How to Configure L2TP over IPsec using Freeradius on Ubuntu

January 3, 2017 | By in UBUNTU HOWTO
| Reply More

Layer 2 tunneling protocol (L2TP) with IPsec  is used to ensure end-to-end encryption because L2TP does not support security features. OpenSwan tool is used to establish IPsec tunnel which will be compiled on Ubuntu distribution. The authentication security feature is implemented using   FreeRadius server. The purpose of authentication server is  to authenticate the user of L2TP VPN.   The Android and Windows clients support L2TP/IPsec PSK with CHAPv2, therefore, a secure channel will be established between smartphone and server.

Required Packages

Following packages will be installed using openswan-l2tp-installation.sh script.

Tools

  • Freeradius Server/Client (source base installation)
  • xl2tpd
  • Poptop Server
  • MySQL Server/client
  • OpenSwan (source base installation)

Development Packages

  • Bison
  • Flex
  • GMP library

The content of the script is shown in the following snapshot.

#!/bin/bash

##NOTE:  Adding a proper date in lastaccounting filed  to fix the invalid default value issue in /etc/freeradius/sql/mysql/cui.sql.

##-installation of tools-##
apt-get update
apt-get install -y mysql-server mysql-client freeradius-mysql pptpd xl2tpd build-essential libgmp3-dev bison flex

echo "Installing freeradius client --"
wget https://github.com/FreeRADIUS/freeradius-client/archive/master.zip
unzip master.zip
cd freeradius-client-master
./configure --prefix=/
make
make install

echo "Installation of OpenSwan "
wget https://download.openswan.org/openswan/openswan-latest.tar.gz
tar -xvzf openswan-latest.tar.gz
cd openswan-*
make programs
make install
echo " OpenSwan installed"

script for installation of tools

Enter password  "test" for  root user of MySql  server.

enter mysql password

Configuration

Another script "openswan-l2tp-configuration.sh" is used to configure packet forwarding on Ubuntu , iptables rules for xl2tpd subnet, FreeRadius server/client setting for authentication mechanisms and  IPsec tunnel of OpenSwan.  Few snapshots of the configuration script are shown below.

1. iptables & sysctl setting

configuration script for iptables and sysctl setting

2. FreeRadius server setting using mysql

configuration script for freeradius server

3. FreeRadius client setting

configuration script freeradius client

4. Configuration for pptpd & xl2tpd services

configuration script for xl2tpd and pppd service

5. OpenSwan VPN configuration

configuration script for openswan

Before running configuration script, one change is required in the cui.sql file which exists under /etc/freeradius/sql/mysql/. Change the highlighted following line in the specified sql file.

 `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',

`lastaccounting` timestamp NOT NULL default '2016-10-01 00:00:00',

Run configuration script for automatically setting of installed packages.

running configuration script

Insert username/password in the FreeRadius database for Android/Windows L2TP client using following command.

INSERT INTO radius.radcheck (username, attribute, op, value) VALUES ('test','User-Password',':=','test123');

query insertion for user
Run FreeRadius server using following command and also restart all required services.

freeradius -X

running freeradius in frontend

Run the following command  on localhost to test the configuration of FreeRadius server.

radtest test test123 localhost 0 testing123

testing user for freeradius

/etc/init.d/xl2tpd restart

starting xl2tpd service

/etc/init.d/ipsec  restart

starting ipsec service

It seems that all required services are properly configured and running. Now, configure L2TP/IPsec PSK  VPN on  Windows and Android Clients.

MS Windows 8 Client configuration

Click on "setup a new connection or network" on "Network & Sharing Center" .

setting a new connection option

select  "Connect to a Workplace" option as shown in following snapshot.

connect to workplace option

As shown below. select "use my internet (VPN)" option on the next window.

use my internet option

Enter the title and internet address (machine ip address ) on the VPN connection and click on "create" button.

configuration of new vpn connection

New VPN connection will be created and shown in the network list as shown below.

connection successfully created

Default properties of new VPN connection will not work with the current configuration of FreeRadius server. Therefore, few changes are required in the security setting of MS Windows VPN client.

First of all, change the type of VPN (layer 2 tunneling protocol over IPsec).

security setting of client

Click on  "Advance Setting" and select "use a preshared key for authentication" option.

setting presharedkey for authentication of client

Select "Microsoft CHAP version 2" option under  "Allow these protocols" setting.

setting MSCHAPv2 option

After configuration of the L2TP/IPsec VPN connection, enter username/password (test/test123) as shown below.

enter credential of radius user and password

L2TP/IPsec VPN is successfully connected to server and ip address is assigned address as shown below.

viewing connection properties

Following snapshot shows the status of L2TP/IPsec VPN connection.

status of vpn connection

L2TP/IPsec configuration on Android

To connect the Android L2TP client with the server, create L2TP/IPsec connection on it.  Click on "settings" "More"  and  "VPN" options. Now  "Add VPN Network" and select "L2TP PSK" option for desired VPN connection.

creating l2tp ipsec connection on android

Once, a new L2TP/IPsec VPN  connection is created. Now, click on VPN connection name and enter already created username/password on the FreeRadius server.

connecting L2TP-IPsec vpn

L2TP/IPsec client is connected to the server as shown below.

vpn tunnel createe

FreeRadius status

The following snapshot shows the successful authentication of user and auth type is CHAP.

freeradius authentication status

Tunnel status

As shown below, xfrm state command gives the  status of OpenSwan tunnel.

ip xfrm state

ipsec tunnel status

Another command which is provided in OpenSwan tool is "ipsec look' which gives combines  information of xfrm status, any iptables rule and routing.

ipsec look

1. xfrm state output in ipsec command
xfrm state in ipsec look command

2. xfrm policy output in ipsec command

xfrm policy in ipsec look command

3. Routing and iptables setting in ipsec command

iptables and route in ipsec look commandThe following command gives automatic status of the tunnel as shown below.

ipsec auto --status

ipsec auto status command output

Conclusion

In this tutorial, a tunnel is created at layer 2 using L2TP with OpenSwan to secure the communication between client and server.  The CHAPv2  authentication mechanism is used between client and server using FreeRadius services. Both Android and Windows-based L2TP clients are used to demonstrate the connection  of clients with the server.

Filed Under : SECURITY, UBUNTU HOWTO

Tagged With : , ,

Free Linux Ebook to Download

Leave a Reply

All comments are subject to moderation.