L2TP+IPSec is another way to setup VPN on a VPS. L2TP consumes 1701 TCP port to maintain connection and 500/4500 UDP to transfer data. It’s very easy to implement L2TP and IPSec on a Ubuntu 14.04 server.
Before setting up L2TP/IPSec environment, you need to enable PPP support for VPS. See details on section “Enable PPP Support of VPS” of my previous post “Setup PPTP Server on a VPS“ to enable PPP support on RamNode VPS.
When I first installed xl2tpd and openswan, it occured to me the following errors and refused my iPhone VPN connection:
May 19 05:48:46 xxx xl2tpd: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
If you get the same error message, just follow step by step with me to setup L2TP+IPSec VPN.
Here I use openswan as my IPSec server. Just use the following commands to install xl2tpd and openswan:
sudo apt-get install openswan ppp xl2tpd
We need to configure two files for xl2tpd:
Here’s an example of
[global] listen-addr = 220.127.116.11 [lns default] ip range = 10.20.0.2-10.20.0.100 local ip = 10.20.0.1 assign ip = yes length bit = yes refuse pap = yes require authentication = yes pppoptfile = /etc/ppp/options.xl2tpd
“ip range” defined IPs distributed to the client side and “local ip” is assigned to the server side. pppoptfile defines the detailed config file for xl2tpd.
Then create file
/etc/ppp/options.xl2tpd and add:
ms-dns 18.104.22.168 ms-dns 22.214.171.124 noccp asyncmap 0 auth crtscts lock hide-password modem mru 1200 nodefaultroute debug mtu 1200 proxyarp lcp-echo-interval 30 lcp-echo-failure 4 ipcp-accept-local ipcp-accept-remote noipx idle 1800 connect-delay 5000
IPSec acts as a role to provide a secure routine for transferring data. OpenSwan is a good choice to set up a simple IPSec. Note that there are many IPSec choices and they should be exclusively installed in your system. And whatever IPSec server you installed, the command to call them is only “ipsec“. Use the following command to identify which IPSec service you’re using now.
The config file for OpenSwan is /etc/ipsec.conf. Actually this file name is identical for all IPSec service, which the content differs anyway. When you installed another IPSec service with apt-get, you need to change the format and contents of this file.
Here’s an example of this file:
version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:126.96.36.199/8,%v6:fd00::/8,%v6:fe80::/10 protostack=netkey force_keepalive=yes keep_alive=60 conn l2tp-psk authby=secret pfs=no auto=add keyingtries=3 type=transport left=188.8.131.52 # change to your own IP leftprotoport=17/1701 right=%any rightprotoport=17/%any
The “virtual_private” line shows which network could use this IPSec routine, leave it as what it is. The only line you need to change is “left”, which should be your VPS IP address.
Then we need to create and edit file
: PSK "sharedpassword"
Note that there’s blank before and after colon!
“sharedpassword” should be used as the “shared secret” when you connect L2TP.
/etc/ppp/chap-secrets, which is the same as PPTP server. Use the format like this:
yourname * yourpassword *
It’s also the same as PPTP server, you just need to edit file
/etc/sysctl.conf and add (or change) a following line:
Then exit to shell and execute:
sudo sysctl -p
To add iptables rules, add the following lines in
iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o venet0 -j MASQUERADE iptables -A FORWARD -p tcp --syn -s 10.20.0.0/24 -j TCPMSS --set-mss 1356
Note “-s 10.20.0.0/24” should be the net range defined in “ip range” section of
At last, restart xl2tpd and ipsec:
sudo service xl2tpd restart
Enjoy you surfing! ;)