8/05/2012

Setup L2TP/IPsec VPN server on Ubuntu


1. Installing OpenSWAN
There are a few IPsec implementations for Linux: FreeSWAN, OpenSWAN and StrongSWAN. Here we are going to deal with OpenSWAN.
The current version of OpenSWAN in Ubuntu Lucid is 2.6.23. Unfortunately this version ships with a bug that makes it work badly with the L2TP server, so we have to upgrade it to at least version 2.6.24.
1.1. Add the 3rd-party apt source (PPA) for OpenSWAN:
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:openswan/ppa
sudo apt-get update
1.2. Check the candidate version; it should be at least 2.6.24:
# apt-cache policy openswan
openswan:
  Installed: (none)
  Candidate: 1:2.6.28-1xelerance3
  Version table:
     1:2.6.28-1xelerance3 0
        500 http://ppa.launchpad.net/openswan/ppa/ubuntu/ lucid/main Packages
1.3. Install
sudo apt-get install openswan
If you are asked "Use an X.509 certificate for this host?", just answer No.

2. Configuring OpenSWAN

2.0. Set bash variables
You may have to set your own values; here I'm just using arbitrary values as examples:
L2TP server IP: 192.168.1.1, VPN subnet prefix: 10.1.1.0/24, username: user, password: 1234.
export SERVER=192.168.1.1
export NET=10.1.1
export USER1=user
export PASS1=1234
2.1. Setup sysctl
sudo mv /etc/sysctl.conf /etc/sysctl.conf.bak
 
sudo bash -c "cat > /etc/sysctl.conf <
2.2. Refresh sysctl
sudo sysctl -p
 
sudo bash -c 'for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
'
2.3. Setup up iptables
sudo mv /etc/rc.local /etc/rc.local.bak
 
sudo bash -c "cat > /etc/rc.local <$NET.0/24 -o eth0 -j MASQUERADE
exit 0
EOF
"
sudo chmod +x /etc/rc.local
2.4. Refresh iptables
sudo /etc/rc.local
2.5. Setup ipsec.secrets
sudo mv /etc/ipsec.secrets /etc/ipsec.secrets.bak
sudo bash -c "cat > /etc/ipsec.secrets <<EOF
$SERVER %any: PSK \"$PASS1\"
EOF
"
2.6. Setup ipsec.conf
sudo mv /etc/ipsec.conf /etc/ipsec.conf.bak
sudo bash -c "cat > /etc/ipsec.conf <$SERVER
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
"
2.7. Make ipsec service started by default
Run the following command so that the ipsec service starts automatically at boot:
sudo update-rc.d ipsec defaults

3. Installing xl2tpd

We all know how to do this:
sudo apt-get install xl2tpd

4. Configuring xl2tpd

4.1. Setup xl2tpd.conf
sudo mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
sudo bash -c "cat > /etc/xl2tpd/xl2tpd.conf <$NET.2-$NET.255
local ip = $NET.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
"
4.2. Setup options.xl2tpd
sudo mv /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
sudo bash -c "cat > /etc/ppp/options.xl2tpd <
4.3. Setup chap-secrets
sudo mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
sudo bash -c "cat > /etc/ppp/chap-secrets <<EOF
$USER1       l2tpd       $PASS1       *
EOF
"
5. Start L2TP server
At this point the L2TP/IPsec server is fully configured. It can be used once both services have been (re)started:
sudo invoke-rc.d xl2tpd restart
sudo invoke-rc.d ipsec restart
Check the IPsec server status with the command "ipsec verify"; the output should look like this:
# sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.28/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                         [OK]
NETKEY detected, testing for disabled ICMP send_redirects    [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                               [OK]
Pluto listening for IKE on udp 500                           [OK]
Pluto listening for NAT-T on udp 4500                        [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]

6. Testing L2TP server

Just grab a device that supports connecting to an L2TP server; Android and iPhone both do this well. If you used the same variable values as mine, the server IP address is 192.168.1.1, the username is user, and the L2TP password and the IPsec pre-shared key are both 1234.
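The two secrets files written in sections 2.5 and 4.3 end up with a four-character pre-shared key and the default file permissions. The script below is an added example, not part of the original post: it generates a random PSK, writes ipsec.secrets and chap-secrets in the same formats the post uses but with mode 600, and audits the result. The variable names SERVER, USER1 and PASS1 follow the post; ROOT is an assumption added here so the functions can be exercised against a temporary directory tree (leave ROOT empty and run as root to target the real /etc).

```shell
#!/bin/sh
# Added example (not from the original post). Generates a strong IPsec PSK,
# writes /etc/ipsec.secrets and /etc/ppp/chap-secrets with mode 600, and
# audits both files. ROOT is an assumption: "" means the real /etc, any other
# value (e.g. a mktemp directory) lets you dry-run the functions.
ROOT="${ROOT:-}"

# gen_secret: 32 random bytes, base64 encoded, newline and '=' padding removed
# (43 characters).
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# write_secrets SERVER USER PPP_PASSWORD PSK
#   ipsec.secrets: '<server> %any: PSK "<psk>"'   (format of section 2.5)
#   chap-secrets:  '<user> l2tpd <password> *'    (format of section 4.3)
write_secrets() {
    server="$1"; user="$2"; ppp_pass="$3"; psk="$4"
    old_umask=$(umask)
    umask 077                                   # new files are created 0600
    mkdir -p "$ROOT/etc/ppp"
    printf '%s %%any: PSK "%s"\n' "$server" "$psk" > "$ROOT/etc/ipsec.secrets"
    printf '%s\tl2tpd\t%s\t*\n' "$user" "$ppp_pass" > "$ROOT/etc/ppp/chap-secrets"
    chmod 600 "$ROOT/etc/ipsec.secrets" "$ROOT/etc/ppp/chap-secrets"
    umask "$old_umask"
}

# file_mode FILE: prints the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_secrets: returns 0 only if both files exist, are mode 600, and the
# quoted PSK in ipsec.secrets is at least 20 characters (so a placeholder such
# as "1234" fails). Each problem found is printed on its own line.
audit_secrets() {
    rc=0
    for f in "$ROOT/etc/ipsec.secrets" "$ROOT/etc/ppp/chap-secrets"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        if [ "$(file_mode "$f")" != "600" ]; then
            echo "permissions are not 600: $f"; rc=1
        fi
    done
    # pull the PSK out of the double quotes on the %any line
    psk=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$ROOT/etc/ipsec.secrets" 2>/dev/null)
    if [ "${#psk}" -lt 20 ]; then
        echo "weak or missing PSK in $ROOT/etc/ipsec.secrets"; rc=1
    fi
    return $rc
}

# Usage on the real server (as root, ROOT unset), reusing the post's variables:
#   PSK=$(gen_secret)
#   write_secrets "$SERVER" "$USER1" "$PASS1" "$PSK" && audit_secrets
# Then restart ipsec and hand the generated PSK to the clients instead of 1234.
```

The audit is deliberately separate from the writer so it can be re-run later (for example from the same rc.local the post already uses) to catch a secrets file that was edited by hand and left world-readable or reset to a placeholder key.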