IPSEC over L2TP access from Arch Linux (With Strongswan and xl2tpd)

The setup differs depending on the destination VPN server’s configuration.
It is much easier if you know the endpoint’s configuration. If you don’t,
you will have to capture packets on a client that is able to establish an
IPsec connection.
In my opinion, the Windows implementation of the IPsec/L2TP client
is pretty thorough and also common, so it should be a good client to test with.

In my case, I captured packets on Windows and got the server side’s IKE
parameters from the ISAKMP packets.

Here is my configuration.

1.
I had to add “send_vendor_id = yes” to “/etc/strongswan.conf” in order to
initiate Quick mode (phase 2) communication.
Most IPsec/L2TP implementations require the vendor ID to be sent.

charon {
load_modular = yes
send_vendor_id = yes
plugins {
include strongswan.d/charon/*.conf
}
}

2.
The next thing to set up is ipsec.conf.
I had to change the ike and esp parameters according to
the packets from the server which I captured on Windows.
Make sure “right” is the IP address of the VPN server (its global IP), not a domain name.
In my case the IKE key exchange failed because of it.
ikelifetime may have to be changed, too.

There may be a way to set strongswan to accept
any encryption and hash method, but I did not bother.

The conn name will be used later, so pick a good one.


config setup
charondebug="ike 4, knl 4, cfg 2"

conn l2tp-psk
authby = secret
auto = add
keyexchange = ikev1
type = transport
left = %any
leftprotoport=17/1701
right = "VPN SERVER's IP ADDRESS. NOT A DOMAIN NAME!"
rightprotoport=17/1701
ike = aes256-sha1-modp2048
ikelifetime = 8h
esp = aes256-sha1-modp2048

3.
The next thing to set up is ipsec.secrets.
%any should be changed according to your needs.

%any %any : PSK "Presharekey-passphrase"
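The three settings the steps above hinge on (an IP literal in “right”, transport mode with UDP/1701 selectors, and a sane ike/esp proposal) are easy to get wrong by hand. The checker below is an added example, not code from the original post or from strongswan; the weak-primitive list and the sample conn block are assumptions of mine, with a placeholder address.

```python
import ipaddress
import re

# Assumption: primitives a defender flags; not a list the original post gives.
WEAK_TOKENS = {"des", "3des", "md5", "modp768", "modp1024", "null"}

def parse_conn(text, conn_name):
    """Return the key/value pairs of one 'conn <name>' block of ipsec.conf-style text."""
    params, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        head = re.match(r"^(conn|config)\s+(\S+)$", line)
        if head:                                 # a section header switches context
            in_conn = head.group(1) == "conn" and head.group(2) == conn_name
            continue
        if in_conn and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def check_conn(params):
    """Rules from the walkthrough: 'right' is an IP literal, transport mode with
    UDP/1701 selectors on both sides, no weak primitives in the proposals."""
    findings = []
    try:
        ipaddress.ip_address(params.get("right", ""))
    except ValueError:
        findings.append("right must be the server's IP address, not a hostname")
    if params.get("type") != "transport":
        findings.append("L2TP/IPsec needs type=transport")
    for side in ("leftprotoport", "rightprotoport"):
        if params.get(side) != "17/1701":
            findings.append("%s should be 17/1701 (UDP/L2TP)" % side)
    for key in ("ike", "esp"):
        for token in params.get(key, "").split("-"):
            if token.lower() in WEAK_TOKENS:
                findings.append("%s proposal uses weak primitive %s" % (key, token))
    return findings

# Constructed sample in the shape of the conn block above (placeholder address).
SAMPLE_CONF = """conn l2tp-psk
    type = transport
    leftprotoport=17/1701
    right = 203.0.113.10
    rightprotoport=17/1701
    ike = aes256-sha1-modp2048
    esp = aes256-sha1-modp2048
"""
```

Run `check_conn(parse_conn(open("/etc/ipsec.conf").read(), "l2tp-psk"))` against your own file; an empty list means the block matches the rules above.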

4.
Configure xl2tpd

/etc/xl2tpd/xl2tpd.conf
[lac l2tp-psk]
lns = "Same as "right" in ipsec.conf"
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

/etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "Username"
password "user's password"

5.
Connect to the VPN Server

ipsec start
ipsec up l2tp-psk
systemctl start xl2tpd
echo "c l2tp-psk" > /var/run/xl2tpd/l2tp-control
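The order of the four commands above matters: if xl2tpd is told to connect before the ESP transport SA exists, the L2TP control channel and the PPP MS-CHAPv2 exchange leave the host unprotected. The helper below is an added example (not code from the post, strongswan or xl2tpd) that parses `ipsec status` before triggering L2TP; the status excerpt is constructed with placeholder addresses and SPIs, and `current_status` is a hypothetical helper that only works where strongswan is installed.

```python
import re
import subprocess

def child_sa_installed(status_text, conn):
    """True only if the ESP CHILD_SA for conn shows as INSTALLED in TRANSPORT mode."""
    pattern = r"^\s*%s\{\d+\}:\s+INSTALLED,\s+TRANSPORT\b" % re.escape(conn)
    return re.search(pattern, status_text, re.MULTILINE) is not None

def ike_sa_established(status_text, conn):
    """True if the IKE_SA for conn is ESTABLISHED (phase 1 done)."""
    pattern = r"^\s*%s\[\d+\]:\s+ESTABLISHED\b" % re.escape(conn)
    return re.search(pattern, status_text, re.MULTILINE) is not None

def current_status():
    """Live output of 'ipsec status' (hypothetical helper; needs strongswan installed)."""
    return subprocess.run(["ipsec", "status"], capture_output=True, text=True).stdout

def bring_up(conn="l2tp-psk", status_fn=current_status):
    """Step 5 of the post, but L2TP is only started once ESP protects UDP/1701."""
    subprocess.run(["ipsec", "up", conn], check=True)
    status = status_fn()
    if not (ike_sa_established(status, conn) and child_sa_installed(status, conn)):
        raise RuntimeError("no transport-mode ESP SA for %s; not starting L2TP" % conn)
    subprocess.run(["systemctl", "start", "xl2tpd"], check=True)
    with open("/var/run/xl2tpd/l2tp-control", "w") as control:
        control.write("c %s\n" % conn)

# Constructed excerpt in the shape of 'ipsec status' output after a successful
# 'ipsec up' (placeholder addresses and SPIs).
SAMPLE_STATUS = """Security Associations (1 up, 0 connecting):
   l2tp-psk[1]: ESTABLISHED 3 seconds ago, 192.0.2.5[192.0.2.5]...203.0.113.10[203.0.113.10]
   l2tp-psk{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0a8f001_i c0a8f002_o
   l2tp-psk{1}:   192.0.2.5/32[udp/l2tp] === 203.0.113.10/32[udp/l2tp]
"""
```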

Add routing and you are done!

IPIP tunnel with Linux (IP in IP)

ip tunnel add tun0 mode ipip local "GLOBAL IP" remote "GLOBAL IP"
ip link set tun0 up
ip addr add “LOCAL IP” dev tun0

xL2TPd on Arch Linux and Ubuntu.

I rented a VPS for the first time from a provider called MiniVPS and built an L2TP tunnel between my Arch Linux machine and the Ubuntu VPS.
Unfortunately, the available distros were CentOS, Fedora and Ubuntu, and I had to go with Ubuntu since it had the latest kernel among them.
However, there were no l2tp kernel modules available, which I believe improve l2tp
performance; I’m not sure whether it is an OpenVZ limitation or not.

So far, my experience with MiniVPS is not too good, but not bad either.
Speedtest results on average were like below, and bandwidth differs
a lot from time to time.
I measured the speed while on the l2tp tunnel and also over ssh dynamic port forwarding.

Ping response: 250ms
Download: 1Mbps ~ 15Mbps
Upload: 1Mbps

Other than bandwidth, I am very satisfied. OS reinstallation finishes in less than 10 minutes,
and you can change distributions among fedora, ubuntu, and centos anytime.
Serial console is always available in case of some accident.

Here is a note on how to set up l2tp without ipsec.

0. Networking.

# Enable ip forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# To make it permanent, edit /etc/sysctl.d/40-ip-forward.conf and add
net.ipv4.ip_forward=1
# If you need to use the internet via the VPS, enable NAPT by running
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

# You also need to open udp port 1701 if you are behind a firewall.

1. Install xl2tpd from the repository.


# For Ubuntu
sudo apt-get install xl2tpd
## installed version was xl2tpd-1.3.6; it was not compiled with kernel support.
# For Arch
pacman -S xl2tpd
## installed version was xl2tpd-1.3.6-1

2. Server side setting (Ubuntu)
Edit the main configuration of xl2tpd
vim /etc/xl2tpd/xl2tpd.conf


[global]
access control = yes
auth file = /etc/ppp/chap-secrets
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lns "name of your preference"]
require chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
require pap = no
assign ip = yes
hostname = hostname
; can be anything; I just put the hostname of the server machine
ip range = 10.0.0.10-10.0.0.20
; IP address range handed out to tunnel clients
local ip = 10.0.0.1
; IP address of the server's tunnel interface (ppp0)
challenge = no
lac = 1.2.3.4
; IP address of the client (likely its global address)
require authentication = no

Edit /etc/ppp/chap-secrets and add the username and password for chap authentication.
Make sure to chmod 600 /etc/ppp/chap-secrets, since it holds the password in clear text.


# client server secret IP addresses
username * password *

Create /etc/ppp/options.l2tpd for a ppp control


ipcp-accept-local
ipcp-accept-remote
mtu 1410
mru 1410
ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name username # username for chap authentication
proxyarp
lcp-echo-interval 10
lcp-echo-failure 100
connect-delay 5000

3. Client side (Arch Linux)
Main configuration of xl2tpd
vim /etc/xl2tpd/xl2tpd.conf

[global]
access control = no
auth file = /etc/ppp/chap-secrets
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lac "lns name you specified on the server"]
lns = "lns ip address (likely to be global address)"
redial = yes
redial timeout = 5
require chap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
require pap = no
autodial = yes
name = "username for chap authentication"

Edit /etc/ppp/chap-secrets and add the username and password for chap authentication.
Make sure to chmod 600 /etc/ppp/chap-secrets, since it holds the password in clear text.


# client server secret IP addresses
username * password *

Create /etc/ppp/options.l2tpd for a ppp control
vim /etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "username for chap auth"
password "password for chap auth"

4. Start the daemon. Run the command below on both the server and the client, then change routing to your liking.

sudo xl2tpd -D
# For split tunneling
ip route add "desired destination ip address" via "ppp peer ip address" dev ppp0
# To route all traffic.
sudo ip route add "Global IP address of your server/32" via 192.168.0.1 dev enp0s25
sudo ip route del default via 192.168.0.1 dev enp0s25
sudo ip route add default via 10.0.0.1 dev ppp0
# Do not forget to re-add your original default gateway after terminating the session.
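The “route all traffic” sequence above is only safe if the original default gateway is recorded first and put back afterwards. The script below is an added example (not from the post) that reads the gateway and interface out of `ip route show default`, builds the up and down command lists as exact inverses, and can dry-run them; the sample route line and the server address are constructed placeholders.

```python
import re
import subprocess

DEFAULT_ROUTE = re.compile(r"^default via (\S+) dev (\S+)")

def parse_default_route(ip_route_output):
    """Extract (gateway, interface) from 'ip route show default' output."""
    for line in ip_route_output.splitlines():
        match = DEFAULT_ROUTE.match(line.strip())
        if match:
            return match.group(1), match.group(2)
    raise ValueError("no default route found; refusing to rewrite routing blindly")

def tunnel_up_cmds(server_ip, gw, dev, peer_ip="10.0.0.1", tun="ppp0"):
    """Pin the VPS to the physical gateway, then send everything else through the tunnel."""
    return [
        ["ip", "route", "add", server_ip + "/32", "via", gw, "dev", dev],
        ["ip", "route", "del", "default", "via", gw, "dev", dev],
        ["ip", "route", "add", "default", "via", peer_ip, "dev", tun],
    ]

def tunnel_down_cmds(server_ip, gw, dev, peer_ip="10.0.0.1", tun="ppp0"):
    """Exact inverse of tunnel_up_cmds. The first delete is already done by the
    kernel if pppd removed ppp0, which is why apply() does not abort on a failure."""
    return [
        ["ip", "route", "del", "default", "via", peer_ip, "dev", tun],
        ["ip", "route", "add", "default", "via", gw, "dev", dev],
        ["ip", "route", "del", server_ip + "/32", "via", gw, "dev", dev],
    ]

def apply(cmds, dry_run=True):
    """Print (dry run) or execute the commands; returns one exit code per command."""
    codes = []
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
            codes.append(0)
        else:
            codes.append(subprocess.run(cmd).returncode)
    return codes

# Constructed sample in the shape of 'ip route show default' output.
SAMPLE_ROUTE = "default via 192.168.0.1 dev enp0s25 proto dhcp src 192.168.0.7 metric 100"
```

On a live host, feed `subprocess.run(["ip", "route", "show", "default"], capture_output=True, text=True).stdout` to `parse_default_route` and keep the returned pair until you call `tunnel_down_cmds`.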

5. That’s all. This is a pure L2TP tunnel, so there is no encryption involved.
People needing security should consider running ipsec over l2tp, or using OpenVPN.
If you are as paranoid about performance as I am, this is probably one of the best solutions.