Layer 2 Tunneling Protocol (L2TP) is combined with IPsec to provide end-to-end encryption, because L2TP itself has no security features. The OpenSwan tool, compiled from source on an Ubuntu distribution, is used to establish the IPsec tunnel. Authentication is implemented with a FreeRadius server, whose purpose is to authenticate the users of the L2TP VPN. Android and Windows clients support L2TP/IPsec PSK with CHAPv2, so a secure channel can be established between a smartphone and the server.
The following packages will be installed using the openswan-l2tp-installation.sh script.
- Freeradius Server/Client (source base installation)
- Poptop Server
- MySQL Server/client
- OpenSwan (source base installation)
- GMP library
The content of the script is shown in the following snapshot.
##NOTE: Adding a proper date in the lastaccounting field to fix the invalid default value issue in /etc/freeradius/sql/mysql/cui.sql.
##-installation of tools-##
apt-get install -y mysql-server mysql-client freeradius-mysql pptpd xl2tpd build-essential libgmp3-dev bison flex
echo "Installing freeradius client --"
echo "Installation of OpenSwan "
tar -xvzf openswan-latest.tar.gz
echo " OpenSwan installed"
When prompted, enter the password "test" for the root user of the MySQL server.
Another script, "openswan-l2tp-configuration.sh", is used to configure packet forwarding on Ubuntu, the iptables rules for the xl2tpd subnet, the FreeRadius server/client settings for the authentication mechanism, and the OpenSwan IPsec tunnel. A few snapshots of the configuration script are shown below.
1. iptables & sysctl setting
2. FreeRadius server setting using mysql
3. FreeRadius client setting
4. Configuration for pptpd & xl2tpd services
5. OpenSwan VPN configuration
Before running the configuration script, one change is required in the cui.sql file under /etc/freeradius/sql/mysql/: the zero timestamp used as the default value of the lastaccounting column is rejected by MySQL, so change the following line in that SQL file.
From:
`lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',
To:
`lastaccounting` timestamp NOT NULL default '2016-10-01 00:00:00',
Run the configuration script to set up the installed packages automatically.
Insert a username/password for the Android/Windows L2TP client into the FreeRadius database using the following command.
INSERT INTO radius.radcheck (username, attribute, op, value) VALUES ('test','User-Password',':=','test123');
Run the FreeRadius server using the following command and restart all required services.
Run the following command on localhost to test the configuration of the FreeRadius server.
radtest test test123 localhost 0 testing123
All required services now appear to be properly configured and running. Next, configure the L2TP/IPsec PSK VPN on the Windows and Android clients.
MS Windows 8 Client configuration
Click on "Set up a new connection or network" in the "Network & Sharing Center".
Select the "Connect to a workplace" option as shown in the following snapshot.
As shown below, select the "Use my Internet connection (VPN)" option on the next window.
Enter the title and the Internet address (the server's IP address) for the VPN connection and click on the "Create" button.
The new VPN connection will be created and shown in the network list as shown below.
The default properties of the new VPN connection will not work with the current configuration of the FreeRadius server, so a few changes are required in the security settings of the MS Windows VPN client.
First of all, change the type of VPN to "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)".
Click on "Advanced settings" and select the "Use preshared key for authentication" option.
Select the "Microsoft CHAP Version 2 (MS-CHAP v2)" option under the "Allow these protocols" setting.
After configuring the L2TP/IPsec VPN connection, enter the username/password (test/test123) as shown below.
The L2TP/IPsec VPN is successfully connected to the server and an IP address is assigned, as shown below.
Following snapshot shows the status of L2TP/IPsec VPN connection.
L2TP/IPsec configuration on Android
To connect the Android L2TP client to the server, create an L2TP/IPsec connection on it. Open "Settings", then "More", then "VPN". Choose "Add VPN Network" and select the "L2TP PSK" option for the desired VPN connection.
Once the new L2TP/IPsec VPN connection has been created, click on the VPN connection name and enter the username/password that was created earlier on the FreeRadius server.
L2TP/IPsec client is connected to the server as shown below.
The following snapshot shows the successful authentication of the user; the auth type is CHAP.
As shown below, the ip xfrm state command gives the status of the OpenSwan tunnel.
ip xfrm state
Another command provided by the OpenSwan tool is "ipsec look", which gives combined information on the xfrm state, the xfrm policy, the iptables rules and the routing table.
1. xfrm state output in ipsec command
2. xfrm policy output in ipsec command
3. Routing and iptables setting in ipsec command
The ipsec auto --status command prints the status of the tunnel, as shown below.
ipsec auto --status
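Beyond eyeballing the output of ip xfrm state above, a practitioner usually wants to confirm that the client's SAs are ESP in transport mode with a UDP/1701 selector and that no weak algorithm was negotiated. The following Python is an added example, not from the tutorial; it parses a constructed sample of ip xfrm state output (key material replaced by placeholders) and flags weak ciphers or integrity algorithms, with the weak-algorithm lists being the author's assumption.

```python
# Constructed `ip xfrm state` output for one L2TP/IPsec client (keys are placeholders).
SAMPLE_XFRM_STATE = """\
src 198.51.100.7 dst 203.0.113.5
\tproto esp spi 0x0c6d7f1a reqid 16385 mode transport
\tauth-trunc hmac(sha1) 0xKEYPLACEHOLDER 96
\tenc cbc(aes) 0xKEYPLACEHOLDER
\tsel src 198.51.100.7/32 dst 203.0.113.5/32 proto udp sport 1701 dport 1701
src 203.0.113.5 dst 198.51.100.7
\tproto esp spi 0x3ab1e09d reqid 16385 mode transport
\tauth-trunc hmac(md5) 0xKEYPLACEHOLDER 96
\tenc cbc(des3_ede) 0xKEYPLACEHOLDER
\tsel src 203.0.113.5/32 dst 198.51.100.7/32 proto udp sport 1701 dport 1701
"""
WEAK = {"enc": {"cbc(des3_ede)", "cbc(des)", "ecb(cipher_null)"},
        "auth": {"hmac(md5)", "digest_null"}}

def parse_xfrm_state(text):
    """Split `ip xfrm state` output into one dict per security association (SA)."""
    sas = []
    for line in text.splitlines():
        s = line.split()
        if line.startswith("src ") and len(s) >= 4:   # unindented src/dst line opens a new SA
            sas.append({"src": s[1], "dst": s[3]})
            continue
        if not sas or not s:
            continue
        sa = sas[-1]
        if s[0] == "proto":
            sa["proto"], sa["mode"] = s[1], (s[s.index("mode") + 1] if "mode" in s else None)
        elif s[0] in ("auth", "auth-trunc"):
            sa["auth"] = s[1]
        elif s[0] in ("enc", "aead"):
            sa["enc"] = s[1]
        elif s[0] == "sel":                            # L2TP rides on UDP/1701 inside the SA
            sa["l2tp_selector"] = "udp" in s and s[-1] == "1701"
    return sas

def audit_l2tp_sas(text):
    """Count ESP transport-mode SAs that carry L2TP and list weak algorithms in them."""
    usable, findings = 0, []
    for sa in parse_xfrm_state(text):
        label = f"{sa['src']}->{sa['dst']}"
        if (sa.get("proto"), sa.get("mode"), sa.get("l2tp_selector")) != ("esp", "transport", True):
            findings.append(f"{label}: not an ESP transport-mode SA for UDP/1701")
            continue
        usable += 1
        for kind in ("enc", "auth"):
            if sa.get(kind) in WEAK[kind]:
                findings.append(f"{label}: weak {kind} algorithm {sa[kind]}")
    return usable, findings
```

On a live server, feed it the real output with audit_l2tp_sas(subprocess.check_output(["ip", "xfrm", "state"], text=True)); a usable count of 0 means no client SA is installed at all.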
In this tutorial, a layer 2 tunnel is created using L2TP with OpenSwan to secure the communication between client and server. The CHAPv2 authentication mechanism is used between client and server through the FreeRadius service. Both Android- and Windows-based L2TP clients are used to demonstrate the connection of clients to the server.