In the last few posts , we had install L2TP over IPsec and freeradius. Today we will show you how to use Freeradius to authenticate L2TP login user, let’s go.

Server IP :
VPN IP range : –
VPN Gateway :
Network Interface : enp0s3

Install Radius-Server

apt-get update
apt-get install build-essential libauthen-radius-perl libauthen-simple-radius-perl libgcrypt11-dev openssl
apt-get install freeradius freeradius-mysql

vim /etc/freeradius/sites-enabled/default

comment out the “files” and uncomment “sql” as below.

authorize {
# files
authenticate {
preacct {
#   files
accounting {
session {
post-auth {
 Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.

vim /etc/freeradius/radiusd.conf

uncomment this : $INCLUDE sql.conf

The information for database, we need to create an user and db with these settings.

vim /etc/freeradius/sql.conf

login = "cannon"
password = "cannon123"
radius_db = "radius"

vim /etc/freeradius/clients.conf

remember this secret , we need it later

secret = 123cannon

Install Mysql

apt-get install mysql-server -y

enter and repeat the password of root mysql

After that , create an user and database following the information we do above.

mysql -u root -p
mysql> create database radius;
mysql> CREATE USER 'cannon'@'localhost' IDENTIFIED BY 'cannon123';
mysql> GRANT ALL PRIVILEGES ON * . * TO 'cannon'@'localhost';
mysql> flush privileges;
mysql> exit

Insert these tables into the database we created just now.

mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql;
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql;
mysql -u root -p
mysql> use radius;
mysql> show tables;
| Tables_in_radius |
| nas                |
| radacct            |
| radcheck           |
| radgroupcheck      |
| radgroupreply      |
| radpostauth        |
| radreply           |
| radusergroup       |
8 rows in set (0.00 sec)

L2TP Install

apt-get update
apt-get install xl2tpd strongswan

Download the freeradius-client from GitHub.

cd /opt/
mv freeradius-client-master freeradius-client
cd freeradius-client/
./configure --prefix=/
make && make install

Add the following lines in the /etc/sysctl.conf file to enable forwarding on the Linux machine.

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Run the following command to apply changes.

sysctl -p

Remember the secret ?

vim /etc/radiusclient/servers

localhost 123cannon

vim /etc/radiusclient/radiusclient.conf

auth_order    radius,local
login_tries    4
login_timeout    60
nologin /etc/nologin
issue    /etc/radiusclient/issue
seqfile /var/run/freeradius/
authserver     localhost
acctserver     localhost
servers        /etc/radiusclient/servers
dictionary     /etc/radiusclient/dictionary
login_radius    /sbin/login.radius
mapfile        /etc/radiusclient/port-id-map
radius_timeout    10
radius_retries    3
bindaddr *
login_local    /bin/login


Following configuration (which is related to IPv6)  in /etc/radiusclient/dictionary file should be commented out to run the radius client

#ATTRIBUTE      NAS-IPv6-Address        95      string
#ATTRIBUTE      Framed-Interface-Id     96      string
#ATTRIBUTE      Framed-IPv6-Prefix      97      ipv6prefix
#ATTRIBUTE      Login-IPv6-Host         98      string
#ATTRIBUTE      Framed-IPv6-Route       99      string
#ATTRIBUTE      Framed-IPv6-Pool        100     string
#ATTRIBUTE      Framed-IPv6-Address     168     ipv6addr
#ATTRIBUTE      DNS-Server-IPv6-Address 169     ipv6addr
#ATTRIBUTE      Route-IPv6-Information  170     ipv6prefix

vim /etc/xl2tpd/xl2tpd.conf

ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range =
local ip =
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

vim /etc/ipsec.secrets %any : PSK "private"

vim /etc/ipsec.conf

conn L2TP-PSK-noNAT

vim /etc/ppp/options.xl2tpd

logfd 2
logfile /var/log/l2tp.log
asyncmap 0
idle 1800
mtu 1200
mru 1200
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
plugin /usr/lib/pppd/2.4.7/
plugin /usr/lib/pppd/2.4.7/

# vim /etc/radiusclient/

# Microsoft’s VSA’s, from RFC 2548
# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
# Integer Translations
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
END-VENDOR Microsoft

# vim /etc/radiusclient/dictionary

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/

service mysql restart

service freeradius restart

service xl2tpd restart

service pptpd restart

ipsec restart


iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -j SNAT --to-source -o enp0s3

Add User

mysql -u root -p

mysql>use radius;

mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES (‘testing’,’User-Password’,’:=’,’123123′);

Connect from a device, as example I using android phone , go to setting –> wireless options –> VPN –> add a new vpn –> VPN type choose L2TP/IPSEC PSK –> key in your server ip –> and the PSK key –> your account & password –> connect

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *