From Wikichris

This guide is still under construction


  • My computers and servers will exchange IPSec encrypted data only
  • My devices (Mac, iOS, Win) will connect to VPN L2TP/IPSec with their built-in clients

Server installation


  • Linux Debian 6 - Squeeze
  • The kernel already includes the NETKEY IPsec stack; we'll use ipsec-tools for the userspace part.
  • IKE daemon is Racoon
  • Openswan will be preferred to strongSwan, since it is better documented by other users.
  • xl2tpd and l2tpns are both packaged by Debian. The first is the easiest to set up, but doesn't support IPv6.


apt-get install openswan ipsec-tools

We won't use certificates for now, and keep the following command for later:

dpkg-reconfigure openswan

Add at the end of /etc/ipsec.conf:

conn L2TP-PSK
       # Perfect Forward Secrecy is not enabled by default on Win and Mac
       # clients, but it is still negotiated if the client requests it
       # ----------------------------------------------------------
       # The VPN server.
       # Allow incoming connections on the external network interface.
       # If you want to use a different interface or if there is no
       # defaultroute, you can use:   left=your.ip.addr.ess
       # If you insist on supporting non-updated Windows clients,
       # you can use:    leftprotoport=17/%any
       # ----------------------------------------------------------
       # The remote user(s).
       # Allow incoming connections only from this IP address.
       # If you want to allow multiple connections from any IP address,
       # you can use:    right=%any
       # ----------------------------------------------------------
       # Change 'ignore' to 'add' to enable this configuration.

Still in /etc/ipsec.conf, change this line:


Add your keys to /etc/ipsec.secrets:

# Preshared Keys for two clients with fixed IP addresses:
# PSK "keyforoneclient"
# PSK "keyforanotherclient"

# Preshared Key for clients connecting from any IP address:
# %any: PSK "keysharedbyallclients"
2001:db8:1:5fb2::1 %any: PSK "keysharedbyallclients"

Restart the daemon:

/etc/init.d/ipsec restart


I'm testing xl2tpd and l2tpns to make a choice. This part is still under construction.

Choice 1: XL2TPD

For a serious deployment with a considerable number of clients, you will probably want to use l2tpns (it supports external authentication such as RADIUS).

But for a start, xl2tpd is simpler to set up and doesn't need an additional DHCP server.

If you don't want any IPv6 support:

apt-get install xl2tpd

If you want IPv6 support, there is a patch developed for a previous version; I installed it, but Windows and Mac OS X don't accept an IPv6 server anyway: http://www.indarkness.net/blog/2010/04/23/vpnl2tp-over-ipv6-in-linux/

apt-get install libpcap0.8-dev build-essential fakeroot dpkg-dev devscripts ipsec-tools ppp
mkdir ~/xl2tpd
cd ~/xl2tpd
apt-get source xl2tpd
cd xl2tpd-1.2.7+dfsg/
wget http://blog.lifetoy.org/wp-content/uploads/2009/09/xl2tpd-ipv6.diff
patch < xl2tpd-ipv6.diff
ls *.rej
# apply the rejected hunks listed in each .rej file by hand
vi control.c
vi linux/include/linux/if_pppol2tp.h
vi contrib/pppol2tp-linux-2.4.27.patch
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../xl2tpd_1.2.7+dfsg-1_amd64.deb

Edit /etc/xl2tpd/xl2tpd.conf:
#debug network = yes
#debug tunnel = yes
[lns default]
ip range =
local ip =
require chap = yes
refuse pap = yes
require authentication = yes
name = gonzofamily.com
#ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Add the users to /etc/ppp/chap-secrets (client, server, secret, allowed IP):
login1    *    password1    *
login2    *    password2    *

Put the PPP options in /etc/ppp/options.xl2tpd (the pppoptfile set above):
ms-dns  # DNS server address goes here (apt-get install dnsmasq)
idle 1800
mtu 1410
mru 1410
connect-delay 5000

NB: It is up to you to decide whether your DNS server is the router itself or another IP address given to "ms-dns"; dnsmasq can forward DNS requests transparently.

apt-get install dnsmasq

CHAP is enabled and PAP is disabled because otherwise the Microsoft clients will complain that the password is not encrypted (which is of course nonsense, because the connection is already encrypted by IPsec). 'length bit' is set to yes because the connection was unstable without this parameter.

Finally, restart xl2tpd:

/etc/init.d/xl2tpd restart

Choice 2: l2tpns

l2tpns sends a Hello message to the client; Mac OS X doesn't like it and drops the connection. To avoid that, we must download the sources and comment out the HELLO part (around line 2837 of l2tpns.c):

apt-get install l2tpns libcli-dev
mkdir ~/l2tpns
cd ~/l2tpns
apt-get source l2tpns
cd l2tpns-2.1.21
vi l2tpns.c
        // Send hello
        /*if (tunnel[t].state == TUNNELOPEN && !tunnel[t].controlc && (time_now - tunnel[t].lastrec) > 60)
        {
                controlt *c = controlnew(6); // sending HELLO
                controladd(c, 0, t); // send the message
                LOG(3, 0, t, "Sending HELLO message\n");
                t_actions++;
        } */
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../l2tpns_2.1.21-1.1_amd64.deb

Change some lines in the default /etc/l2tpns/startup-config:

set l2tp_secret "secret"
set primary_dns
set primary_dns

Change the content of /etc/l2tpns/ip_pool.

Change the content of /etc/l2tpns/users:

# List username:password combinations here for cli users



Your server must act as a router from now on; in /etc/sysctl.conf uncomment


Load the new settings made in /etc/sysctl.conf:

sysctl -p


Add to your iptables rules:

# IPsec
## L2TP (UDP 1701), only inside the IPsec tunnel
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
## IKE
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
## NAT-T
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
-A FORWARD -o ppp0 -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -o ppp1 -j ACCEPT
-A INPUT -i ppp2 -j ACCEPT
-A FORWARD -i ppp2 -j ACCEPT
-A FORWARD -o ppp2 -j ACCEPT

I must find a different way of allowing the Forward, pppX is not convenient
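As an added check (not part of the original page), the script below reads an iptables-save dump and verifies that every ACCEPT for UDP/1701 is gated by `-m policy --pol ipsec`, so L2TP is never reachable in clear; the constructed sample dump also replaces the per-interface ppp0/ppp1/ppp2 rules with the standard iptables `ppp+` wildcard and includes one deliberately wrong rule to show the check firing.

```shell
#!/bin/sh
# Added example, not from the original page. Checks an iptables-save dump so that
# every rule accepting UDP/1701 (L2TP) also requires an inbound IPsec policy.

# Constructed sample dump (assumption for the demo): the page's rules with "ppp+"
# instead of ppp0/ppp1/ppp2, plus one wrong rule exposing UDP/1701 outside IPsec.
SAMPLE_RULES='
*filter
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
COMMIT
'

# Reads an iptables-save dump on stdin. Returns 0 when every ACCEPT for
# "--dport 1701" carries "--pol ipsec"; otherwise prints the offending
# rules on stderr and returns 1.
check_l2tp_only_via_ipsec() {
    bad=$(grep -E -- '--dport 1701' | grep -E -- '-j ACCEPT' \
          | grep -vE -- '--pol ipsec' || true)
    if [ -n "$bad" ]; then
        printf 'UDP/1701 accepted outside IPsec:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed dump: the last rule is reported.
printf '%s\n' "$SAMPLE_RULES" | check_l2tp_only_via_ipsec \
    || echo "sample dump fails the check (expected)"
```

On the live server, run `iptables-save | check_l2tp_only_via_ipsec` after loading the rules.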


Tested with Windows 7, Mac OS X 10.6, iOS 4.4 (iPhone, iPad, iPod)

You must add a new VPN of the following type:


The preshared key must be entered manually; it's indicated in


The credentials (login / password) can be found here:


I always choose to redirect all the traffic via the VPN on Mac, but on Windows it's the default.


Perfect Forward Secrecy

PFS is disabled because Apple's and Microsoft's L2TP/IPsec clients do not enable it.

Fortunately, even if you set pfs=no in your Openswan configuration, Openswan will still use PFS if the client supports it. So with pfs=no you support clients both with and without PFS.