Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

iptables -A OUTPUT -p udp --sport 1701 -j ACCEPT #for KLIPS add -o ipsec0
iptables -A INPUT -p udp --dport 1701 -j ACCEPT #for KLIPS add -i ipsec0
iptables -A INPUT -p esp -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT

Choosing an L2TP Daemon

There are a few different L2TP software packages available, and most of them are available in different patched versions.

The most commonly used daemon is still l2tpd, though the main website and source repository have vanished. A retirement page can be found at http://l2tpd.sourceforge.net/. RPMs for SuSE, Red Hat, Fedora, and Mandrake can be found on Jacco's L2TP pages. l2tpd is still included in Debian, though you might need to use the version in Debian unstable to get a modern enough version. The authors are maintaining l2tpd in Fedora Extras.

l2tpd is known to work with an IPsec/L2TP setup and has been used by many people.

The old homepage for L2TP, www.l2tpd.org, has been squatted by a domain squatter. A malicious person could re-instate this domain with malicious code on it. We recommend downloading the source from the SourceForge page, or from Debian, Fedora Extras, or Jacco de Leeuw's website directly.

Another L2TP daemon is rp-l2tpd, though this project's activity seems to have stalled as well. There is not as much experience running rp-l2tpd with IPsec as there is with l2tpd, but it has been reported to work by various people. However, rp-l2tpd cannot assign virtual IP addresses by itself. You can either assign static virtual IP addresses per user, or let the PPP daemon (pppd) handle virtual IP address assignment either using a plug-in called ppp-dhcp, or using pppd 2.4.2 or newer, which supports RADIUS. However, this does require that you set up a RADIUS server that supports 'IP pools'.

Be aware when testing different L2TP daemons that both l2tpd and rp-l2tpd use the same filename to install their daemon, /usr/sbin/l2tpd.

l2tpd can also use the PPP with RADIUS options mentioned for rp-l2tpd.

There are two more L2TP servers worth mentioning. One is being pushed by IBM, and is called OpenL2TP. Another L2TP implementation, one that does not run as a daemon but as a kernel module, is confusingly called l2tp. You can find it under that name as a SourceForge.net project.

Some versions of the L2TP daemons used to require 'Legacy (BSD) PTY' support. Most modern Linux distributions no longer support this legacy feature, which has been replaced by Unix98 PTYs. Fedora Core and Mandrake are known to require a kernel recompile to add this feature. Both l2tpd and rp-l2tpd no longer require Legacy PTYs. Debian and Fedora Extras contain a modern enough l2tpd implementation as well.

Interoperating with Microsoft Windows and Apple Mac OS X

Configuring L2TPD

Configuration of the L2TPD program is fairly straightforward, especially when using Jacco's prepackaged version that is already set up for using L2TP with IPsec, and is also the basis for the Fedora Extras package. Most configuration options go into /etc/l2tpd/l2tpd.conf.

[global]
;if you run l2tpd on the internal interface only, enable the line below
;listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.98
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPNServer
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

Be careful not to create conflicting files in /etc/l2tpd.conf and /etc/l2tpd/l2tpd.conf.

In our example, we have reserved 192.168.1.128 to 192.168.1.254 for virtual IP addresses that can be assigned to incoming L2TP connections. Make sure the local DHCP server in the network does not assign these addresses as well. Our next step is to create the options for the pppd daemon that are specific to using pppd with L2TP. This is done in /etc/ppp/options.l2tp:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.1
ms-wins 192.168.1.3
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
# change line below to defaultroute to make all traffic go through the VPN
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

It is important that no packet fragmentation occurs, because if multiple clients are trying to use L2TP behind the same NAT router, Openswan would not be able to distinguish the fragments. This is why the values of 1200 are chosen for the MTU and MRU in options.l2tp. It is also strongly recommended to set the public interface (in our example eth0) mtu to 1440 to prevent fragmentation in the IPsec layer as well.
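To see how much headroom the 1200-byte PPP MTU leaves, this added example (not from the book) totals the L2TP and ESP encapsulation overhead for one full-size PPP frame and finds the largest PPP MTU that still fits a given public-interface MTU without IP fragmentation. The header sizes are the protocol constants; the cipher and integrity parameters (AES-CBC or 3DES-CBC with a 12-byte ICV, NAT-T on UDP/4500) are assumptions, since the text does not name them.

```python
"""Size arithmetic for an IPsec/L2TP tunnel: why a 1200-byte PPP MTU/MRU
and a 1440-byte public-interface MTU leave no room for fragmentation."""

IP_HDR = 20        # IPv4 header without options (outer and inner)
UDP_HDR = 8
L2TP_HDR = 8       # L2TP data header with the length bit set
PPP_HDR = 2        # protocol field only (address/control compressed)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def l2tp_inner_size(ppp_mtu):
    """Plaintext IP packet carrying one full PPP frame:
    IP + UDP/1701 + L2TP + PPP + payload."""
    return IP_HDR + UDP_HDR + L2TP_HDR + PPP_HDR + ppp_mtu


def esp_encapsulated_size(plain_len, iv_len=16, block=16, icv_len=12, nat_t=True):
    """Wire size after ESP tunnel-mode encapsulation.
    iv_len/block: 16 for AES-CBC, 8 for 3DES-CBC (assumed ciphers).
    icv_len: 12 for HMAC-SHA1-96 or HMAC-MD5-96.
    nat_t: add the UDP/4500 header used for NAT traversal."""
    body = plain_len + ESP_TRAILER
    padded = -(-body // block) * block          # round up to cipher block size
    size = IP_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def l2tp_outer_size(ppp_mtu, **esp):
    """Bytes on the wire for a full PPP frame after L2TP and ESP encapsulation."""
    return esp_encapsulated_size(l2tp_inner_size(ppp_mtu), **esp)


def max_ppp_mtu(outer_mtu, **esp):
    """Largest PPP MTU whose encapsulated packet still fits outer_mtu,
    so neither the L2TP layer nor the IPsec layer has to fragment."""
    mtu = outer_mtu
    while mtu > 0 and l2tp_outer_size(mtu, **esp) > outer_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for eth_mtu in (1500, 1440):
        print(f"eth0 mtu {eth_mtu}: largest fragment-free PPP mtu "
              f"{max_ppp_mtu(eth_mtu)} (AES) / "
              f"{max_ppp_mtu(eth_mtu, iv_len=8, block=8)} (3DES)")
    print("ppp mtu 1200 -> on the wire:", l2tp_outer_size(1200), "bytes")
```

With the default (AES) parameters a 1200-byte PPP frame becomes 1312 bytes on the wire, well inside the recommended 1440-byte eth0 MTU.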
