# L2TP VPN Server



## amr (Mar 26, 2013)

Hello all,

I hope you are doing well. I would like to install an "L2TP VPN Server"; in fact I couldn't install it after several attempts. I've got OpenVPN working fine but not L2TP. The instructions in the handbook are only for site-to-site, which is not what I am looking for. I've tried net/mpd5 but with no luck, of course, because I've no experience with net/mpd5.

Here is what I have and what I would like to do: I've a VPS server with FreeBSD 9.1 installed, and I've configured BIND9, a web server and Asterisk for VoIP. I've one Ethernet interface with one public IP. I would like to install an L2TP VPN Server to use Asterisk VoIP through it, for NAT traversal and firewall. For clients I've:

- IP Phone @home
- IP Phone @home country
- Android 4.1

Please advise if I need to set up IPsec also or if just the L2TP VPN Server is enough.

Thanks a lot!
Amr


----------



## Anonymous (Mar 26, 2013)

Some time ago, I wrote a Howto dealing with this subject, perhaps it is suitable for your requirements:

Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III) (forum thread 26755)


----------



## amr (Mar 27, 2013)

Thanks a lot, I've read your article before and it's really amazing. As I said before, I will give it a try. I need to know if I can install an L2TP server without IPsec.

Here is what I want exactly. I would like to run VoIP through the VPN to bypass NAT and firewall. So I need to run the server on a port like 80 or 443. Can I do that, or must I use IPsec?

Thanks,
Amr


----------



## Anonymous (Mar 27, 2013)

As a matter of fact, L2TP VPN on the iPhone is L2TP/IPsec, so for this you need IPsec. I don't know whether Android offers an option without IPsec, though. I also never ran VOIP through my VPNs, so I cannot tell if this would work.


----------



## amr (Mar 28, 2013)

Well, Android also supports L2TP/IPsec, so I will go with your tutorial on FreeBSD 9.

Could you please let me know if I can run L2TP/IPsec on port number 80 or 443?

Thanks a lot,
Amr


----------



## Anonymous (Mar 28, 2013)

amr said:

> ... could you please let me know if I can run L2TP/IPSec on port number 80 or 443...



I have never tested this; however, at the server side you will find adjustable parameters, so you could give it a try. In /usr/local/etc/racoon.conf (see racoon.conf(5)) you would change, in the listen {} block, the port numbers of the parameters isakmp and/or isakmp_natt, for example:


```
...
listen
{
        isakmp           x.x.x.x [500];
        isakmp_natt      x.x.x.x [443];
        strict_address;
}
...
```

In /usr/local/etc/mpd5/mpd.conf you would add the desired port number to the set l2tp self directive, for example:


```
...
        set l2tp self x.x.x.x 80
...
```

In /usr/local/etc/racoon/setkey.conf you have to change the obvious port number too.

Now you have only to find out how to do something similar on your iPhones and Androids. Perhaps somebody in the various Jail-Breakers Heavens and Hells can give you a hand for this task.


----------



## amr (Mar 28, 2013)

Really, thanks for your valuable time. Now I am installing the L2TP server on a VPS with one public IP. I don't have an internal LAN, so what should I replace this 192.168.0.1 with?

```
        isakmp           192.168.0.1 [500];
        isakmp_natt      192.168.0.1 [4500];
        strict_address;
```

Or shall I create an alias on the same WAN NIC?

Thanks.


----------



## Anonymous (Mar 28, 2013)

Without LAN, simply use the WAN IP address. You don't need to set up NAT redirection.


----------



## amr (Mar 29, 2013)

Here is my mpd.conf:

```
startup:
        # configure mpd users
        set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
        set ipcp dns 127.0.0.1   # I've inserted the local loopback because I am running BIND

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reduce the link MTU to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self <my public IP>
        set l2tp enable length
# Allow to accept calls
        set link enable incoming
```

I've installed it, but I couldn't connect, and here is my Racoon log:

```
2013-03-29 03:16:34: INFO: respond new phase 1 negotiation: 65.49.80.32[500]<=>178.152.169.253[500]
2013-03-29 03:16:34: INFO: begin Identity Protection mode.
2013-03-29 03:16:34: INFO: received Vendor ID: RFC 3947
2013-03-29 03:16:34: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-29 03:16:34: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-29 03:16:34: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-03-29 03:16:34: INFO: received broken Microsoft ID: FRAGMENTATION
2013-03-29 03:16:34: INFO: received Vendor ID: DPD
2013-03-29 03:16:34: [178.152.169.253] INFO: Selected NAT-T version: RFC 3947
2013-03-29 03:16:34: [65.49.80.32] INFO: Hashing 65.49.80.32[500] with algo #2
2013-03-29 03:16:34: INFO: NAT-D payload #0 verified
2013-03-29 03:16:34: [178.152.169.253] INFO: Hashing 178.152.169.253[500] with algo #2
2013-03-29 03:16:34: INFO: NAT-D payload #1 doesn't match
2013-03-29 03:16:34: INFO: NAT detected: PEER
2013-03-29 03:16:34: [178.152.169.253] INFO: Hashing 178.152.169.253[500] with algo #2
2013-03-29 03:16:34: [65.49.80.32] INFO: Hashing 65.49.80.32[500] with algo #2
2013-03-29 03:16:34: INFO: Adding remote and local NAT-D payloads.
2013-03-29 03:16:34: [178.152.169.253] ERROR: couldn't find the pskey for 178.152.169.253.
2013-03-29 03:16:34: [178.152.169.253] ERROR: failed to process ph1 packet (side: 1, status: 4).
2013-03-29 03:16:34: [178.152.169.253] ERROR: phase1 negotiation failed.
```


----------



## Anonymous (Mar 29, 2013)

amr said:

> ```
> ...
> 2013-03-29 03:16:34: [178.152.169.253] ERROR: couldn't find the pskey for 178.152.169.253.
> ...
> ```



Did you apply the patch to racoon that enables wildcard PSK (= pre-shared key) handling?

Check whether the pre-shared key that you entered in /usr/local/etc/racoon/psk.txt matches exactly the key that you are using on the device which wants to connect to the server.

Did you change the access rights of that file? `# chmod 600 /usr/local/etc/racoon/psk.txt`


----------



## amr (Mar 29, 2013)

Well, I couldn't patch it the first time. After downloading the patches attached to your tutorial, I could. I am still not able to connect, but this time I am getting a new error message, "Timeout".
Please check my /var/log/racoon.log:


```
2013-03-29 14:48:30: INFO: respond new phase 1 negotiation: 65.49.80.32[500]<=>78.100.126.208[500]
2013-03-29 14:48:30: INFO: begin Identity Protection mode.
2013-03-29 14:48:30: INFO: received Vendor ID: RFC 3947
2013-03-29 14:48:30: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-29 14:48:30: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-29 14:48:30: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-03-29 14:48:30: INFO: received broken Microsoft ID: FRAGMENTATION
2013-03-29 14:48:30: INFO: received Vendor ID: DPD
2013-03-29 14:48:30: [78.100.126.208] INFO: Selected NAT-T version: RFC 3947
2013-03-29 14:48:31: [65.49.80.32] INFO: Hashing 65.49.80.32[500] with algo #2
2013-03-29 14:48:31: INFO: NAT-D payload #0 verified
2013-03-29 14:48:31: [78.100.126.208] INFO: Hashing 78.100.126.208[500] with algo #2
2013-03-29 14:48:31: INFO: NAT-D payload #1 doesn't match
2013-03-29 14:48:31: INFO: NAT detected: PEER
2013-03-29 14:48:31: [78.100.126.208] INFO: Hashing 78.100.126.208[500] with algo #2
2013-03-29 14:48:31: [65.49.80.32] INFO: Hashing 65.49.80.32[500] with algo #2
2013-03-29 14:48:31: INFO: Adding remote and local NAT-D payloads.
2013-03-29 14:48:32: INFO: NAT-T: ports changed to: 78.100.126.208[4500]<->65.49.80.32[4500]
2013-03-29 14:48:32: INFO: KA list add: 65.49.80.32[4500]->78.100.126.208[4500]
2013-03-29 14:48:32: INFO: ISAKMP-SA established 65.49.80.32[4500]-78.100.126.208[4500] spi:c44678d722fbbe24:5136275ff4100b39
2013-03-29 14:48:32: [78.100.126.208] INFO: received INITIAL-CONTACT
2013-03-29 14:48:34: INFO: respond new phase 2 negotiation: 65.49.80.32[4500]<=>78.100.126.208[4500]
2013-03-29 14:48:34: INFO: Adjusting my encmode UDP-Transport->Transport
2013-03-29 14:48:34: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2013-03-29 14:48:35: INFO: IPsec-SA established: ESP/Transport 65.49.80.32[500]->78.100.126.208[500] spi=162368227(0x9ad8ae3)
2013-03-29 14:48:35: INFO: IPsec-SA established: ESP/Transport 65.49.80.32[500]->78.100.126.208[500] spi=210650341(0xc8e44e5)
2013-03-29 14:49:58: [78.100.126.208] INFO: DPD: remote (ISAKMP-SA spi=c44678d722fbbe24:5136275ff4100b39) seems to be dead.
2013-03-29 14:49:58: INFO: purging ISAKMP-SA spi=c44678d722fbbe24:5136275ff4100b39.
2013-03-29 14:49:58: INFO: purged IPsec-SA spi=210650341.
2013-03-29 14:49:58: INFO: purged IPsec-SA spi=162368227.
2013-03-29 14:49:58: INFO: purged ISAKMP-SA spi=c44678d722fbbe24:5136275ff4100b39.
2013-03-29 14:49:58: INFO: ISAKMP-SA deleted 65.49.80.32[4500]-78.100.126.208[4500] spi:c44678d722fbbe24:5136275ff4100b39
2013-03-29 14:49:58: INFO: KA remove: 65.49.80.32[4500]->78.100.126.208[4500]
```


----------



## Anonymous (Mar 30, 2013)

amr said:

> ... I am still not able to connect but this time I am getting new error message "Timeout".
> please check my /var/log/racoon.log
>
> ...



Up to that point, everything went fine as far as IPsec is concerned. Even the follow-up messages below are correct from the point of view of IPsec. DPD, i.e. Dead Peer Detection, detected that the peer is dead and then correctly tore the connection down.



			
amr said:

> ```
> 2013-03-29 14:49:58: [78.100.126.208] INFO: DPD: remote (ISAKMP-SA spi=c44678d722fbbe24:5136275ff4100b39) seems to be dead.
> ...
> ```



According to those log messages, the IPsec part of L2TP/IPsec looks good so far, and troubleshooting has to focus on L2TP.

Force a manual clean-up by issuing the following 2 commands:

```
# setkey -DF
# service ipsec restart
```

Please stop the mpd5 service: `# service mpd5 stop`

Then restart an interactive mpd5 session: `# mpd5`

Now start another connection trial. In the interactive mpd5 console, diagnostic messages about the running connection trial should appear. Look out for something obvious in there.

The racoon.log tells us that your client is sitting behind a NAT. The respective firewall must allow UDP traffic on ports 1701 and 4500.
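The two racoon logs posted in this thread, and the way the replies read them, can be turned into a small triage check. This is an added example, not code from the thread or from racoon/mpd5; the sample logs are condensed from the ones posted above, and the advice strings only restate the replies (PSK error in phase 1 vs. IPsec up, DPD tear-down, L2TP never completed).

```python
# Added example, not from the thread: triage a racoon(8) log excerpt the
# way the replies above read them (PSK error vs. IPsec up but L2TP absent).
import re

# Milestones racoon logs, in the order a successful L2TP/IPsec setup emits them.
MARKERS = {
    "phase1": re.compile(r"respond new phase 1 negotiation"),
    "nat": re.compile(r"NAT detected: PEER"),
    "pskey": re.compile(r"couldn't find the pskey"),
    "isakmp": re.compile(r"ISAKMP-SA established"),
    "ipsec": re.compile(r"IPsec-SA established"),
    "dpd": re.compile(r"DPD: remote .* seems to be dead"),
}

ADVICE = {
    "no-phase1": "No phase 1 seen: UDP 500 is not reaching racoon.",
    "phase1-psk": "Phase 1 died on the PSK: check psk.txt (wildcard-PSK patch, exact key text, chmod 600).",
    "ipsec-ok-l2tp-failed": "IPsec came up and DPD tore it down: L2TP never completed; check mpd5 and UDP 1701/4500 through the client NAT.",
    "incomplete": "Phase 1 started but nothing conclusive was logged.",
}


def triage(log_text):
    """Return which milestones appeared in the excerpt and a verdict for the attempt."""
    seen = {name: any(rx.search(line) for line in log_text.splitlines())
            for name, rx in MARKERS.items()}
    if not seen["phase1"]:
        verdict = "no-phase1"
    elif seen["pskey"]:
        verdict = "phase1-psk"
    elif seen["isakmp"] and seen["ipsec"] and seen["dpd"]:
        verdict = "ipsec-ok-l2tp-failed"
    else:
        verdict = "incomplete"
    return {"seen": seen, "verdict": verdict, "advice": ADVICE[verdict]}


# Constructed samples, condensed from the two logs posted in this thread.
LOG_PSK = """2013-03-29 03:16:34: INFO: respond new phase 1 negotiation: 65.49.80.32[500]<=>178.152.169.253[500]
2013-03-29 03:16:34: INFO: NAT detected: PEER
2013-03-29 03:16:34: [178.152.169.253] ERROR: couldn't find the pskey for 178.152.169.253.
2013-03-29 03:16:34: [178.152.169.253] ERROR: phase1 negotiation failed.
"""
LOG_DPD = """2013-03-29 14:48:30: INFO: respond new phase 1 negotiation: 65.49.80.32[500]<=>78.100.126.208[500]
2013-03-29 14:48:31: INFO: NAT detected: PEER
2013-03-29 14:48:32: INFO: ISAKMP-SA established 65.49.80.32[4500]-78.100.126.208[4500] spi:c44678d722fbbe24:5136275ff4100b39
2013-03-29 14:48:35: INFO: IPsec-SA established: ESP/Transport 65.49.80.32[500]->78.100.126.208[500] spi=162368227(0x9ad8ae3)
2013-03-29 14:49:58: [78.100.126.208] INFO: DPD: remote (ISAKMP-SA spi=c44678d722fbbe24:5136275ff4100b39) seems to be dead.
"""
```

Feed it the relevant slice of /var/log/racoon.log for one connection attempt; `triage(text)["advice"]` names the leg (IKE, PSK, or L2TP) to look at next.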


----------



## amr (Mar 31, 2013)

Well, in the beginning I would like to thank you for all that you have done. I've restarted IPsec and mpd5 and made the trial connection, with no luck.


```
root@PBX: # mpd5
Multi-link PPP daemon for FreeBSD

process 5594 started, version 5.6 (root@PBX 15:02 28-Mar-2013)
CONSOLE: listening on 127.0.0.1 5005
web: listening on 0.0.0.0 5006
L2TP: waiting for connection on X.X.X.X 1701
[L_l2tp]
```

I think it's a NAT and firewall issue for that reason I want to run the server on port 443 and 80.


----------



## amr (Mar 31, 2013)

When I try to connect I am getting "Timeout" message, could you please review my /usr/local/etc/mpd5/mpd.conf config file:


```
startup:
        # configure mpd users
        set user amr amr admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
        set ipcp dns 8.8.8.8

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reduce the link MTU to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self X.X.X.X
```


----------

