L2TP / IPSec setup guide for CentOS 7

Reference: http://blog.earth-works.com/2013/02/22/how-to-set-up-openswan-l2tp-vpn-server-on-centos-6/

OpenVPN is easy to set up, but needs an extra program installation on client side. On the other hand, L2TP /IPSec is implemented in most operating systems such as Windows 7/8/10, MacOS, several Linux distributions, Android, iOS, and so on, so that we can connect to L2TP/IPSec VPN out-of-the-box with most operating systems.

In this article, we explained how to install L2TP/IPSec server on CentOS 7 Linux distribution.

1. Install epel repository for extra features in CentOS. This is necessary for l2tpd installation.

# sudo yum -y install epel-release

2. Install necessary packages.

# yum install lsof man openswan xl2tpd

3. Design the network and think of the range of IP addresses. In this article, we use the following IP address ranges. Please note that we configure the VPN as the part of the current LAN network of the VPN server, thus VPN-connected clients will join the LAN network.

[Physical settings that already configured]

• 192.168.0.0 / 24 : Physical network of LAN that resides VPN server
• 192.168.0.1 : Physical IP address of VPN server. (Already set up)

[VPN networks using for VPN setting]

• 192.168.0.201 : Local IP used by VPN server for L2TP tunnel. You can choose IP in the LAN network range.
• 192.168.0.202-250 : Local IP range for VPN-connected clients.

4. Allow IP forwarding for NAT in /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

5. Reload sysctl to make the config effective

sysctl -p

7. /etc/rc.local

for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
        echo 0 > $each/rp_filter
done

8. /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version       2.0    # conforms to second version of ipsec.conf specification
# basic configuration
config setup
       protostack=netkey
       plutostderrlog=/var/log/pluto.log
       interfaces="%defaultroute"
       plutodebug=none
       virtual_private=%v4:192.168.0.0/24
       nat_traversal=yes
conn L2TP-PSK
       authby=secret
       pfs=no
       auto=add
       keyingtries=3
       type=transport
       left="%defaultroute"
       leftprotoport=17/1701
       right=%any
       rightprotoport=17/0
       # Apple iOS doesn't send delete notify so we need dead peer detection
       # to detect vanishing clients
       dpddelay=10
       dpdtimeout=90
       dpdaction=clear
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

9. Generate a key file to /etc/ipsec.secrets

ipsec newhostkey --output /etc/ipsec.secrets --verbose --configdir /etc/pki/nssdb/

10. Add the PSK key (shared between clients/server) at the end of /etc/ipsec.secrets

192.168.0.1      %any:     PSK     "yourPSKHere"

11. /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 192.168.0.1
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; works around bug: http://bugs.centos.org/view.php?id=5832
force userspace = yes

;
[lns default]
ip range = 192.168.0.202-192.168.0.250
local ip = 192.168.0.201
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = CentOSVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

12. Update DNS server (ms-dns) on /etc/ppp/options.xl2tpd

ms-dns 8.8.8.8

13. Add ID/PW of users at /etc/ppp/chap-secrets

# client        server  secret                  IP addresses
user1           *       sgrongPassword1         *
user2           *       strongPassword2         *

13-1. Alternatively, use Linux's ID/PW for login. Follow the instructions on this article:
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html#Local_user_(PAM//etc/passwd)_authentication

14. Setup iptables

#Allow ipsec traffic
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
#Do not NAT VPN traffic
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
#Save your configuration
iptables save

15. Enable and start services

systemctl enable ipsec
systemctl start ipsed
systemctl enable xl2tpd
systemctl start xl2tpd

16. Configure clients (Windows/Mac/Linux/etc..)

• Type of VPN: L2TP/IPSec
• L2TP Security: choose pre-shared key for authentication. Put the PSK ("yourPSKHere") configured in Step 10.
• ID/PW: ones set up in Step 13