L2TP/IPsec with PSK with Libreswan
In this scenario, Layer 2 Tunneling Protocol (L2TP) is combined with IPsec. This arrangement uses fixed port numbers and is therefore easily blocked by censors. Also, a preshared key (PSK) is not particularly secure. Nevertheless, there may be situations where ease-of-use is your top priority. Many client devices support L2TP/IPsec PSK without the installation of additional software.
This configuration requires xL2TPd as well as Libreswan. For a simpler configuration, review the article on IPsec with Libreswan.
The article on this page will show you how to create an L2TP/IPsec server on CentOS 8. Note that CentOS 8 reaches end-of-life on December 31, 2021.
In the examples, your workstation is at IP address xx.xx.xx.xx
, and the server is at IP address yy.yy.yy.yy
. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.
We also give instructions for an Android device as a sample client. Mobile devices are easily tracked and strongly linked to an individual. Again, we assume ease-of-use is your main concern in this scenario and that you are in a country where L2TP/IPsec is not blocked.
1. Server
1.1. Install and Configure Firewall
We begin by installing a firewall and configuring it to accept IPsec. We also masquerade outgoing IP addresses. Issue the commands that follow:
yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent
For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx
, make that the only IP address that will be trusted for SSH access:
firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent
1.2. Allow Forwarding
Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d
:
vi /usr/lib/sysctl.d/40-ipv4-forward.conf
Insert a single line:
net.ipv4.ip_forward=1
Save the file. Make this change effective immediately.:
sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf
1.3. Install Packages
Add the Extra Packages for Enterprise Linux repository:
yum install epel-release -y
Install LibreSwan and xL2TPd:
yum install libreswan xl2tpd -y
1.4. Set Up Preshared Key
Edit the IPsec secrets file:
vi /etc/ipsec.d/psk.secrets
Insert a line with your preshared key. We will use as an example a preshared key of ArialBrainChimpDentsEarth
:
%any: PSK "ArialBrainChimpDentsEarth"
Save the file.
1.5. Configure Libreswan
Create a new file for L2TP/IPsec connections with a preshared key:
vi /etc/ipsec.d/l2tp-ipsec-psk.conf
Insert lines specifying a configuration like this:
conn ikev1 authby=secret pfs=no auto=add rekey=no left=%defaultroute right=%any ikev2=never ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024 esp=aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1;modp1024 type=transport leftprotoport=17/1701 rightprotoport=17/%any dpddelay=15 dpdtimeout=30 dpdaction=clear conn ikev1-nat also=ikev1 rightsubnet=vhost:%priv
Save the file.
1.6. Configure xL2TPd
Edit the xL2TPd configuration file:
vi /etc/xl2tpd/xl2tpd.conf
Insert a configuration like this. Change the virtual IP address range and local IP of the server if you wish.
[global] ipsec saref = yes [lns default] ip range = 10.0.8.64-10.0.8.127 local ip = 10.0.8.1 require chap = yes refuse pap = yes require authentication = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
Save the file. If you want more explanation of what the options do, issue the command:
man xl2tpd.conf
1.7. Configure Point-to-Point Protocol Options
Edit the Point-to-Point Protocol options file:
vi /etc/ppp/options.xl2tpd
Insert a configuration like this:
ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 1.1.1.1 noccp auth idle 1800 mtu 1410 mru 1410 nodefaultroute debug proxyarp connect-delay 5000
Save the file. If you want more explanation of what the options do, issue the command:
man pppd
1.8. Set Up Usernames and Passwords
Edit the Point-to-Point Protocol secrets file:
vi /etc/ppp/chap-secrets
Insert usernames and passwords like this:
# Secrets for authentication using CHAP # client server secret IP addresses alice * "ku9mvc94" * bob * "szkkzg2s" * carol * "dft97m29" *
Save the file.
1.9. Start Libreswan
Start Libreswan after every reboot, and also start it now:
systemctl enable ipsec
systemctl start ipsec
1.10. Start xL2TPd
Start xL2TPd after every reboot, and also start it now:
systemctl enable xl2tpd
systemctl start xl2tpd
1.11. Check Libreswan and xL2TPd
Check that Libreswan and xL2TPd are active and running:
systemctl status ipsec
systemctl status xl2tpd
2. Android Client
The place where you add a VPN in Android varies from release to release. It may be under Settings > Network & Internet > Advanced > VPN or it may be under Settings > Connections > More networks > VPN.
Add a new VPN:
- Name is whatever you want, e.g.
yy.yy.yy.yy
- Type is L2TP/IPsec PSK
- Server address in our example is
yy.yy.yy.yy
- L2TP secret is blank
- IPsec identifier is blank
- IPsec pre-shared key is
ArialBrainChimpDentsEarth
in our example - Username
alice
- Password
ku9mvc94
Click Save. Select the VPN, and click Connect.
3. Note for Windows Clients
If you try this with a Windows client, it will be necessary to change the adapter settings for the L2TP/IPsec adapter. Right-click on the L2TP/IPsec adapter, and select Properties. On the Security tab, select the radio button for Allow these protocols. Check the boxes for Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP Version 2 (MS-CHAP v2).
Also, it would be better to edit the Windows registry to allow use of modp2048
. This would allow the use of stronger Diffie-Hellman groups than the modp1024
(DH group 2) in our example configuration. To edit the registry, press the Win+r keys, type regedit
, then press Enter. Navigate to HKEY_LOCAL_MACHINE
> SYSTEM
> CurrentControlSet
> Services
> Rasman
> Parameters
. Insert a new DWORD (32-bit value). The name is NegotiateDH2048_AES256
. The value is 1
, which means enable AES-256-CBC and MODP-2048.
4. Get Help and Report Issues
For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.
Updated 2021-06-17