Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Set up L2TP/IPsec VPN on Debian

Set up L2TP/IPsec VPN on Debian

Set up IPsec

Set up networking

cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF

NOTE: On DigitalOcean, also:

cat <<EOF >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF

Reload config:

sysctl -p

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan:

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat <<EOF >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
EOF
cat <<EOF >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF
cat <<EOF >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
chmod 600 /etc/ipsec.secrets

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPSec

NOTE: On Debian jessie, first:

systemctl enable xl2tpd.service
ipsec setup start
ipsec verify

Set up PPP

Install PPP

apt-get install -y xl2tpd

Set up PPP

cat <<EOF >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<EOF >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF
cat <<EOF >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
chmod 600 /etc/ppp/chap-secrets

NOTE: May have to use local DNS servers.

Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

For now:

iptables --table nat --append POSTROUTING --jump MASQUERADE

For later:

cat <<EOF >>/etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
EOF

References

@golflima
Copy link

golflima commented Aug 2, 2015

Libreswan 3.13 released, you can so adapt the Libreswan installation process with :
wget https://download.libreswan.org/libreswan-3.13.tar.gz
tar zxvf libreswan-3.13.tar.gz
cd libreswan-3.13

@royceniu
Copy link

royceniu commented Sep 25, 2016

Also should
"ipsec setup start"
at the boot time.

@CapnIain
Copy link

CapnIain commented Jan 23, 2017

For jessie lite (raspian january 2017 version) with libreswan 3.19 I also had to add libsystemd-dev using:
sudo apt-get install libsystemd-dev
This was to address "fatal error: systemd/sd-daemon.h: file or directory not found" while building libreswan

If you get get "function gensub never defined" errors you may also need to add:
sudo apt-get install gawk

If creating the man files (i.e. not using "make base") and there are "xmlto: command not found" errors try:
sudo apt-get --no-install-recommends install xmlto

@SergioMartinezIngelmo
Copy link

SergioMartinezIngelmo commented May 15, 2017

Hi, I followed all the steps in Debian Jessie and everything seems ok during the installation and configuration process but I can't reach my L2TP/IPSec server so something is not working properly. My mission is to connect my Raspberry Pi 3 Model B as a client to my L2TP/IPSec VPN server.
I can connect from my mobile and from Windows 7 clients without problem but I can't figure out how to do the same with Linux (Debian Jessie or Retropie/Raspbian).

After the configuration is complete, how can I check if everything works fine? ifconfig does not show me the VPN connection and as I said, ping can't reach my server.

Thank you very much in advance.

@Arefu
Copy link

Arefu commented Jul 27, 2017

@Sergio3 if you can't ping your server it implies there is either a firewall or a physical limitation restricting access. Make sure the firewall on both sides (Sender and receiver) both allow outgoing and incoming ICMP packets respectively.

@sberniz
Copy link

sberniz commented Nov 4, 2017

Hi , i'm very confused about this article. is this as a vpn client site to site configuration? if it is. can someone help me configure with a psk?. i have softether server on a windows machine. didn't seem at the moment i'll be using a pi for a project. and i'll like the pi to connect via vpn and be able to access it from my hoome network. thanks

@rwb196884
Copy link

rwb196884 commented Aug 6, 2022

Can't get this to work with Mac, Windows, or Android clients. All show the same in the syslog:

...
Aug  6 09:08:59 mini31 xl2tpd[12270]: get_call: allocating new tunnel for host 192.168.0.7, port 60075.
Aug  6 09:08:59 mini31 xl2tpd[12270]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Aug  6 09:08:59 mini31 xl2tpd[12270]: protocol_version_avp: peer is using version 1, revision 0.
Aug  6 09:08:59 mini31 xl2tpd[12270]: framing_caps_avp: supported peer frames: async sync
Aug  6 09:08:59 mini31 xl2tpd[12270]: hostname_avp: peer reports hostname 'macbook'
Aug  6 09:08:59 mini31 xl2tpd[12270]: assigned_tunnel_avp: using peer's tunnel 27
Aug  6 09:08:59 mini31 xl2tpd[12270]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
Aug  6 09:08:59 mini31 xl2tpd[12270]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 27, call is 0.
Aug  6 09:08:59 mini31 xl2tpd[12270]: control_finish: Peer requested tunnel 27 twice, ignoring second one.
Aug  6 09:08:59 mini31 xl2tpd[12270]: build_fdset: closing down tunnel 42061
Aug  6 09:08:59 mini31 xl2tpd[12270]: network_thread: select timeout with max retries: 5 for tunnel: 23913
Aug  6 09:09:03 mini31 xl2tpd[12270]: network_thread: recv packet from 192.168.0.7, size = 68, tunnel = 0, call = 0 ref=0 refhim=0
Aug  6 09:09:03 mini31 xl2tpd[12270]: get_call: allocating new tunnel for host 192.168.0.7, port 60075.
Aug  6 09:09:03 mini31 xl2tpd[12270]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Aug  6 09:09:03 mini31 xl2tpd[12270]: protocol_version_avp: peer is using version 1, revision 0.
Aug  6 09:09:03 mini31 xl2tpd[12270]: framing_caps_avp: supported peer frames: async sync
Aug  6 09:09:03 mini31 xl2tpd[12270]: hostname_avp: peer reports hostname 'macbook'
Aug  6 09:09:03 mini31 xl2tpd[12270]: assigned_tunnel_avp: using peer's tunnel 27
Aug  6 09:09:03 mini31 xl2tpd[12270]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
Aug  6 09:09:03 mini31 xl2tpd[12270]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 27, call is 0.
Aug  6 09:09:03 mini31 xl2tpd[12270]: control_finish: Peer requested tunnel 27 twice, ignoring second one.
Aug  6 09:09:03 mini31 xl2tpd[12270]: build_fdset: closing down tunnel 17913
Aug  6 09:09:04 mini31 charon: 12[NET] received packet: from 192.168.0.7[500] to 192.168.0.31[500] (76 bytes)
Aug  6 09:09:04 mini31 charon: 12[ENC] parsed INFORMATIONAL_V1 request 4192958371 [ HASH D ]
Aug  6 09:09:04 mini31 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 0bbf9603
Aug  6 09:09:04 mini31 charon: 12[IKE] closing CHILD_SA wep-ap{2} with SPIs c84bba15_i (532 bytes) 0bbf9603_o (0 bytes) and TS 192.168.0.31/32[udp/l2f] === 192.168.0.7/32[udp/60075]
Aug  6 09:09:04 mini31 charon: 07[NET] received packet: from 192.168.0.7[500] to 192.168.0.31[500] (92 bytes)
Aug  6 09:09:04 mini31 charon: 07[ENC] parsed INFORMATIONAL_V1 request 2200503579 [ HASH D ]
Aug  6 09:09:04 mini31 charon: 07[IKE] received DELETE for IKE_SA wep-ap[2]
Aug  6 09:09:04 mini31 charon: 07[IKE] deleting IKE_SA wep-ap[2] between 192.168.0.31[192.168.0.31]...192.168.0.7[192.168.0.7]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment