INTRODUCTION

In this quick guide, we will set up an IPsec VPN server on Ubuntu 16.04, using StrongSwan as the IPsec server and for authentication.

Network Interface : enp0s3
Server IP         : 192.168.0.254
L2TP gateway      : 192.168.30.1
L2TP IP range     : 192.168.30.2 - 192.168.30.254

Step 1 : Install xl2tpd, StrongSwan and ppp

# apt-get install xl2tpd strongswan ppp

Step 2 : Configure /etc/ipsec.conf

# vim /etc/ipsec.conf
# L2TP/IPsec connection: transport mode, pre-shared-key authentication,
# server acts as responder only (clients initiate).
conn L2TP-PSK-noNAT
# When dead-peer detection fires, tear the SA down without retrying.
dpdaction=clear
# Authenticate with the PSK from /etc/ipsec.secrets.
authby=secret
# Load the connection at startup and wait for an incoming request.
auto=add
keyingtries=3
ikelifetime=8h
keylife=1h
# IKE proposals offered, in preference order. 3des-sha1 is a legacy
# fallback; drop it unless a client still needs it. No esp= line is set,
# so the daemon's default ESP proposal applies — consider pinning one.
ike=aes256-sha1,aes128-sha1,3des-sha1
# Transport mode: IPsec protects only the L2TP UDP packets between the
# two endpoints, not a routed subnet.
type=transport
left=192.168.0.254  
# Server side: only L2TP (UDP port 1701) is covered by the SA ...
leftprotoport=17/1701
# ... from any client address and any client source port.
right=%any
rightprotoport=17/%any

Step 3 : Run the commands below to enable kernel IP packet forwarding and disable ICMP redirects.

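# Persist the forwarding and redirect settings. One append instead of seven
# separate tee calls; quoted heredoc so nothing is expanded.
# NOTE: rp_filter=0 turns off reverse-path (anti-spoofing) filtering, as in
# the original tutorial — confirm your routing actually needs that.
tee -a /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF

# Apply the file now. Without this the values only take effect after a
# reboot, so ip_forward stays 0 and VPN clients cannot reach past the server.
sysctl -p

# Also switch redirects off on every interface that already exists
# (the conf.default.* entries only cover interfaces created later).
for vpn in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$vpn/accept_redirects"
  echo 0 > "$vpn/send_redirects"
done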

Step 4 : Configure the pre-shared key; clients need this when logging in to the VPN. Replace the sample value with a long random secret.

# vim /etc/ipsec.secrets

192.168.0.254 %any : PSK "private"
*Do NOT remove the double quotes around the PSK!*

Step 5 : Configure L2TP

# vim /etc/xl2tpd/xl2tpd.conf

[global]
; Bind each L2TP tunnel to its IPsec SA (SAref) so several clients behind
; one NAT stay distinct. Presumably needs kernel SAref support — check the
; xl2tpd log if tunnels collide.
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
; Address pool handed out to clients, and this side's gateway address.
ip range = 192.168.30.2-192.168.30.254 
local ip = 192.168.30.1 
; No plaintext PAP; every session must authenticate (see /etc/ppp/chap-secrets).
refuse pap = yes
require authentication = yes
;ppp debug = yes
; pppd options applied to every L2TP session.
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP data packets (some clients require it).
length bit = yes

# vim /etc/ppp/options.xl2tpd

# pppd options for xl2tpd sessions (referenced from xl2tpd.conf pppoptfile).
# Log to fd 2 and to the file below.
logfd 2
logfile /var/log/xl2tpns.log
# Refuse MS-CHAP v1/v2, which leaves plain CHAP as the accepted method
# (PAP is refused in xl2tpd.conf). The L2TP port is only reachable inside
# IPsec per the iptables rules, so the exchange is still encrypted on the
# wire; re-enable MS-CHAPv2 if your clients will not offer CHAP.
refuse-mschap-v2
refuse-mschap
# DNS servers pushed to clients (public Google resolvers).
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# No control-character escaping on this virtual link.
asyncmap 0
# Require the peer to authenticate itself.
auth
# Serial-line options (flow control, no modem control lines, device lock);
# harmless on a pty-backed L2TP session.
crtscts
# Drop the session after 1800 s (30 min) without traffic.
idle 1800
# Keep PPP small enough to absorb the L2TP/UDP/IPsec overhead without
# fragmenting.
mtu 1200
mru 1200
lock
# Never write the peer's password to the log.
hide-password
local
#debug
# Local name used when looking up entries in chap-secrets.
name l2tpd
# Answer ARP for client addresses on the LAN side.
proxyarp
# LCP keepalive: probe every 30 s, tear down after 4 missed replies.
lcp-echo-interval 30
lcp-echo-failure 4

Step 6 : Add a VPN user

# vim /etc/ppp/chap-secrets

username * password *

Step 7 : Restart the services so the new configuration is loaded.

service xl2tpd start / restart / stop
service strongswan start / restart / stop

IPTABLES RULES

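# Accept IKE (500/udp) and NAT-T (4500/udp) from anywhere.
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
# Accept L2TP (1701/udp) only when the packet arrived inside an IPsec SA,
# so the tunnel can never be spoken to unencrypted.
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
# Source-NAT VPN clients behind the server address. The -s match limits
# the rule to the L2TP pool; the original had none, so every packet
# forwarded out enp0s3 from any source was rewritten.
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o enp0s3 -j SNAT --to-source 192.168.0.254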