of openswan had to use strongswan.
  • Had to add a shared secret to /etc/ipsec.secrets
  • To use a proxy you just point the proxy to listen on 172.16.1.1 and point the computer to that proxy’s port

The script he had is the key so it’s here for posterity:

apt-get install -y openswan xl2tpd ppp
apt-get install -y lsof

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

echo "for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done"  |  tee -a /etc/rc.local
echo "iptables --table nat --append POSTROUTING --jump MASQUERADE"  |  tee -a /etc/rc.local

echo "config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    protostack=netkey
    #decide which protocol stack is going to be used.

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    auto=add
    #start at boot
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    type=transport
    #because we use l2tp as tunnel protocol
    left=%SERVERIP%
    #fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any" > /etc/ipsec.conf



    ipsec verify


    echo "[global]
ipsec saref = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes" > /etc/xl2tpd/xl2tpd.conf

echo "require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4" > /etc/ppp/options.xl2tpd
echo "# username  l2tpd password  *" >> /etc/ppp/chap-secrets
echo ""
echo ""
echo "To Do:"
echo ""
echo "- Add users: /etc/ppp/chap-secrets"
echo "Restart the software: /etc/init.d/ipsec restart;  /etc/init.d/xl2tpd restart"

Leave a Reply

Your email address will not be published. Required fields are marked *