Building a L2TP\/IPsec VPN server on Linux could be easy but troublesome. This post list out the steps to setup the tunnel.<\/p>\n
L2TP\/IPsec is another type of VPN tunnerl, beside PPTP, which could be get connected by WinXP, or other Windows platform, out of the box. Our setup:<\/p>\n The key of your cert & the PSK should be define here<\/p>\n You should put all of your certificate chain in \/usr\/local\/strongswan\/etc\/ipsec.d\/cacerts<\/strong>, e.g., the CA issue for machine, the CA of your server cert.<\/p>\n We won’t go through the installation of freeradius, you could reference my other posts for the detail.<\/p>\n Setup the secret with the RADIUS serer<\/p>\n Mainly, you should setup authserver<\/strong> and acctserver<\/strong><\/p>\n Append following:<\/p>\n You should configure your freeradius to support MSCHAPv2 and assign IP to the PPP link created by xl2tpd. Ensure the secret<\/strong> is set up correctly in etc\/raddb\/clients.conf<\/strong><\/p>\n The client certificate should be store under machine account<\/strong>. And the whole server certificate chain should be trusted and installed in Windows.<\/p>\n
\n
\nL2TP\/IPsec means building a L2TP tunner over IPSec. To establish and IPSec session, your client, Windows host, should either present a Pre-Shared-Secret or a valid client cert installed in computer account<\/strong><\/p>\n\n
Software<\/h1>\n
\n
xl2tpd<\/h1>\n
Installation<\/h2>\n
\r\ntar zxvf xl2tpd-1.3.0.tar.gz\r\ncd xl2tpd-1.3.0\r\n#################################\r\n# modify Makefile\r\nPREFIX?=\/usr\/local\/xl2tpd\r\n#################################\r\nmake\r\nmake install\r\n<\/pre>\n
Configuration<\/h2>\n
\/etc\/xl2tpd\/xl2tpd.conf<\/h3>\n
\r\n[global]\r\nport = 1701 \r\n[lns default]\r\n;ip range = 172.16.45.51-249\r\nassign ip = no\r\nlocal ip = 192.168.72.1\r\nrequire authentication = yes \r\npppoptfile = \/etc\/ppp\/options.xl2tpd\r\n<\/pre>\n
\/etc\/ppp\/options.xl2tpd<\/h3>\n
\r\nms-dns 192.168.1.1\r\nms-wins 192.168.1.1\r\n#nomppe\r\nrequire-mppe-128\r\n+mschap-v2\r\n+mschap\r\ndebug\r\nplugin radius.so\r\nplugin radattr.so\r\n<\/pre>\n
Strongswan<\/h1>\n
Installation<\/h2>\n
\r\n.\/configure --prefix=\/usr\/local\/strongswan --enable-nat-transport --enable-eap-radius --enable-eap-mschapv2 --enable-eap-peap --enable-eap-identity --enable-openssl --enable-md4 --enable-curl --enable-dhcp --enable-farp\r\nmake\r\nmake install\r\n<\/pre>\n
Configuration<\/h2>\n
\/usr\/local\/strongswan\/etc\/ipsec.conf<\/h3>\n
\r\nconfig setup\r\n nat_traversal=yes\r\n # virtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12\r\n\r\nconn ipsec-x509\r\n left=%defaultroute\r\n # leftnexthop=%defaultroute\r\n leftprotoport=17\/1701\r\n right=%any\r\n rightprotoport=17\/%any\r\n pfs=no\r\n auto=add\r\n keyexchange=ikev1\r\n # type=tunnel\r\n # rekey=no\r\n # authby=psk\r\n authby=rsasig\r\n leftcert=\/usr\/local\/strongswan\/etc\/mycert.pem\r\n leftrsasigkey=%cert\r\n rightrsasigkey=%cert\r\n\r\nconn ipsec-psk\r\n left=%defaultroute\r\n # leftnexthop=%defaultroute\r\n leftprotoport=17\/1701\r\n right=%any\r\n rightprotoport=17\/%any\r\n pfs=no\r\n auto=add\r\n keyexchange=ikev1\r\n # type=tunnel\r\n # rekey=no\r\n authby=psk\r\n<\/pre>\n
\/usr\/local\/strongswan\/etc\/ipsec.secrets<\/h3>\n
\r\n: PSK \"yourverysecretpsk\"\r\n: RSA \/usr\/local\/strongswan\/etc\/mykey.pem\r\n<\/pre>\n
CA cert<\/h3>\n
Radius Client Setup<\/h1>\n
\/etc\/radiusclient\/servers<\/h2>\n
\r\nlocalhost mysecretpwd\r\n<\/pre>\n
\/etc\/radiusclient\/radiusclient.conf<\/h2>\n
\r\nauthserver localhost\r\nacctserver localhost\r\n<\/pre>\n
\/etc\/radiusclient\/dictionary<\/h2>\n
\r\nINCLUDE \/etc\/radiusclient\/dictionary.merit\r\nINCLUDE \/etc\/radiusclient\/dictionary.microsoft\r\n<\/pre>\n
FreeRadius<\/h1>\n
Windows client issues<\/h1>\n
Certificate issue<\/h2>\n
Convert certificate to pkcs12 format<\/h2>\n
\r\nopenssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out wincert.pfx -name 'WinXP2-vbox cert' -chain -CAfile ..\/allchain.pem\r\n<\/pre>\n