Solved L2TP/IPsec client settings

This is a short guide to set up a FreeBSD L2TP/IPsec client, using mpd5 and strongSwan IPsec, to connect to a Unifi L2TP/IPsec server (authenticated with a pre-shared key).

For this to work, strongSwan and mpd5 need to be installed on the client.

The first two configs are ipsec.conf and ipsec.secrets. Please read the man pages for each entry if you want more information. Replace the IPs and the password in the two config files. When testing your changes, use ipsec start, ipsec stop and ipsec reload to start, stop and reload IPsec, and ipsec up l2tp / ipsec down l2tp to establish or close the l2tp connection.

ipsec.conf
Code:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        # strictcrlpolicy=yes
        uniqueids = yes
        charondebug="ike 1, knl 1, cfg 4"

# Add connections here.
conn l2tp
      keyexchange=ikev1
      fragmentation=yes
      forceencaps = yes             # force UDP encapsulation of ESP even if no NAT is detected
      ike=aes256-sha1-modp4096!
      esp=aes256-sha1-modp4096!
      type=transport                # L2TP/IPsec uses transport mode, not a tunnel
      auto=start
      closeaction=restart
      dpdaction=restart
      dpddelay=300s
      rekey=yes
      # Left (this client)
      leftid=ClientIP
      left=%defaultroute
      leftauth=psk
      leftfirewall=yes
      # Right (the Unifi server)
      right=ServerIP                # target server (same IP as the L2TP peer in mpd.conf)
      rightprotoport=17/1701        # only protect UDP 1701, the L2TP port
      rightauth=psk

ipsec.secrets
Code:
# ipsec.secrets - strongSwan IPsec secrets file
#
# <local id> <remote id> : PSK "<pre-shared key>"
ClientIP ServerIP : PSK "Password"
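A pre-flight check for the two strongSwan files above, added here as an example and not part of the original post: it parses an ipsec.conf, verifies the settings that L2TP/IPsec transport mode depends on, flags weak algorithms in the ike=/esp= proposals and sample values left in place, and tells you whether the ipsec.secrets mode keeps the PSK away from group and other. SAMPLE is a condensed copy of the conn section above; the placeholder and weak-algorithm lists are my own choices.

```python
import stat

# Sample values from the guide that must be replaced before use
PLACEHOLDERS = ("ClientIP", "ServerIP", '"Password"')
# Settings an L2TP/IPsec transport-mode connection needs (ipsec.conf(5))
REQUIRED = {"keyexchange": "ikev1", "type": "transport",
            "rightprotoport": "17/1701", "leftauth": "psk", "rightauth": "psk"}
WEAK = ("3des", "md5", "modp1024")  # must not appear in ike=/esp= proposals

# Condensed copy of the guide's conn section (constructed test input)
SAMPLE = """conn l2tp
      keyexchange=ikev1
      ike=aes256-sha1-modp4096!
      esp=aes256-sha1-modp4096!
      type=transport
      leftauth=psk
      right=ServerIP        # target server
      rightprotoport=17/1701
      rightauth=psk
"""

def parse_ipsec_conf(text):
    """{section: {key: value}}; '#' starts a comment, a line at column 0 a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; blank lines become ""
        if line and not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif line and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_conn(text, conn="l2tp"):
    """Problems in 'conn <conn>': wrong settings, weak proposals, sample values."""
    settings = parse_ipsec_conf(text).get(f"conn {conn}")
    if settings is None:
        return [f"no 'conn {conn}' section"]
    problems = [f"{k}={settings.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if settings.get(k) != v]
    for key in ("ike", "esp"):
        problems += [f"{key} proposal uses weak {alg}" for alg in WEAK
                     if alg in settings.get(key, "").lower()]
    problems += [f"sample value {ph} still present" for ph in PLACEHOLDERS if ph in text]
    return problems

def secrets_mode_ok(mode):
    """ipsec.secrets holds the PSK: only its owner (root) may read it."""
    return stat.S_IMODE(mode) & 0o077 == 0
```

On the client, feed check_conn the contents of /usr/local/etc/ipsec.conf and pass os.stat("/usr/local/etc/ipsec.secrets").st_mode to secrets_mode_ok; a False there means chmod 600 is needed.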

After getting IPsec working, it is time to work on the L2TP side of the solution. The mpd.conf shown below needs to be altered for your use. Please consult the man pages for each entry. Use the command mpd5 followed by the name of the connection (mpd5 l2tp) to open the connection.

mpd.conf
Code:
startup:
        # Set web self 127.0.0.1 5008
        # Set user vpntest vpntest admin
        # Set web open

        log +ALL +EVENTS -FRAME -ECHO

default:
        load l2tp

l2tp:
        create bundle static B1
        # route to the remote network through the tunnel interface
        set iface route #.#.#.#/#
        set iface enable tcpmssfix
        set ipcp yes vjcomp

        set ipcp dns #.#.#.#

        # MPPE 128-bit, stateless mode
        set ccp yes mppc
        set mppc yes e128
        set mppc yes stateless

        create link static L1 l2tp
        set link action bundle B1
        set link max-redial 0
        set link mtu 1460
        # LCP echo keep-alive disabled; use e.g. "20 75" (interval, timeout in seconds) to enable it
        set link keep-alive 0 0
        set link accept chap-msv2

        # same server address as right= in ipsec.conf
        set l2tp peer ServerIP

        set auth authname "username"
        set auth password "password"

        open

You should be able to connect now.
If you need the connection to start at boot, add the following to your rc.conf.

rc.conf
Code:
#VPN
mpd_enable="YES"
mpd_flags="-b -s mpd5 l2tp"
strongswan_enable="YES"
gateway_enable="YES"

Hope you can use it.