Set up an L2TP/IPSec VPN connection on Ubuntu desktop

Context:

The VPN server runs on a Vyatta firewall (version 6.5). This has been tested on Ubuntu 13.10 (saucy) and 14.04 (trusty).

How to set up the VPN client on Ubuntu

1. Packages required:

$ sudo apt-get install openswan
$ sudo apt-get install xl2tpd
$ sudo apt-get install l2tp-ipsec-vpn

2. Restart your computer so that the little “L2TP IPSEC VPN Manager” icon appears in the status bar.

3. Configure the connection with the “L2TP IPSEC VPN Manager”:

Enter the VPN server address and the pre-shared key.

Go to the PPP tab and enter the username and password (you can leave all the protocols checked, as we will allow them later):

Click on “IP Settings” and check the box:

Before closing, click on “Routes” and make sure you use the gateway on the remote network:

Close the “L2TP IPSEC VPN Manager” to apply the changes.

4. Before connecting to the VPN, you need to make some more changes in the configuration files.

In the file /etc/ppp/<your_vpn_connection_name>.options.xl2tpd:
– Add the password line
– Make sure the refuse-xxxx lines are commented out:

$ sudo vi /etc/ppp/<your_vpn_connection_name>.options.xl2tpd
  #debug
  #dump
  #record /var/log/pppd

  plugin passprompt.so
  ipcp-accept-local
  ipcp-accept-remote
  idle 72000
  ktune
  noproxyarp
  asyncmap 0
  #noccp
  noauth
  crtscts
  lock
  hide-password
  modem
  noipx

  ipparam L2tpIPsecVpn-<your_connection>

  promptprog "/usr/bin/L2tpIPsecVpn"

  #refuse-eap
  #refuse-pap
  #refuse-chap
  #refuse-mschap
  #refuse-mschap-v2
  #require-mschap-v2

  remotename ""
  name "<your_username>"
  password "<your_password>"

  defaultroute

  usepeerdns

5. Restart xl2tpd and ipsec to apply the changes:

$ sudo /etc/init.d/ipsec restart
$ sudo /etc/init.d/xl2tpd restart

6. Finally, go to your (home) connection settings and deactivate IPv6.

7. You can now connect to your (home) connection and then to the VPN connection you just created.

Issues? Check the last lines of /var/log/syslog
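
To verify step 4 before connecting, the check below can be run against the options file. It is an added example, not part of the original guide or of the l2tp-ipsec-vpn package; the function name check_xl2tpd_options is hypothetical, and the file-mode test is an added assumption based on the file now holding the VPN password in clear text.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the pppd options file
# edited in step 4. check_xl2tpd_options is a hypothetical helper name.
# Usage: sudo sh check.sh /etc/ppp/<your_vpn_connection_name>.options.xl2tpd
# Returns 0 if the file matches step 4 and is closed to group/other,
# 1 if something needs fixing, 2 if the file cannot be read.

check_xl2tpd_options() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # Step 4: an uncommented password line must be present.
    # ("hide-password" does not match: the keyword must start the line.)
    if ! grep -Eq '^[[:space:]]*password[[:space:]]+' "$f"; then
        echo "MISSING: no active 'password' line"
        rc=1
    fi

    # Step 4: every refuse-xxxx line must be commented out.
    active=$(grep -E '^[[:space:]]*refuse-[a-z0-9-]+' "$f" || true)
    if [ -n "$active" ]; then
        echo "ACTIVE refuse lines (comment them out):"
        echo "$active"
        rc=1
    fi

    # Assumption added here: because the password is stored in clear text,
    # group and other should have no access. Characters 5-10 of the
    # "ls -l" mode string are the group and other permission bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMISSIONS: group/other bits are '$perms'; fix with: sudo chmod 600 $f"
        rc=1
    fi
    return $rc
}

# Run the check when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_xl2tpd_options "$1"
fi
```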

FYI: the VPN server configuration
Here is the VPN configuration on the Vyatta firewall (version 6.5), which is our VPN server.
Any content in <> has to be replaced.
See the Vyatta documentation for more details.

vpn {
    ipsec {
        esp-group ESP1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group IKE1 {
            dead-peer-detection {
                action clear
                interval 150
                timeout 450
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface <eth0>
        }
        nat-networks {
            allowed-network <192.168.0.0/16> {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username <user1> {
                        password <user1password>
                    }
                    username <user2> {
                        password <user2password>
                    }
                }
                mode local
            }
            client-ip-pool {
                start <vpn_ip_pool_start>
                stop <vpn_ip_pool_stop>
            }
            dns-servers {
                server-1 <internal_dns_server>
                server-2 <internal_dns_server2>
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret <choose_a_shared_secret>
                }
                ike-lifetime 3600
            }
            outside-address <your_external_ip>
            outside-nexthop <your_gateway>
            wins-servers {
                server-1 <your_wins_server_ip>
            }
        }
    }
}