L2TP/IPsec with PSK with Libreswan

In this scenario, Layer 2 Tunneling Protocol (L2TP) is combined with IPsec. This arrangement uses fixed port numbers (UDP 500 and 4500 for IKE, plus ESP) and is therefore easily blocked by censors. Also, a preshared key (PSK) is not particularly secure: the same key is shared by every client, so any client can impersonate the server to the others, and the strength of that one key is the only thing protecting the IKE exchange. Nevertheless, there may be situations where ease-of-use is your top priority. Many client devices support L2TP/IPsec PSK without the installation of additional software.

This configuration requires xL2TPd as well as Libreswan. For a simpler configuration, review the article on IPsec with Libreswan.

This article shows you how to create an L2TP/IPsec server on CentOS 8. Note that CentOS 8 reaches end-of-life on December 31, 2021, so plan to migrate the server to a supported release before then.

In the examples, your workstation is at IP address xx.xx.xx.xx, and the server is at IP address yy.yy.yy.yy. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.

We also give instructions for an Android device as a sample client. Mobile devices are easily tracked and strongly linked to an individual. Again, we assume ease-of-use is your main concern in this scenario and that you are in a country where L2TP/IPsec is not blocked.

1. Server

1.1. Install and Configure Firewall

We begin by installing a firewall and configuring it to accept IPsec. firewalld's ipsec service opens UDP ports 500 and 4500 and the ESP and AH protocols; nothing else is opened, and in particular UDP 1701 (L2TP) stays closed, since L2TP must only be reachable inside the IPsec tunnel. We also masquerade outgoing IP addresses, so that traffic forwarded for clients leaves with the server's address. Issue the commands that follow:

yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent

For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx, make that the only IP address that will be trusted for SSH access:

firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit

The trusted zone accepts all traffic from its sources, so the --add-service=ssh line is harmless but not strictly needed; what matters is that xx.xx.xx.xx is added as a source before ssh is removed from the public zone. Before making these rules permanent, confirm that the address you are logged in from is the one you trusted (echo $SSH_CLIENT shows it) and open a second SSH session to prove you can still get in. If you have locked yourself out, the runtime rules disappear on the next reboot. Once the second session works, save the rules:

firewall-cmd --runtime-to-permanent

1.2. Allow Forwarding

Now enable packet forwarding in the Linux kernel. Create a new configuration file in /etc/sysctl.d, the directory for local settings (/usr/lib/sysctl.d holds files shipped by packages and may be overwritten by updates):

vi /etc/sysctl.d/40-ipv4-forward.conf

Insert a single line:

net.ipv4.ip_forward=1

Save the file. Make this change effective immediately:

sysctl -p /etc/sysctl.d/40-ipv4-forward.conf

The command echoes the setting it applied, and sysctl net.ipv4.ip_forward should now report 1.

1.3. Install Packages

Add the Extra Packages for Enterprise Linux repository:

yum install epel-release -y

Install Libreswan and xL2TPd:

yum install libreswan xl2tpd -y

1.4. Set Up Preshared Key

Edit the IPsec secrets file:

vi /etc/ipsec.d/psk.secrets

Insert a line with your preshared key. We will use as an example a preshared key of ArialBrainChimpDentsEarth. For a real server, generate a long random string instead (for instance with openssl rand -base64 32), because this one key is shared by every client and anyone who learns or guesses it can authenticate to the server:

%any: PSK "ArialBrainChimpDentsEarth"

Save the file and make sure it is readable only by root (mode 0600). Libreswan reads every *.secrets file in /etc/ipsec.d when it starts.

1.5. Configure Libreswan

Create a new file for L2TP/IPsec connections with a preshared key:

vi /etc/ipsec.d/l2tp-ipsec-psk.conf

Insert lines specifying a configuration like this:

conn ikev1
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    right=%any
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024
    esp=aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1;modp1024
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

conn ikev1-nat
    also=ikev1
    rightsubnet=vhost:%priv

Save the file.

A few of these settings deserve explanation. authby=secret selects the preshared key from psk.secrets. ikev2=never is required because the built-in L2TP/IPsec clients in Windows, Android and iOS speak only IKEv1. type=transport with leftprotoport=17/1701 limits the IPsec SA to L2TP traffic to the server's UDP port 1701, while rightprotoport=17/%any accepts whichever single source port the client uses. rekey=no leaves rekeying to the client, because the server cannot initiate to a right=%any peer, and the dpd settings tear down the SA of a mobile client that disappears without sending a delete. The final ike= entry, aes256-sha2;modp1024, explicitly offers Diffie-Hellman group 2 (modp1024); that group is weak, and is listed only because it is what stock Android and Windows clients propose by default. If your clients can do better (see the note on Windows clients below), add a proposal such as aes256-sha2;modp2048 ahead of it. The ikev1-nat connection reuses the same settings for clients behind NAT, whose inner address is the private address they report (vhost:%priv).

1.6. Configure xL2TPd

Edit the xL2TPd configuration file:

vi /etc/xl2tpd/xl2tpd.conf

Insert a configuration like this. Change the virtual IP address range and local IP of the server if you wish, but pick a range that will not collide with the LANs your clients connect from (10.0.8.0/24 is less likely to clash than the 192.168.0.0/24 or 192.168.1.0/24 most home routers use). xL2TPd listens on UDP 1701, which the firewall deliberately does not expose to the Internet; the L2TP packets, and the PPP authentication inside them, arrive only through the IPsec transport-mode SA.

[global]
ipsec saref = yes

[lns default]
ip range = 10.0.8.64-10.0.8.127
local ip = 10.0.8.1
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Save the file. If you want more explanation of what the options do, issue the command:

man xl2tpd.conf

1.7. Configure Point-to-Point Protocol Options

Edit the Point-to-Point Protocol options file:

vi /etc/ppp/options.xl2tpd

Insert a configuration like this:

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1
noccp
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000

Save the file. The ms-dns lines hand the client Google's and Cloudflare's resolvers; substitute your own if you would rather not send the clients' DNS queries to a third party. The debug option is useful while you are testing and can be removed once the server works. If you want more explanation of what the options do, issue the command:

man pppd

1.8. Set Up Usernames and Passwords

Edit the Point-to-Point Protocol secrets file:

vi /etc/ppp/chap-secrets

Insert usernames and passwords like this:

# Secrets for authentication using CHAP
# client server secret      IP addresses
alice    *      "ku9mvc94"  *
bob      *      "szkkzg2s"  *
carol    *      "dft97m29"  *

Save the file, and make it readable only by root (mode 0600): CHAP requires the server to hold every password in plaintext, so this file is as sensitive as the PSK. The eight-character example passwords above are too short for a service exposed to the whole Internet; use at least twelve random characters per user. The asterisks mean a user may connect to any server name and receive any address from the pool.
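The script below is an added example for this article, not part of Libreswan or xL2TPd. It serves both section 1.4 (psk.secrets) and this section (chap-secrets): it generates random secrets, writes them in the formats shown above with root-only permissions, and audits existing files for short secrets or loose permissions. It assumes a Linux box with /dev/urandom, base64 and GNU or BusyBox stat -c, and takes file paths as arguments so you can try it on scratch files before touching /etc/ipsec.d/psk.secrets and /etc/ppp/chap-secrets.

```shell
#!/bin/bash
# Added example (not from the article, Libreswan or xl2tpd): generate and audit
# the secrets an L2TP/IPsec PSK server relies on. All paths are arguments.

# 24 random bytes -> 32 base64 characters (no padding, no quotes or spaces).
gen_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Write the single %any PSK line Libreswan expects, readable only by root.
# usage: write_psk PSK FILE
write_psk() {
    psk=$1; file=$2
    (umask 077; printf '%%any: PSK "%s"\n' "$psk" > "$file")
    chmod 600 "$file"
}

# Append a chap-secrets entry: client, server, secret, allowed addresses.
# usage: add_chap_user USER PASSWORD FILE
add_chap_user() {
    user=$1; pw=$2; file=$3
    case "$pw" in
        *'"'*|*' '*) echo "password must not contain quotes or spaces" >&2; return 1;;
    esac
    (umask 077; printf '%s\t*\t"%s"\t*\n' "$user" "$pw" >> "$file")
    chmod 600 "$file"
}

# Report weak secrets and loose permissions; returns 0 only if all checks pass.
# usage: audit_secrets PSK_FILE CHAP_FILE
audit_secrets() {
    pskfile=$1; chapfile=$2; rc=0
    for f in "$pskfile" "$chapfile"; do
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f: mode $mode, should be 0600"; rc=1;;
        esac
    done
    psk=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$pskfile" | head -n 1)
    if [ "${#psk}" -lt 20 ]; then
        echo "$pskfile: PSK is ${#psk} characters; use at least 20 random ones"
        rc=1
    fi
    # chap-secrets fields: client server secret addresses; skip comments/blanks
    while read -r user srv secret rest; do
        case "$user" in ''|'#'*) continue;; esac
        secret=${secret#\"}; secret=${secret%\"}
        if [ "${#secret}" -lt 12 ]; then
            echo "$chapfile: password for $user is ${#secret} characters; use at least 12"
            rc=1
        fi
    done < "$chapfile"
    return $rc
}

# Demonstration on scratch files, so running this script never touches /etc.
demo_dir=$(mktemp -d)
write_psk "$(gen_secret)" "$demo_dir/psk.secrets"
add_chap_user alice "$(gen_secret)" "$demo_dir/chap-secrets"
add_chap_user bob "ku9mvc94" "$demo_dir/chap-secrets"   # the article's short example
audit_secrets "$demo_dir/psk.secrets" "$demo_dir/chap-secrets" \
    && echo "all secrets pass" || echo "fix the findings above"
rm -rf "$demo_dir"
```

Run it as is to see the audit flag bob's eight-character password, or source it and call write_psk and add_chap_user with the real paths from sections 1.4 and 1.8 once you are happy with the output. Re-run audit_secrets after every edit to either file.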

1.9. Start Libreswan

Start Libreswan after every reboot, and also start it now:

systemctl enable ipsec
systemctl start ipsec

1.10. Start xL2TPd

Start xL2TPd after every reboot, and also start it now:

systemctl enable xl2tpd
systemctl start xl2tpd

1.11. Check Libreswan and xL2TPd

Check that Libreswan and xL2TPd are active and running:

systemctl status ipsec
systemctl status xl2tpd

Both should report active (running). ipsec status should list the ikev1 and ikev1-nat connections as loaded, and the journal (journalctl -u ipsec -u xl2tpd, which also captures the pppd processes xl2tpd spawns) is where each connection attempt is recorded. If a client negotiates an IPsec SA but never receives a PPP address, check with tcpdump -ni any udp port 1701 whether the decapsulated L2TP packets reach xl2tpd. Should the firewall turn out to be dropping them, accept UDP 1701 only for packets that arrived inside IPsec (a firewalld direct rule using iptables' policy match, -m policy --dir in --pol ipsec) rather than opening the port to the whole Internet.
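As an added example, not part of the article or of Libreswan, the script below triages the journal lines that pluto, xl2tpd and pppd write: it counts established SAs and authenticated PPP sessions, lists peers that negotiated the weak DH group 2 (modp1024) offered by the example configuration, and flags CHAP failures and rejected IKE proposals. The sample lines written by write_sample_log are constructed for this example; they imitate the daemons' real message formats but are not captured output, and the peer addresses are documentation ranges.

```shell
#!/bin/bash
# Added example (not from the article or Libreswan): triage of L2TP/IPsec
# server logs. usage: journalctl -u ipsec -u xl2tpd > /tmp/vpn.log; ./triage.sh /tmp/vpn.log
# With no argument it runs on the constructed sample below.

# Phase 2 SAs in transport mode: clients that completed the IPsec half.
count_ipsec_sa() {
    grep -c 'IPsec SA established transport mode' "$1" || true
}

# PPP peers that authenticated successfully.
count_chap_ok() {
    grep -c 'CHAP peer authentication succeeded for' "$1" || true
}

# Peer addresses whose ISAKMP (phase 1) SA used modp1024, one per line.
dh_group2_peers() {
    sed -n 's/.*"[^"]*"\[[0-9]*\] \([0-9.]*\) #[0-9]*: .*ISAKMP SA established .*group=MODP1024.*/\1/p' "$1" | sort -u
}

# Usernames that failed CHAP: a wrong chap-secrets entry, or password guessing.
failed_chap_users() {
    sed -n 's/.*CHAP peer authentication failed for \([^ ]*\).*/\1/p' "$1" | sort -u
}

# Peers whose IKE proposal matched nothing in the ike= line.
no_proposal_peers() {
    sed -n 's/.*NO_PROPOSAL_CHOSEN to \([0-9.]*\):.*/\1/p' "$1" | sort -u
}

# Print a summary; return 0 only if there were no failures to look into.
vpn_triage() {
    log=$1
    echo "IPsec SAs established:       $(count_ipsec_sa "$log")"
    echo "PPP sessions authenticated:  $(count_chap_ok "$log")"
    echo "Peers still on DH group 2:   $(dh_group2_peers "$log" | tr '\n' ' ')"
    failures=$(failed_chap_users "$log")
    rejected=$(no_proposal_peers "$log")
    [ -z "$failures" ] || echo "CHAP failures (check chap-secrets, or a guessing client): $failures"
    [ -z "$rejected" ] || echo "IKE proposal rejected (client offers nothing in ike=): $rejected"
    [ -z "$failures$rejected" ]
}

# Constructed sample journal excerpt (see header comment); not real captured output.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 17 10:00:01 vpn pluto[812]: "ikev1"[1] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Jun 17 10:00:01 vpn pluto[812]: "ikev1-nat"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0a1b2c3d <0x4e5f6a7b xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=203.0.113.5:4500 DPD=active}
Jun 17 10:00:02 vpn xl2tpd[850]: Connection established to 203.0.113.5, 1701.  Local: 29081, Remote: 7 (ref=0/0).  LNS session is 'default'
Jun 17 10:00:03 vpn pppd[902]: CHAP peer authentication succeeded for alice
Jun 17 10:00:03 vpn pppd[902]: remote IP address 10.0.8.64
Jun 17 10:05:10 vpn pluto[812]: "ikev1"[2] 198.51.100.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
Jun 17 10:05:10 vpn pluto[812]: "ikev1"[2] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x11223344 <0x55667788 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=active}
Jun 17 10:05:12 vpn pppd[955]: CHAP peer authentication failed for mallory
Jun 17 10:09:40 vpn pluto[812]: packet from 192.0.2.9:500: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.9:500
Jun 17 10:12:00 vpn pluto[812]: "ikev1"[3] 192.0.2.44 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha1 group=MODP1024}
EOF
}

if [ $# -eq 0 ]; then
    sample=$(mktemp)
    write_sample_log "$sample"
    vpn_triage "$sample"
    rm -f "$sample"
else
    vpn_triage "$1"
fi
```

The DH group list is the security-relevant output: once every client you care about shows up as MODP2048 or better, the aes256-sha2;modp1024 proposal can be dropped from ike= and the group 2 exposure with it. A recurring CHAP failure for a username that is not in chap-secrets is a guessing attempt and a reason to restrict the firewall further.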

2. Android Client

The place where you add a VPN in Android varies from release to release. It may be under Settings > Network & Internet > Advanced > VPN or it may be under Settings > Connections > More networks > VPN.

Add a new VPN and fill in the form with the values from the server configuration above:

Name: any label, for example L2TP-PSK
Type: L2TP/IPSec PSK
Server address: yy.yy.yy.yy
L2TP secret: leave blank (xl2tpd.conf above sets no tunnel secret)
IPSec identifier: leave blank
IPSec pre-shared key: ArialBrainChimpDentsEarth, or whatever you put in /etc/ipsec.d/psk.secrets
Username: alice
Password: the secret listed for alice in /etc/ppp/chap-secrets

Tap Save. Select the VPN, and tap Connect.

3. Note for Windows Clients

If you try this with a Windows client, it will be necessary to change the adapter settings for the L2TP/IPsec adapter. Right-click on the L2TP/IPsec adapter, and select Properties. On the Security tab, select the radio button for Allow these protocols. Check the boxes for Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP Version 2 (MS-CHAP v2); CHAP is what the require chap setting in xl2tpd.conf demands. You can leave Unencrypted password (PAP) unchecked, since the server refuses it.

Also, it would be better to edit the Windows registry to allow use of modp2048. This would allow the use of a stronger Diffie-Hellman group than the modp1024 (DH group 2) in our example configuration. To edit the registry, press the Win+r keys, type regedit, then press Enter. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Rasman > Parameters. Insert a new DWORD (32-bit) Value. The name is NegotiateDH2048_AES256. The value is 1, which means use AES-256-CBC and MODP-2048. Reboot for the change to take effect, and make sure the server's ike= line in l2tp-ipsec-psk.conf also offers that group, for example by placing aes256-sha2;modp2048 ahead of the existing proposals.

4. Get Help and Report Issues

For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.

Updated 2021-06-17