Create IPSec/L2TP, IPSec EAP for Android VPN

Introduction

Android supports IPSec/L2TP and IPSec with XAuth, with either a PSK or certificates. I struggled to find any thorough information on setting up the server in its various forms, so I have written this blog mainly so I don't forget how to do it! I am using an Ubuntu server with strongSwan providing the IPSec, xl2tpd providing the L2TP and ppp providing PPP. IPSec provides the encryption; L2TP on its own does not provide any security! Firewall rules need to be added to stop anyone connecting to the L2TP port from outside the IPSec tunnel.

IPSec/L2TP PSK (Pre Shared Key)

First, let's start with the easiest one to set up; it doesn't use certificates, so it is quicker to get going. We need to install strongswan to provide the IPSec, plus ppp and xl2tpd.

apt-get install strongswan xl2tpd ppp

Once that is installed we need to configure strongSwan first. There are several files to configure. First, configure /etc/ipsec.conf

You can define many connections in here (each a "conn" section); an incoming connection is matched against them when it arrives.

Now edit the /etc/ipsec.secrets file; in this case it contains the PSK.

You can test the IPSec part now, even though the full connection will fail. While tailing the syslog, connect from your Android device and check whether the IPSec connection gets established.

Choose L2TP/IPSec PSK as the type. Enter the IPSec pre-shared key you put in the secrets file. Click Save and then tap to connect. When it asks for a username and password, just enter anything for now.

Once you're happy that IPSec is connecting, we can edit the xl2tpd configuration file /etc/xl2tpd/xl2tpd.conf

I'll just show the bottom part of the config, as the rest is comments.

The IP range is the addresses you want to give to clients; make sure it doesn't overlap with anything else in your network. I have a DHCP server configured not to hand out those addresses, although they are still in the local network range. I have done this so I can use an internal Bind9 DNS server, which I have configured to block ads. I will write a post about this soon. The local ip is the server's IP.

Now we will configure the PPP part. Edit the file /etc/ppp/options.xl2tpd

Now edit the /etc/ppp/chap-secrets file, which contains the username/password the Android client asked for.

I have used an internal DNS server address here, but you could use Google's 8.8.8.8.

Restart all the services.

Firewall Rules and IP Forwarding

To allow devices to browse the web we need to enable IP forwarding on the server.

To protect the L2TP port from anything outside the IPSec layer, enter these commands.
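Since the forwarding and firewall commands are not reproduced above, here is an added example (my own script, not the post's own commands) that does the job on a Ubuntu host with iptables: UDP 1701 is accepted only when the xt_policy match confirms the packet was decapsulated from an IPSec SA, and any other traffic to 1701 is dropped. The public interface eth0 and the client pool 192.168.1.200/29 are assumed placeholders; adjust them to your xl2tpd ip range.

```shell
#!/bin/sh
# Added example, not the post's own commands: IP forwarding and iptables rules
# for an IPSec/L2TP server. The L2TP port (UDP 1701) is accepted only when the
# packet arrived inside an IPSec SA (xt_policy match); bare L2TP is dropped.
# Assumed placeholders: public interface eth0 and the xl2tpd client pool below.
WAN_IF="${WAN_IF:-eth0}"
VPN_POOL="${VPN_POOL:-192.168.1.200/29}"

# Run the command, or only print it when DRY_RUN=1 so the rules can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

enable_forwarding() {
    # Runtime setting; add net.ipv4.ip_forward=1 to /etc/sysctl.conf to persist it.
    run sysctl -w net.ipv4.ip_forward=1
}

ipsec_rules() {
    # IKE (500), NAT-T (4500) and ESP itself must reach strongSwan from anywhere.
    run iptables -A INPUT -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -p esp -j ACCEPT
}

l2tp_rules() {
    # Accept L2TP only if it was decapsulated from an IPSec SA, then drop the rest.
    run iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    run iptables -A INPUT -p udp --dport 1701 -j DROP
}

forward_rules() {
    # Let ppp clients out to the Internet, NATed to the server's address.
    run iptables -A FORWARD -s "$VPN_POOL" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$VPN_POOL" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
}

apply_all() { enable_forwarding; ipsec_rules; l2tp_rules; forward_rules; }

# "sh firewall.sh apply" installs the rules; any other invocation only lists them.
if [ "${1:-}" = apply ]; then
    apply_all
else
    (DRY_RUN=1; apply_all)
fi
```

Run it without arguments first to review the generated rules, then with "apply" as root; rules added this way are not persistent across reboots unless saved with your distribution's iptables-persistent mechanism.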

Other implementations coming soon

Please share 🙂
  • Ed

    Really awesome post! Thank you so much. Following this I was able to get a VPN server set up to use with my Android phone. A couple of things I had to do in order to connect and reach the Internet through the VPN:

    1. My chap-secrets line was
    l2tpd * "pass" *

    2. I needed the iptables command
    iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source serveripaddress

    • Hi,
      Thanks for the additional commands, I will add those to the post.