L2TP/IPsec with PSK with Libreswan

In this scenario, Layer 2 Tunneling Protocol (L2TP) is combined with IPsec. This arrangement uses fixed port numbers and is therefore easily blocked by censors. Also, a preshared key (PSK) is not particularly secure. Nevertheless, there may be situations where ease-of-use is your top priority. Many client devices support L2TP/IPsec PSK without the installation of additional software.

This configuration requires xL2TPd as well as Libreswan. For a simpler configuration, review the article on IPsec with Libreswan.

The article on this page will show you how to create an L2TP/IPsec server on CentOS 8. In the examples, your workstation is at IP address xx.xx.xx.xx, and the server is at IP address yy.yy.yy.yy. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.

We also give instructions for an Android device as a sample client. Mobile devices are easily tracked and strongly linked to an individual. Again, we assume ease-of-use is your main concern in this scenario and that you are in a country where L2TP/IPsec is not blocked.

1. Server

1.1. Install and Configure Firewall

We begin by installing a firewall and configuring it to accept IPsec. We also masquerade outgoing IP addresses. Issue the commands that follow:

yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent

For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx, make that the only IP address that will be trusted for SSH access:

firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent

1.2. Allow Forwarding

Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d:

vi /usr/lib/sysctl.d/40-ipv4-forward.conf

Insert a single line:

net.ipv4.ip_forward=1

Save the file. Make this change effective immediately.:

sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf

1.3. Install Packages

Add the Extra Packages for Enterprise Linux repository:

yum install epel-release -y

Install LibreSwan and xL2TPd:

yum install libreswan xl2tpd -y

1.4. Set Up Preshared Key

Edit the IPsec secrets file:

vi /etc/ipsec.d/psk.secrets

Insert a line with your preshared key. We will use as an example a preshared key of ArialBrainChimpDentsEarth:

%any: PSK "ArialBrainChimpDentsEarth"

Save the file.

1.5. Configure Libreswan

Create a new file for L2TP/IPsec connections with a preshared key:

vi /etc/ipsec.d/l2tp-ipsec-psk.conf

Insert lines specifying a configuration like this:

conn ikev1
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    right=%any
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024
    esp=aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1;modp1024
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
	
conn ikev1-nat
    also=ikev1
    rightsubnet=vhost:%priv

Save the file.

1.6. Configure xL2TPd

Edit the xL2TPd configuration file:

vi /etc/xl2tpd/xl2tpd.conf

Insert a configuration like this. Change the virtual IP address range and local IP of the server if you wish.

[global]
ipsec saref = yes

[lns default]
ip range = 10.0.8.64-10.0.8.127
local ip = 10.0.8.1
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Save the file. If you want more explanation of what the options do, issue the command:

man xl2tpd.conf

1.7. Configure Point-to-Point Protocol Options

Edit the Point-to-Point Protocol options file:

vi /etc/ppp/options.xl2tpd

Insert a configuration like this:

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1
noccp
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000

Save the file. If you want more explanation of what the options do, issue the command:

man pppd

1.8. Set Up Usernames and Passwords

Edit the Point-to-Point Protocol secrets file:

vi /etc/ppp/chap-secrets

Insert usernames and passwords like this:

# Secrets for authentication using CHAP
# client server secret      IP addresses
alice    *      "ku9mvc94"  *
bob      *      "szkkzg2s"  *
carol    *      "dft97m29"  *

Save the file.

1.9. Start Libreswan

Start Libreswan after every reboot, and also start it now:

systemctl enable ipsec
systemctl start ipsec

1.10. Start xL2TPd

Start xL2TPd after every reboot, and also start it now:

systemctl enable xl2tpd
systemctl start xl2tpd

1.11. Check Libreswan and xL2TPd

Check that Libreswan and xL2TPd are active and running:

systemctl status ipsec
systemctl status xl2tpd

2. Android Client

The place where you add a VPN in Android varies from release to release. It may be under Settings > Network & Internet > Advanced > VPN or it may be under Settings > Connections > More networks > VPN.

Add a new VPN:

Click Save. Select the VPN, and click Connect.

3. Note for Windows Clients

If you try this with a Windows client, it will be necessary to change the adapter settings for the L2TP/IPsec adapter. Right-click on the L2TP/IPsec adapter, and select Properties. On the Security tab, select the radio button for Allow these protocols. Check the boxes for Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP Version 2 (MS-CHAP v2).

Also, it would be better to edit the Windows registry to allow use of modp2048. This would allow the use of stronger Diffie-Hellman groups than the modp1024 (DH group 2) in our example configuration. To edit the registry, press the Win+r keys, type regedit, then press Enter. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Rasman > Parameters. Insert a new DWORD (32-bit value). The name is NegotiateDH2048_AES256. The value is 1, which means enable AES-256-CBC and MODP-2048.

4. Get Help and Report Issues

For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.