How to configure IPSec/L2TP VPN server in CentOS 6

I’ve been using PPTP as a VPN solution for a while (despite its security obsolescence), however I have the feeling that one of my ISPs has started filtering and/or throttling PPTP traffic that goes outside its network.

As a result, I had to look for an alternate VPN system to use when I need to dial back to my home network while on the move to access my media library or when I require a trusted connection or a whitelisted IP.

The next best thing (and least complicated to set up going from PPTP) is IPSec/L2TP, which has built-in support in most current operating systems (including Windows, Linux and Android).

Prerequisites

Due to its double-encapsulation nature (L2TP performs the tunnelling of data and IPSec provides the encrypted channel), L2TP/IPSec has a more complex setup and configuration procedure, both for the server and the client:

  • OpenSWAN provides the IPSec component, encapsulating packets from the client to/from the server, providing basic network connectivity and authentication. On connection, the client provides a pre-shared key to the server, and then OpenSWAN establishes the IPSec tunnel and passes control to xl2tpd.
  • xl2tpd provides the component which connects the two networks (the client’s and the server’s) together. It talks to pppd to authenticate a user, and then makes that user appear on the local network as some IP in its defined range.
  • pppd provides authentication for users.

This way, there are two secrets required – one for the IPSec component provided by OpenSWAN (set as the pre-shared key), and one for the actual user account which is connecting to the VPN.

The addresses used in the configurations below are as follows – adjust them to suit your specific network setup:

  • 192.168.1.0/24 – local LAN network range
  • 192.168.1.100 – LAN IP of VPN server (also running the DNS server)
  • 192.168.1.1 – peer local IP of the L2TP VPN
  • 192.168.1.101-120 – local IP range used for the L2TP tunnels, outside of the DHCP allocation range
  • 192.168.1.254 – router NATting internet traffic for the LAN

Packages

To set up a server on CentOS, we start by installing the necessary software:
yum install openswan xl2tpd ppp    # pppd is provided by the ppp package
chkconfig ipsec on
chkconfig xl2tpd on

Then edit /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

Edit /etc/rc.local and add the following at the end:

IPSec

Edit /etc/ipsec.conf to contain:

Next edit /etc/ipsec.secrets and define the PSK secret (preshared key as it’s named in most clients) for IPSec:

Xl2tpd

Moving on to xl2tp, edit /etc/xl2tpd/xl2tpd.conf to contain:

Then /etc/ppp/options.xl2tpd:

The last step is to edit /etc/ppp/chap-secrets and insert records for all logins allowed into the VPN:

Finalizing

Almost done. (Re)start the services:
service ipsec restart
service xl2tpd restart

And you should be able to connect from your Windows, Linux or Android clients (tutorials coming soon).
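Before connecting, it is worth checking the few things this setup depends on: that the PSK in /etc/ipsec.secrets is not trivially short, that the two secrets files are not readable by other users, that net.ipv4.ip_forward is really set, and that /etc/ppp/chap-secrets carries no weak account passwords. The audit helper below is an added example, not part of the original tutorial or the Openswan/xl2tpd projects; it takes file paths as arguments so it runs against the constructed sample files from make_samples as well as the real /etc files, and it assumes GNU stat (as on CentOS).

```shell
#!/bin/sh
# Added audit helper for the L2TP/IPSec setup above (not from the original post).
# File paths are arguments so the checks run against constructed copies as well
# as /etc/ipsec.secrets, /etc/ppp/chap-secrets and /etc/sysctl.conf.

# 0 if the secrets file grants no group/other access (mode ?00), else 1.
secrets_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat assumed
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints the length of the first PSK in an ipsec.secrets file (0 if none).
# Openswan format: <local> <remote> : PSK "secret"
psk_length() {
    len=$(sed -n 's/.*:[[:space:]]*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
          | head -n 1 | awk '{ print length($0) }')
    echo "${len:-0}"
}

# 0 if the last uncommented net.ipv4.ip_forward line in sysctl.conf sets it to 1.
ip_forward_enabled() {
    v=$(grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" \
        | tail -n 1 | sed 's/.*=[[:space:]]*//')
    [ "$v" = "1" ]
}

# Prints chap-secrets users (field 1) whose secret (field 3) is shorter than $2.
# chap-secrets format: <client> <server> <secret> <IP addresses>
weak_chap_users() {
    awk -v min="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        { gsub(/"/, "", $3); if (length($3) < min) print $1 }
    ' "$1"
}

# Writes constructed sample files into a temp directory and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' \
        '192.168.1.100 %any : PSK "short"' > "$d/ipsec.secrets"
    printf '%s\n' '# client  server  secret  IP' \
        'alice  *  "correct-horse-battery"  *' \
        'bob    *  "pw"  *' > "$d/chap-secrets"
    printf '%s\n' '# net.ipv4.ip_forward = 0' \
        'net.ipv4.ip_forward = 1' > "$d/sysctl.conf"
    chmod 600 "$d/ipsec.secrets"
    chmod 644 "$d/chap-secrets"
    echo "$d"
}
```

On a live server, run the checks against the real paths (for example `psk_length /etc/ipsec.secrets` and `weak_chap_users /etc/ppp/chap-secrets 12`) and fix whatever they flag before exposing the service.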

Source: this tutorial is pretty much a copy of IPSec/L2TP VPN Server on CentOS 6 (PSK)
