CentOS 7 L2TP VPN server – XL2TPD+libreswan
L2TP VPN SERVER ON CentOS
1. yum -y update
2. yum -y install epel-release
3. yum -y install xl2tpd libreswan nano
4. nano /etc/ipsec.conf
config setup
# NAT-TRAVERSAL support, see README.NAT-Traversal
#nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
#oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
#force_keepalive=yes
keep_alive=1800
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=your server IP
leftid=your server IP
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
leftnexthop=%defaultroute
rightnexthop=%defaultroute
ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
sha2-truncbug=yes
5. nano /etc/xl2tpd/xl2tpd.conf
[global]
; ipsec saref = yes
listen-addr = your server IP
auth file = /etc/ppp/chap-secrets
port = 1701
[lns default]
ip range = 10.10.100.10-10.10.100.100
local ip = 10.10.100.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
Here are some configurations of xl2tpd:
length bit = yes
6. nano /etc/ppp/options.xl2tpd
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
#crtscts
#lock
hide-password
#modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
7. nano /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
- nano /etc/ipsec.secrets (the PSK below is only an example value; replace it with a long random secret before use)
your server IP %any: PSK "admin123"
- nano /etc/ppp/chap-secrets
USER * PASS *
8. cd /usr/lib/firewalld/services
9. touch l2tpd.xml
10. nano l2tpd.xml
(?xml version="1.0" encoding="utf-8"?)
(service)
(short) l2tpd (/short)
(description) L2TP IPSec (/description)
(port protocol="udp" port="500"/)
(port protocol="udp" port="4500"/)
(port protocol="udp" port="1701"/)
(/service)
!!!!!! Ganti tanda kurung () di atas menjadi tanda kurung siku !!!!!!
11. firewall-cmd --reload
12. firewall-cmd --permanent --add-service=pptpd
13. firewall-cmd --permanent --add-service=l2tpd
14. firewall-cmd --permanent --add-service=ipsec
15. firewall-cmd --permanent --add-masquerade
16. firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
17. firewall-cmd --reload
18. systemctl enable ipsec xl2tpd
19. systemctl restart ipsec xl2tpd
20. test
centos 7
The `systemctl enable ipsec xl2tpd` command works, but when we check the status the services are not started.