strongSwan + xl2tpd VPN server: how to configure several config files?
Don't use aggressive mode; the connection will be less secure. Anyway, try this configuration. I use it on my VPN server with strongswan-5.3.5 and xl2tpd-1.3.6.
ipsec.conf

```
config setup
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s

conn L2TP
    dpdaction=clear
    # Server IP
    left=192.168.1.130
    # Server default gateway
    leftnexthop=192.168.1.254
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    leftauth=psk
    rightauth=psk
    leftid="<insert-the-public-ip-here>"
    ikelifetime=1h
    keylife=8h
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    auto=add
    keyexchange=ike
    type=transport

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
```

ipsec.secrets

```
<insert-the-left-id-here> %any : PSK "<my-password>"
```

/etc/xl2tpd/xl2tpd.conf

```
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no

[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
```

/etc/ppp/options.xl2tpd

```
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
ifname l2tp
login
```

/etc/ppp/chap-secrets

```
username * "l2tppassword" *
```

restart services

```
sudo service strongswan restart
sudo service xl2tpd restart
```
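As an added, stand-alone check (not from the original answer or from strongSwan itself), this Python script parses an ipsec.conf laid out like the one above and reports the conn settings that produce the "found 1 matching config, but none allows pre-shared key authentication using Main Mode" error from the question, while flagging the weaker proposals (MD5, 3DES, modp1024) that the answer's ike=/esp= lines still accept. Section and parameter names are strongSwan's own; the sample config embedded at the bottom is constructed for the demonstration.

```python
WEAK = ("md5", "3des", "modp1024")  # reported as warnings, not errors

def parse_ipsec_conf(text):
    # Return {section: {key: value}}; parameters must be indented under
    # their "config setup" / "conn NAME" line, as strongSwan requires.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def check_l2tp_conn(conn, defaults=None):
    """Return (errors, warnings) for a conn after merging 'conn %default' under it."""
    cfg = dict(defaults or {})
    cfg.update(conn)
    errors, warnings = [], []
    psk = (cfg.get("leftauth") == "psk" and cfg.get("rightauth") == "psk") \
        or cfg.get("authby") == "secret"
    if not psk:
        errors.append("no PSK auth: set leftauth=psk/rightauth=psk (or authby=secret)")
    if cfg.get("keyexchange", "ike") not in ("ike", "ikev1"):
        errors.append("keyexchange excludes IKEv1, which L2TP/IPsec clients need")
    if cfg.get("aggressive") == "yes":
        errors.append("aggressive=yes sends the PSK-derived hash unencrypted; keep Main Mode")
    if cfg.get("type") != "transport":
        errors.append("L2TP/IPsec needs type=transport")
    for key in ("ike", "esp"):
        for prop in filter(None, cfg.get(key, "").split(",")):
            if any(w in prop for w in WEAK):
                warnings.append(f"{key} proposal '{prop}' uses a weak primitive")
    return errors, warnings

# Constructed sample in the answer's layout (indented, as strongSwan requires).
SAMPLE = """conn %default
    keyingtries=%forever
conn L2TP
    leftauth=psk
    rightauth=psk
    leftprotoport=17/1701
    keyexchange=ike
    type=transport
    ike=aes128-sha1-modp1536,3des-md5-modp1024
"""
```

Run it against the real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())` and pass the `conn L2TP` and `conn %default` dictionaries to `check_l2tp_conn`.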
Taiki Bessho
Updated on September 18, 2022

Comments
-
Taiki Bessho over 1 year
I set up my VPN server with strongSwan and xl2tpd on Ubuntu server 16.04. After configuring, I tried to connect from an iPad, but got the errors as follows:

```
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (788 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received FRAGMENTATION vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received DPD vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (136 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (380 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] local host is behind NAT, sending keep alives
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (396 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] received packet: from 61.205.5.249[4500] to 192.168.193.3[4500] (108 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] sending packet: from 192.168.193.3[4500] to 61.205.5.249[4500] (108 bytes)
```

I thought the critical point of the error is "found 1 matching config, but none allows pre-shared key authentication using Main Mode". Does anyone know how to resolve this error?

I found an answer for this problem that suggested adding "aggressiveness=yes" to /etc/ipsec.conf and tried it, but it didn't work... (Maybe I added the line "aggressiveness=yes" in the wrong position... I'm a beginner in Linux...)

I set up the config files by following this site: http://qiita.com/namoshika/items/30c348b56474d422ef64 (I'm sorry, but it's written in Japanese... I think you can read the code parts at least.)

If someone could tell me about reliable instruction documents for setting up a VPN server on Ubuntu 16.04 with L2TP/IPsec, I would appreciate it.
-
Taiki Bessho about 7 years
Additionally, I needed to add a line:

```
* l2tpd "" *
```

to /etc/ppp/pap-secrets and it worked!!! Thank you!!
-
Taiki Bessho about 7 years
Again, if you want to use CHAP authentication, you should write the line

```
username * "l2tppassworddesu" *
```

to /etc/ppp/chap-secrets instead of /etc/ppp/pap-secrets
-
marstone over 6 years
Works for me, except that leftnexthop is deprecated in Ubuntu 16.04 LTS.
-
DarkVex over 6 years
@marstone yes, you're right! It's deprecated starting from version 5.0.0 of strongSwan (wiki.strongswan.org/projects/strongswan/wiki/…)