Set up L2TP/IPsec VPN on Debian

Set up IPsec

Set up networking

cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
EOF

NOTE: On DigitalOcean, also:

cat <<EOF >>/etc/sysctl.conf
net.ipv4.conf.ip_vti0.rp_filter=0
EOF

Reload config:

sysctl -p
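The block above appends to /etc/sysctl.conf with `>>`, so running it twice (or on a host that already sets one of these keys) leaves the same key in the file more than once; `sysctl -p` applies the file top to bottom, so the last assignment wins. The following pre-flight check is an added example, not part of the gist: it reports the effective (last) value of each key the VPN needs and fails if any is missing or wrong. The file path is a parameter so it can be exercised against a scratch file; it defaults to /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not part of the gist. Verifies the sysctl values the
# L2TP/IPsec setup relies on before `sysctl -p` is run.

# Print the effective value of KEY ($1) in FILE ($2): the last uncommented
# assignment wins, matching how `sysctl -p` applies a file with duplicates.
# Prints nothing when the key is absent.
sysctl_effective() {
  awk -v k="$1" -F= '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments and blanks
    {
      key = $1; gsub(/[ \t]/, "", key)             # tolerate "key = value"
      if (key == k) { val = $2; gsub(/[ \t]/, "", val); found = 1 }
    }
    END { if (found) print val }
  ' "$2"
}

# Check every key the gist sets (interface-specific rp_filter lines depend on
# the host, so only the all/default ones are checked). Returns 1 on any
# mismatch and names each offending key on stderr.
check_vpn_sysctl() {
  file="${1:-/etc/sysctl.conf}"; rc=0
  for kv in net.ipv4.ip_forward=1 \
            net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.conf.default.accept_redirects=0 \
            net.ipv4.conf.all.send_redirects=0 \
            net.ipv4.conf.default.send_redirects=0 \
            net.ipv4.conf.all.rp_filter=0 \
            net.ipv4.conf.default.rp_filter=0; do
    key="${kv%%=*}"; want="${kv#*=}"
    got="$(sysctl_effective "$key" "$file")"
    if [ "$got" != "$want" ]; then
      echo "$key: want $want, effective ${got:-<unset>}" >&2
      rc=1
    fi
  done
  return "$rc"
}
```

Usage on the host: `check_vpn_sysctl && sysctl -p`. Note that `sysctl -p` reads only /etc/sysctl.conf; anything in /etc/sysctl.d/ is applied by `sysctl --system` and is outside what this check sees.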

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan:

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat <<EOF >/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
EOF
cat <<EOF >>/etc/ipsec.conf
include /etc/ipsec.d/l2tp-psk.conf
EOF
cat <<EOF >/etc/ipsec.secrets
%any: PSK "__PRE_SHARED_KEY__"
EOF
chmod 600 /etc/ipsec.secrets

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPsec

NOTE: On Debian jessie, first:

systemctl enable xl2tpd.service
ipsec setup start
ipsec verify

Set up PPP

Install PPP

apt-get install -y xl2tpd

Set up PPP

cat <<EOF >/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <<EOF >>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF
cat <<EOF >/etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *
EOF
chmod 600 /etc/ppp/chap-secrets
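Both /etc/ipsec.secrets (above, under "Set up Libreswan") and /etc/ppp/chap-secrets are written with `__PLACEHOLDER__` strings and then chmod'ed after creation. The following is an added example, not the gist's code: it generates a random pre-shared key, creates both files with mode 0600 from the first byte, and includes a pre-flight check that fails if a placeholder was left in or the mode is wrong. `ROOT` is a hypothetical prefix (use `/` on the real host) so the functions can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example, not the gist's code. ROOT is a hypothetical prefix (use / on
# the real host) so the functions can be exercised against a scratch directory.

# 32 random bytes as 64 hex characters, using only POSIX tools.
gen_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Create $1 from stdin with mode 0600 from creation: the umask applies when
# the file is made, so there is no window where others can read it. An
# existing file is removed first because a redirection keeps the old mode.
write_private() {
  ( umask 077; rm -f "$1"; cat > "$1" )
}

# write_vpn_secrets ROOT USERNAME PASSWORD [PSK]
# printf writes the values literally; an unquoted heredoc would let the shell
# expand $ and backticks inside a password.
write_vpn_secrets() {
  root="$1"; user="$2"; pass="$3"; psk="${4:-$(gen_secret)}"
  mkdir -p "$root/etc/ppp"
  printf '%%any: PSK "%s"\n' "$psk" | write_private "$root/etc/ipsec.secrets"
  # chap-secrets fields: client server secret ip. The secret is double-quoted
  # so pppd reads it as one field even if it contains spaces.
  printf '%s * "%s" *\n' "$user" "$pass" | write_private "$root/etc/ppp/chap-secrets"
}

# Pre-flight check: both files exist, are mode 0600, and hold no leftover
# __PLACEHOLDER__ tokens. Returns 1 and reports each problem on stderr.
check_vpn_secrets() {
  root="$1"; rc=0
  for f in "$root/etc/ipsec.secrets" "$root/etc/ppp/chap-secrets"; do
    if [ ! -f "$f" ]; then echo "missing: $f" >&2; rc=1; continue; fi
    [ -n "$(find "$f" -perm 600)" ] || { echo "mode is not 0600: $f" >&2; rc=1; }
    if grep -q '__[A-Z_]*__' "$f"; then echo "placeholder left in $f" >&2; rc=1; fi
  done
  return "$rc"
}
```

Usage on the host: `write_vpn_secrets / alice 'S3cretPass'` followed by `check_vpn_secrets /`, then hand the printed PSK to the clients out of band. The generated PSK is 64 hex characters; the `%any` line means every client shares it, as in the gist's configuration, so rotating it means re-provisioning all clients.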

NOTE: May have to use local DNS servers.

Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

To apply immediately:

iptables --table nat --append POSTROUTING --jump MASQUERADE

To persist across reboots:

cat <<EOF >>/etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
EOF
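The MASQUERADE rule above has no source or interface restriction, so once ip_forward=1 is set the host will NAT any packet it forwards, not only traffic from the L2TP client pool, and nothing limits which UDP ports reach the daemons. The following is an added example, not the gist's code: it emits a rule set that accepts IKE and NAT-T, accepts L2TP on 1701/udp only when the packet arrived inside an IPsec SA (the `policy` match), forwards and masquerades only the client pool, and applies the rules from a reviewable list. The WAN interface (`eth0`) and the pool (`10.1.10.0/24`, from xl2tpd.conf above) are parameters.

```shell
#!/bin/sh
# Added example, not the gist's code. Assumes the Internet-facing interface
# is eth0 and the client pool is the one from xl2tpd.conf (10.1.10.0/24);
# both are parameters.

# Emit the rules one per line without applying them, so they can be reviewed
# (or tested) first. In order:
#   - IKE (500/udp) and NAT-T (4500/udp) from anywhere
#   - L2TP (1701/udp) only when it arrived inside an IPsec SA; bare L2TP dropped
#   - forwarding only from the client pool out, and replies back in
#   - masquerade only the client pool, not every forwarded packet
vpn_firewall_rules() {
  wan="$1"; pool="$2"
  cat <<EOF
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A FORWARD -s $pool -o $wan -j ACCEPT
-A FORWARD -d $pool -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Apply the emitted rules with iptables (needs root).
apply_vpn_firewall() {
  vpn_firewall_rules "$1" "$2" | while IFS= read -r rule; do
    # word splitting of $rule into separate iptables arguments is intended
    iptables $rule
  done
}
```

Review with `vpn_firewall_rules eth0 10.1.10.0/24`, then `apply_vpn_firewall eth0 10.1.10.0/24` (and the same call in rc.local in place of the single MASQUERADE line). The FORWARD rules only restrict anything if that chain's default policy is DROP; Debian's default is ACCEPT, so set `iptables -P FORWARD DROP` first.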

@golflima

commented Aug 2, 2015

Libreswan 3.13 has been released, so you can adapt the Libreswan installation process with:
wget https://download.libreswan.org/libreswan-3.13.tar.gz
tar zxvf libreswan-3.13.tar.gz
cd libreswan-3.13

@royceniu

commented Sep 25, 2016

You should also run "ipsec setup start" at boot time.

@CapnIain

commented Jan 23, 2017

For jessie lite (Raspbian January 2017 version) with libreswan 3.19 I also had to add libsystemd-dev using:
sudo apt-get install libsystemd-dev
This was to address "fatal error: systemd/sd-daemon.h: file or directory not found" while building libreswan.

If you get "function gensub never defined" errors, you may also need to add:
sudo apt-get install gawk

If creating the man files (i.e. not using "make base") and there are "xmlto: command not found" errors, try:
sudo apt-get --no-install-recommends install xmlto

@SergioMartinezIngelmo

commented May 15, 2017

Hi, I followed all the steps on Debian Jessie and everything seems OK during the installation and configuration process, but I can't reach my L2TP/IPSec server, so something is not working properly. My mission is to connect my Raspberry Pi 3 Model B as a client to my L2TP/IPSec VPN server.
I can connect from my mobile and from Windows 7 clients without problem, but I can't figure out how to do the same with Linux (Debian Jessie or RetroPie/Raspbian).

After the configuration is complete, how can I check if everything works fine? ifconfig does not show me the VPN connection and as I said, ping can't reach my server.

Thank you very much in advance.

@Arefu

commented Jul 27, 2017

@Sergio3 if you can't ping your server, it implies there is either a firewall or a physical limitation restricting access. Make sure the firewalls on both sides (sender and receiver) allow outgoing and incoming ICMP packets respectively.

@sberniz

commented Nov 4, 2017

Hi, I'm very confused about this article. Is this a VPN client site-to-site configuration? If it is, can someone help me configure it with a PSK? I have a SoftEther server on a Windows machine. It didn't seem at the moment I'll be using a Pi for a project, and I'd like the Pi to connect via VPN and be able to access it from my home network. Thanks.
