INTRODUCTION
In this quick guide we will set up an L2TP/IPsec VPN server on Ubuntu 16.04, using strongSwan for IPsec, xl2tpd for L2TP and pppd (CHAP) for user authentication.
Network Interface : enp0s3
Server IP : 192.168.0.254
L2TP gateway : 192.168.30.1
L2TP IP range : 192.168.30.2 – 192.168.30.254
Step 1 : Install xl2tpd, strongSwan and ppp
# apt-get install xl2tpd strongswan ppp
Step 2 : Configure /etc/ipsec.conf
# vim /etc/ipsec.conf
conn L2TP-PSK-noNAT
    dpdaction=clear
    authby=secret
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    type=transport
    left=192.168.0.254
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
type=transport together with the 17/1701 proto/port selectors is what makes this a plain L2TP-over-IPsec connection, and right=%any lets a client connect from any address. The ike= list still offers 3des-sha1 for old clients; drop it if every client you have supports AES.
Step 3 : Run the commands below to enable kernel IP forwarding and disable ICMP redirects and source routing. The tee lines only persist the settings in /etc/sysctl.conf; load them with sysctl -p (or reboot) so they take effect now.
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
Step 4 : Configure the pre-shared key. Every client needs this secret, together with a user name and password, to connect.
# vim /etc/ipsec.secrets
192.168.0.254 %any : PSK "private"
*Do NOT delete the " " quotes !* Replace "private" with a long random secret: the PSK is shared by every client, and anyone who knows it can impersonate the server to the clients. Keep the file readable by root only.
Step 5 : Configure L2TP
# vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.30.2-192.168.30.254
local ip = 192.168.30.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# vim /etc/ppp/options.xl2tpd
logfd 2
logfile /var/log/xl2tpns.log
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipsec saref = yes relies on IPsec SAref tracking in the kernel, which stock Ubuntu kernels do not have; xl2tpd logs a warning and falls back to userspace mode. Because PAP, MS-CHAP and MS-CHAPv2 are all refused, clients must authenticate with CHAP, and the secrets for that are stored in clear text in /etc/ppp/chap-secrets, so keep that file root-only as well.
Step 6 : Add a user
# vim /etc/ppp/chap-secrets
username * password *
The four columns are client (user name), server, secret and allowed client IP; * in the server and IP columns means any. Add one line per user.
Step 7 : Restart the services so the new configuration is loaded.
# service xl2tpd restart
# service strongswan restart
(start and stop work the same way.)
IPTABLES RULES
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o enp0s3 -j SNAT --to-source 192.168.0.254
The -s match limits the SNAT to the L2TP client pool; without it every packet leaving enp0s3 is rewritten to the server address. The port 1701 rule only accepts L2TP that arrived inside an IPsec policy, so bare L2TP from the network is dropped. If your FORWARD chain policy is DROP you also need FORWARD rules for 192.168.30.0/24, and all of these rules are lost on reboot unless you save them (for example with iptables-persistent).
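As an added example (not part of the original guide), the following POSIX shell script ties Steps 2, 4 and 6 and the firewall section together: it generates a random PSK instead of "private", renders the configuration into a staging directory with the two secrets files at mode 0600, refuses to proceed on a weak PSK, and scopes the SNAT rule to the client pool. The staging directory, the stage function and the FORWARD rules are assumptions of the example; the addresses, interface and option values are the guide's own, except that 3des-sha1 is dropped from the IKE proposal as a hardening choice.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate a strong PSK, render
# the files from Steps 2, 4 and 6 plus the firewall rules into a staging
# directory for review, and refuse to proceed on a weak secret. The staging
# directory and the FORWARD rules are assumptions; addresses, interface and
# option values are the guide's own, except that 3des-sha1 is dropped.
set -eu

SERVER_IP="192.168.0.254"
L2TP_NET="192.168.30.0/24"
WAN_IF="enp0s3"

# 32 random bytes, base64-encoded: a 44-character PSK with 256 bits of entropy.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Reject the guide's placeholder "private" and anything shorter than 20 chars.
check_psk() { [ "$1" != "private" ] && [ "${#1}" -ge 20 ]; }

# Step 2, with 3des-sha1 removed from the IKE proposal (hardening choice made
# here, not in the guide; add it back only if a client really needs 3DES).
render_ipsec_conf() {
    cat <<EOF
conn L2TP-PSK-noNAT
    dpdaction=clear
    authby=secret
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1
    type=transport
    left=$SERVER_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
}

# Step 4: the double quotes around the PSK are part of the ipsec.secrets syntax.
render_ipsec_secrets() { printf '%s %%any : PSK "%s"\n' "$SERVER_IP" "$1"; }

# Step 6: chap-secrets columns are client, server, secret, allowed client IPs.
render_chap_secrets() { printf '%-12s *   %s   *\n' "$1" "$2"; }

# Firewall: IKE, NAT-T, L2TP only when it arrived inside an IPsec policy,
# FORWARD for the pool (needed if the chain policy is DROP), and SNAT scoped
# to the pool so other forwarded traffic is not rewritten to the server IP.
render_iptables() {
    cat <<EOF
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A FORWARD -s $L2TP_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -d $L2TP_NET -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $L2TP_NET -o $WAN_IF -j SNAT --to-source $SERVER_IP
EOF
}

# stage DIR USER PASSWORD [PSK]: write everything under DIR (mirroring /etc),
# with both secrets files mode 0600, and print the PSK to hand to clients.
stage() {
    dir="$1"; user="$2"; pass="$3"; secret="${4:-$(gen_psk)}"
    check_psk "$secret" || { echo "refusing weak PSK" >&2; return 1; }
    mkdir -p "$dir/ppp"
    render_ipsec_conf > "$dir/ipsec.conf"
    render_ipsec_secrets "$secret" > "$dir/ipsec.secrets"
    render_chap_secrets "$user" "$pass" > "$dir/ppp/chap-secrets"
    render_iptables > "$dir/firewall.sh"
    chmod 600 "$dir/ipsec.secrets" "$dir/ppp/chap-secrets"
    echo "$secret"
}

# Usage when run directly: ./stage-vpn.sh /root/vpn-staging alice 'S3cret!'
if [ "${1:-}" != "" ]; then
    stage "$@"
fi
```

Copy the staged ipsec.conf, ipsec.secrets and ppp/chap-secrets into /etc (and run firewall.sh) only after reviewing them, then restart strongswan and xl2tpd; ipsec statusall should then list the L2TP-PSK-noNAT connection.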