How to Setup L2TP/IPSec VPN Server on Ubuntu 16.04

sudo apt-get install strongswan xl2tpd ppp lsof
echo “net.ipv4.ip_forward = 1” | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo nano /etc/ipsec.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
 
    auto=add
    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
 
    keyingtries=3
    #Only negotiate a conn. 3 times.
 
    ikelifetime=8h
    keylife=1h
 
    ike=aes256-sha1,aes128-sha1,3des-sha1
 
    type=transport
    #because we use l2tp as tunnel protocol
 
    left=1.2.3.4 # Your server's public IP
    #fill in server IP above
 
    leftprotoport=17/1701
 
    right=%any
    rightprotoport=17/%any
 
    dpddelay=10
    # Dead Peer Dectection (RFC 3706) keepalives delay
 
    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
 
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

sudo nano /etc/ipsec.secrets

1
%any : PSK "PASSWORD"

sudo nano /etc/xl2tpd/xl2tpd.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[global]
ipsec saref = yes
saref refinfo = 30
 
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
 
[lns default]
ip range = 192.168.1.2-192.168.1.100 ; IP address range for clients
local ip = 192.168.1.1 ; Local IP address for VPN server
require chap = yes
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

sudo nano /etc/ppp/options.xl2tpd

1
2
3
4
5
6
7
8
9
10
11
12
13
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

sudo nano /etc/ppp/chap-secrets

1
username        l2tpd   PASSWORD                *

sudo ipsec update
sudo ipsec reload
sudo ipsec restart
sudo service xl2tpd restart