L2TP/IPSec with Pre-Shared Key (PSK) VPN server


I want to be able to reach my home network from my phone or laptop – PPTP is too insecure, and OpenVPN is still too much of a headache and not generally built into Android.

I followed these two guides: http://pleasefeedthegeek.wordpress.com/2012/04/21/l2tp-ubuntu-server-setup-for-ios-clients/ and http://vitobotta.com/l2tp-ipsec-vpn-server/

Let’s install/modify several files.
We will assume that 192.168.1.0/24 is your local subnet, and your server is 192.168.1.2 in that subnet. The VPN will be on the 10.10.0.0/24 subnet.

sudo apt-get install openswan ppp xl2tpd

Edit /etc/ipsec.conf to contain the following:

config setup
    # clients behind NAT need UDP 4500 (NAT-T) encapsulation
    nat_traversal=yes
    virtual_private=%v4:10.10.0.0/24
    protostack=netkey

conn L2TP-PSK-NAT
    # accept clients that appear from private (NATed) addresses
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # authenticate with the PSK from /etc/ipsec.secrets
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # transport mode: IPsec protects only the L2TP (UDP 1701) packets
    type=transport
    left=192.168.1.2
    leftnexthop=192.168.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # dead peer detection, so stale tunnels are cleared
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

Edit /etc/xl2tpd/xl2tpd.conf to contain the following:

[global]
ipsec saref = yes
[lns default]
ip range = 10.10.0.2-10.10.0.10
local ip = 10.10.0.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Edit /etc/ppp/options.xl2tpd to contain the following:

require-mschap-v2
ms-dns 192.168.1.1
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Edit /etc/ppp/chap-secrets to contain the following (changing the client names and the client passwords):

Client1 l2tpd Client1Password 10.10.0.2
Client2 l2tpd Client2Password 10.10.0.3

Edit /etc/ipsec.secrets to contain the following (changing the IPs and the PSK):

192.168.1.2 %any: PSK "YourPreSharedKey"
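The PSK is the only thing standing between the internet and your IKE negotiation, so it should be long and random, and both secrets files should be readable by root only. As an added example (not from this post or the guides it follows), here is a small POSIX shell script that generates a random PSK and writes both files with 0600 permissions; the function names, the path parameters and the --demo flag are my own, so try it against a scratch directory before pointing it at /etc.

```shell
#!/bin/sh
# Added example, not part of the original post.
set -eu

# 32 random bytes, base64-encoded: about 43 printable characters.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_ipsec_secrets <file> <server-ip> <psk>
# Produces the one-line layout the post uses: "<server-ip> %any: PSK "<psk>"".
write_ipsec_secrets() {
    # subshell so the restrictive umask does not leak into the caller;
    # a new file is created 0600 (666 & ~077), readable by root only.
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$3" > "$1" )
}

# write_chap_secrets <file> <user> <password> <assigned-ip>
# Appends a line in the chap-secrets layout: client, server name (l2tpd), password, VPN IP.
write_chap_secrets() {
    ( umask 077; printf '%s l2tpd %s %s\n' "$2" "$3" "$4" >> "$1" )
}

# Demo run writes into a temporary directory (hypothetical flag, not a real tool option).
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_ipsec_secrets "$dir/ipsec.secrets" 192.168.1.2 "$(gen_psk)"
    write_chap_secrets "$dir/chap-secrets" Client1 "$(gen_psk)" 10.10.0.2
    ls -l "$dir"
    cat "$dir/ipsec.secrets" "$dir/chap-secrets"
fi
```

Copy the generated PSK into the client's "IPSec pre-shared key" field; a password manager is a better place for it than a phone's notes app.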

Restart the daemons:

sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart

You must forward ports 500, 4500, and 1701 (UDP only) to your server on your router, and then also add the following to your /etc/rc.local above the “exit 0” line:

# let the server route packets between VPN clients and the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward

# do not accept or send ICMP redirects on any interface
for each in /proc/sys/net/ipv4/conf/*
do
  echo 0 > "$each"/accept_redirects
  echo 0 > "$each"/send_redirects
done

# IKE (500), NAT-T (4500) and L2TP (1701), all UDP
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
# forward VPN client traffic and NAT it out of the LAN interface (eth0 here; change it if yours differs)
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE

Run your /etc/rc.local:

sudo /etc/rc.local

Then set up your client:

Type: L2TP/IPSec PSK
Server address: (your public facing domain or IP, could be dynamic domain)
L2TP secret: (not used)
IPSec identifier: (not used)
IPSec pre-shared key: YourPreSharedKey
Username: Client1
Password: Client1Password

Enjoy!
