L2TP Linux Server and Client Setup

This article is about setting up an L2TP VPN server and client with open-source tools.

What is L2TP VPN: L2TP stands for Layer 2 Tunneling Protocol. It works at layer 2 of the TCP/IP stack with the help of PPP. L2TP is an IETF standard for tunneling the Point-to-Point Protocol (PPP) across any intervening network. It forwards data transparently from an L2TP access concentrator (LAC) to an L2TP network server (LNS). The LAC may be an individual host or an ISP's network access server.

Why use an L2TP tunnel:

L2TP provides data-independent framing.

Ability to multiplex IP and non-IP protocols.

Tunnel endpoint authentication.

Dynamic address (DHCP) assignment.

Portable across all operating systems.

Why not use an L2TP tunnel:

Old technology.

No data encryption by default (an additional encryption layer, such as IPsec, has to be installed on top).

No active community for further development and plugins.

Network details:

Office Network:

LAN: 192.168.10.0/24

Firewall public IP address: 1.2.3.4

Firewall OS: CentOS 5.7

Home Network:

LAN: 192.168.1.0/24 (not so relevant)

User with a dynamic IP address.

Desktop/Laptop OS: Ubuntu 10.04

Network Diagram: [image: L2tp vpn]

Office Side:

We have to harden CentOS as a router. Hardening the OS is outside the scope of this article; we cover only the L2TP parts here.

CentOS does not ship an L2TP package, so we need to download the source and compile it ourselves.

Steps (assuming you have root privileges):

1. Download xl2tpd, then compile and install it. Here we use the xl2tpd package from Xelerance.com.

cd /root/
yum install gcc
yum install libpcap
yum install libpcap-devel
wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
tar -zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
./configure
make
make install

The application gets installed under /usr/local; the xl2tpd and xl2tpd-control binaries end up in /usr/local/sbin. You have to create the configuration directory and copy the default config file:

mkdir /etc/xl2tpd
cp /root/xl2tpd-1.3.0/examples/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf

On the server side you need to make sure the following section is uncommented (xl2tpd.conf uses ';' for comments):

[global]
listen-addr = 1.2.3.4        ; the public IP address towards the Internet

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = office
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Then edit the /etc/ppp/options.xl2tpd file as below:

name pppd
ms-dns  8.8.8.8     # Replace with your local DNS server IP if you have one.
ms-dns  4.2.2.2     # Replace with your local secondary DNS server if you have one.
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

One more file you need to edit here is /etc/ppp/chap-secrets:

*    *     password     *                         # Replace with your password.
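The server-side files above are where the security of this setup is decided: the [lns] section must refuse PAP and require CHAP, and the `* * password *` line in chap-secrets lets any peer name authenticate with that one secret. The following script is an added example (not part of xl2tpd or this article's configuration) that parses both files and reports the settings a reviewer would flag; the sample texts are constructed from the configuration shown above, the second chap-secrets entry (client `alice`, pool address 192.168.1.130) and the 12-character secret threshold are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the server-side xl2tpd.conf from this article.
SAMPLE_XL2TPD_CONF = """\
[global]
listen-addr = 1.2.3.4      ; public IP towards the Internet

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = office
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
"""

# Constructed sample chap-secrets: the article's wildcard line plus one
# (assumed) entry scoped to a single client name and a single pool address.
SAMPLE_CHAP_SECRETS = """\
# client   server   secret               IP addresses
*          *        password             *
alice      office   Kp7-vQ2x-mN9s-Lw4e   192.168.1.130
"""


def parse_xl2tpd_conf(text):
    """Return {section: {key: value}} from xl2tpd.conf text.

    xl2tpd treats everything after ';' on a line as a comment and allows
    spaces inside keys ("ip range"), so a small hand-written parser is used.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_chap_secrets(text):
    """Return (client, server, secret, addresses) tuples; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        client, server, secret = fields[:3]
        addresses = fields[3] if len(fields) > 3 else "*"
        entries.append((client, server, secret, addresses))
    return entries


def audit(conf_text, secrets_text, peer_lans=()):
    """Return a list of findings; an empty list means nothing was flagged.

    peer_lans: networks the remote clients sit on (their home LANs). The PPP
    pool must not overlap them, or the client ends up with two routes for
    the same prefix.
    """
    findings = []
    conf = parse_xl2tpd_conf(conf_text)
    lns = next((v for k, v in conf.items() if k.startswith("lns")), {})

    for key in ("require chap", "require authentication", "refuse pap"):
        if lns.get(key, "no").lower() != "yes":
            findings.append(f"lns: '{key}' is not 'yes'")
    if "listen-addr" not in conf.get("global", {}):
        findings.append("global: no listen-addr, so xl2tpd binds every interface")

    pool = lns.get("ip range", "")
    if "-" in pool:
        low, high = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        for lan in peer_lans:
            net = ipaddress.ip_network(lan)
            if low in net or high in net:
                findings.append(f"lns: ip range {pool} overlaps client LAN {lan}")

    for client, server, secret, _addresses in parse_chap_secrets(secrets_text):
        if client == "*" and server == "*":
            findings.append("chap-secrets: '* *' entry lets any peer name use that secret")
        if len(secret) < 12:  # assumed minimum length for this check
            findings.append(f"chap-secrets: secret for client {client!r} is shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XL2TPD_CONF, SAMPLE_CHAP_SECRETS, ("192.168.1.0/24",)):
        print(finding)
```

Run against the article's own values with the home LAN passed as `peer_lans`, the script flags the pool overlap with 192.168.1.0/24, the wildcard chap-secrets entry and the short secret; the scoped `alice` entry passes, which is the shape to aim for once the tunnel works.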

Client Side Setup

I have selected Ubuntu 10.04 as the client side OS. The advantage with Ubuntu is that you can directly install xl2tpd from the repository. No need for the compilation. You can select Ubuntu as the server instead of CentOS. It works perfectly fine. For a choice I have selected CentOS as the server and Ubuntu as the client.

apt-get install ppp
apt-get install xl2tpd

After installing the packages, edit /etc/xl2tpd/xl2tpd.conf and make sure the following entries are present:

[lac office]                                  ; your remote LNS name
lns = 1.2.3.4                                 ; your remote LNS public IP address
pppoptfile = /etc/ppp/options.xl2tpd.client

And the /etc/ppp/options.xl2tpd.client file contains the following:

refuse eap
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000

Edit /etc/ppp/chap-secrets as below:

*       *       password

Now all the configuration files are done. We need to run the VPN as below.

How to Run the VPN Connection

On the server side run:

# /usr/local/sbin/xl2tpd -D

You should see output similar to this:

xl2tpd[25550]: setsockopt recvref[22]: Protocol not available
xl2tpd[25550]: This binary does not support kernel L2TP.
xl2tpd[25550]: xl2tpd version xl2tpd-1.3.0 started on test-centos PID:25550
xl2tpd[25550]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[25550]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[25550]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[25550]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[25550]: Listening on IP address 1.2.3.4, port 1701

Now your server is running and waiting for the client to connect.

On the client side you need to run the daemon and then issue a control command to connect.

Run the daemon as below:

/usr/sbin/xl2tpd -D

Then run the control command as below:

echo "c office" > /var/run/xl2tpd/l2tp-control

On the server side you should be able to see:

xl2tpd[25550]: control_finish: Peer requested tunnel 58539 twice, ignoring second one.
xl2tpd[25550]: control_finish: Peer requested tunnel 58539 twice, ignoring second one.
xl2tpd[25550]: Connection established to 117.192.244.193, 21456.  Local: 31936, Remote: 58539 (ref=0/0).  LNS session is 'default'
xl2tpd[25550]: start_pppd: I'm running:
xl2tpd[25550]: "/usr/sbin/pppd"
xl2tpd[25550]: "passive"
xl2tpd[25550]: "nodetach"
xl2tpd[25550]: "192.168.1.99:192.168.1.128"
xl2tpd[25550]: "refuse-pap"
xl2tpd[25550]: "auth"
xl2tpd[25550]: "require-chap"
xl2tpd[25550]: "name"
xl2tpd[25550]: "office"
xl2tpd[25550]: "debug"
xl2tpd[25550]: "file"
xl2tpd[25550]: "/etc/ppp/options.xl2tpd"
xl2tpd[25550]: "ipparam"
xl2tpd[25550]: "4.3.2.1"
xl2tpd[25550]: "/dev/pts/1"
xl2tpd[25550]: Call established with 4.3.2.1, Local: 33438, Remote: 5927

Where 4.3.2.1 is the NATed public IP address of your laptop.
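The server-side output above is also the record of who connected: each "Connection established" line names the peer's public address and the tunnel IDs, and each "Call established" line the PPP session that followed. The script below is an added example (not part of xl2tpd) that parses such lines so a defender can list peers, spot addresses outside an allow-list and notice peers that open tunnels without completing a call. The log lines are constructed after the format shown above; 4.3.2.1 is the article's placeholder for the laptop and 198.51.100.77 is an assumed second peer.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the server-side "xl2tpd -D" output above.
# 4.3.2.1 is the article's placeholder peer; 198.51.100.77 is an assumed peer
# that opens two tunnels but completes only one PPP call.
SAMPLE_SERVER_LOG = """\
xl2tpd[25550]: Listening on IP address 1.2.3.4, port 1701
xl2tpd[25550]: control_finish: Peer requested tunnel 58539 twice, ignoring second one.
xl2tpd[25550]: Connection established to 4.3.2.1, 21456.  Local: 31936, Remote: 58539 (ref=0/0).  LNS session is 'default'
xl2tpd[25550]: Call established with 4.3.2.1, Local: 33438, Remote: 5927
xl2tpd[25550]: Connection established to 198.51.100.77, 40112.  Local: 31937, Remote: 12001 (ref=0/0).  LNS session is 'default'
xl2tpd[25550]: Call established with 198.51.100.77, Local: 33439, Remote: 12002
xl2tpd[25550]: Connection established to 198.51.100.77, 40113.  Local: 31938, Remote: 12003 (ref=0/0).  LNS session is 'default'
"""

# Tunnel (control connection) and call (PPP session) lines as xl2tpd prints them.
TUNNEL_RE = re.compile(
    r"Connection established to (?P<peer>[\d.]+), (?P<port>\d+)\.\s+"
    r"Local: (?P<local>\d+), Remote: (?P<remote>\d+)")
CALL_RE = re.compile(
    r"Call established with (?P<peer>[\d.]+), Local: (?P<local>\d+), Remote: (?P<remote>\d+)")


def parse_events(log_text):
    """Return one dict per tunnel or call event, in log order.

    search() is used rather than match(), so lines carrying a syslog
    timestamp/hostname prefix parse the same way as the foreground output.
    """
    events = []
    for line in log_text.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            events.append({"kind": "tunnel", "peer": m["peer"], "port": int(m["port"]),
                           "local": int(m["local"]), "remote": int(m["remote"])})
            continue
        m = CALL_RE.search(line)
        if m:
            events.append({"kind": "call", "peer": m["peer"],
                           "local": int(m["local"]), "remote": int(m["remote"])})
    return events


def unexpected_peers(events, allowed_peers):
    """Peer addresses that opened a tunnel but are not on the allow-list."""
    seen = {e["peer"] for e in events if e["kind"] == "tunnel"}
    return sorted(seen - set(allowed_peers))


def peer_summary(events):
    """Per peer: how many tunnels were opened and how many reached a PPP call.
    A peer with many tunnels and few calls never got as far as authentication."""
    tunnels = Counter(e["peer"] for e in events if e["kind"] == "tunnel")
    calls = Counter(e["peer"] for e in events if e["kind"] == "call")
    return {peer: {"tunnels": n, "calls": calls[peer]} for peer, n in tunnels.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SERVER_LOG)
    print("not on allow-list:", unexpected_peers(evs, {"4.3.2.1"}))
    for peer, counts in peer_summary(evs).items():
        print(peer, counts)
```

On a real server the same functions can be fed the xl2tpd lines from syslog (the daemon logs through syslog when not run with -D); the "bad control packet" lines seen on the client side are deliberately ignored here, as they are retransmission noise rather than a connection event.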

On the client side you should see the following:

xl2tpd[4436]: Connecting to host 122.166.3.167, port 1701
xl2tpd[4436]: Connection established to 1.2.3.4, 1701.  Local: 58539, Remote: 31936 (ref=0/0).
xl2tpd[4436]: Calling on tunnel 58539
xl2tpd[4436]: check_control: Received out of order control packet on tunnel 31936 (got 0, expected 1)
xl2tpd[4436]: handle_packet: bad control packet!
xl2tpd[4436]: check_control: Received out of order control packet on tunnel 31936 (got 0, expected 1)
xl2tpd[4436]: handle_packet: bad control packet!
xl2tpd[4436]: Call established with 1.2.3.4, Local: 59273, Remote: 33438, Serial: 2 (ref=0/0)
xl2tpd[4436]: start_pppd: I'm running:
xl2tpd[4436]: "/usr/sbin/pppd"
xl2tpd[4436]: "passive"
xl2tpd[4436]: "nodetach"
xl2tpd[4436]: ":"
xl2tpd[4436]: "/dev/pts/6"

At this point, from the client side, you should be able to ping the server's private IP address 192.168.1.99:

ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99) 56(84) bytes of data.
64 bytes from 192.168.1.99: icmp_seq=1 ttl=64 time=169 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=64 time=175 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=64 time=157 ms

That indicates your VPN connection to the server is up and working. Now you need to add the relevant routes and return routes to reach the systems inside the office.

On the server side enable IP forwarding. Set it persistently in /etc/sysctl.conf (the stock CentOS file carries net.ipv4.ip_forward = 0, so running sysctl -p without editing it would switch forwarding off again) and then apply it:

net.ipv4.ip_forward = 1        # in /etc/sysctl.conf

sysctl -w "net.ipv4.ip_forward=1"

sysctl -p

On the client side add a route for the office LAN over the PPP interface:

/sbin/route add -net 192.168.10.0/24 dev ppp0

The hosts on 192.168.10.0/24 also need a return route for the client pool 192.168.1.128-192.168.1.254 pointing at the firewall's LAN address (or the firewall has to NAT the tunnel traffic); otherwise their replies never enter the tunnel.

At this point you should be able to ping systems inside the office network.

Please note that this VPN tunnel does not encrypt your data. To encrypt the L2TP tunnel it has to be combined with an IPsec implementation such as Openswan. We will cover this in a separate article.
