Setting up an L2TP/IPSec server on Debian


You will need

  • A Debian install (I used squeeze, the current Debian testing, but it should work the same way on Lenny)
  • xl2tpd and openswan

These instructions currently only cover setting up L2TP with IPv4. This is due to a limitation with the xl2tpd package. I've also used racoon (ipsec-tools) but it doesn't seem to work properly when disconnecting from Windows. On the client side, I've tested with Windows Vista.

Installing required packages

Run the following command to install the packages needed:

aptitude install xl2tpd openswan

This should pull in the pppd package and other dependencies as needed.

Configuring openswan

This is a sample configuration file for ipsec.conf which works with pre-shared keys (PSK) rather than X.509 certificates. Paste the following into a file /etc/ipsec.conf:

config setup


conn L2TP-PSK-noNAT
  left=   <-- replace this IP address with the IPv4 address of this machine

conn passthrough-for-non-l2tp
  left=  <-- replace this IPv4 address with the IPv4 address of this machine

In a file /etc/ipsec.secrets, insert the following:

%any: "mysecretpresharedkeypassword"   <-- replace the address with the IPv4 address of this machine

The first field is the IPv4 address of this machine, the second field is the remote address (I am using %any to match anything) and the third field is the PSK password in quotes. You can have multiple lines in this file should you wish to add more entries. Important: Make this file readable only by root and by no one else.
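One way to check the point above before starting openswan, as an added example that is not part of the original wiki page: a shell function that verifies the secrets file is owned by root with no group or other access, and that the placeholder PSK from this page is not still in use. The function name, the 20-character minimum and the reliance on GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit an openswan-style secrets file (GNU stat assumed).
MIN_PSK_LEN=20                              # assumed threshold, not from the page
SAMPLE_PSK='mysecretpresharedkeypassword'   # placeholder PSK used on this page

# audit_secrets FILE [OWNER_UID]
# Prints one line per finding; exit status is the number of findings.
audit_secrets() {
    file=$1
    want_uid=${2:-0}                        # root unless told otherwise
    findings=0

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is a symlink or not a regular file"
        return 1
    fi

    uid=$(stat -c '%u' "$file")             # numeric owner
    mode=$(stat -c '%a' "$file")            # octal permission bits
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL: $file owned by uid $uid, expected $want_uid"
        findings=$((findings + 1))
    fi
    # Any group/other bit means someone besides the owner can reach the PSK.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected 600 or stricter"
        findings=$((findings + 1))
    fi

    # First quoted string on each non-comment line is treated as the secret.
    secrets=$(sed -n '/^[[:space:]]*#/!s/^[^"]*"\([^"]*\)".*/\1/p' "$file")
    while IFS= read -r psk; do
        [ -n "$psk" ] || continue
        if [ "$psk" = "$SAMPLE_PSK" ]; then
            echo "FAIL: tutorial placeholder PSK is still in use"
            findings=$((findings + 1))
        elif [ "${#psk}" -lt "$MIN_PSK_LEN" ]; then
            echo "FAIL: a PSK is shorter than $MIN_PSK_LEN characters"
            findings=$((findings + 1))
        fi
    done <<EOF
$secrets
EOF
    return "$findings"
}

# Run against a file when one is given, e.g.: sh audit.sh /etc/ipsec.secrets
if [ $# -gt 0 ]; then audit_secrets "$@"; fi
```

An exit status of 0 means the file passed every check; the findings never print the secret itself.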


TODO: Put in appropriate ports here

Setting up xl2tpd and pppd

Paste the following into a file /etc/xl2tpd/xl2tpd.conf:

[global]                ; Global parameters:
port = 1701             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
access control = no         ; * Accept connections from any peer IP (yes = only listed peers)
rand source = dev                     ; Source for entropy for random

[lns default]             ; Our fallthrough LNS definition
exclusive = no            ; * Allow more than one tunnel per host
ip range = -  <-- enter the IP range you wish to give out to your clients here
local ip =      <-- address of the L2TP end of the tunnel (i.e. this machine)
refuse authentication = yes     ; * Refuse authentication altogether
refuse pap = yes            ; * Refuse PAP authentication
refuse chap = yes           ; * Refuse CHAP authentication
ppp debug = no            ; * PPP debugging off (set to yes to turn it on)
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file

Paste the following into a file /etc/ppp/options.l2tpd:

# Do not support BSD compression.

# Allow all usernames to connect.
name *
lcp-echo-failure 10
lcp-echo-interval 5

# Do not authenticate incoming connections. This is handled by IPsec.

# Set the DNS servers the PPP clients will use.
ms-dns  <-- change this to the IPv4 address of your DNS server
ms-dns  <-- add extra entries if necessary

mtu 1400
mru 1400

Starting up

Once the above is done, (re)start openswan and xl2tpd:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Configuring Windows Vista as a L2TP/IPSec client

I have not tested this on Windows XP, but it might work...

  • 1. Go to the Control Panel
  • 2. Double-click on Network and Sharing Center
  • 3. Choose "Set up a connection or network"
  • 4. Choose "Connect to a workplace"
  • 5. Choose "No, create a new connection"
  • 6. Choose "Use my Internet connection (VPN)"
  • 7. Enter the IPv4 address or host name of your L2TP/IPSec server in the "Internet Address" box
  • 8. In the "Destination Name" box, choose a name for your VPN and enter it there
  • 9. Tick "Don't connect now; just set it up so I can connect later" check box
  • 10. Press Next
  • 11. Press Create (user name, password and domain name not required for L2TP tunnels as it is not the PPP that does the authentication)
  • 12. Push Close
  • 13. Back at the Network and Sharing Center, choose "Manage Network Connections"
  • 14. Right click on the VPN definition you have just created and choose "Properties"
  • 15. Click on the Options tab
  • 16. Untick "Prompt for name and password, certificate, etc."
  • 17. Untick "Include Windows logon domain"
  • 18. Click on Security tab
  • 19. Choose Advanced (Custom Settings) radio button
  • 20. Click on Settings... button that lights up
  • 21. Change the Data encryption drop-down box to "Optional encryption (connect even if no encryption)"
  • 22. Tick all the check boxes under "allow these protocols"
  • 23. Click OK
  • 24. Click on Networking tab
  • 25. Choose "L2TP/IPSec VPN" for Type of VPN drop-down box
  • 26. Click on IPSec Settings... button
  • 27. Click on "Use preshared key for authentication"
  • 28. Enter the pre-shared key you defined in the file above into this box
  • 29. Click OK
  • 30. Click OK again

Now try to connect and see if it works!
