MPD5 L2TP IPsec Server On FreeBSD 10.3 amd64
Prerequisites:
I assume you installed the src distribution when you installed FreeBSD, so the system sources are in /usr/src.
If you don't have them, fetch the 10.3 release branch with svnlite(1), the Subversion client that ships in the base system:
svnlite checkout https://svn.freebsd.org/base/releng/10.3 /usr/src
(if /usr/src is already a checkout, svnlite update /usr/src brings it up to date), or copy src.txz from the installation DVD and extract it into / (it unpacks to /usr/src):
location on the DVD: /USR/FREEBSD_DIST/SRC.TXZ
Editing and Building Kernel:
cd /usr/src/sys/amd64/conf/
cp GENERIC GENERIC_IPsec
vi GENERIC_IPsec
Edit the line below:
ident GENERIC
and change it to:
ident GENERIC_IPsec
add this after the first big options block (the 10.3 GENERIC kernel does not include IPsec, so a custom kernel is required):
# Options for an IPsec enabled kernel
options IPSEC
options IPSEC_NAT_T
device crypto
write the file, then start building:
cd /usr/src/
make buildkernel KERNCONF=GENERIC_IPsec
Building the kernel takes a while, depending on your hardware.
now install the kernel:
make installkernel KERNCONF=GENERIC_IPsec
The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel.
reboot the system to boot the new kernel:
reboot
Now we are ready to configure the server side.
install mpd5 and strongSwan:
pkg install mpd5
pkg install strongswan
In this config the server IP address is "192.168.0.1" and the pre-shared key is "912secret912"; change both to suit your setup.
vi /usr/local/etc/ipsec.conf
config setup
        strictcrlpolicy=no
        cachecrls=yes
        uniqueids=yes
        charondebug=""

conn %default
        keyingtries=%forever
        dpddelay=30s
        dpdtimeout=120s
        ikelifetime=8h
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftid=@vpn.test
        leftcert=vpnHostCert.pem
        right=%any
        auto=add

conn L2TP-IPSec-PSK
        dpdaction=clear
        # Server IP
        left=192.168.0.1
        # Server default gateway
        leftnexthop=192.168.0.254
        leftprotoport=17/1701
        rightprotoport=17/%any
        right=%any
        rightsubnet=0.0.0.0/0
        leftauth=psk
        rightauth=psk
        leftid="192.168.0.1"
        ikelifetime=1h
        keylife=8h
        ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
        esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
        auto=add
        keyexchange=ike
        type=transport

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

Note that the ike= and esp= lists in the L2TP-IPSec-PSK conn accept 3DES, MD5 and 1024-bit DH (modp1024) so that old Windows and mobile clients can still connect. These are legacy algorithms; once you know which clients you actually have to support, remove the entries you don't need and keep only the AES/SHA1/modp1536 ones (or stronger). The conn block ... conn packetdefault sections are leftovers from Openswan-style templates and are harmless here.
configure the shared secret:
vi /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# this is the shared secret
# : PSK "912secret912"
192.168.0.1 %any : PSK "912secret912"

This file and /usr/local/etc/mpd5/mpd.secret hold cleartext credentials, so keep both readable by root only (mode 0600).
configure mpd:
vi /usr/local/etc/mpd5/mpd.conf
startup:
# set user operations secret_changeme admin

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool1 10.0.0.2 10.0.0.254

# Create clonable bundle template named VPN
        create bundle template VPN
        set iface enable netflow-in
        set iface enable netflow-out
        set iface enable ipacct
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
        set ipcp ranges 10.0.0.1/32 ippool pool1
        set ipcp dns 8.8.8.8

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L l2tp
# Set bundle template to use
        set link action bundle VPN
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2
        set link enable chap
        set link keep-alive 10 60
# Reduce the link MTU to avoid fragmentation of the L2TP/IPsec-encapsulated packets.
        set link mtu 1400
# Configure l2tp
        set l2tp self 192.168.0.1
        set l2tp enable length
        set l2tp disable dataseq
# Allow to accept calls
        set link enable incoming
define a username and password if you don't use RADIUS:
vi /usr/local/etc/mpd5/mpd.secret
mehdi "123456"
Using a RADIUS server with mpd is described here: https://msadighian.com/index.php/freebsd/freebsd-10-3-mpd5-pptp-server/
Now enable and start strongSwan and mpd:
sysrc mpd_enable="YES"
sysrc strongswan_enable="YES"
service strongswan start
service mpd5 start
The firewall must let UDP 500, UDP 4500 and ESP (IP protocol 50) reach the server. UDP 1701 (L2TP) should only be accepted when it arrives inside IPsec; mpd itself will happily answer unencrypted L2TP on that port, leaving only the PPP authentication (MS-CHAPv2) to protect the login.
OK, we are ready: configure the L2TP/IPsec VPN client on your Mac, iPhone, PC, Linux box, etc. and connect to 192.168.0.1 with the pre-shared key specified above.
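As an added example (not part of the original post, and not strongSwan or mpd tooling), the following sh script does two checks worth running before opening the server to clients: it parses the ike=/esp= proposal lists in ipsec.conf and flags the legacy algorithms (3DES, MD5, modp1024) that the L2TP-IPSec-PSK conn above accepts for old clients, and it verifies that the secrets files are not readable by other users. The list of algorithms treated as weak and the file paths are assumptions taken from this post; the sample ipsec.conf it writes for a dry run is constructed here and mirrors the proposal lists of the conn above.

```sh
#!/bin/sh
# audit_ipsec.sh: pre-deployment checks for the strongSwan + mpd5 setup above.
# Added example, not part of the original post. Assumes the file layout from
# the post (/usr/local/etc/ipsec.conf, ipsec.secrets, mpd5/mpd.secret).

# Algorithms treated as legacy (assumption: tune this to the oldest client
# you still have to support).
WEAK_ALGS="3des md5 modp1024 modp768"

# weak_proposals FILE
# Prints "conn directive proposal" for every ike=/esp= proposal in FILE that
# names a legacy algorithm. Exit status is 1 when something was flagged.
weak_proposals() {
    awk -v weak="$WEAK_ALGS" '
        BEGIN { n = split(weak, w, " "); found = 0 }
        # Remember which conn section the following lines belong to.
        $1 == "conn" { conn = $2; next }
        /^[ \t]*(ike|esp)=/ {
            sub(/^[ \t]*/, "")
            eq = index($0, "=")
            directive = substr($0, 1, eq - 1)
            list = substr($0, eq + 1)
            sub(/!$/, "", list)                 # "!" is the strict flag, not an alg
            m = split(list, props, ",")         # proposals are comma separated
            for (i = 1; i <= m; i++) {
                k = split(props[i], algs, "-")  # enc-integ-dh inside one proposal
                hit = 0
                for (j = 1; j <= k && !hit; j++)
                    for (x = 1; x <= n && !hit; x++)
                        if (algs[j] == w[x]) hit = 1
                if (hit) { print conn, directive, props[i]; found = 1 }
            }
        }
        END { exit found }
    ' "$1"
}

# count_weak FILE: number of flagged proposals in FILE.
count_weak() {
    weak_proposals "$1" | wc -l | tr -d ' '
}

# secrets_mode_ok FILE: true when FILE has no group/other permission bits,
# which is what ipsec.secrets and mpd.secret (cleartext credentials) need.
secrets_mode_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# write_sample_config FILE: constructed ipsec.conf fragment for a dry run.
write_sample_config() {
    cat > "$1" <<'EOF'
config setup
        uniqueids=yes

conn %default
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!

conn L2TP-IPSec-PSK
        leftauth=psk
        rightauth=psk
        ike=aes128-sha1-modp1536,aes128-sha1-modp1024,3des-md5-modp1024
        esp=aes128-sha1,3des-md5
        type=transport
EOF
}

# Stand-alone run: audit the real files when present, otherwise the sample.
if [ "${1:-}" = "--demo" ] || [ ! -r /usr/local/etc/ipsec.conf ]; then
    tmp=$(mktemp) && write_sample_config "$tmp"
    weak_proposals "$tmp" || echo "legacy proposals found (listed above)"
    rm -f "$tmp"
else
    weak_proposals /usr/local/etc/ipsec.conf || echo "legacy proposals found (listed above)"
    for f in /usr/local/etc/ipsec.secrets /usr/local/etc/mpd5/mpd.secret; do
        if [ -e "$f" ] && ! secrets_mode_ok "$f"; then
            echo "$f is readable by group/others; chmod 600 it"
        fi
    done
fi
```

Run it as root on the VPN host after editing the configs; run it with --demo (or on any machine without /usr/local/etc/ipsec.conf) to see what it flags in the constructed sample, where the %default ike line and three of the L2TP-IPSec-PSK proposals are reported.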
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com
TAG: FreeBSD,FreeBSD 10.3,Freebsd 10,ipsec,l2tp,VPN,strongswan,mpd,mpd5