Server IP: 192.168.1.200
GW IP: 192.168.1.1
VPN IP pool: 192.168.0.128/26
Forward UDP ports 500 and 4500 from the gateway to the server IP
# Install the IPsec daemon (strongSwan) with its extra plugin packages, the
# L2TP daemon, pppd, and lsof as a diagnostic helper. Run as root.
apt-get install \
  strongswan \
  xl2tpd \
  ppp \
  lsof \
  libcharon-extra-plugins \
  libstrongswan-extra-plugins
# ifupdown network configuration (the format of /etc/network/interfaces):
# loopback plus a static address on eth0. The address and gateway are the
# "Server IP" and "GW IP" reused by the IPsec and xl2tpd settings below.
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.1
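# Disable sending and accepting ICMP redirects on every entry under
# /proc/sys/net/ipv4/conf (this covers the "all" and "default" entries as
# well as eth0). Writes here take effect immediately but are lost on reboot;
# the net.ipv4.conf.* sysctl settings provide the persistent equivalent.
# Must run as root. Expansions are quoted so an unexpected entry name cannot
# be word-split, and printf is used instead of echo for portable output.
for vpn in /proc/sys/net/ipv4/conf/*; do
  printf '0\n' > "$vpn/accept_redirects"
  printf '0\n' > "$vpn/send_redirects"
done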
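# NAT only the traffic that comes from the VPN address pool and leaves via
# the LAN interface. The unrestricted rule (no --source/--out-interface)
# masqueraded every forwarded packet from any source, which is wider than
# the VPN needs. Like any iptables rule this is not persistent across
# reboots unless saved by a separate mechanism. Run as root.
iptables --table nat --append POSTROUTING --source 192.168.0.128/26 --out-interface eth0 --jump MASQUERADE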
# sysctl.conf entries. ip_forward lets the host route between the VPN pool
# and the LAN; the two redirect settings persist across reboots what the
# /proc loop sets at runtime. Apply with "sysctl -p".
# NOTE(review): the kernel treats send_redirects as enabled if either the
# "all" entry or the per-interface entry is set, so consider also adding
# net.ipv4.conf.default.send_redirects = 0 and the eth0 entry to match the
# runtime loop — confirm against the kernel ip-sysctl documentation.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# ipsec.conf: strongSwan connection for L2TP/IPsec clients. The server only
# answers (auto=add) peers that authenticate with the shared PSK and carry
# L2TP (UDP/1701) in transport mode.
conn L2TP
# When dead-peer detection fails, tear the SA down rather than retry.
dpdaction=clear
#Server IP
left=192.168.1.200
#Server default gateway
# NOTE(review): leftnexthop is an Openswan-era option; strongSwan may ignore
# it — check the starter log for a warning when the config is loaded.
leftnexthop=192.168.1.1
# Limit the SA to L2TP: server port 1701, any client source port (clients
# behind NAT do not keep port 1701).
leftprotoport=17/1701
rightprotoport=17/%any
right=%any
rightsubnet=0.0.0.0/0
# Both ends authenticate with the pre-shared key from ipsec.secrets.
leftauth=psk
rightauth=psk
leftid=192.168.1.200
ikelifetime=1h
keylife=8h
# Proposal lists, strongest first. The md5, 3des and modp1024 variants are
# weak by current standards and are presumably only kept for older clients;
# drop them once no such client remains. Without a trailing "!" strongSwan
# may append its own default proposals — confirm the effective list with
# "ipsec statusall".
ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
# Load the connection and wait for the client to initiate.
auto=add
keyexchange=ike
# L2TP/IPsec protects the L2TP/UDP packets in transport mode; the PPP link
# inside carries the client traffic.
type=transport
# Openswan-style implicit connections, explicitly disabled. strongSwan
# presumably does not define these, in which case the entries are harmless.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
# strongswan.conf: settings for charon (the IKE daemon). Plugin-specific
# options are pulled in from strongswan.d/charon/*.conf.
charon {
# Let each plugin's own config file control whether it is loaded.
load_modular = yes
# Advertise the strongSwan vendor ID payload to peers.
send_vendor_id = yes
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
# ipsec.secrets: a single pre-shared key accepted from any peer (%any), so
# every L2TP client shares this one secret. Keep the file readable by root
# only; if the key leaks it must be rotated on every client at once.
%any : PSK "[PRE-SHARED KEY]"
; xl2tpd.conf: daemon-wide settings followed by the default LNS (server)
; section that terminates the L2TP tunnels arriving over IPsec.
[global]
; Per-SA reference tracking is off; it normally needs kernel support.
ipsec saref = no
; All debug categories off; enable selectively when troubleshooting.
debug tunnel = no
debug avp = no
debug network = no
debug state = no
[lns default]
; Address pool handed to clients (see "assign ip" below). It must agree with
; the address column of chap-secrets.
ip range = 192.168.0.128/26
; Server-side PPP address, the LAN address of this host.
local ip = 192.168.1.200
; Name this LNS reports — presumably what peers see; confirm in the man page.
name = l2tp
; Presumably forwards the peer's address to pppd — confirm in the man page.
pass peer = yes
ppp debug = no
; pppd options applied to every L2TP session.
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP packet headers.
length bit = yes
assign ip = yes
; Only CHAP is accepted: clear-text PAP is refused and authentication is
; mandatory.
require chap = yes
refuse pap = yes
require authentication = yes
# /etc/ppp/options.xl2tpd: pppd options applied to every L2TP session.
# Accept the addresses proposed by the peer for both ends of the link.
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients via the Microsoft DNS extension.
ms-dns 8.8.8.8
# Require the peer to authenticate before passing network traffic.
auth
# Drop the link after 1800 seconds without traffic.
idle 1800
# Reduced MTU/MRU, presumably to leave room for the L2TP/IPsec encapsulation.
mtu 1410
mru 1410
# Never replace this host's default route with the PPP link.
nodefaultroute
lock
# NOTE(review): proxyarp only helps when the client address is on a local
# subnet; the pool (192.168.0.x) lies outside eth0's 192.168.1.0/24, so LAN
# reachability here comes from the MASQUERADE rule instead — verify.
proxyarp
connect-delay 5000
# Local name used when looking up secrets; the chap-secrets "server" column
# is "*", so any name matches.
name l2tpd
ifname l2tp
#login
# Disable VJ header compression, CCP, and protocol/address field compression.
novj
noccp
nopcomp
noaccomp
asyncmap 0
# Only CHAP is offered; EAP and clear-text PAP are refused.
refuse-eap
refuse-pap
# Secrets for authentication using CHAP
# client server secret IP addresses
# NOTE(review): both entries carry the placeholder password "test"; replace
# them before deployment and keep this file mode 0600, since the secrets
# are stored in clear text.
# NOTE(review): the address column limits which remote IPs a peer may use;
# 192.168.0.96/27 and 192.168.0.94 lie outside the xl2tpd pool
# 192.168.0.128/26, so confirm pppd accepts the assigned addresses (or use
# "*" to allow any).
test * "test" 192.168.0.96/27
boss * "test" 192.168.0.94
# Init-script registration for ipsec (left commented out in these notes):
# remove the existing links, then re-add them with the default runlevels.
# update-rc.d -f ipsec remove
# update-rc.d ipsec defaults
# Troubleshooting commands, intended to be run one at a time rather than as
# a script: each "tail -f" blocks until interrupted. IKE/charon messages
# typically land in auth.log, xl2tpd and pppd messages in syslog.
tail -f /var/log/auth.log
tail -f /var/log/syslog
# strongSwan status: a summary of connections and SAs, the same with daemon
# details, and a listing of loaded credentials.
ipsec status
ipsec statusall
ipsec listall