L2TP mini tutorial

[zoidberg]

Hello all,

I was able to make L2TP VPN work in debian wheezy Raspbian to be able to use with iphones and mac's natively
I'm sorry I don't have comments for the commands, but I extracted this information on several sites and compiled it here.

If you can improve or comment this in anyway, go ahead!

scenario ( change as you need ):
my pi ip address: 192.168.1.112
my gateway address : 192.168.1.254

Lets start:

first Ports 1701 TCP, 4500 UDP and 500 UDP need to be open in the firewall/router and port forwarded!!

Let's start by putting the ip address of the pi static:

ssh pi@192.168.1.112

sudo nano /etc/network/interfaces

Code: Select all

iface eth0 inet static
address 192.168.1.112
netmask 255.255.255.0
gateway 192.168.1.254

sudo nano /etc/resolv.conf

Code: Select all

nameserver 192.168.1.254

Change root password and install packages

Code: Select all

sudo passwd
su
apt-get update
apt-get install openswan xl2tpd ppp lsof

Routing: 1 command per line:

Code: Select all

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

add code to file:
nano /etc/rc.local

Code: Select all

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE

replace contents in file:
nano /etc/ipsec.conf

Code: Select all

version 2.0
config setup

        nat_traversal=yes
        protostack=netkey
        virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.25$
        oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.112
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
        #force all to be nat'ed. because of ios
        forceencaps=yes
# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=192.168.1.112
        leftnexthop=192.168.1.254
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

Add code to file, and replace TESTSECRET with your shared secret:
nano /etc/ipsec.secrets

Code: Select all

192.168.1.112  %any:   PSK "TESTSECRET"

Replace contents of file:
nano /etc/xl2tpd/xl2tpd.conf

Code: Select all

[global]
ipsec saref = yes
listen-addr = 192.168.1.112
[lns default]
ip range = 192.168.1.201-192.168.1.250
local ip = 192.168.1.112
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = linkVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Replace contents of file:
nano /etc/ppp/options.xl2tpd

Code: Select all

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.254
asyncmap 0
auth
crtscts
lock
idle 1800
mtu 1200
mru 1200
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nodefaultroute
connect-delay 5000

replace contents of file, and replace 'user' with your user and 'TESTPASS' with your password:
nano /etc/ppp/chap-secrets################

Code: Select all

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user    *       TESTPASS        *

Let's put it on start:

Code: Select all

update-rc.d -f ipsec remove
update-rc.d ipsec defaults

And restart services:

Code: Select all

/etc/init.d/xl2tpd restart ; /etc/init.d/ipsec restart

DONE! You should now have a working L2TP VPN on RASPBIAN

if you want to install a proxy server that compresses the image files to save bandwith on 3g just install ziproxy!
hint: standard port is 8080.
################ZIPROXY################
apt-get install ziproxy

[mazinger]

Hi,
I tried to create the L2TP vpn server but it didn't work when connecting from my iPhone over the 3G network. I have to try from a hot spot or another network, for now I wasn't able to get one. Debugging my problem I found some differencies between this tutorial and other posts on other forums. The question is: I'm the only one unsuccessfull or it can be that the 3G is more tricky that what I think?
On another SD (full updated to the last weezy) pptp vpn works fine, but I'm not happy about its security related issues, as reported as well on this forum.

Any help or suggestion will be appreciated

Regards
Leo

[zoidberg]

Hello mazinger,

Actually I have to re-install my pi, so I will use the tutorial again tomorrow and let you know if it still works in the current debian/ packages versions.

[Birchman]

I used this tutorial last weekend and got it to work.

You can check your ipsec configuration with the following command:

sudo ipsec verify

You could also check system and auth log. To see if you IPSec tunnel is connected properly.

For more tips http://blog.riobard.com/2010/04/30/l2tp ... ec-ubuntu/

[mazinger]

zoidberg and Birchman,
Thanks for the replies. As soon as possible I will check ipsec as indicated and I will post my logs which contain a part that I cannot understand.

Regards
Leo

[mazinger]

Hi, finally I have some time to work on it..

This is the output of my ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.6.11+ (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

I'm going to check the logs... I will report it on another post
Cheers

[mazinger]

Hello again,
So I tried the connection from the iphone and this is the auth.log results:

packet from 62.140.132.23:30684: received Vendor ID payload [RFC 3947] method set to=109
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: ignoring unknown Vendor ID payload [6d246b6fc7a8a6a428c11de8]
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: ignoring unknown Vendor ID payload [76c4c7737ae22eab8f582]
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: ignoring unknown Vendor ID payload [f3ea9f02ec7285]
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: ignoring unknown Vendor ID payload [80d0bb3def54565]
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: ignoring unknown Vendor ID payload [52fa6b]
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 13 21:31:54 pi pluto[2905]: packet from 62.140.132.23:30684: received Vendor ID payload [Dead Peer Detection]
Apr 13 21:31:54 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: responding to Main Mode from unknown peer 62.140.132.23
Apr 13 21:31:54 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 13 21:31:54 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 13 21:31:55 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Apr 13 21:31:55 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 13 21:31:55 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 13 21:31:55 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 13 21:31:55 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: Main mode peer ID is ID_IPV4_ADDR: '10.67.97.23'
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[1] 62.140.132.23 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: deleting connection "L2TP-PSK-NAT" instance with peer 62.140.132.23 {isakmp=#0/ipsec=#0}
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: new NAT mapping for #1, was 62.140.132.23:30684, now 62.140.132.23:3348
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: Dead Peer Detection (RFC 3706): enabled
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #1: the peer proposed: xxx.xxx.xxx.xxx/32:17/1701 -> 62.140.132.23/32:17/0
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: responding to Quick Mode proposal {msgid:b905e4cc}
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: us: yy.yy.yy.yy<yy.yy.yy.yy>[+S=C]:17/1701
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: them: 62.140.132.23[10.67.97.23,+S=C]:17/58093
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 13 21:31:56 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 13 21:31:57 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: Dead Peer Detection (RFC 3706): enabled
Apr 13 21:31:57 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 13 21:31:57 pi pluto[2905]: "L2TP-PSK-NAT"[2] 62.140.132.23 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x091c0035 <0x9221391e xfrm=AES_256-HMAC_
SHA1 NATOA=none NATD=62.140.132.23:3348 DPD=enabled}
Apr 13 21:32:29 pi pluto[2905]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 62.140.132.23 port 3348, complainant 62.140.132.23: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Apr 13 21:32:57 pi pluto[2905]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 62.140.132.23 port 3348, complainant 62.140.132.23: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

xxx.xxx.xxx.xxx is my internet IP,
yy.yy.yy.yy is my pi lan IP

Birchman what's wrong in my log?

Thanks in advance for your support

Zoidberg, any news on your new installation?

Cheers


Leo

[wheninromebro]

Hi Guys,

A couple of noob questions.

On the IP I assume the following:

Server: is my home static IP
Account: is the username in /etc/ppp/chap-secrets
Password: is the Password in /etc/ppp/chap-secrets
secret: is in the /etc/ipsec.secrets

Are my assumptions correct?

Cheers Guys!

[Link1992]

Much thanks for your tutorial ! It works pretty well.

I am just having problems with booting... What ever I do, the services aren't launching, and I am not able to connect on the server.

To solve this, I have to type from the pi user (same thing from SU) :

Code: Select all

sudo /etc/init.d/xl2tpd restart
sudo/etc/init.d/ipsec restart

I have tried to add these commands in rc.local, but I worked only once...
Anyone getting a solution on how I can make the command run on boot up ?

Thanks in advance !

[JungeJ]

Many thanks, creating the VPN connection over 3g from my IPhone and IPad now works like a charm.

However, I can't seem to be able to access the internet on the devices when connected. Any ideas how this can be solved? I want to use the VPN to have a television app believe that I am at home, so that I can watch live tv.

Any suggestions are welcome.

Thanks,

Jeroen

[Link1992]

Ports locked by provider... If you are using an iPhone, there is no workaround (don't know if jailbroken).
Try it on private netowork at a friend or so.

[antonedvard]

I am trying to get this to work, i am sure that i have gotten everything right but when i try to restart the ipsec this comes up...

root@PI-VPN:/home/pi# sudo /etc/init.d/ipsec restart

[gstreeter]

Just came across this post. If you follow this then please DO NOT open and forward port 1701 on your firewall/router. You should only do this for ports 500 and 4500. The l2tp tunnel (port 1701) is encapsulated in the authenticated and encrypted IPsec session setup by Openswan. The l2tp server should not be exposed to the outside world as the tunnel is accessed by IPsec on the local server. Exposing the l2tp port 1701 to the internet is a security risk.

Also consider Strongswan in place of Openswan as the latter has not been regularly maintained. Better still is Openvpn which is simpler to deploy and has apps for all the major OS.

[Link1992]

Much thanks for your tutorial ! It works pretty well.

I am just having problems with booting... What ever I do, the services aren't launching, and I am not able to connect on the server.

To solve this, I have to type this on main user (same thing from SU) :

Code: Select all

sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart

I have tried to add these commands in rc.local, but It worked only once...
Anyone getting a solution on how I can make the command run on boot up ?

Thanks in advance !

Looks like I've found a workaround with crontab and shellscript.

Make a script of the two commands given above plus a sleep command before them (I used 30seconds)

it gives you something like this with nano :

Code: Select all

#!/sbin/bash
sleep30
sudo /etc/init.d/ipsec restart
sudo /etc/init.d/xl2tpd restart

Of course, make it executable ( sudo chmod your_script +x )

change the root's crontab and add :

Code: Select all

@reboot your_script.sh

seems to work :/

[Link1992]

If you follow this then please DO NOT open and forward port 1701 on your firewall/router. Exposing the l2tp port 1701 to the internet is a security risk.

Thanks for your advice !

[serviceweb]

Hi hello,
I'm here for the first time and i will tell you that i like Rapberry Pi a lot!!
But i have try to install VPN L2TP and i have a little problem.

When the Raspberry Pi starts up, i see no failed and everything is going perfect.
xL2tpd is starting too. But when i want to see if i have VPN on my iPhone, it it not working
He is telling me that he can't connect. What can be the problem?

I have done a ipsec verify and i have the same result like MAZINGER, here up (date 13 apr 2013).
But what is going wrong? Do i need to open 7201? and is IP range 198.168.1.60 - 192.168.1.65 good too?
In my router i have Maximum Number of DHCP Users: 65. So i think that the range is till 65?
I have a cisco router...

If anybody have a solution for me, please help me.
Thank you,
Marc

[Link1992]

Looks like I'm having the same problem... Probably an update, because everything was working fine a few weeks ago...
I'll go deeper into it when I am having more time

[Link1992]

seem's to be related to a security update of wheezy...
but still looking into a way for solving it...

[mazinger]

Hi,
Please _verify_ that all your router ports are open as UDP, I repeat UDP. I "discovered" that I read wrong instructions/did a mistake and 4500 and 500 were TCP = NOT WORKING!
It might be the case....
I hope it helps
Cheers

[Link1992]

Nope, worked perfectly with a backup dating january... A simple apt-get upgrade made everything kaput...

I'm trying to install strongswan instead, but compiling the last version is way to long... (Plus GMP library with check...)

[serviceweb]

I have try to put everything on UDP but it is still not working
Someone a new solution?

[serviceweb]

Nope, worked perfectly with a backup dating january... A simple apt-get upgrade made everything kaput... I'm trying to install strongswan instead, but compiling the last version is way to long... (Plus GMP library with check...)

So you tell us that there was a update and now it is not working anymore?

[Link1992]

Looks like.
I reset my Pi to zero, and I'll try to install everything again. I maybe added something which made everything not work anymore after an update...

But I previously restored my Pi from a backup made in january, and after an apt-get update/upgrade, it didn't work anymore...

[serviceweb]

Looks like.
I reset my Pi to zero, and I'll try to install everything again. I maybe added something which made everything not work anymore after an update...

But I previously restored my Pi from a backup made in january, and after an apt-get update/upgrade, it didn't work anymore...

Oh, cool... if you want to try and tell us if it is working before the january update.
and if it is possible to let us know after the apt-get update/upgrade. That will be great man.
Thanks already and i hope it will go fine!!

[Link1992]

Ok, so after a clean install (with avahi +netatalk installed before following this tutorial again), I can tell you it is still not working.

I used the lattest wheezy raspian image from Raspberrypi.org (january 2014) with every updates to do and nothing...
It's maybe related to the heartblood critical security problem...

I'll be back to the old fashion pptpd, but still working VPN. (even for windows clients)

Anyway, if someone solve the problem, I would be gratefull