ProL2TP L2TP/IPSec VPN Server Appliance User Guide

This document describes how to configure L2TP/IPSec VPN clients to connect to a ProL2TP L2TP/IPSec VPN Server.

Introduction

Your administrator should give you the following information:

  • An IPSec client certificate file (with a .p12 file extension) or a pre-shared key (PSK). If a certificate is supplied, you will also be given a password which is required only to import the certificate onto your system. The .p12 file contains your private key, so keep it where only you can read it and delete spare copies once it is imported.
  • A VPN username and password. These are separate from the PSK or certificate: the IPSec credential authenticates your machine, the username and password authenticate you.
  • The IP address or hostname of the VPN server to connect to.

Set up a VPN connection

L2TP VPN software is pre-installed in most operating systems, including Windows, macOS, iOS, Android and Linux, so no additional software should be required on your computer. To set your system up to access the VPN, you install the supplied IPSec certificate (if any) and then configure a new L2TP/IPSec VPN connection. These steps are different for each OS.

Windows 10/8/7

Windows requires a Registry change before it will connect to an L2TP/IPSec server when either the client or the server is behind a NAT gateway. Most home or office computers sit behind a NAT gateway, so assume the change is needed. Microsoft documents the setting at https://support.microsoft.com/en-us/kb/926179: the DWORD value AssumeUDPEncapsulationContextOnSendRule under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, set to 2 (NAT allowed on both sides). This change needs to be done only once on each PC and requires administrator rights:

  1. Download this file to your PC. It is a .reg script that sets the value above.
  2. Open the .reg file in Notepad first (right-click, Edit) and check that it only sets the PolicyAgent value described above. Then double-click the file to apply the change. Windows will warn that modifying the Registry may break something; click OK.
  3. Restart your PC. The registry change won't be applied until the system is restarted.

Windows 10

If you were provided an IPSec certificate file (with a .p12 extension), import it into the Local Computer certificate store (Certificates - Local Computer > Personal) using certlm.msc, or mmc with the Certificates snap-in added for the Computer account. IPSec authenticates the machine, so a certificate imported into your own user store with certmgr.msc is not used for the VPN. Import the certificate by following the instructions here.

To set up an L2TP VPN connection:

  1. From the Windows 10 Start Menu, click Settings.
  2. Click Network & Internet.
  3. On the left navigation menu, select VPN.
  4. Click Add a VPN connection.
  5. In the VPN provider text box, select Windows (built-in).
  6. In the Connection name text box, type a name for the VPN connection (such as "L2TP VPN").
  7. In the Server name or address text box, type the DNS name or IP address you were given to connect to the VPN server.
  8. From the VPN Type drop-down list, select Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec).
  9. Click Save. The VPN is added to the Network & Internet VPN settings page.
  10. On the VPN settings page, click Change adapter options.
  11. Click your VPN to select it.
  12. Click Change settings of this connection. The Properties for this VPN appear.
  13. Click the Security tab.
  14. From the Data encryption drop-down list, select Require encryption (disconnect if server declines).
  15. Select Allow these protocols.
  16. Ensure that PAP is selected as an allowed protocol. PAP sends your VPN password unencrypted inside the PPP session, so it is protected only by the IPSec tunnel; this is why step 14 requires encryption and why the IPSec credential set in the next steps is mandatory.
  17. Click Advanced settings. The Advanced Properties dialog box appears.
  18. If your VPN is configured to use a pre-shared key as the IPSec credential method, select Use pre-shared key for authentication. In the Key text box, type the pre-shared key for this tunnel.
  19. If your VPN is configured to use a certificate as the IPSec credential method, select Use certificate for authentication.

Windows 7

If you were provided an IPSec certificate file (with a .p12 extension), import it using the Certificates snap-in of Microsoft Management Console (mmc): add the snap-in for the Computer account and import into Personal. IPSec authenticates the machine and does not look in your user store. Import the certificate by following the instructions here. Windows accepts certificates with either a .p12 or .pfx filename.

  1. Open up Control Panel by clicking Start then Control Panel
  2. Click Network and Internet
  3. Click Network and Sharing Center
  4. Click Set up a new connection or network
  5. Click Connect to a workplace
  6. Click Use my Internet connection (VPN)
  7. Enter in "Internet address" your VPN address. This will be given to you by your administrator, e.g. vpn.example.com. Then click Next.
  8. Enter your username and password and click Connect
  9. It will say Connection Failed, because the IPSec credentials are not set yet. Click Set up the connection anyway
  10. Click Change adapter settings
  11. Click the VPN connection
  12. Click Change settings of this connection
  13. Click the Security Tab
  14. Change the following settings:
    1. Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)
    2. Allow these Protocols: Unencrypted password (PAP)
  15. Click Advanced Settings
  16. If your VPN is configured to use a pre-shared key as the IPSec credential method, select Use pre-shared key for authentication. In the Key text box, type the pre-shared key for this tunnel.
  17. If your VPN is configured to use a certificate as the IPSec credential method, select Use certificate for authentication.
  18. Click Ok
  19. Click Ok
  20. Click Start this connection

macOS

To import an IPSec certificate (.p12 file), see Import keychain items using Keychain Access on Mac. Enter the certificate password when prompted.

To configure the L2TP VPN connection:

  1. Open System Preferences.
  2. Select Network under Internet & Wireless.
  3. Add a new network by selecting "+" below the network list.
  4. Under Interface, select VPN.
  5. Under VPN Type, select L2TP over IPsec.
  6. Set Service Name as you see fit, e.g. "example.com VPN".
  7. Click "Create".
  8. Set Server Address to the VPN server address and Account Name to the VPN username given to you by your administrator.
  9. Click "Authentication Settings..."
    1. Under User Authentication, select Password and fill in the VPN password given to you by your administrator.
    2. If your VPN is configured to use a pre-shared key as the IPSec credential method, under Machine Authentication select "Shared Secret" and enter the pre-shared key given to you.
    3. If your VPN is configured to use a certificate as the IPSec credential method, under Machine Authentication select "Certificate", click "Select..." and choose the certificate you imported.
    4. Click OK
  10. Click "Advanced..."
  11. Make sure "Send all traffic over VPN connection" is checked, and click OK.
  12. From the gear drop-down under the network list, select "Set Service Order..."
  13. Drag and drop the services to ensure that your VPN connection is at the top of the Service Order list, and click OK.

iOS

To import an IPSec certificate (.p12 file):

  1. Send the certificate file to your phone as an email attachment. The .p12 holds your private key, so use a mailbox only you can read, and remove it again in step 5.
  2. Open the email and tap the .p12 attachment. This opens the certificate and a new window appears.
  3. Tap Install. Enter the device's passcode when prompted.
  4. Enter the certificate import password given to you by your administrator.
  5. Delete the email along with its certificate attachment.

To configure the L2TP VPN connection:

  1. Open Settings
  2. Tap General
  3. Scroll Down and Tap VPN
  4. Tap Add VPN Configuration
  5. Select the type of VPN: L2TP.
  6. Enter the following information:
    1. Description: Your description of the VPN
    2. Server: The VPN Server address given to you by your administrator, e.g. vpn.example.com
    3. Account: Your VPN username
    4. Password: Your VPN password
  7. If your VPN is configured to use a pre-shared key as the IPSec credential method, in the Secret text box, type the pre-shared key for this tunnel.
  8. If your VPN is configured to use a certificate as the IPSec credential method, select Use certificate for authentication and select the certificate previously installed.
  9. Tap Save
  10. Go back into the General Settings and scroll to the top
  11. Turn the VPN on

Android

To import an IPSec certificate (.p12 file):

  1. Send the certificate file to your phone as an email attachment. As on iOS, the .p12 holds your private key, so use a mailbox only you can read, and remove it again in step 5.
  2. Open the email and tap the .p12 attachment. This opens the certificate and a new window appears.
  3. Change the "certificate name" to a more descriptive name, e.g. "vpn.example.com". This name will appear in certificate lists later.
  4. Enter the certificate import password given to you by your administrator. Tap OK. If asked what the credential is for, choose "VPN and apps".
  5. Delete the email along with its certificate attachment.

Follow the steps below to connect your Android device to the VPN server using L2TP:

  1. Launch the Settings app from the home screen of your Android device. If it is not on your home screen, open the application drawer and search for Settings.
  2. In Settings, tap More under the WIRELESS & NETWORKS category. (On newer Android versions the VPN screen is under Network & internet instead.)
  3. Tap VPN.
  4. On the VPN screen, create a new VPN configuration by tapping the Add VPN Profile (+) symbol. The Add VPN profile screen opens.
  5. If your VPN is configured to use a certificate as the IPSec credential method, enter the following information:
    1. Name: Select any name you prefer.
    2. TYPE: Select L2TP/IPSEC RSA from the drop-down.
    3. Server address: Enter the address given to you by your administrator, e.g. vpn.example.com.
    4. L2TP Secret: Leave blank
    5. IPSec user certificate: Select the certificate that you previously installed from the drop-down.
    6. IPSec CA certificate: Select the CA certificate that was installed along with your .p12 file. Do not leave this at "(received from server)": that skips checking the server against a trusted CA, so any server could impersonate yours. If no CA certificate is listed, ask your administrator for it.
    7. IPSec server certificate: Leave at "(received from server)" unless your administrator gave you a separate server certificate; the certificate the server presents is then verified against the CA certificate chosen above.
    8. DNS search names: Leave blank unless your administrator tells you otherwise.
    9. DNS servers: Leave blank unless your administrator tells you otherwise.
    10. Forwarding routes: Leave blank unless your administrator tells you otherwise.
    11. Username: Enter the VPN username given to you.
    12. Password: Enter the VPN password given to you.
    13. Always on VPN: enable only if desired.
    14. Tap the 'OK' button on top right to save the profile.
  6. If your VPN is configured to use a pre-shared key as the IPSec credential method, enter the following information:
    1. Name: Select any name you prefer.
    2. TYPE: Select L2TP/IPSEC PSK from the drop-down.
    3. Server address: Enter the address given to you by your administrator, e.g. vpn.example.com.
    4. L2TP Secret: Leave blank
    5. IPSec Identifier: Leave blank
    6. IPSec Pre-Shared Key: Enter the secret given to you by your administrator.
    7. Username: Enter the username given to you.
    8. Password: Enter the password given to you. This is not the IPSec PSK.
    9. Always on VPN: enable only if desired.
    10. Tap the 'OK' button on top right to save the profile.

Linux

Linux client setup involves configuring the IPSec software (strongSwan or Libreswan) and the L2TP software (xl2tpd or go-l2tp). Some Linux desktops have a UI for L2TP/IPSec, though at this time it does not support IPSec certificates. The instructions here show how to configure strongSwan and go-l2tp.

  1. Install strongSwan: sudo apt-get install --no-install-recommends strongswan-swanctl charon-systemd
  2. If using IPSec certificates, copy your .p12 file to the /etc/swanctl/pkcs12/ directory and create a file /etc/swanctl/conf.d/vpnclient-cert.conf. Use this file as a template, modifying the VPN server address, local and remote IDs and the certificate import password. The local ID must be "vpnclientN" where N is derived from the p12 filename. The remote ID is a name set on the server; your administrator should tell you what it is. The file contains the import password, so make it readable by root only (chmod 600).
  3. If using an IPSec PSK, create a file /etc/swanctl/conf.d/vpnclient-psk.conf. Use this file as a template, modifying the server address and PSK. Again, chmod 600 the file.
  4. Load the configuration: sudo swanctl --load-all
  5. Initiate the connection to test it. This happens automatically when the L2TP connection is started, but doing it by hand confirms that the IPSec configuration is correct. Use --child vpnclient-psk for the PSK configuration. A successful run ends with a CHILD_SA "established" line whose traffic selectors are restricted to UDP port 1701 (shown as [udp/l2f], the /etc/services name for that port) followed by "initiate completed successfully":
    $ sudo swanctl --initiate --child vpnclient-cert
    [ENC] generating QUICK_MODE request 1573306711 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
    [NET] sending packet: from 10.0.2.15[4500] to 1.2.3.4[4500] (588 bytes)
    [NET] received packet: from 1.2.3.4[4500] to 10.0.2.15[4500] (604 bytes)
    [ENC] parsed QUICK_MODE response 1573306711 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
    [CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ
    [IKE] received 28800s lifetime, configured 0s
    [IKE] CHILD_SA vpnclient-cert{14} established with SPIs c2d50e2e_i c1fad3d4_o and TS 10.0.2.15/32 === 1.2.3.4/32[udp/l2f]
    [ENC] generating QUICK_MODE request 1573306711 [ HASH ]
    initiate completed successfully
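The following script is an added example and not ProL2TP's template files: it renders the two swanctl.conf definitions the steps above refer to (PSK and certificate) and adds the check a practitioner wants before starting L2TP, namely that the IPsec CHILD_SA is installed in transport mode. The swanctl.conf keys follow strongSwan 5.x; the server address, IDs, .p12 name and secrets are placeholders, and the sample swanctl --list-sas output is constructed.

```shell
#!/bin/sh
# Added example, not ProL2TP's template files: render the PSK and certificate
# swanctl.conf definitions described above and check that the IPsec CHILD_SA is
# up in transport mode before any L2TP traffic is sent. Assumes strongSwan 5.x
# swanctl.conf syntax and IKEv1 + ESP transport (what L2TP/IPsec uses); the
# addresses, IDs, file names and secrets are placeholders to replace.

# Child SA shared by both variants: only L2TP (UDP 1701), transport mode. $1 = name.
child_section() {
    cat <<EOF
        children {
            $1 {
                mode = transport
                local_ts = dynamic[udp/1701]
                remote_ts = dynamic[udp/1701]
            }
        }
EOF
}

# PSK variant. $1 = VPN server address, $2 = pre-shared key.
swanctl_psk_conf() {
    cat <<EOF
connections {
    vpnclient-psk {
        version = 1
        remote_addrs = $1
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
$(child_section vpnclient-psk)
    }
}
secrets {
    # No id: the PSK is offered to whichever peer this connection dials.
    ike-vpnclient {
        secret = "$2"
    }
}
EOF
}

# Certificate variant. $1 = server, $2 = local ID (vpnclientN), $3 = remote ID
# from your administrator, $4 = .p12 name under /etc/swanctl/pkcs12/, $5 = its
# import password.
swanctl_cert_conf() {
    cat <<EOF
connections {
    vpnclient-cert {
        version = 1
        remote_addrs = $1
        local {
            auth = pubkey
            id = $2
        }
        remote {
            auth = pubkey
            # Pin the server identity: a CA-signed cert under another name fails.
            id = $3
        }
$(child_section vpnclient-cert)
    }
}
secrets {
    # Client cert and key come from the .p12; the CA cert is assumed to be in
    # it as well (otherwise copy it to /etc/swanctl/x509ca/).
    pkcs12-vpnclient {
        file = $4
        secret = "$5"
    }
}
EOF
}

# Reads "swanctl --list-sas" on stdin; true only if child $1 is INSTALLED in
# TRANSPORT mode. Without that SA the L2TP/PPP packets, PAP password included,
# leave the host in clear text, so do not start kl2tpd until this passes.
child_sa_up() {
    grep -Eq "^[[:space:]]*$1: #[0-9]+, reqid [0-9]+, INSTALLED, TRANSPORT"
}

# Constructed "swanctl --list-sas" output for a connected client (layout as
# strongSwan prints it, SPIs invented), so child_sa_up can be tried offline.
sample_list_sas() {
    cat <<'EOF'
vpnclient-cert: #3, ESTABLISHED, IKEv1, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  vpnclient-cert: #14, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  10.0.2.15/32[udp/l2f]
    remote 1.2.3.4/32[udp/l2f]
EOF
}

# Usage (as root; umask keeps the secret-bearing file 0600):
#   umask 077; swanctl_psk_conf vpn.example.com 'the-psk' > /etc/swanctl/conf.d/vpnclient-psk.conf
#   swanctl --load-all && swanctl --initiate --child vpnclient-psk
#   swanctl --list-sas | child_sa_up vpnclient-psk && echo "IPsec transport SA up"
```

The pinned remote id in the certificate variant is the point of step 2's "remote ID": without it any certificate issued by the same CA would be accepted as the server. The transport-mode check matters because an SA in tunnel mode, or none at all, means the PPP session and the PAP password inside it are not protected.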
                    

Next, install an L2TP client. We prefer go-l2tp. Install using the instructions on the go-l2tp site. Configure the client as follows:

  1. Create l2tp-client.toml. Use this file as a template, modifying the peer address to your VPN server's address.
  2. Create vpnclient-pppd.args. Use this file as a template, modifying the user and password to those given to you by your administrator.
  3. Start the client: sudo ~/go/bin/kl2tpd -config l2tp-client.toml -verbose
  4. If you need to add IP routes when the VPN link is established, add commands in a script in /etc/ppp/ip-up.d/. See pppd(8) man page for more details.
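As an added example (not go-l2tp's or ProL2TP's template files), the script below renders the three pieces steps 1 to 4 ask for: the kl2tpd tunnel/session config, the pppd options file carrying the VPN username and password, and an /etc/ppp/ip-up.d hook that adds a route once the link is up. The kl2tpd keys are the ones go-l2tp documents (peer, version, encap, pseudowire, pppd_args); the server, credentials and routed prefix are placeholders.

```shell
#!/bin/sh
# Added example, not go-l2tp's or ProL2TP's template files: render the kl2tpd
# config, the pppd options file and an ip-up.d route hook for the client setup
# described above. Assumes the kl2tpd keys documented by go-l2tp (peer, version,
# encap, pseudowire, pppd_args), pppd(8) options, and an /etc/ppp/ip-up.d
# run-parts directory as on Debian. Server, user, password and the prefix to
# route are placeholders to replace.

# One L2TPv2/UDP tunnel with one PPP session. $1 = server, $2 = pppd args path.
l2tp_client_toml() {
    cat <<EOF
[tunnel.t1]
peer = "$1:1701"
version = "l2tpv2"
encap = "udp"

[tunnel.t1.session.s1]
pseudowire = "ppp"
pppd_args = "$2"
EOF
}

# pppd options. $1 = VPN username, $2 = VPN password. PAP carries the password
# in clear text inside PPP, so it is only as safe as the IPsec SA it rides in:
# keep this file mode 0600 and never start kl2tpd without the SA installed.
# "ipparam" tags the session so the route hook below acts only on this link.
pppd_args() {
    cat <<EOF
noauth
user "$1"
password "$2"
usepeerdns
noipdefault
nodefaultroute
ipparam l2tpvpn
EOF
}

# Hook for /etc/ppp/ip-up.d: route one prefix (split tunnel) over the link.
# $1 = prefix, e.g. 10.20.0.0/16. pppd(8) calls ip-up with the arguments
# <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>; Debian's ip-up also
# exports them as PPP_IFACE ... PPP_IPPARAM, so accept either form.
ip_up_route_hook() {
    cat <<EOF
#!/bin/sh
IFACE="\${PPP_IFACE:-\$1}"
IPPARAM="\${PPP_IPPARAM:-\$6}"
[ "\$IPPARAM" = "l2tpvpn" ] || exit 0
ip route replace $1 dev "\$IFACE"
EOF
}

# Write the three files with safe permissions and start kl2tpd (run as root).
# $1 = server, $2 = user, $3 = password, $4 = prefix to route over the VPN.
l2tp_client_install() {
    umask 077
    pppd_args "$2" "$3" > /etc/ppp/vpnclient-pppd.args
    l2tp_client_toml "$1" /etc/ppp/vpnclient-pppd.args > /etc/l2tp-client.toml
    ip_up_route_hook "$4" > /etc/ppp/ip-up.d/50-l2tpvpn
    chmod 0755 /etc/ppp/ip-up.d/50-l2tpvpn
    "${KL2TPD:-$HOME/go/bin/kl2tpd}" -config /etc/l2tp-client.toml -verbose
}

# Usage (as root): l2tp_client_install vpn.example.com alice 's3cret' 10.20.0.0/16
```

The hook keys on pppd's ipparam value so that other PPP links on the machine (a 3G modem, say) do not pick up the VPN route. nodefaultroute keeps this a split tunnel; to send all traffic through the VPN, as the macOS and iOS steps do, use pppd's defaultroute option instead and first add a host route to the VPN server via your normal gateway, otherwise the tunnel packets themselves try to go through the tunnel.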

Support

If you have problems connecting to your VPN server, please contact our support team through your VPN server's administrator.