

@miqm
Created May 1, 2018 12:26
VPN L2TP/IPSec

Network config

Server IP: 192.168.1.200

GW IP: 192.168.1.1

VPN IP pool: 192.168.0.128/26

Forward UDP port 500 (IKE) and UDP port 4500 (IPsec NAT-T) on the gateway to the server.

setup

install

# Run as root. strongswan = IKE/IPsec daemon; xl2tpd = L2TP daemon; ppp = pppd for the per-client links;
# lsof is only a diagnostic helper; the two *-extra-plugins packages supply additional charon/libstrongswan
# plugins (picked up through the strongswan.d includes in /etc/strongswan.conf).
apt-get install strongswan xl2tpd ppp lsof libcharon-extra-plugins libstrongswan-extra-plugins

/etc/network/interfaces

# Bring up loopback and eth0 automatically at boot
auto lo eth0
iface lo inet loopback

# Static LAN address of the VPN server (the "Server IP" above); 192.168.1.1 is the gateway
# that forwards UDP 500/4500 to this host
iface eth0 inet static
    address 192.168.1.200
    netmask 255.255.255.0
    gateway 192.168.1.1

Config Files

/etc/rc.local

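# Clear ICMP redirect handling on every interface entry, including "default" (new interfaces such as
# the PPP links created later take their initial values from it); the "all" keys in sysctl.conf alone
# may not cover per-interface settings.
for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$vpn/accept_redirects"
    echo 0 > "$vpn/send_redirects"
done
# NAT only traffic that comes from the VPN address space (the xl2tpd pool 192.168.0.128/26 and the
# chap-secrets addresses, all inside 192.168.0.0/24) and leaves through eth0. An unqualified
# MASQUERADE rule rewrote every forwarded packet regardless of source or outgoing interface.
iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --out-interface eth0 --jump MASQUERADE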

/etc/sysctl.conf

# Route packets between the VPN clients and the LAN/Internet (paired with the MASQUERADE rule in rc.local)
net.ipv4.ip_forward = 1
# A forwarding host must neither accept ICMP redirects (peers could rewrite its routes) nor send them;
# rc.local repeats this per interface, which the "all" keys alone may not cover
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

/etc/ipsec.conf

# IPsec transport-mode connection that protects the L2TP (UDP 1701) traffic
conn L2TP
  # Dead peer detection: when a peer stops answering, close its SAs and do not try to reconnect
  dpdaction=clear
  #Server IP
  left=192.168.1.200
  #Server default gateway
  # NOTE(review): leftnexthop is an Openswan-era keyword; confirm this strongSwan version accepts it
  # (unknown keywords are normally skipped with a warning at load time)
  leftnexthop=192.168.1.1
  # Only UDP 1701 (L2TP) on the server side is covered by the SA; the client port is left open because
  # NATed clients arrive from arbitrary source ports
  leftprotoport=17/1701
  rightprotoport=17/%any
  # Any client address may connect (road warriors)
  right=%any
  # NOTE(review): with type=transport this is not a tunnel selector; confirm it is still required
  # for NATed clients with the strongSwan version in use
  rightsubnet=0.0.0.0/0
  # Pre-shared key authentication on both sides (the key lives in /etc/ipsec.secrets)
  leftauth=psk
  rightauth=psk
  # Identity the server presents; matches its LAN address rather than the gateway's public address
  leftid=192.168.1.200
  # IKE SA rekeyed hourly; IPsec SA (keylife is strongSwan's alias of lifetime) every 8 hours
  ikelifetime=1h
  keylife=8h
  # NOTE(review): the MD5 and 3DES proposals and the modp1024 group are weak by current standards;
  # keep only the suites your client population actually needs and drop the *-md5-* and 3des-*
  # entries once no legacy client depends on them.
  # NOTE(review): the DH groups on the esp line request PFS for the child SA; some L2TP clients do not
  # do PFS — confirm negotiation succeeds with the clients you expect.
  ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
  esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
  # Load the connection and wait for clients to initiate (server acts as responder only)
  auto=add
  # Accept IKEv1 (what L2TP/IPsec clients use) as well as IKEv2
  keyexchange=ike
  # Transport mode is what L2TP/IPsec requires
  type=transport

# NOTE(review): the following names are Openswan's implicit policy connections; disabling them here
# is harmless but presumably has no effect under strongSwan — confirm before relying on it
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

/etc/strongswan.conf

# charon is strongSwan's IKE daemon
charon {
  # Load plugins according to the per-plugin files included below rather than a single load list
  load_modular = yes
  # Announce the strongSwan vendor ID to peers; lets the implementation be fingerprinted, usually harmless
  send_vendor_id = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}

include strongswan.d/*.conf

/etc/ipsec.secrets

# One pre-shared key for IKE phase 1 with every peer (%any): in IKEv1 main mode the client identity is
# only seen after the key has been used, so a single group key is the norm for L2TP/IPsec road warriors.
# Replace the placeholder with a long random value and keep this file root-only (mode 0600);
# per-user authentication happens afterwards via CHAP in /etc/ppp/chap-secrets.
%any : PSK "[PRE-SHARED KEY]"

/etc/xl2tpd/xl2tpd.conf

[global]
; SA reference tracking needs kernel support; disabled here
ipsec saref = no
; Verbose L2TP logging off (turn on temporarily when troubleshooting a client)
debug tunnel = no
debug avp = no
debug network = no
debug state = no

; Default L2TP network server: one entry handles every incoming tunnel
[lns default]
; Addresses handed to clients (NOTE: the chap-secrets entries use addresses outside this range)
ip range = 192.168.0.128/26
; Server-side PPP address (the server's LAN address)
local ip = 192.168.1.200
name = l2tp
; Passes the peer's address on to pppd (presumably as ipparam) — confirm against the xl2tpd man page
pass peer = yes
ppp debug = no
; pppd options shared by every session
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
; Hand out addresses from "ip range" instead of letting clients pick freely
assign ip = yes
; Only CHAP is accepted: PAP refused, unauthenticated sessions refused
require chap = yes
refuse pap = yes
require authentication = yes

/etc/ppp/options.xl2tpd

# pppd options for every xl2tpd session (pppoptfile in xl2tpd.conf)
# Accept the peer's proposed local/remote IPCP addresses instead of insisting on ours
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients; point this at a local resolver if client DNS queries should stay inside the network
ms-dns 8.8.8.8
# Require the peer to authenticate before any network traffic flows
auth
# Drop the session after 30 minutes without traffic
idle 1800
# Presumably sized to leave room for the L2TP/UDP/IPsec headers on a 1500-byte path — confirm for your clients
mtu 1410
mru 1410
# Never replace the server's own default route with the peer
nodefaultroute
# pppd lock file for the pty
lock
# NOTE(review): proxyarp only publishes peer addresses that belong to a local subnet; the pool
# 192.168.0.128/26 is not inside eth0's 192.168.1.0/24, so this likely has no effect here — confirm
proxyarp
# Wait up to 5 s for a valid PPP packet from the peer before giving up
connect-delay 5000
# Local name matched against the "server" column of chap-secrets ("*" there matches it)
name l2tpd
# NOTE(review): a fixed interface name is shared by every session; confirm concurrent clients do not collide
ifname l2tp
#login
# No VJ/protocol/address-control compression and no CCP: MPPE is unnecessary since IPsec already encrypts the tunnel
novj
noccp
nopcomp
noaccomp
asyncmap 0
# CHAP only: refuse EAP and PAP (PAP would carry the password in clear inside the PPP frame)
refuse-eap
refuse-pap

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret     IP addresses
# Fields: client = CHAP username; server = server name the entry applies to ("name l2tpd" in
# options.xl2tpd, "*" = any); secret = CHAP password (replace the "test" placeholders with strong
# values); IP addresses = addresses this client may use.
# NOTE(review): 192.168.0.96/27 and 192.168.0.94 lie outside the xl2tpd pool 192.168.0.128/26 —
# confirm pppd accepts the pool address for these users, or align the two ranges.
# Secrets are stored in clear text: keep this file root-only readable (mode 0600).
test            *       "test"     192.168.0.96/27
boss            *       "test"     192.168.0.94

run

# The leading "#" on the next two lines is the root shell prompt, not a comment: re-register the
# ipsec init script so strongSwan starts at boot (remove stale links, then add the default ones).
# update-rc.d -f ipsec remove
# update-rc.d ipsec defaults

diagnostics

# Live logs: on a default Debian syslog setup the IKE (charon), xl2tpd and pppd messages land in these files
tail -f /var/log/auth.log
tail -f /var/log/syslog
# Connection summary, verbose summary with SA details, and the loaded credentials/algorithms/plugins
ipsec status
ipsec statusall
ipsec listall