How To Install Setup L2TP over IPsec VPN in Debian Lenny


In this how-to, I am going to share how to install and set up an L2TP over IPsec VPN in Debian Lenny using the openswan and xl2tpd packages. I am going to use a Pre-Shared Key (PSK) for IPsec and CHAP as the PPP authentication mechanism. This how-to has been tested with iPad 2, Mac OS X Lion and Windows 7 clients. If you have tested it with other OSes or smartphones, I would like to hear from you in the comments.

I am using a Hostigation KVM (affiliate link) for this how-to. Let’s get started; all commands below are run as root.

1. Install Openswan in Debian Lenny using the command below (accept the defaults for the questions asked): -
# aptitude install openswan

2. Add the configuration below to the /etc/ipsec.conf file: -
# basic configuration
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0
    protostack=netkey

# Add connections here
conn L2TP-PSK-CLIENTS
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

3. Next, put your preferred Pre-Shared Key (PSK) in the /etc/ipsec.secrets file, in the form below: -
YourIPHere %any: PSK "sharedsecrethere"

4. Then, restart the IPsec service using the command below: -
# /etc/init.d/ipsec restart

5. Then, disable ICMP redirects in the Linux kernel (openswan requires this) using the command below: -
# for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done

6. By now the IPsec configuration is done; verify it using the command below, which should report no errors: -
# ipsec verify

7. Install xl2tpd using the command below in Debian Lenny: -
# aptitude install xl2tpd

8. Add the xl2tpd configuration below to the /etc/xl2tpd/xl2tpd.conf file: -
[lns default]
ip range = 10.20.30.2-10.20.30.254
local ip = 10.20.30.1
require chap = yes
require authentication = yes
refuse pap = yes
name = LinuxVPNserver
hostname = YourVPNHostname
ppp debug = yes
length bit = yes
pppoptfile = /etc/xl2tpd/ppp-options.xl2tpd

9. Add the PPP configuration below to the /etc/xl2tpd/ppp-options.xl2tpd file: -
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 8.8.4.4
ms-dns 8.8.8.8
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/ppp.log

10. Configure CHAP (the xl2tpd configuration above requires CHAP and refuses PAP) by adding a line for each user to the /etc/ppp/chap-secrets file, as below: -
username l2tpd password *
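The two secret files in steps 3 and 10 are the only things standing between the Internet and your VPN, so they deserve a random secret and restrictive permissions. The shell script below is an added example, not part of the original how-to: it generates a random PSK, writes /etc/ipsec.secrets and the chap-secrets entry with mode 600, and checks /etc/ipsec.conf before the restart in step 4. The check also reports a missing `version 2.0` statement, which openswan 2.x requires as the first statement of the file (the error quoted in the comments): Debian's shipped /etc/ipsec.conf already begins with it, and step 2 adds to that file rather than replacing it. File paths are parameters so the functions can be exercised against a scratch directory; the user name and server address in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original how-to): generate the credentials for
# the L2TP/IPsec server and sanity-check the files before restarting openswan.
# Every path is a parameter; the defaults in the usage comments below are the
# files the how-to uses.
set -eu

# Print a random hex string of N bytes (default 32) read from /dev/urandom.
gen_secret() {
    od -An -tx1 -N "${1:-32}" /dev/urandom | tr -d ' \n'
}

# Write the ipsec.secrets line of step 3. The file must not be world-readable:
# anyone who can read the PSK can impersonate the server or the clients.
write_ipsec_secrets() {
    file=$1; server_ip=$2; psk=$3
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# Append one CHAP user for the "l2tpd" server name used in step 9 (format of
# chap-secrets: client server secret IP-address).
add_chap_user() {
    file=$1; user=$2; password=$3
    ( umask 077; printf '%s\tl2tpd\t"%s"\t*\n' "$user" "$password" >> "$file" )
    chmod 600 "$file"
}

# Check an ipsec.conf: openswan 2.x refuses a file whose first statement is
# not "version 2.x" (the Debian package's default file has it), and the L2TP
# connection needs the settings listed here. Prints each problem found and
# returns 1 if there was any.
check_ipsec_conf() {
    file=$1; rc=0
    first=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | head -n 1)
    case $first in
        'version 2'*) ;;
        *) echo "$file: first statement must be 'version 2.0', got '$first'"; rc=1 ;;
    esac
    for directive in 'protostack=netkey' 'nat_traversal=yes' 'authby=secret' \
                     'type=transport' 'leftprotoport=17/1701'; do
        grep -q "^[[:space:]]*$directive" "$file" || { echo "$file: missing $directive"; rc=1; }
    done
    return $rc
}

# Usage as root (YourIPHere and alice are placeholders):
#   PSK=$(gen_secret)
#   write_ipsec_secrets /etc/ipsec.secrets YourIPHere "$PSK"
#   add_chap_user /etc/ppp/chap-secrets alice "$(gen_secret 16)"
#   check_ipsec_conf /etc/ipsec.conf && /etc/init.d/ipsec restart
```

The PSK generated this way is 64 hex characters; every client must be given the same string, so distribute it out of band rather than by e-mail. Running the check before the restart turns the terse "we only support version 2 ipsec.conf files" failure into a message that names the file and the statement that is wrong.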

11. Next, enable IP forwarding in the Linux kernel using the command below: -
# echo 1 > /proc/sys/net/ipv4/ip_forward

12. Next, configure the Linux firewall (iptables) to enable masquerading (Internet sharing) for the VPN subnet using the command below: -
# iptables -t nat -A POSTROUTING -o eth0 -s 10.20.30.0/24 -j MASQUERADE
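The echo commands in steps 5 and 11 and the iptables rule in step 12 only change the running kernel and are lost at the next reboot, and as written the server also accepts L2TP on UDP 1701 from anywhere, not just from inside the IPsec tunnel. The script below is an added example, not part of the original how-to: it checks the live /proc/sys values that `ipsec verify` complains about, prints the /etc/sysctl.conf lines that make them persistent, and prints a firewall rule set in which UDP 1701 is only accepted when the packet arrived inside an IPsec SA (the iptables policy match, available in the 2.6 kernels Lenny ships). It assumes eth0 is the public interface and 10.20.30.0/24 the VPN subnet, as in steps 8 and 12; the /proc tree is a parameter so the check can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original how-to): make the kernel settings of
# steps 5 and 11 verifiable and persistent, and narrow the firewall of step 12
# so that L2TP (UDP 1701) is reachable only through the IPsec tunnel.
# Nothing here changes the system unless you run the commands it prints.
set -eu

# Check the values under a /proc/sys tree (parameter so a scratch copy can be
# checked). Reports every setting that differs from what openswan's
# "ipsec verify" and the VPN need; returns 1 if any did.
check_kernel_settings() {
    root=${1:-/proc/sys}; rc=0
    [ "$(cat "$root/net/ipv4/ip_forward")" = 1 ] || { echo "ip_forward is not 1"; rc=1; }
    for dir in "$root"/net/ipv4/conf/*; do
        for key in accept_redirects send_redirects; do
            [ "$(cat "$dir/$key")" = 0 ] || { echo "$dir/$key is not 0"; rc=1; }
        done
    done
    return $rc
}

# Lines for /etc/sysctl.conf so the settings survive a reboot. "all" covers
# the interfaces that exist now, "default" the ones created later (ppp0..n).
sysctl_conf_lines() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Print the iptables commands for the VPN host. IKE (500), NAT-T (4500) and
# ESP are accepted from anywhere; UDP 1701 is accepted only when the packet
# was decrypted from an IPsec SA (-m policy --pol ipsec), so unencrypted L2TP
# sent straight to the server is dropped. The last rule is the one from
# step 12. $1 = public interface, $2 = VPN subnet.
vpn_firewall_rules() {
    iface=$1; subnet=$2
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 1701 -j DROP
iptables -t nat -A POSTROUTING -o $iface -s $subnet -j MASQUERADE
EOF
}

# Usage as root:
#   check_kernel_settings                      # report what steps 5 and 11 left unset
#   sysctl_conf_lines >> /etc/sysctl.conf && sysctl -p
#   vpn_firewall_rules eth0 10.20.30.0/24 | sh  # review the output first
```

Printing the rules instead of applying them lets you read them before they go live and paste them into whatever firewall script the host already runs at boot. The policy match also works for clients behind NAT: NAT-T wraps ESP in UDP 4500, but the kernel still records the IPsec SA on the decapsulated packet, so the 1701 ACCEPT rule matches it while plain UDP 1701 still hits the DROP.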

Resources:

  • Confounded Technology: Android IPSec PSK VPN – Nexus One with OpenSWAN
  • Electic Security: Secure IPsec/L2TP VPN for on the road android devices

    1. j
      Mar 10, 2012 @ 23:49:42

      What goes in /etc/ipsec.d/examples/no_oe.conf?

      I would test this on Android, but I need a complete config.

    2. wingloon
      Mar 12, 2012 @ 11:38:57

      j, leave it as default. I tested this how to with my Android, S2 and it works.

    3. Thomas
      Apr 09, 2012 @ 08:29:54

      j, if you’re using a more current version of xl2tpd than the one provided in lenny (perhaps you’re running squeeze) you don’t want to disable oe by including the file in wingloon’s article.

      In newer versions, oe may be disabled by adding “oe=off” to the “config setup” section. The file referred to in the article no longer exists and is not required.

    4. William Carmichael
      May 01, 2012 @ 10:53:21

      localhost:~# /etc/init.d/ipsec start
      ipsec_setup: (/etc/ipsec.conf, line 1) we only support version 2 ipsec.conf files — `start’ aborted

      This is the error I get when copying your config verbatim.

      Unable to find much documentation on this error.

    5. wingloon
      May 04, 2012 @ 02:32:00

      William, are you using Debian 5.0 Lenny? Try not to copy my config verbatim instead modify accordingly. Thank you.
