L2TP VPN using xl2tpd


L2TP (Layer 2 Tunneling Protocol)

L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used for VPNs. It communicates over UDP port 1701. It has no encryption of its own, but the L2TP packets can be encrypted by running L2TP over IPsec. For the theory behind L2TP you can read its Wikipedia page.

In Linux you can find many different applications for building an L2TP server, but there is no proper documentation for them. Also, I think hardly anyone uses L2TP VPN nowadays. But my requirement could only be solved by L2TP: I wanted to configure a VPN for some old devices that support only L2TP VPN.

I use CentOS 5 Linux for the VPN server. For the VPN software, I use a combination of two applications: xl2tpd and rp-l2tpd.

I also had the option of openl2tpd. I tried it on Fedora 8 Linux, but a bug in Fedora 8's pppd stopped me from using it. And when I tried to install openl2tpd on CentOS 5, it asked me to enable L2TP support in the kernel. I didn't want to play with the kernel at that time.

That was the reason I switched to xl2tpd. It is the same application as l2tpd, but maintained by Xelerance Corporation. I don't use l2tpd because of a compilation problem. I also faced a compilation problem with xl2tpd, but it was manageable. You will also see the use of rp-l2tpd; it solves a dependency problem for xl2tpd.

L2TP VPN

Downloading & Installing xl2tpd

xl2tpd can be downloaded from http://www.xelerance.com/software/xl2tpd/xl2tpd-1.2.4.tar.gz or from any other website. After downloading the application, use the following commands to install it.

root@rahul-pc~# tar -xvf xl2tpd-1.2.4.tar.gz
root@rahul-pc~# cd xl2tpd-1.2.4
root@rahul-pc~# make

When you run make, it may show some compilation errors (especially on a freshly installed CentOS 5 system, probably due to missing dependencies), but it still creates the xl2tpd binary. You can use that binary for the L2TP VPN server. Copy the binary to the /usr/local/sbin/ directory.

root@rahul-pc~# cp xl2tpd /usr/local/sbin/

xl2tpd.conf

Also copy the xl2tpd.conf file from the examples directory of your xl2tpd source tree to the /etc/xl2tpd/ directory (you need to create that directory, as you are installing xl2tpd manually).

root@rahul-pc~# cp examples/xl2tpd.conf /etc/xl2tpd/

Change xl2tpd.conf according to your needs; that is, change the IP addresses in the conf file to the ones you require for your VPN network, i.e. the tunnel IP addresses. In my case the xl2tpd.conf file looks something like this.

;; This is a minimal sample xl2tpd configuration file for L2TP without IPsec.
;; The idea is to provide an L2TP daemon to which remote L2TP clients can
; connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 10.10.10.0/24; (i.e. 10.10.10.1 ... 10.10.10.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you can bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below).
[global]
;listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
;ipsec saref = yes
;forceuserspace = yes
;
;debug tunnel = yes
; L2TP Network Server configuration.
[lns default]
ip range = 10.10.10.2-10.10.10.254
local ip = 10.10.10.1
; Always use CHAP instead of PAP, it will provide you a little security
; with L2TP (without IPsec).
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
; PPP option file name, it may use /etc/ppp/options by default, if you comment this
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

You can modify this file according to your requirements. The configuration on the xl2tpd side is now complete; next come the PPP parameters.

options.xl2tpd

First of all, create a file named /etc/ppp/options.xl2tpd (the option file name given in xl2tpd.conf) with the following entries.

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.22.240
ms-wins 192.168.22.240
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
proxyarp
connect-delay 5000

You can change the DNS and WINS server IP addresses in the file. You can also add other parameters supported by your pppd, such as require-mschap-v2; see the man page of your pppd.

chap-secrets

Put your authentication credentials in the /etc/ppp/chap-secrets file. The secrets are stored in clear text, so keep the file owned by root with mode 600.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"username"      "*"     "password"             "10.10.10.2"

The IP address field gives the static IP address assigned to the remote end of the tunnel. You can also assign dynamic IP addresses by using a RADIUS server, the dhcp-pppd plugin, etc. But I don't know which is the easiest method and how to do it. Also, my requirement was met by using static IP addresses. But I would like to know the other methods too. Anyone who can shed some light on this, please write.

The same chap-secrets file can be used if you use the MS-CHAP protocol in the options file.

Running xl2tpd

After completing all of the above configuration, you can start xl2tpd with the following command.

xl2tpd -D

The -D option turns on xl2tpd's debug output. It is recommended to start the application in debug mode the first time (during testing). Remove the -D option to turn the debug output off.

When you try to run xl2tpd, it may show an error that /var/run/xl2tpd/l2tp-control was not found. This l2tp-control file can be taken from the rp-l2tpd application. Or, if you compile xl2tpd properly, it may give you the l2tp-control binary itself. You could also try creating a blank non-binary file with the touch command (I didn't try this; it's just a silly idea).

Download & compile rp-l2tpd to get the l2tp-control

To download rp-l2tpd, go to http://sourceforge.net/projects/rp-l2tp/. Compile the application with the following commands.

root@rahul-pc~# tar -xvf rp-l2tpd-0.4.tar.gz
root@rahul-pc~# cd rp-l2tpd-0.4
root@rahul-pc~# ./configure
root@rahul-pc~# make

After successful compilation, copy the l2tp-control binary to the /usr/local/sbin/ directory.

root@rahul-pc~# cp handlers/l2tp-control /usr/local/sbin/

Create a soft link to the control file in the /var/run/xl2tpd/ directory.

root@rahul-pc~# mkdir /var/run/xl2tpd/
root@rahul-pc~# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

Now you can start the xl2tpd tunneling server with the command given above. It will start and work perfectly.
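Before starting the daemon, the checks below catch the three things that most often go wrong in this setup: a line in xl2tpd.conf that its parser rejects ("no '=' in data"), a chap-secrets file readable by other users, and a missing control file. This is an added example, not part of xl2tpd or rp-l2tp; the paths it assumes are the ones used in this post.

```shell
#!/bin/sh
# Pre-flight checks for the xl2tpd setup above. Added example, not part of
# xl2tpd or rp-l2tp; the default paths are simply the ones the post uses.

# lint_xl2tpd_conf FILE: xl2tpd's parser accepts only blank lines, ';' comments,
# [section] headers and "key = value" lines; anything else aborts startup with
# "parse_config: line N: no '=' in data". Print offenders as FILE:N: line and
# return 1, so the problem is found before the daemon is started.
lint_xl2tpd_conf() {
    file=$1 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        t=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$t" in
            ''|';'*|'['*']') ;;                # blank, comment, section header
            *=*) ;;                            # key = value
            *) printf '%s:%d: %s\n' "$file" "$n" "$line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# check_secret_perms FILE: chap-secrets stores every VPN password in clear text,
# so group/other must have no access; accept only modes ending in 00 (600, 400).
check_secret_perms() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) return 0 ;;
        *) echo "$file: mode $mode is too open, use chmod 600" >&2; return 1 ;;
    esac
}

# check_control_file FILE: xl2tpd will not start without its control file (the
# error the post works around with rp-l2tp's l2tp-control and a symlink).
check_control_file() {
    [ -e "$1" ] || { echo "$1: control file missing" >&2; return 1; }
}

# Usage: sh check_xl2tpd.sh run  (an argument is required so the file can also
# be sourced for its functions without running the checks)
if [ "${1:-}" = run ]; then
    rc=0
    lint_xl2tpd_conf /etc/xl2tpd/xl2tpd.conf || rc=1
    check_secret_perms /etc/ppp/chap-secrets || rc=1
    check_control_file /var/run/xl2tpd/l2tp-control || rc=1
    exit $rc
fi
```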

Check related posts: how to configure L2TP VPN on CentOS using rp-l2tpd and IPSec Communication for VPN Setup


34 thoughts on "L2TP VPN using xl2tpd"

  1. Pingback: L2TP VPN Without IPsec How to « Linux Explore

  2. Pingback: Brief notes on deploying ipsec+l2tpd on Centos 5.5 at gkp's post

  3. Pingback: Brief notes on deploying ipsec+l2tpd on Centos 5.5 | gkp's post

  4. This weblog is superior; it has got all the points I sought after to speak about, it has fulfilled my wisdom. I just appreciated this weblog and I wish to subscribe, so can you please inform me when your blog gets updated and what's the procedure to subscribe in detail?

  5. Pingback: 2010 in review « Linux Explore

  6. Fabulous posting, bro. This is just a tremendously nicely structured post, just the critical info I was looking for. I praise you.

  7. Pingback: Installing PPTP and L2TP VPN on a Linode Gentoo host | Fang Jian's Personal Blog

  8. I've followed your great tutorial, but some problems happened. :(

    I just want to build an L2TP VPN between one Linux machine (server mode [Ubuntu Desktop 10.10]) and one Windows machine (client [using the Windows XP VPN client]) over a cross-over cable connection. I configured the Ubuntu server like the tutorial, but the Windows VPN client gives error 800: Unable to establish the VPN connection. What should I do? Can you post something like establishing a VPN connection between two machines?

  9. I got a comment from an Anonymous user:
    You don't need to get a binary file named l2tp-control. It's more of a configuration file.

    Try:
    mkdir -p /var/run/xl2tpd
    echo "c L2TPserver" > /var/run/xl2tpd/l2tp-control

    I didn’t try this but it may be helpful for others.
    enjoy……….

    • After "xl2tpd -D":
      xl2tpd[2294]: setsockopt recvref[22]: Protocol not available
      xl2tpd[2294]: This binary does not support kernel L2TP.
      xl2tpd[2294]: xl2tpd version xl2tpd-1.2.6 started on sain-desktop PID:2294
      xl2tpd[2294]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
      xl2tpd[2294]: Forked by Scott Balmos and David Stipp, (C) 2001
      xl2tpd[2294]: Inherited by Jeff McAdams, (C) 2002
      xl2tpd[2294]: Forked again by Xelerance (www.xelerance.com) (C) 2006
      xl2tpd[2294]: Listening on IP address 0.0.0.0, port 1701
      What does it mean? Is xl2tpd working?

      • The log shows that xl2tpd has started listening on port 1701.
        Check with "netstat -apn | grep xl2tpd". It will show you the socket opened by xl2tpd if it is working.

  10. Rahul Panwar :
    The log shows that xl2tpd has started listening on port 1701.
    Check with "netstat -apn | grep xl2tpd". It will show you the socket opened by xl2tpd if it is working.

    udp 0 0 0.0.0.0:1701 0.0.0.0:* 1079/xl2tpd
    unix 2 [ ] DGRAM 8002 1079/xl2tpd

    I think it's listening on all IPs on port 1701. Do you know how to connect to the L2TP server with a Linux L2TP client from the command line?

  11. I just want to tell you that I am just beginner to blogs and definitely loved this blog site. Almost certainly I’m likely to bookmark your blog post . You certainly come with terrific articles and reviews. Bless you for sharing with us your web site.

  12. xl2tpd[1819]: setsockopt recvref[22]: Protocol not available
    xl2tpd[1819]: Using l2tp kernel support.
    xl2tpd[1819]: xl2tpd version xl2tpd-1.2.6 started on fwdev PID:1819
    xl2tpd[1819]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[1819]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[1819]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[1819]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[1819]: Listening on IP address 1.0.2.101, port 1701

    If kernel support is used, in the code of xl2tpd.c
    c->fd is always -1??
    It shows the tty is not open yet.
    Please help.

  13. I am getting an error when I run xl2tpd -D:

    parse_config: line 62: no '=' in data
    init: Unable to load config file

    When I comment out line 62 in /etc/ppp/options.xl2tpd I still get the same error. Can anyone help me? I took out the blank lines in /etc/xl2tpd/xl2tpd.conf. Then I receive the error:

    parse_config: line 36: no '=' in data

    So I think that it has something to do with this line or else with /etc/ppp/options.xl2tpd. But I can't find anything wrong there either.

  14. I am trying to use xl2tpd as a VPN client; as the server I am using xl2tpd only. Please help me if anyone knows the configuration settings and commands for this.

  15. it says:
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command 0
    xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command U
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command 0
    xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command U
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command 0
    xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command U
    ^Cxl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command
    xl2tpd[3127]: Unknown command 0
    xl2tpd[3127]: Unknown command 
    xl2tpd[3127]: Unknown command xl2tpd[3127]: Unknown command xl2tpd[3127]: death_handler: Fatal signal 2 received

    Can anyone help, please?
    This happened when I typed in xl2tpd -D after I followed these steps.
    I did not configure any of the text files; I just copied what the tutorial had into mine.

  16. When I type echo "c connection-name" > /var…./l2tp-control, the client debug (xl2tpd) says unknown command!!!
    What's that????

  17. Pingback: L2TP VPN using xl2tpd « Jay

  18. Pingback: L2TP VPN using xl2tpd | Linux Explore

  19. Pingback: L2TP VPN using xl2tpd « Brain Knowledge

  20. Pingback: [SOLVED] L2TP VPN on Centos

  21. Pingback: Setting up L2TP over IPSec VPN server under CentOS 5.3

  22. Pingback: L2TP VPN Server on Centos

  23. Pingback: IPSec Communication for VPN Setup in CentOS 6 / RHEL 6.3 | Linux Explore

  24. Hey My opportunity is so grateful I recently came across your internet site,
    I seriously found you by error, when I was looking on Aol
    for something diffrent, Anyhow I will be here now and would likely want to say cheers for the remarkable post as well as
    a generally enjoyable blog (Moreover, i love the theme/design),
    I would not sufficient to go through just
    about everything while using minute on the other hand have saved
    it as well as put in your Bottles, as soon as I’ve got time I’m
    going to be oh no- read far more, Make sure you continue with the fantastic job.

  25. VPNs can be used to establish a private connection to private networks in
    unrestricted locations so that a user can effectively browse the internet as if they were
    in that unrestricted location. In these three steps you can watch
    Hulu on iPad with a Hulu VPN. In such a condition, a VPN service will be helpful to make
    your main network protected and encrypted so that your collective data ends up profoundly safe.
