
Linux L2TP/IPsec VPN server

Building an L2TP/IPsec VPN server on Linux can be easy but troublesome. This post lists the steps to set up the tunnel.

L2TP/IPsec is another type of VPN tunnel, besides PPTP, that Windows XP and other Windows platforms can connect to out of the box.

L2TP/IPsec means building an L2TP tunnel over IPsec. To establish the IPsec session, your client (a Windows host) must either present a pre-shared key (PSK) or a valid client certificate installed in the computer account.

Our setup:

  • Accept PSK or client cert
  • Authenticate the user with RADIUS using MSCHAPv2

Software

  • Slackware 13.37
  • xl2tpd 1.3
  • strongswan 4.6.2
  • freeradius
  • samba & ldap

xl2tpd

Installation

tar zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
#################################
# modify Makefile
PREFIX?=/usr/local/xl2tpd
#################################
make
make install

Configuration

/etc/xl2tpd/xl2tpd.conf

[global]
port = 1701 
[lns default]
;ip range = 172.16.45.51-249
assign ip = no
local ip = 192.168.72.1
require authentication = yes 
pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/options.xl2tpd

ms-dns 192.168.1.1
ms-wins 192.168.1.1
#nomppe
require-mppe-128
+mschap-v2
+mschap
debug
plugin radius.so
plugin radattr.so

Strongswan

Installation

./configure --prefix=/usr/local/strongswan --enable-nat-transport --enable-eap-radius --enable-eap-mschapv2 --enable-eap-peap --enable-eap-identity --enable-openssl --enable-md4 --enable-curl --enable-dhcp --enable-farp
make
make install

Configuration

/usr/local/strongswan/etc/ipsec.conf

config setup
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn ipsec-x509
    left=%defaultroute
    # leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    pfs=no
    auto=add
    keyexchange=ikev1
    # type=tunnel
    # rekey=no
    # authby=psk
    authby=rsasig
    leftcert=/usr/local/strongswan/etc/mycert.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn ipsec-psk
    left=%defaultroute
    # leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    pfs=no
    auto=add
    keyexchange=ikev1
    # type=tunnel
    # rekey=no
    authby=psk

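Added here as an example, not part of the original post: a small Python audit that parses the ipsec.conf format shown above and flags the settings worth reviewing in this setup (the L2TP-only proto/port restriction, pfs=no, and PSK with IKEv1). The sample config is constructed from the two conns above, trimmed to the keys the audit looks at.

```python
# Constructed input: the two conns from the post's ipsec.conf, trimmed to the keys audited here.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8
conn ipsec-x509
    leftprotoport=17/1701
    pfs=no
    keyexchange=ikev1
    authby=rsasig
    leftcert=/usr/local/strongswan/etc/mycert.pem

conn ipsec-psk
    leftprotoport=17/1701
    pfs=no
    keyexchange=ikev1
    authby=psk
"""

def parse_ipsec_conf(text):
    """Map each section ('config setup', 'conn name') to its key=value settings.
    Sections start in column 0, settings are indented, '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header, e.g. "conn ipsec-psk"
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit_conn(name, conn):
    """Findings a reviewer raises for one conn of an L2TP/IPsec responder."""
    findings = []
    if conn.get("leftprotoport") != "17/1701":
        findings.append(f"{name}: server side not restricted to L2TP (udp/1701)")
    if conn.get("pfs", "yes") == "no":   # strongswan default for ikev1 is pfs=yes
        findings.append(f"{name}: pfs=no, no DH in quick mode so phase-2 keys derive from the IKE SA")
    if conn.get("authby") == "psk" and conn.get("keyexchange") == "ikev1":
        findings.append(f"{name}: IKEv1 with a shared PSK; keep it long and rotate it")
    return findings

def audit(text):
    return [f for name, conn in parse_ipsec_conf(text).items()
            if name.startswith("conn ") for f in audit_conn(name[5:], conn)]
```

The pfs=no and PSK findings are expected for the Windows-client setup described here; the point of the audit is that they are acknowledged rather than overlooked when the config is copied elsewhere.
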
/usr/local/strongswan/etc/ipsec.secrets

The private key of your cert and the PSK are defined here:

: PSK "yourverysecretpsk"
: RSA /usr/local/strongswan/etc/mykey.pem

CA cert

Put the whole certificate chain in /usr/local/strongswan/etc/ipsec.d/cacerts, i.e. the CA that issues the machine (client) certificates and the CA of your server cert.

Radius Client Setup

We won't go through the installation of freeradius; see my other posts for the details.

/etc/radiusclient/servers

Set up the shared secret with the RADIUS server:

localhost                                       mysecretpwd

/etc/radiusclient/radiusclient.conf

Mainly, you need to set authserver and acctserver:

authserver      localhost
acctserver      localhost

/etc/radiusclient/dictionary

Append the following:

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

FreeRadius

Configure freeradius to support MSCHAPv2 and to assign an IP address to the PPP link created by xl2tpd (xl2tpd.conf above sets assign ip = no, so the address comes from RADIUS). Ensure the shared secret is set up correctly in etc/raddb/clients.conf.

Windows client issues

Certificate issue

The client certificate must be stored under the machine (computer) account, and the whole server certificate chain must be installed and trusted in Windows.

Convert the certificate to PKCS#12 format

openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out wincert.pfx -name 'WinXP2-vbox cert' -chain -CAfile ../allchain.pem