In this article, we will guide you through configuring an L2TP/IPsec VPN server using StrongSwan on a Linux server. The setup involves configuring the necessary components (IPsec and L2TP) and enabling the server to accept client connections securely. StrongSwan is a popular open-source IPsec implementation that allows secure connections over untrusted networks.
System Requirements
- A Linux server (Ubuntu or CentOS preferred).
- Root access to the server.
- StrongSwan installed (for IPsec support).
- XL2TPD installed (for L2TP support).
Installing StrongSwan and XL2TPD
To get started, we need to install both StrongSwan and XL2TPD. Run the following commands based on your Linux distribution.
On Ubuntu/Debian
sudo apt update
sudo apt install strongswan xl2tpd
On CentOS/RHEL
sudo yum install epel-release
sudo yum install strongswan xl2tpd
Configuring IPsec with StrongSwan
StrongSwan needs to be configured to work with L2TP for IPsec-based VPN services. We will first configure IPsec settings and then move on to configuring L2TP.
Edit the StrongSwan Configuration
The main configuration file for StrongSwan is located at /etc/ipsec.conf. Open this file in your preferred text editor.
sudo nano /etc/ipsec.conf
Here is a basic configuration for IPsec. Note that the parameter lines under each section must be indented, as strongSwan's ipsec.conf parser requires:
config setup
    # debug level 2 on every subsystem is very verbose; lower it once the tunnel works
    charondebug="ike 2, knl 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn L2TP-IPsec
    keyexchange=ikev1
    authby=secret
    pfs=no
    ikelifetime=60m
    keylife=20m
    type=transport
    # left is the server's own public IP address; it is left blank here and must be filled in
    left=
    leftprotoport=17/1701
    right=%any
    # rightdns takes one or two comma-separated DNS server addresses handed to clients; fill them in
    rightdns=,
    rightsourceip=10.10.10.0/24
    auto=add
Configure IPsec Secrets
Next, configure the shared secret for IPsec authentication. Open the file /etc/ipsec.secrets and add your pre-shared key (PSK).
sudo nano /etc/ipsec.secrets
Here’s an example of how to set the PSK:
: PSK "your-psk-here"
Configuring L2TP with XL2TPD
Next, we configure XL2TPD for handling L2TP connections. The main configuration file is /etc/xl2tpd/xl2tpd.conf.
Edit the XL2TPD Configuration
sudo nano /etc/xl2tpd/xl2tpd.conf
Update the configuration file with the following settings:
[lns default]
ip range = 10.10.10.2-10.10.10.10
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
Configure PPP Options for L2TP
Next, configure PPP options to enable secure client connections. Open /etc/ppp/options.l2tpd.client:
sudo nano /etc/ppp/options.l2tpd.client
Ensure the following options are present (lines beginning with # are comments):
require-mschap-v2
refuse-mschap
# each ms-dns line takes one DNS server address to push to the client; both are blank here and must be filled in
ms-dns
ms-dns
proxyarp
nodefaultroute
debug
lock
connect-delay 5000
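Before starting the services, the following shell functions (an added example written for this guide, not tooling from StrongSwan or xl2tpd) audit the three files edited above: they confirm the transport-mode settings are present, catch any value left blank (such as left=, rightdns= and ms-dns as printed above), reject the placeholder PSK, and require ipsec.secrets to be mode 600. The default paths are the ones used in this guide; the 20-character minimum PSK length is an assumed threshold.

```shell
#!/bin/sh
# Pre-flight audit for the three files this guide edits: each check prints
# what is wrong and returns 1, so it can run before the services are started.

# ipsec.conf: settings L2TP/IPsec transport mode relies on must be present, and
# no "key=" may be blank (left= and rightdns= in the snippet above need values).
check_ipsec_conf() {
  f="$1"; rc=0
  for want in keyexchange=ikev1 type=transport leftprotoport=17/1701 authby=secret; do
    if ! grep -Eq "^[[:space:]]*${want}[[:space:]]*$" "$f"; then
      echo "ipsec.conf: missing $want"; rc=1
    fi
  done
  # a blank value is "key=" followed only by spaces or commas
  blank=$(grep -E '^[[:space:]]*[a-z]+[[:space:]]*=[[:space:],]*$' "$f" || true)
  if [ -n "$blank" ]; then echo "ipsec.conf: blank value(s):"; echo "$blank"; rc=1; fi
  return $rc
}
# ipsec.secrets: a PSK line must exist, must not be the guide's placeholder, must
# be at least 20 characters (assumed threshold), and the file must be mode 600.
check_psk() {
  f="$1"; rc=0
  psk=$(sed -n 's/^[[:space:]]*:[[:space:]]*PSK[[:space:]]*"\(.*\)".*$/\1/p' "$f" | head -n 1)
  if [ -z "$psk" ]; then echo "ipsec.secrets: no PSK line"; return 1; fi
  if [ "$psk" = "your-psk-here" ]; then echo "ipsec.secrets: placeholder PSK"; rc=1; fi
  if [ "${#psk}" -lt 20 ]; then echo "ipsec.secrets: PSK shorter than 20 chars"; rc=1; fi
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD
  if [ "$mode" != "600" ]; then echo "ipsec.secrets: mode $mode, expected 600"; rc=1; fi
  return $rc
}
# PPP options: MS-CHAPv2 must be required and every ms-dns line needs an IPv4
# address (both ms-dns lines in the snippet above are blank as printed).
check_ppp_options() {
  f="$1"; rc=0
  if ! grep -q '^[[:space:]]*require-mschap-v2[[:space:]]*$' "$f"; then
    echo "ppp options: require-mschap-v2 missing"; rc=1
  fi
  bad=$(grep '^[[:space:]]*ms-dns' "$f" \
        | grep -Ev '^[[:space:]]*ms-dns[[:space:]]+([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' || true)
  if [ -n "$bad" ]; then echo "ppp options: ms-dns without an address"; rc=1; fi
  return $rc
}
# Run all three; arguments override the default paths used in this guide.
preflight() {
  ok=0
  check_ipsec_conf "${1:-/etc/ipsec.conf}" || ok=1
  check_psk "${2:-/etc/ipsec.secrets}" || ok=1
  check_ppp_options "${3:-/etc/ppp/options.l2tpd.client}" || ok=1
  return $ok
}
```

Source the file and run preflight as root; a non-zero exit means at least one of the three files still needs attention.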
Starting StrongSwan and XL2TPD
Now that both configurations are in place, we can start the services and enable them to start automatically on boot. On distributions where the legacy ipsec.conf-based starter ships as its own systemd unit, that unit is named strongswan-starter rather than strongswan; use whichever name your system provides.
Enable and Start StrongSwan
sudo systemctl enable strongswan
sudo systemctl start strongswan
Enable and Start XL2TPD
sudo systemctl enable xl2tpd
sudo systemctl start xl2tpd
Configuring Firewall Rules
Ensure that the necessary ports for IPsec and L2TP are open on your firewall. The required ports are listed below. Two caveats: when no NAT sits between client and server, ESP travels as IP protocol 50 rather than over a UDP port and must be permitted as such; and L2TP itself is unencrypted, so while the transport-mode policy above protects traffic from authenticated peers, UDP 1701 opened this broadly will also accept plain L2TP from hosts with no IPsec SA, and restricting it to packets that arrived inside IPsec is a worthwhile hardening step.
- UDP 500 (IPsec)
- UDP 4500 (IPsec NAT-T)
- UDP 1701 (L2TP)
On Ubuntu/Debian
sudo ufw allow 500,4500/udp
sudo ufw allow 1701/udp
On CentOS/RHEL
sudo firewall-cmd --zone=public --add-port=500/udp --permanent
sudo firewall-cmd --zone=public --add-port=4500/udp --permanent
sudo firewall-cmd --zone=public --add-port=1701/udp --permanent
sudo firewall-cmd --reload
Testing the VPN Server
After completing the configuration, it is essential to test the VPN server to ensure it is working correctly. Use a client device to connect to the VPN server and verify the connection. On the server, sudo ipsec statusall shows whether the L2TP-IPsec connection is loaded and which security associations are established, and the xl2tpd log (journalctl -u xl2tpd) shows the PPP negotiation, which is where authentication failures appear.
