How To Install Setup L2TP over IPsec VPN in Debian Lenny

In this how to, I am going to share how to install and set up L2TP over IPsec VPN in Debian Lenny using the openswan and xl2tpd packages. I am going to use a Pre-Shared Key (PSK) for IPsec and CHAP as the authentication mechanism. This how to has been tested with iPad 2, Mac OS X Lion and Windows 7 clients. However, if you have tested this how to with other OSes or smartphones, I would like to hear from you in the comments.

I am using Hostigation KVM (affiliate link) for this how to. Let’s get started; I am running every command as root.

1. Install Openswan in Debian Lenny using the command below (accept the defaults for the questions asked): –

# aptitude install openswan

2. Add the configuration below to the /etc/ipsec.conf file: –

# basic configuration
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	nhelpers=0
	protostack=netkey
	
# Add connections here
conn L2TP-PSK-CLIENTS
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	type=transport
	left=%defaultroute
	leftnexthop=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightsubnet=vhost:%priv,%no
	rightprotoport=17/%any
	dpddelay=40
	dpdtimeout=130
	dpdaction=clear

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

3. Next, enter your preferred Pre-Shared Key (PSK) in the /etc/ipsec.secrets file, as below: –

YourIPHere %any: PSK "sharedsecrethere"

4. Then, restart the IPsec service using the command below: –

# /etc/init.d/ipsec restart

5. Then, configure the Linux kernel using the command below: –

# for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done

6. By now the IPsec configuration is done. Verify it with the command below, which must report no errors: –

# ipsec verify

7. Install xl2tpd in Debian Lenny using the command below: –

# aptitude install xl2tpd

8. Add the xl2tpd configuration below to the /etc/xl2tpd/xl2tpd.conf file: –

[lns default]
ip range = 10.20.30.2-10.20.30.254
local ip = 10.20.30.1
require chap = yes
require authentication = yes
refuse pap = yes
name = LinuxVPNserver
hostname = YourVPNHostname
ppp debug = yes
length bit = yes
pppoptfile = /etc/xl2tpd/ppp-options.xl2tpd

9. Add the PPP configuration below to the /etc/xl2tpd/ppp-options.xl2tpd file: –

crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 8.8.4.4
ms-dns 8.8.8.8
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/ppp.log

10. Configure CHAP, since the xl2tpd configuration above requires CHAP and refuses PAP, by modifying the /etc/ppp/chap-secrets file as below: –

username l2tpd password *
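As an added example that is not part of the original post, the Python script below parses the three files written in steps 2, 3 and 10 (ipsec.conf conn sections, ipsec.secrets PSK lines and pppd's chap-secrets) and reports settings a reviewer would want to check before the server goes live: placeholder values left in place, a PSK shorter than a policy minimum, the single PSK shared by every peer, a CHAP client allowed to claim any tunnel address, and pfs=no on the IPsec connection. The placeholder list and the 20-character PSK minimum are assumptions of this script; the sample inputs are constructed copies of the how-to's own lines.

```python
import re
import shlex

# Assumption of this script: values the how-to uses as "replace me" text.
PLACEHOLDERS = {"sharedsecrethere", "youriphere", "password", "username"}
MIN_PSK_LEN = 20  # assumption: local policy minimum for a pre-shared key

# Constructed sample inputs: the how-to's lines as written.
SAMPLE_IPSEC_SECRETS = 'YourIPHere %any: PSK "sharedsecrethere"\n'
SAMPLE_CHAP_SECRETS = "username l2tpd password *\n"
SAMPLE_IPSEC_CONF = """\
conn L2TP-PSK-CLIENTS
\tauthby=secret
\tpfs=no
\ttype=transport
\tright=%any
"""


def parse_ipsec_secrets(text):
    """Return [(indices, secret)] from ipsec.secrets: the host selectors
    before the colon and the PSK with surrounding quotes removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r'^(?P<idx>[^:]*):\s*PSK\s+(?P<sec>"[^"]*"|\S+)', line)
        if m:
            entries.append((m.group("idx").split(), m.group("sec").strip('"')))
    return entries


def parse_chap_secrets(text):
    """Return [(client, server, secret, addresses)] from pppd's chap-secrets.
    Fields may be double-quoted, so shlex splits them; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def audit(ipsec_secrets, chap_secrets, ipsec_conf):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for indices, psk in parse_ipsec_secrets(ipsec_secrets):
        if psk.lower() in PLACEHOLDERS or any(i.lower() in PLACEHOLDERS for i in indices):
            findings.append("ipsec.secrets: placeholder text left in PSK line")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"ipsec.secrets: PSK is {len(psk)} chars, below {MIN_PSK_LEN}")
        if "%any" in indices:
            findings.append("ipsec.secrets: one PSK shared by every peer; "
                            "rotate it when any client device is lost")
    for client, server, secret, addrs in parse_chap_secrets(chap_secrets):
        if client.lower() in PLACEHOLDERS or secret.lower() in PLACEHOLDERS:
            findings.append(f"chap-secrets: placeholder credentials for server {server}")
        if "*" in addrs:
            findings.append(f"chap-secrets: client {client} may claim any tunnel IP")
    for name, opts in parse_ipsec_conf(ipsec_conf).items():
        if opts.get("pfs") == "no":
            findings.append(f"ipsec.conf: conn {name} has pfs=no "
                            "(no forward secrecy on the IPsec SA)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPSEC_SECRETS, SAMPLE_CHAP_SECRETS, SAMPLE_IPSEC_CONF):
        print(finding)
```

Run against the how-to's lines it prints six findings, all of them expected for an unedited copy of the configuration; after the placeholders are replaced with a real address, a long random PSK and per-user credentials, only the shared-PSK note and the pfs=no note remain, which is the trade-off the roadwarrior PSK setup makes.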

11. Next, enable routing (IP forwarding) in the Linux kernel using the command below: –

# echo 1 > /proc/sys/net/ipv4/ip_forward

12. Next, configure the Linux firewall (iptables) to enable masquerading (Internet sharing) using the command below: –

# iptables -t nat -A POSTROUTING -o eth0 -s 10.20.30.0/24 -j MASQUERADE

Resources:

  • Confounded Technology: Android IPSec PSK VPN – Nexus One with OpenSWAN
  • Electic Security: Secure IPsec/L2TP VPN for on the road android devices