
On 13/04/13 14:31, Matthew Cengia wrote:
> L2TP/IPsec certainly seems least-effort from a client perspective. I've still not quite gotten the server-side solution working; I've been trying with openswan and xl2tpd. I'd appreciate any suggestions for different implementations or better documentation.
I had success with strongSwan + xl2tpd. It took me several hours of fighting, but in the end it was worth it because I can set up a new VPN client in about 1 minute without installing any extra software on OS X, Windows, iOS, or Android.

My ipsec.conf contains the following:

    conn l2tp
        keyexchange=ikev1       # use pluto, not charon
        authby=psk              # use certs if you want, else use a LONG psk
        pfs=no
        rekey=no
        left=<your server's local ip>
        leftnexthop=%defaultroute
        leftprotoport=udp/1701
        leftfirewall=yes
        right=%any
        rightprotoport=udp/%any
        rightsubnetwithin=0.0.0.0/0
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=tunnel
        auto=add

Unfortunately the 'pfs' and 'rekey' options are needed for compatibility with various broken clients. Also, even though it's supposed to only require 'type=transport', I found that Windows XP always requested tunnel mode, so 'type=tunnel' was required. This does not affect any of the other clients that I use.

xl2tpd was quite straightforward, so I won't go over it. Annoyingly, it lacks IPv6 support, so I have since thrown out the whole Linux-based approach and used a Cisco router, which has supported IPv6 perfectly on L2TP for the better part of a decade, and is orders of magnitude easier to maintain. In case you're wondering, no, I don't have much faith in open source these days. Call me jaded.

Interestingly enough, if IPsec negotiation fails, Windows XP and the network-manager-l2tp plugin for Linux are perfectly happy to fall back to using L2TP unencrypted without even warning the user, so don't forget to firewall L2TP on your server (the leftfirewall=yes line punches a hole in said firewall for IPsec clients).

And no, don't even think about using the network-manager-l2tp plugin. It's buggy and horrible. If you have Linux clients, deploy OpenVPN as well. L2TP/IPsec is that badly supported on the client end of Linux.
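The firewall point in the reply above (clients silently falling back to plaintext L2TP when IPsec fails) is worth making concrete. The script below is an added example, not part of the original thread and not strongSwan's own _updown script: it prints iptables rules that accept UDP 1701 only when the packet arrived inside an IPsec ESP SA (the `-m policy` match), and drops any L2TP that reached the host in the clear. IFACE is an assumed interface name; the IKE/NAT-T/ESP rules are the usual ones needed for the IPsec side to negotiate at all.

```shell
#!/bin/sh
# Added example: accept L2TP (UDP 1701) only inside IPsec, drop plaintext L2TP.
# IFACE is an assumption; set it to the interface your VPN clients reach.
IFACE="${IFACE:-eth0}"

# Print the rules instead of applying them, so they can be reviewed first.
l2tp_firewall_rules() {
    cat <<EOF
iptables -A INPUT -i $IFACE -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $IFACE -p esp -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --dport 1701 -j DROP
EOF
}

# With APPLY=1 the printed commands are executed (needs root and the xt_policy
# module); otherwise they are only shown.
if [ "${APPLY:-0}" = "1" ]; then
    l2tp_firewall_rules | while IFS= read -r rule; do sh -c "$rule"; done
else
    l2tp_firewall_rules
fi
```

Rule order matters: the policy-matching ACCEPT must precede the unconditional DROP for port 1701, and both must come before any broad "allow UDP" rule already in the chain. The policy match is evaluated after ESP (or UDP-encapsulated ESP on port 4500) has been decapsulated, so NAT-T clients still pass the check; a client whose IPsec SA never came up hits the DROP instead of getting an unencrypted tunnel.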