MPD5 L2TP IPsec Server On FreeBSD 10.3 amd64
Prerequisites:
I assume you installed the src component when you installed FreeBSD, so the source tree is in /usr/src.
If you don't have it, fetch the 10.3 release branch with SVN (svn update /usr/src only works on an existing checkout):
svn checkout https://svn.freebsd.org/base/releng/10.3 /usr/src
or copy and extract it from the installation DVD:
location on the DVD: /USR/FREEBSD_DIST/SRC.TXZ
Editing and Building Kernel:
cd /usr/src/sys/amd64/conf/
cp GENERIC GENERIC_IPsec
vi GENERIC_IPsec
Edit the line below:
ident GENERIC
and change it to:
ident GENERIC_IPsec
add this after the first big options block:
# Options for an IPsec enabled kernel
options IPSEC
options IPSEC_NAT_T
device crypto
write the file, then start building:
cd /usr/src/
make buildkernel KERNCONF=GENERIC_IPsec
It takes some time to build the kernel, depending on your hardware.
Now install the kernel:
make installkernel KERNCONF=GENERIC_IPsec
The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel.
Reboot the system to boot from the new kernel:
reboot
Now we are ready to set up the server.
Install mpd5 and strongSwan:
pkg install mpd5
pkg install strongswan
In this config my server's IP address is "192.168.0.1" and my pre-shared secret is "912secret912"; change them to suit your needs.
vi /usr/local/etc/ipsec.conf
config setup
    strictcrlpolicy=no
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    ikelifetime=8h
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@vpn.test
    leftcert=vpnHostCert.pem
    right=%any
    auto=add

conn L2TP-IPSec-PSK
    dpdaction=clear
    # Server IP
    left=192.168.0.1
    # Server default gateway
    leftnexthop=192.168.0.254
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    leftauth=psk
    rightauth=psk
    leftid="192.168.0.1"
    ikelifetime=1h
    keylife=8h
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    auto=add
    keyexchange=ike
    type=transport

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
Configure the shared secret:
vi /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# this is the shared secret
#: PSK "912secret912"
192.168.0.1 %any : PSK "912secret912"
Configure mpd:
vi /usr/local/etc/mpd5/mpd.conf
startup:
    # set user operations secret_changeme admin

default:
    load l2tp_server

l2tp_server:
    # Define dynamic IP address pool.
    set ippool add pool1 10.0.0.2 10.0.0.254

    # Create clonable bundle template named VPN
    create bundle template VPN
    set iface enable netflow-in
    set iface enable netflow-out
    set iface enable ipacct
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    # Specify IP address pool for dynamic assignment.
    set ipcp ranges 10.0.0.1/32 ippool pool1
    set ipcp dns 8.8.8.8
    # The five lines below enable Microsoft Point-to-Point Encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless

    # Create clonable link template named L
    create link template L l2tp
    # Set bundle template to use
    set link action bundle VPN
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2
    set link enable chap
    set link keep-alive 10 60
    # Reduce the link MTU to avoid fragmentation of the encapsulated packets.
    set link mtu 1400
    # Configure l2tp
    set l2tp self 192.168.0.1
    set l2tp enable length
    set l2tp disable dataseq
    # Allow incoming calls
    set link enable incoming
Define a username and password if you don't use RADIUS:
vi /usr/local/etc/mpd5/mpd.secret
mehdi "123456"
Using a RADIUS server with mpd is described here: https://msadighian.com/index.php/freebsd/freebsd-10-3-mpd5-pptp-server/
Excellent! Now enable mpd and strongSwan:
sysrc mpd_enable="yes"
sysrc strongswan_enable="YES"
service strongswan start
service mpd5 restart
OK, we are ready. Configure your L2TP VPN client on Mac, iPhone, PC, Linux, ... and connect to 192.168.0.1 with the pre-shared key specified above.
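Before handing the server to clients it is worth checking that the pieces above actually came together: the custom kernel really carries the IPsec options, IKE/NAT-T/L2TP are listening, and the secrets files (plaintext PSK and passwords) are not readable by other users. The script below is an added example, not part of the original guide; it uses the file paths from this guide and FreeBSD's sockstat(1).

```shell
#!/bin/sh
# Post-install sanity checks for the L2TP/IPsec server built in this guide.
# Added example, not the guide's own code. File paths are the ones the guide
# uses; "sockstat -4l" is FreeBSD's listing of IPv4 listening sockets.
# Succeed only if the kernel config contains the three lines the guide adds:
# "options IPSEC", "options IPSEC_NAT_T" and "device crypto". Comment lines
# are ignored and "options IPSEC" does not match "options IPSEC_NAT_T".
kernconf_has_ipsec() {
    for want in 'options IPSEC' 'options IPSEC_NAT_T' 'device crypto'; do
        key=${want%% *}; val=${want#* }
        grep -Eq "^[[:space:]]*${key}[[:space:]]+${val}([[:space:]]|#|\$)" "$1" \
            || return 1
    done
}

# Print the UDP ports that IKE (500), NAT-T (4500) and L2TP (1701) need but
# that are absent from "sockstat -4l" output read on stdin; prints nothing
# when all three are listening.
missing_udp_listeners() {
    listening=$(awk '$5 == "udp4" { sub(/.*:/, "", $6); print $6 }')
    missing=""
    for port in 500 4500 1701; do
        printf '%s\n' "$listening" | grep -qx "$port" || missing="$missing $port"
    done
    printf '%s' "${missing# }"
}

# ipsec.secrets and mpd.secret store the PSK and passwords in plaintext, so
# succeed only if group and others have no access (mode 0600 or 0400).
secrets_perms_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ln "$1") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check against the live system; returns non-zero on any failure.
run_all_checks() {
    rc=0
    kernconf_has_ipsec /usr/src/sys/amd64/conf/GENERIC_IPsec \
        || { echo "GENERIC_IPsec lacks IPSEC, IPSEC_NAT_T or crypto"; rc=1; }
    m=$(sockstat -4l | missing_udp_listeners)
    [ -z "$m" ] || { echo "not listening on UDP port(s): $m"; rc=1; }
    for f in /usr/local/etc/ipsec.secrets /usr/local/etc/mpd5/mpd.secret; do
        secrets_perms_ok "$f" || { echo "$f should be mode 0600"; rc=1; }
    done
    return $rc
}
```

Source the file and call run_all_checks on the server after the services are up; a non-zero exit means at least one of the three conditions is not met.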
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com
TAG: FreeBSD,FreeBSD 10.3,Freebsd 10,ipsec,l2tp,VPN,strongswan,mpd,mpd5