Setting up a VPN server with Ubuntu 10.04 and strongswan at Agit8

Setting up a VPN server with Ubuntu 10.04 and strongswan

This is an unformatted brain dump of my experiences getting a VPN server set up using Ubuntu 10.04 LTS. My target was to get this solution working with native Mac OS X clients as well as Microsoft Windows XP, Vista and 7 clients. I wanted to simply have to give my clients a username, password and pre-shared key and they would have everything they needed to connect to the VPN. I was able to get this working with strongswan (and not openswan) together with xl2tpd.

- Clear any install of strongswan or openswan:

apt-get remove strongswan strongswan-dbg strongswan-ikev1 strongswan-ikev2 strongswan-nm strongswan-starter libstrongswan openswan

- Install xl2tpd (l2tp server), libfcgi0ldbl, ipsec-tools and libcurl3 (strongswan dependencies)

apt-get install xl2tpd libfcgi0ldbl ipsec-tools libcurl3

- Install the 4.5.0 backported package files (downloadable here).

This is required since I had trouble with the default Ubuntu 10.04 strongswan packages (4.3.1) when authenticating native Windows clients with a PSK, so I simply took the *unstable* version of strongswan 4.5.0 and built it under a fresh 10.04 install. I also enabled the NAT transport option (IPsec transport mode through NAT) at compile time, since the 4.3.1 packages that ship with 10.04 don't have this option activated.

If these packages don't work for you, simply build your own.


dpkg -i \
strongswan_4.5.0-1ubuntu2_all.deb \
strongswan-dbg_4.5.0-1ubuntu2_i386.deb \
strongswan-ikev1_4.5.0-1ubuntu2_i386.deb \
strongswan-ikev2_4.5.0-1ubuntu2_i386.deb \
strongswan-nm_4.5.0-1ubuntu2_i386.deb \
strongswan-starter_4.5.0-1ubuntu2_i386.deb

/etc/ipsec.conf:


config setup
nat_traversal=yes
plutostart=yes
charonstart=yes

conn L2TP-VPN
type=transport
keyexchange=ikev1
keyingtries=3
authby=psk
pfs=no
rekey=no
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnetwithin=0.0.0.0/0
auto=add

Here we define the IPsec part of our L2TP over IPsec VPN connection.

We specify transport mode (type=transport) and force the use of IKEv1 (keyexchange=ikev1). This is important because since 4.5.0 strongswan defaults to IKEv2, and at this time fewer clients use it (native Windows XP and native Mac OS X still use IKEv1). We authenticate the IPsec layer with a pre-shared key that we give to our clients (authby=psk). The left side of the link is the server itself (left=%defaultroute, the default route being the current main IP), and the right side can be anything (right=%any). We specify rightprotoport=17/%any because OS X clients do not use source port 1701 when connecting. pfs=no makes sure perfect forward secrecy is not enabled, since our mainstream clients do not support it. rekey=no makes sure the VPN server will not initiate a rekey by itself. auto=add loads the connection at startup so it is ready to respond when an incoming client matches it.

/etc/ipsec.secrets:


< SERVER_PUBLIC_IP > %any: PSK "< YOUR_PRESHARE_KEY_STRING >"

Here you put the pre-shared key for your VPN server. Together with a username and password, this is the information clients need in order to connect.

/etc/xl2tpd/xl2tpd.conf:


[global]
port = 1701
listen-addr = < SERVER_PUBLIC_IP >
ipsec saref = no

[lns default]
ip range = 172.16.45.2-255
local ip = 172.16.45.1
require authentication = yes
refuse pap = yes
require chap = yes
pppoptfile = /etc/ppp/options.xl2tpd
ppp debug = yes
name = < SERVER_NAME >
length bit = yes

Setting listen-addr is important: without it the daemon may not listen correctly once the IPsec link is up. The default Ubuntu 10.04 kernel does not come with SAref support, so we explicitly disable it. We require authentication on this link and refuse clear-text passwords (PAP); authentication must use CHAP, with the accounts defined in /etc/ppp/chap-secrets.
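The settings called out above for ipsec.conf and xl2tpd.conf, plus the dotted-netmask problem mentioned in the note at the end of the post, are easy to get wrong in a hand-edited file. As an added example (not part of the original post), this small Python pre-flight lint parses both config formats and reports the settings that differ from what the post requires, any "< PLACEHOLDER >" left in, and any network written with a dotted mask; the sample config at the bottom is constructed.

```python
# Added example, not from the original post: a pre-flight lint for the settings it explains.
import re

# ipsec.conf headers are "config setup" / "conn NAME"; xl2tpd.conf uses "[NAME]".
HEADER = re.compile(r"^(?:\[([^\]]+)\]|((?:conn|config)\s+\S+))$")
DOTTED_MASK = re.compile(r"/\d{1,3}(?:\.\d{1,3}){3}")  # e.g. /255.255.255.248

def parse_conf(text):
    """Parse ini-like key=value text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1) or m.group(2)).strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

# (section, key, expected): IKEv1 transport mode with a PSK and any client
# source port for ipsec.conf; SAref off, PAP refused, CHAP required for xl2tpd.
IPSEC_RULES = [("conn L2TP-VPN", "type", "transport"),
               ("conn L2TP-VPN", "keyexchange", "ikev1"),
               ("conn L2TP-VPN", "authby", "psk"),
               ("conn L2TP-VPN", "rightprotoport", "17/%any")]
XL2TPD_RULES = [("global", "ipsec saref", "no"),
                ("lns default", "refuse pap", "yes"),
                ("lns default", "require chap", "yes")]

def lint(text, rules):
    """Return the problems found in config text; an empty list means it passes."""
    sections = parse_conf(text)
    problems = [f"{sec}: {key}={sections.get(sec, {}).get(key)!r}, want {want!r}"
                for sec, key, want in rules if sections.get(sec, {}).get(key) != want]
    for sec, kv in sections.items():
        for key, value in kv.items():
            if "<" in value:  # a "< SERVER_PUBLIC_IP >" placeholder was left in
                problems.append(f"{sec}: {key} still holds a placeholder")
            if DOTTED_MASK.search(value):  # post's note: dotted masks crashed charon 4.5.0
                problems.append(f"{sec}: {key} uses a dotted netmask, use /prefix")
    return problems

# Constructed sample: the post's conn with three mistakes planted for the lint to catch.
BAD_IPSEC = ("conn L2TP-VPN\ntype=transport\nkeyexchange=ikev2\nauthby=psk\n"
             "rightsubnetwithin=0.0.0.0/255.255.255.248\n")
```

Run lint(open("/etc/ipsec.conf").read(), IPSEC_RULES) and the xl2tpd equivalent before starting the services; an empty list means the file matches the post.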

/etc/ppp/options.xl2tpd:


require-mschap-v2
ms-dns < YOUR_DNS_SERVER >
asyncmap 0
auth
crtscts
idle 1800
lock
hide-password
modem
debug
name < SERVER_NAME >
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1410
mru 1410
connect-delay 500

- /etc/ppp/chap-secrets:


myusername * mypassword *
myotherusername * myotherpassword *

- Start xl2tpd and ipsec:


service xl2tpd start
service ipsec start

- Firewall rules to allow incoming connections for ESP, ISAKMP (UDP 500), L2TP (1701), PPTP (1723) and NAT traversal (UDP 4500):


-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT

Lastly, for your firewall you will have to decide what your VPN users are allowed to see and reach. You can firewall them specifically by matching the ppp+ interfaces in your iptables rules.

(e.g.: -A FORWARD -i ppp+ -d < SERVER_HOST > -p tcp -m tcp --dport 22 -j ACCEPT )


* Note: There is an issue with the 4.5.0 packages in which describing networks in ipsec.conf with a full netmask (e.g. 255.255.255.248) causes the charon daemon to die. Using prefix notation instead (/29) works correctly; this is probably a bug in that version.

Connections should now work from iPhones, iPads and native Windows clients as well as OS X, provided you use the right credentials! I tested on Android 2.2+ and was able to connect correctly. I wouldn't use these specific versions in production, but the process of setting it up and understanding the issues has been somewhat entertaining.

I hope this helped someone.

-b

4 Responses to “Setting up a VPN server with Ubuntu 10.04 and strongswan”


  1. flemieux Says:

    Worked like a charm!

    I have been trying for a good while to make xl2tpd + openswan work with MAC OS + Windows 7, and even iPhone, to no avail.

    With the above instructions, it took an hour and everything works perfect!

    Thanks for the clear instructions


  2. Justin Says:

    Hi Bault,

    An easier but slightly less secure solution for setup on the server and client setup is to just use PPTP VPN. I believe all you need to do is apt-get install poptop and then enable ipv4_forward.


  3. Benoit Beausejour Says:

    Hi Justin!

    True, using PPTP can be a lot easier, but my requirement was to still maintain an IPSec layer, which is more secure overall than the single PPTP protocol. I also have IPSec tunnels to maintain and wanted to keep a single solution up. It was a real pain to work around package bugs though, but in the end it works really well with StrongSwan 4.5.0+ :)


  4. Sharie Bookard Says:

    Nice post, it's really helpful for iPad users.
