Skip to main content

Raymii.org Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

IPSEC L2TP VPN on Ubuntu 13.04 with OpenSwan, xl2tpd and ppp

Published: 01-12-2014 | Author: Remy van Elst | Text only version of this article


Table of Contents


This is a guide on setting up an IPSEC/L2TP vpn server with Ubuntu 13.04 usingOpenswan as the IPsec server, xl2tpd as the l2tp provider and ppp or local users/ PAM for authentication. It has a detailed explanation with every step. Wechoose the IPSEC/L2TP protocol stack because of recent vulnerabilities found inpptpd VPNs.

This tutorial is available for the following platforms:

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

IPSec encrypts your IP packets to provide encryption and authentication, so noone can decrypt or forge data between your clients and your server. L2TPprovides a tunnel to send data. It does not provide encryption andauthentication though, that is why we need to use it together with IPSec.

To work trough this tutorial you should have:

If you are not running Ubuntu 13.04 you might have to compile the packagesmanually because openswan and xl2tpd in the older repositories seem to havecritical bugs which make this all fail.

I do all the steps as the root user. You should do to, but only via * -i* or *su -*. Do not allow root to login via SSH!

Install ppp openswan and xl2tpd

First we will install the required packages:

apt-get install openswan xl2tpd ppp 

The openswan installation will ask some questions, this tutorial works with thedefault answers (just enter through it).

If you do not have lsof installed you also need to install that, otherwise theipsec verify will fail:

apt-get install lsof

Firewall and sysctl

We are going to set the firewall and make sure the kernel forwards IP packets:

Execute this command to enable the iptables firewall to allow vpn traffic:

iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%

Replace %SERVERIP% with the external IP of your VPS.

Execute the below commands to enable kernel IP packet forwarding and disable ICPredirects.

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.confecho "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.confecho "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.confecho "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.confecho "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.confecho "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.confecho "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf

Now apply these settings for other network interfaces:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

And apply them:

sysctl -p
Persistent settings via /etc/rc.local

To make sure this keeps working at boot you might want to add the following to/etc/rc.local:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; doneiptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%

Add it before the exit 0 line and replace %SERVERIP% with the external IP ofyour VPS.

Configure Openswan (IPSEC)

Use your favorite editor to edit the following file:

/etc/ipsec.conf  

Replace the contents with the following:

(Most lines have a comment below it explaining what it does.)

config setup    dumpdir=/var/run/pluto/    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?    nat_traversal=yes    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.    protostack=netkey    #decide which protocol stack is going to be used.conn L2TP-PSK-noNAT    authby=secret    #shared secret. Use rsasig for certificates.    pfs=no    #Disable pfs    auto=add    #start at boot    keyingtries=3    #Only negotiate a conn. 3 times.    ikelifetime=8h    keylife=1h    type=transport    #because we use l2tp as tunnel protocol    left=%SERVERIP%    #fill in server IP above    leftprotoport=17/1701    right=%any    rightprotoport=17/%any

Replace %SERVERIP% with the external IP of your server.

Do note that the config file has changed with this Ubuntu release. If you haveupgraded Ubuntu or followed an earlier tutorial, make sure you change the configfor ipsec.

The shared secret

The shared secret is defined in the /etc/ipsec.secrets file. Make sure it islong and random:

%SERVERIP%  %any:   PSK "69EA16F2C5DCED8B29E74A7D1B0FE99E69F6BDCD3E44"
Verify IPSEC Settings

Now to make sure IPSEC works, execute the following command:

ipsec verify

My output looks like this:

Checking your system to see if IPsec got installed and started correctly:Version check and ipsec on-path                                 [OK]Linux Openswan U2.6.38/K3.8.0-19-generic (netkey)Checking for IPsec support in kernel                            [OK] SAref kernel support                                           [N/A] NETKEY:  Testing XFRM related proc values                      [OK]    [OK]    [OK]Checking that pluto is running                                  [OK] Pluto listening for IKE on udp 500                             [OK] Pluto listening for NAT-T on udp 4500                          [OK]Checking for 'ip' command                                       [OK]Checking /bin/sh is not /bin/dash                               [WARNING]Checking for 'iptables' command                                 [OK]Opportunistic Encryption Support                                [DISABLED]

The /bin/sh and Opportunistic Encryption warnings can be ignored. The firstone is a openswan bug and the second one causes xl2tpd to trip.

Configure xl2tpd

Use your favorite editor to edit the following file:

/etc/xl2tpd/xl2tpd.conf  

Replace the contents with the following:

[global]ipsec saref = yessaref refinfo = 30[lns default]ip range = 172.16.1.30-172.16.1.100local ip = 172.16.1.1refuse pap = yesrequire authentication = yesppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yes

Do note that the config file has changed with this Ubuntu release. If you haveupgraded Ubuntu or followed an earlier tutorial, make sure you change the configfor xl2tpd.

Local user (PAM//etc/passwd) authentication

To use local user accounts via pam (or /etc/passwd), and thus not having plaintext user passwords in a text file you have to do a few extra steps. Huge thanksto Sascha Scandella for the hard work and troubleshooting.

In your /etc/xl2tpd/xl2tpd.conf add the following line:

unix authentication = yes

and remove the following line:

refuse pap = yes

In the file /etc/ppp/options.xl2tpd make sure you do not add the followingline (below it states to add it, but not if you want to use UNIXauthentication):

require-mschap-v2

Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:

login

Change /etc/pam.d/ppp to this:

auth    required        pam_nologin.soauth    required        pam_unix.soaccount required        pam_unix.sosession required        pam_unix.so

Add the following to /etc/ppp/pap-secrets:

*       l2tpd           ""              *

(And, skip the chap-secrets file below (adding users).)

Configuring PPP

Use your favorite editor to edit the following file:

/etc/ppp/options.xl2tpd  

Replace the contents with the following:

require-mschap-v2ms-dns 8.8.8.8ms-dns 8.8.4.4authmtu 1200mru 1000crtsctshide-passwordmodemname l2tpdproxyarplcp-echo-interval 30lcp-echo-failure 4

Adding users

Every user should be defined in the /etc/ppp/chap-secrets file. Below is anexample file.

# Secrets for authentication using CHAP# client       server  secret                  IP addressesalice          l2tpd   0F92E5FC2414101EA            *bob            l2tpd   DF98F09F74C06A2F             *

Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

/etc/init.d/ipsec restart /etc/init.d/xl2tpd restart

On the client connect to the server IP address (or add a DNS name) with a validuser, password and the shared secret. Test if you have internet access and whichIP you have (via for example http://whatsmyip.org. If it is the VPN servers IPthen it works.

If you experience problems make sure to check the client log files and theubuntu /var/log/syslog and /var/log/auth.log files. If you google the errormessages you most of the time get a good answer.

Tags: debian, ipsec, l2tp, openvpn, pptp, tutorials, ubuntu, vpn