Build an IPSec + L2TP VPN Server In Debian 7

Source: Internet
Author: User

Because of my company's network restrictions, a lot of information could not be found, so I decided to build a VPN to get over the wall. Domestic VPNs are really not impressive, and their stability is poor. A friend had just recommended a foreign VPS host, so I checked it out. The node in Tokyo, Japan was very fast, and I decided to start one. On the principle that doing it yourself keeps you fed and clothed, after I built the Debian 7 system on the VPS, I began to build my VPN server. I have to say that this is not a difficult task; however, the configuration tutorials provided by Du Niang are too bad. I don't understand them, they are messy, and the layout is messy as well. So I recorded my own configuration process today, and I hope it helps friends who have the same requirements. OK, on to the topic. Let's go!

1. Install OpenSWAN

sudo apt-get install openswan

If the installer asks "Use an X.509 certificate for this host?", answer No.

1.1 Configure the sysctl parameters

sudo mv /etc/sysctl.conf /etc/sysctl.conf.bak
sudo vim /etc/sysctl.conf
----------- Enter the following content -------------
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

1.2 Load the sysctl parameters

sudo sysctl -p
sudo bash -c 'for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done'
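
The settings from steps 1.1 and 1.2 can be re-checked per interface with a short script. This is an added example, not part of the original post; the function name `check_vpn_sysctl` and the fixture directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): re-check what steps 1.1-1.2 set.
# The argument is the sysctl tree to read; it defaults to the live /proc/sys.
check_vpn_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    # The server routes client traffic, so forwarding must be on.
    if [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "FAIL net.ipv4.ip_forward is not 1"
        bad=$((bad + 1))
    fi
    # Step 1.2 zeroes both keys for every entry under conf/, so check each
    # entry rather than only the "all" values written to sysctl.conf.
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        for key in accept_redirects send_redirects; do
            [ -r "$dir/$key" ] || continue
            val=$(cat "$dir/$key")
            if [ "$val" != "0" ]; then
                echo "FAIL net.ipv4.conf.${dir##*/}.$key = $val"
                bad=$((bad + 1))
            fi
        done
    done
    echo "$bad finding(s)"
    [ "$bad" -eq 0 ]
}

# Constructed fixture: eth0 still accepts ICMP redirects.
fx=$(mktemp -d)
mkdir -p "$fx/net/ipv4/conf/all" "$fx/net/ipv4/conf/eth0"
echo 1 > "$fx/net/ipv4/ip_forward"
for d in all eth0; do
    echo 0 > "$fx/net/ipv4/conf/$d/accept_redirects"
    echo 0 > "$fx/net/ipv4/conf/$d/send_redirects"
done
echo 1 > "$fx/net/ipv4/conf/eth0/accept_redirects"
check_vpn_sysctl "$fx" || true
rm -rf "$fx"
```

On the server itself, call `check_vpn_sysctl` with no argument to read the live values under /proc/sys.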


1.3 Create and apply the iptables rule

sudo mv /etc/rc.local /etc/rc.local.bak
sudo vim /etc/rc.local
----------- Enter the following content -------------
#!/bin/sh -e
# NAT traffic leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exit 0

Add execute permission and run the configuration:

sudo chmod +x /etc/rc.local
sudo /etc/rc.local

1.4 Configure ipsec.secrets

sudo mv /etc/ipsec.secrets /etc/ipsec.secrets.bak
sudo vim /etc/ipsec.secrets
----------- Enter the following content -------------
# Replace the IP address and password with the server's IP address and the password you set
111.222.333.444 %any: PSK "0123456"   # The password here is the server's shared key, which must be provided when connecting.

1.5 Configure ipsec.conf

sudo mv /etc/ipsec.conf /etc/ipsec.conf.bak
sudo vim /etc/ipsec.conf
----------- Enter the following content -------------
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:,%v4:,%v4:
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # change to the server's IP address
    left=111.222.333.444
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

1.6 Enable the ipsec service

sudo update-rc.d ipsec defaults

2. Install xl2tpd

sudo apt-get install xl2tpd

2.1 Configure xl2tpd.conf

sudo mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
sudo vim /etc/xl2tpd/xl2tpd.conf
----------- Enter the following content -------------
[global]
ipsec saref = yes

[lns default]
ip range =
local ip =
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

2.2 Configure options.xl2tpd

sudo mv /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
sudo vim /etc/ppp/options.xl2tpd
----------- Enter the following content -------------
asyncmap 0
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4

2.3 Configure chap-secrets

sudo mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
sudo vim /etc/ppp/chap-secrets
----------- Enter the following content -------------
# user  server  password  ip
user1 l2tpd 123456 *
user2 l2tpd 123456 *
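
The sample secrets in steps 1.4 and 2.3 are short and numeric, so they need to be replaced before the server is exposed. The following added example (not part of the original post) scans both files for such entries; the function names and the `MIN_LEN` threshold of 16 are assumptions, and the sample files are constructed from the tutorial's placeholder values.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the secrets from 1.4 and 2.3.
MIN_LEN=${MIN_LEN:-16}   # assumed policy threshold, not a tutorial value

# Emit "label<TAB>secret" for PSK lines (ipsec.secrets) and for
# "client server secret ip" lines (chap-secrets).
list_secrets() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        /PSK[ \t]+"/ { if (match($0, /"[^"]*"/))
                           print "psk\t" substr($0, RSTART + 1, RLENGTH - 2)
                       next }
        NF >= 4 { gsub(/"/, "", $3); print "user:" $1 "\t" $3 }
    ' "$@"
}

# Print one WEAK line per short or digits-only secret; return 1 if any found.
audit_secrets() {
    findings=$(list_secrets "$@" | awk -F '\t' -v min="$MIN_LEN" '
        length($2) < min { print "WEAK " $1 ": under " min " characters"; next }
        $2 ~ /^[0-9]+$/  { print "WEAK " $1 ": digits only" }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files using the tutorial's placeholder values.
demo_dir=$(mktemp -d)
printf '%s\n' '111.222.333.444 %any: PSK "0123456"' > "$demo_dir/ipsec.secrets"
printf '%s\n' '# user server password ip' 'user1 l2tpd 123456 *' \
    'user2 l2tpd 123456 *' > "$demo_dir/chap-secrets"
audit_secrets "$demo_dir/ipsec.secrets" "$demo_dir/chap-secrets" || true
rm -rf "$demo_dir"
```

On the server, run `audit_secrets /etc/ipsec.secrets /etc/ppp/chap-secrets` as root; a non-zero return means at least one entry should be regenerated.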


2.4 Start the L2TP server

sudo invoke-rc.d xl2tpd restart
sudo invoke-rc.d ipsec restart

2.5 Verify the server status

sudo ipsec verify

This displays the following information:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

With that, the VPN configuration is successful. Next, you can log on with the two users created above, user1 and user2, selecting L2TP as the connection type. Now the configuration is complete. It's very easy!

This post is original. Please cite the source of this post. Thank you for your cooperation.
