L2TP/IPSec Linux Server Behind NAT

In this post we walk through installing an L2TP/IPSec Linux server that sits behind NAT.

IP Assignments

  • L2TP/IPSec Server IP: 192.168.42.190 / 24
  • L2TP/IPSec Client IPs: 192.168.42.191-199

Kernel Parameter Tuning

Add the following to /etc/sysctl.conf

# ---------------- L2TP/IPSec (OpenSwan) ---------------
net.ipv4.ip_forward = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# ---------------- L2TP/IPSec (OpenSwan) ---------------

Apply the changes

# sysctl -p

IPSec Configuration

# yum install openswan
Verify that /etc/ipsec.secrets pulls in the per-connection secrets directory:
# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

Create /etc/ipsec.d/l2ptipsec.secrets (the PSK below is an example; replace it with a long, randomly generated value and keep the file readable by root only)

192.168.42.190 %any : PSK "top-secret-pre-shared-key"

Configure /etc/ipsec.conf

version 2.0

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

conn l2tp-psk
        left=192.168.42.190
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        pfs=no
        rekey=no
        type=transport
        authby=secret
        auto=add

Start IPSec, run the verifier to confirm the kernel settings IPSec needs are in place, then initiate an L2TP/IPSec connection from a client. The connection will fail at this stage because L2TP is not yet configured, but the IPSec tunnel itself should come up (look for "SA established" in /var/log/secure).

# /etc/init.d/ipsec start
# ipsec verify

XL2TPD and PPPD Configuration

# yum install yum-conf-epel.noarch
# yum install xl2tpd

Configure /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 192.168.42.190
debug tunnel= yes

[lns default]
ip range = 192.168.42.191-192.168.42.199
local ip = 192.168.42.190
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configure /etc/ppp/options.xl2tpd

require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.42.214
ms-dns  192.168.42.215
ms-wins 192.168.42.2
ms-wins 192.168.42.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
logfd 2
logfile /var/log/l2tpd.log

Configure /etc/ppp/chap-secrets (the entry below is an example; use a strong per-user secret and keep the file readable by root only)

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
oskar           *       "oskarspassword"        *

Enable both services at boot and reboot the server to confirm everything comes up cleanly

# chkconfig ipsec on
# chkconfig xl2tpd on
# reboot
