This is how I installed an L2TP/IPsec VPN server on a Debian Squeeze Linux box at home; now I can connect to the VPN from my iPhone, iPad and Windows 7 laptop.
All of this comes from here, well documented by Steeve, but just in case it disappears one day, and for my own reference, I am adding it to my blog. For more detailed instructions and explanations, see his blog.
My local network is 192.168.1.0/24, the VPN server is 192.168.1.7 and my local DNS server is 192.168.1.8.
What do you need?
- A Debian Linux box with:
- Openswan
- xl2tpd
Install the software
aptitude install openswan xl2tpd
During installation, choose not to use a certificate; we will use a pre-shared key.
Edit the file /etc/ipsec.conf. My local network is 192.168.1.0/24, so I changed the virtual_private line as follows:
virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
In the same file, this setting removed the warning about the certificate when starting the service:
protostack=netkey
Then paste the following at the end of the file (the parameter lines of a conn section must be indented):
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    dpddelay=30
    dpdtimeout=60
    dpdaction=clear
    compress=yes
    left=%defaultroute
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/0
    auto=add
Now edit /etc/ipsec.secrets and add a line similar to this:
%any %any: PSK "MyPreSharedKeyStrongPassword"
If your external IP is fixed, you can replace the first %any with your external IP; mine is not.
Then edit /etc/xl2tpd/xl2tpd.conf. I added the following to mine:
[global]
access control = no
rand source = dev

[lns default]
ip range = 192.168.1.100-192.168.1.110
local ip = 192.168.1.7
require chap = yes
refuse pap = no
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
length bit = yes
ip range is the LAN range reserved for the VPN clients; these addresses should be removed from your DHCP range. local ip is the VPN server's IP.
Now copy the file /etc/ppp/options to /etc/ppp/options.l2tp:
cp /etc/ppp/options /etc/ppp/options.l2tp
and edit the new file /etc/ppp/options.l2tp so that it contains:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.8
noccp
name vpn
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin pppol2tp.so
require-mschap-v2
ms-dns is your local DNS server; name is a name that will be used in the next file.
Finally, add entries to /etc/ppp/chap-secrets to set up individual VPN users:
# client  server  secret        IP addresses
mylogin   vpn     "mypassword"  192.168.1.7/24
vpn       mylogin "mypassword"  192.168.1.7/24
mylogin is the client's login; vpn must match the name parameter from the previous file, options.l2tp. The last parameter is the subnet and mask to match this client; it should be the range of your internal network.
Now, if you want to reach other computers on your LAN from your VPN client, you need to enable IP forwarding:
echo 1 >/proc/sys/net/ipv4/ip_forward
Of course, if you have an internet gateway, you need to forward the UDP ports from it to your Linux box, and also open the ports in your Linux box's firewall if one is active. The ports are UDP 500, UDP 1701 and UDP 4500.
This procedure works fine for my iPhone and Windows 7 clients.
For the Windows 7 client to work, you need to uncheck the box "Unsecured password (PAP)" in the Security tab of the connection properties and check CHAP and MS-CHAP v2. Also enter your PSK under the advanced settings of the VPN type.
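As an added example (not part of the original post nor of Steeve's instructions), here is a small POSIX shell script that sanity-checks the server configuration above before clients are pointed at it: that the xl2tpd ip range really lies outside the LAN DHCP pool, that every chap-secrets entry refers to the pppd name set in options.l2tp (a mismatch there means nobody can authenticate), that the PSK in ipsec.secrets has a minimum length, and that IP forwarding is also enabled in a sysctl.conf-style file, because the echo into /proc/sys only lasts until the next reboot. The sample files it writes to a temporary directory and the DHCP range 192.168.1.20-192.168.1.99 are constructed for the example; on a live box, point the functions at /etc/ppp/options.l2tp, /etc/ppp/chap-secrets, /etc/ipsec.secrets and /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example: sanity checks for the L2TP/IPsec server configuration above.
# Not part of the original post. The sample files below are constructed; on a
# real box point the functions at the files under /etc instead.

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 when two "a.b.c.d-a.b.c.d" ranges do not overlap, 1 when they do.
# Confirms the xl2tpd "ip range" was really taken out of the DHCP pool.
ranges_disjoint() {
    a_lo=$(ip2int "${1%-*}"); a_hi=$(ip2int "${1#*-}")
    b_lo=$(ip2int "${2%-*}"); b_hi=$(ip2int "${2#*-}")
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Return 0 when every chap-secrets entry carries the pppd "name" from
# options.l2tp in its client or server column, 1 otherwise.
chap_names_match() {
    pppname=$(awk '$1 == "name" { print $2; exit }' "$1")
    [ -n "$pppname" ] || return 1
    awk -v n="$pppname" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 != n && $2 != n { bad = 1 }
        END { exit bad }' "$2"
}

# Return 0 when the quoted PSK in an ipsec.secrets file is at least $2 characters.
psk_min_length() {
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$psk" ] && [ "${#psk}" -ge "$2" ]
}

# Return 0 when a sysctl.conf-style file enables net.ipv4.ip_forward, so that
# forwarding comes back after a reboot (the echo into /proc/sys does not persist).
ip_forward_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# --- constructed sample files mirroring the post's configuration ------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OPTS_FILE="$WORK/options.l2tp"
CHAP_FILE="$WORK/chap-secrets"
SECRETS_FILE="$WORK/ipsec.secrets"
SYSCTL_FILE="$WORK/sysctl.conf"

printf '%s\n' 'ms-dns 192.168.1.8' 'name vpn' 'require-mschap-v2' > "$OPTS_FILE"
printf '%s\n' '# client  server  secret  IP addresses' \
    'mylogin vpn "mypassword" 192.168.1.7/24' \
    'vpn mylogin "mypassword" 192.168.1.7/24' > "$CHAP_FILE"
printf '%s\n' '%any %any: PSK "MyPreSharedKeyStrongPassword"' > "$SECRETS_FILE"
printf '%s\n' '#net.ipv4.ip_forward=1' 'net.ipv4.ip_forward = 1' > "$SYSCTL_FILE"

VPN_RANGE='192.168.1.100-192.168.1.110'   # the xl2tpd "ip range" from the post
DHCP_RANGE='192.168.1.20-192.168.1.99'    # constructed: the LAN DHCP pool

# Run every check, print a verdict per check, return non-zero if any failed.
run_checks() {
    rc=0
    ranges_disjoint "$VPN_RANGE" "$DHCP_RANGE" \
        && echo "ok: VPN ip range is outside the DHCP pool" \
        || { echo "FAIL: VPN ip range overlaps the DHCP pool"; rc=1; }
    chap_names_match "$OPTS_FILE" "$CHAP_FILE" \
        && echo "ok: chap-secrets entries match the pppd name" \
        || { echo "FAIL: a chap-secrets entry does not match the pppd name"; rc=1; }
    psk_min_length "$SECRETS_FILE" 20 \
        && echo "ok: PSK is at least 20 characters" \
        || { echo "FAIL: PSK is shorter than 20 characters"; rc=1; }
    ip_forward_persisted "$SYSCTL_FILE" \
        && echo "ok: ip_forward is persisted in sysctl.conf" \
        || { echo "FAIL: ip_forward is not enabled in sysctl.conf"; rc=1; }
    return $rc
}

run_checks
```

The range check only compares the two pools; it does not confirm that the DHCP server actually excludes those addresses, so read DHCP_RANGE from the DHCP server's own configuration before trusting the result on a real network.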