Setting up an L2TP/IPSec server on Debian
You will need
- A Debian install (I used squeeze, the current Debian testing, but should work the same way on Lenny)
- xl2tpd and openswan
These instructions currently only cover setting up L2TP with IPv4. This is due to a limitation with the xl2tpd package. I've also used racoon (ipsec-tools) but it doesn't seem to work properly when disconnecting from Windows. I've tested on the client side Windows Vista.
Installing required packages
Run the following commands to install the packages needed:
aptitude install xl2tpd openswan
This should pull in the pppd package and other dependencies as needed.
This is a sample configuration file for ipsec.conf which works with pre-shared keys (PSK) rather than X.509 certificates. Paste the following into a file /etc/ipsec.conf:
config setup protostack=netkey nat_traversal=yes conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=172.16.31.1 <-- replace this IP address with the IPv4 address of this machine leftprotoport=17/1701 right=%any rightprotoport=17/1701 conn passthrough-for-non-l2tp type=passthrough left=172.16.31.1 <-- replace this IPv4 address with the IPv4 address of this machine leftnexthop=0.0.0.0 right=0.0.0.0 rightsubnet=0.0.0.0/0 auto=route
In a file /etc/ipsec.secrets, insert the following:
172.16.31.1 %any: "mysecretpresharedkeypassword" <-- replace the address with the IPv4 address of this machine
The first field is the IPv4 address of this machine, the second field is the remote address (I am using %any to match anything) and the third field is the PSK password in quotes. You can have multiple lines in this file should you wish to add more entries. Important: Make this file only readable by root and nothing else
TODO: Put in appropriate ports here
Setting up xl2tpd and pppd
Paste the following into a file /etc/xl2tpd/xl2tpd.conf:
[global] ; Global parameters: port = 1701 ; * Bind to port 1701 auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are access control = no ; * Refuse connections without IP match rand source = dev ; Source for entropy for random [lns default] ; Our fallthrough LNS definition exclusive = no ; * Only permit one tunnel per host ip range = 184.108.40.206 - 220.127.116.11 <-- enter the IP range you wish to give out to your clients here local ip = 18.104.22.168 <-- address of the L2TP end of the tunnel (i.e. this machine) refuse authentication = yes ; * Refuse authentication altogether refuse pap = yes ; * Refuse PAP authentication refuse chap = yes ppp debug = no ; * Turn on PPP debugging pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
Paste the following into a file /etc/ppp/options.l2tpd:
# Do not support BSD compression. nobsdcomp passive lock # Allow all usernames to connect. name * proxyarp ipcp-accept-local ipcp-accept-remote lcp-echo-failure 10 lcp-echo-interval 5 nodeflate # Do not authenticate incoming connections. This is handled by IPsec. noauth refuse-chap refuse-mschap refuse-mschap-v2 # Set the DNS servers the PPP clients will use. ms-dns 22.214.171.124 <-- change this to the IPv4 address of your DNS server ms-dns 126.96.36.199 <-- add extra entries if necessary mtu 1400 mru 1400
Once the above is done, (re)start openswan and xl2tpd:
/etc/init.d/ipsec restart /etc/init.d/xl2tpd restart
Configuring Windows Vista as a L2TP/IPSec client
I have not tested this on Windows XP, but it might work...
- 1. Go to the Control Panel
- 2. Double-click on Network and Sharing Center
- 3. Choose "Set up a connection or network"
- 4. Choose "Connect to a workplace"
- 5. Choose "No, create a new connection"
- 6. Choose "Use my Internet connection (VPN)"I
- 7. Enter the IPv4 address or host name of your L2TP/IPSec server in the "Internet Address" box
- 8. In the "Destination Name" box, choose a name for your VPN and enter it there
- 9. Tick "Don't connect now; just set it up so I can connect later" check box
- 10. Press Next
- 11. Press Create (user name, password and domain name not required for L2TP tunnels as it is not the PPP that does the authentication)
- 12. Push Close
- 13. Back at the Network and Sharing Center, choose "Manage Network Connections"
- 14. Right click on the VPN definition you have just created and choose "Properties"
- 15. Click on the Options tab
- 16. Untick "Prompt for name and password, certificate, etc."
- 17. Untick "Include Windows logon domain"
- 18. Click on Security tab
- 19. Choose Advanced (Custom Settings) radio button
- 20. Click on Settings... button that lights up
- 21. Change the Data encryption drop-down box to "Optional encryption (connect even if no encryption)"
- 22. Tick all the check boxes under "allow these protocols"
- 23. Click OK
- 24. Click on Networking tab
- 25. Choose "L2TP/IPSec VPN" for Type of VPN drop-down box
- 26. Click on IPSec Settings... button
- 27. Click on "Use preshared key for authentication"
- 28. Enter the pre-shared key you defined in the file above into this box
- 29. Click OK
- 30. Click OK again
Now try to connect and see if it works!