How to Install L2TP VPN on Centos

This tutorial covers installing an L2TP/IPsec VPN (Openswan plus xl2tpd) on CentOS. I have tested it on an SSD VPS with 128 MB of memory.

yum update
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced nano
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install
yum install xl2tpd
nano /etc/ipsec.conf

Change left=xx.xx.xx.xx to your VPS/dedicated server IP.

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
 
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=xx.xx.xx.xx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

nano /etc/ipsec.secrets

Change xx.xx.xx.xx to your VPS/dedicated server IP and replace "password" with your own pre-shared key.

xx.xx.xx.xx %any: PSK "password"

nano /etc/sysctl.conf

Change or Add following lines.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

sysctl -p
ipsec setup -restart
ipsec verify

Output example:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

nano /etc/xl2tpd/xl2tpd.conf

Change xx.xx.xx.xx to your VPS/dedicated server IP.

[global]
ipsec saref = yes
listen-addr = xx.xx.xx.xx
[lns default]
ip range = 10.1.2.2-10.1.2.254
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

nano /etc/ppp/options.xl2tpd

File contents:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

nano /etc/ppp/chap-secrets

Edit username and password:

# user server password ip
username * userpass *

The source subnet of the NAT rule must be the VPN pool from xl2tpd.conf (10.1.2.0/24 with the values above), and the rule must be saved to /etc/sysconfig/iptables, otherwise the iptables restart below discards it.

iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
service iptables save
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
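Before restarting the services, it is worth checking that the three files edited above agree with each other. The script below is an added example, not part of the original tutorial; it assumes the file paths are passed as arguments and that the NAT rule's source subnet is the /24 containing the xl2tpd "ip range" pool.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check ipsec.secrets,
# sysctl.conf and xl2tpd.conf before starting the VPN. Paths are passed in so
# the checks can be run against copies; exit status 0 means all checks passed.

# Return 0 if the PSK in an ipsec.secrets file is neither the tutorial's
# placeholder "password" nor shorter than 20 characters.
check_psk() {
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$psk" ] || { echo "no PSK line in $1"; return 1; }
    [ "$psk" != "password" ] || { echo "PSK is the placeholder 'password'"; return 1; }
    [ ${#psk} -ge 20 ] || { echo "PSK shorter than 20 characters"; return 1; }
    return 0
}

# Return 0 if a sysctl.conf contains the forwarding/redirect settings that
# "ipsec verify" reports as [OK]/[FAILED]. The last definition of a key wins.
check_sysctl() {
    for kv in 'net.ipv4.ip_forward=1' \
              'net.ipv4.conf.all.send_redirects=0' \
              'net.ipv4.conf.all.accept_redirects=0'; do
        key=${kv%=*}; val=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        got=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
        [ "$got" = "$val" ] || { echo "$key is '$got', expected $val"; return 1; }
    done
    return 0
}

# Return 0 if the /24 implied by "ip range" in xl2tpd.conf equals the subnet
# used in the MASQUERADE rule (e.g. 10.1.2.0/24 for the pool in this tutorial).
check_nat_subnet() {
    range=$(sed -n 's/^[[:space:]]*ip range[[:space:]]*=[[:space:]]*\([0-9.]*\)-.*/\1/p' "$1" | head -n 1)
    [ -n "$range" ] || { echo "no 'ip range' in $1"; return 1; }
    net="${range%.*}.0/24"
    [ "$net" = "$2" ] || { echo "pool is $net but NAT rule uses $2"; return 1; }
    return 0
}

# Run all three. Usage: check_l2tp_config SECRETS SYSCTL XL2TPD_CONF NAT_SUBNET
check_l2tp_config() {
    check_psk "$1" && check_sysctl "$2" && check_nat_subnet "$3" "$4"
}
```

Run it as `check_l2tp_config /etc/ipsec.secrets /etc/sysctl.conf /etc/xl2tpd/xl2tpd.conf 10.1.2.0/24` after sourcing the file; a non-zero exit prints which check failed.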

7 thoughts on “How to Install L2TP VPN on Centos”

  1. Anyone notice that all versions of CentOS 6 have very high CPU usage under userland mode with xl2tpd? This problem does not occur in CentOS 5.8. Any idea what was changed, so I can correct it? The xl2tpd load starts very low, 0%, then the connection comes in and I’ll test with a file download at a constant 150 Kbyte/s. First it goes between 1-2%, then 2-3%, then 3-4%, then back down to 1%, then to 5%, then 5-6, 6-7, 7-8, 8-9, then back down to 5%, then to 10%. This goes on and on until xl2tpd is consuming 100% CPU. If I stop all bandwidth (stop transferring data over xl2tpd) CPU usage goes to zero; when I restart the download CPU usage goes back to 100%.

    When running in kernel mode, I can download 150 Mbytes, then the connection dies (but CPU usage is 0%).

    What did they do to break both kernel mode L2TP and userland mode L2TP in CentOS 6? I’m still running CentOS 5.8 because it “just works”, but it would be nice to upgrade….

  2. Hi, thanks for your tutorial, but I’ve got some problems during the installation of ipsec. When I ran “ipsec verify” I had:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.32/K2.6.18-308.13.1.el5PAE (netkey)
    Checking for IPsec support in kernel [OK]
    SAref kernel support [N/A]
    NETKEY: Testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking that pluto is running [FAILED]
    whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
    Two or more interfaces found, checking IP forwarding [FAILED]
    whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
    Checking NAT and MASQUERADEing [OK]
    Checking for ‘ip’ command [OK]
    Checking /bin/sh is not /bin/dash [OK]
    Checking for ‘iptables’ command [OK]
    Opportunistic Encryption Support [DISABLED]

    Can you help me?
