L2TP

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.

L2TP/IPSec

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193.

https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol

Setting up an L2TP/IPSec FreeBSD server

Requirements:

Install mpd5:

$ pkg install mpd5

Install strongswan:

$ pkg install strongswan

Setting up mpd

Example mpd.conf; clients obtain an address from the 172.16.13.0/24 segment.

startup:
    # set user operations secret_changeme admin

default:
    load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
    set ippool add pool1 172.16.13.2 172.16.13.254

# Create clonable bundle template named VPN
    create bundle template VPN
    set iface enable netflow-in
    set iface enable netflow-out
    set iface enable ipacct
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
    set ipcp ranges 172.16.13.1/32 ippool pool1
    set ipcp dns 8.8.8.8

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless

# Create clonable link template named L
    create link template L l2tp

# Set bundle template to use
    set link action bundle VPN
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2
    set link enable chap
    set link keep-alive 10 60

# Reduce the link MTU to avoid fragmentation of the encapsulated packets.
    set link mtu 1400

# Configure l2tp
    set l2tp self 0.0.0.0
    set l2tp enable length
    set l2tp disable dataseq

# Accept incoming calls
    set link enable incoming

An example of the mpd.secret file:

username1 password 172.16.13.3
username2 password
* !/external/script

strongswan

The ipsec.conf file:

config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=8h
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@vpn.test
    leftcert=vpnHostCert.pem
    right=%any
    auto=add

conn L2TP-IPSec-PSK
    type=transport
    leftauth=psk
    rightauth=psk

The ipsec.secrets:

: PSK "the-shared-secret-key"
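The proposal above (aes256-sha1-modp1024) uses SHA-1 and 1024-bit MODP (DH group 2), which no longer meets current key-size recommendations. The following ipsec.conf is an added example, not the original page's file: it keeps the same transport-mode, PSK, L2TP-over-IPsec design but selects AES-256, SHA-256 and 2048-bit MODP (DH group 14), and binds the SA to L2TP traffic (UDP/1701 on the server side) so the tunnel cannot be used for anything else. It assumes the server identity vpn.test from the page and clients that support these proposals; check your client platforms before deploying.

```conf
# Added example ipsec.conf (not the page's original). Assumes server
# identity vpn.test and clients that accept AES-256/SHA-256/modp2048.
config setup
    strictcrlpolicy=no
    # several clients behind one NAT share a source address
    uniqueids=no

conn L2TP-IPSec-PSK
    # L2TP/IPsec clients (RFC 3193 style) negotiate with IKEv1
    keyexchange=ikev1
    type=transport
    # pre-shared key on both sides (equivalent to leftauth/rightauth=psk)
    authby=secret
    # strict proposal: no fallback to weaker algorithms
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=8h
    keylife=1h
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.test
    # only protect L2TP (UDP 1701) on the server side
    leftprotoport=17/1701
    right=%any
    # clients behind NAT may use any source port
    rightprotoport=17/%any
    auto=add
```

The ipsec.secrets entry stays as on the page (`: PSK "..."`), because roadwarrior clients connecting as %any share one PSK; use a long random secret, since with IKEv1 aggressive or main mode a guessable PSK weakens the whole tunnel.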

PF NAT

If the VPN clients need NAT to reach the outside through the server, the following pf.conf may help:

scrub in all
nat on xn0 from !xn0:0 to any -> (xn0)
set skip on lo
pass all
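The rule set above passes everything. Because mpd listens on all addresses (`set l2tp self 0.0.0.0`) and L2TP itself is unencrypted, a practitioner will want the firewall to expose only IKE, NAT-T and ESP, and to accept UDP/1701 only after it has been decapsulated by IPsec. The following pf.conf is an added example that covers both the mpd and the PF sections; it is not part of the original page. It assumes the external interface xn0 and the client pool 172.16.13.0/24 from the page, and that the enc(4) interface is available (kldload if_enc) so that pf can filter decapsulated IPsec traffic on enc0; with pf's default floating state policy, the state created on enc0 also matches the decapsulated packet if it is re-evaluated on xn0.

```conf
# Added example pf.conf (not the page's original). Assumes ext_if=xn0,
# client pool 172.16.13.0/24 and if_enc loaded so enc0 exists.
ext_if  = "xn0"
vpn_net = "172.16.13.0/24"

set skip on lo
scrub in all

# Masquerade VPN client traffic leaving on the external interface.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default deny inbound; allow outbound with state.
block in log all
pass out all keep state

# Packets on the external interface must never claim a VPN-pool source.
block in quick on $ext_if from $vpn_net to any

# IKE (UDP 500), NAT-T (UDP 4500) and ESP to the server itself.
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# L2TP (UDP 1701) only after IPsec decapsulation, i.e. as seen on enc0.
# A clear-text UDP/1701 packet arriving on $ext_if hits the block rule.
pass in on enc0 proto udp from any to ($ext_if) port 1701

# Traffic from connected clients (arrives on the ng* PPP interfaces).
pass in from $vpn_net to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s state` while a client connects: you should see UDP 500/4500 and ESP states on xn0 and the UDP/1701 state created via enc0, never a bare 1701 state on the external interface.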