18 Apr

OpenSwan, XL2TPD, RADIUS based IPSec VPN configuration

Download and install OpenSwan from its site.

IPSEC, OPENSWAN:

You can get the different versions of OpenSwan from the URL below:
http://www.openswan.org/code/
We highly recommend version 2.6.33, available from:
http://www.openswan.org/download/openswan-2.6.33.tar.gz
Go for the normal source code installation:
-untar the archive
-cd into the directory
-make programs install

Before proceeding to install IPsec, make sure that gcc, make, iproute, flex, bison and libgmp3-dev (libgmp2-dev might also work) are installed.
These are all available in the yum repo (if you are using an RHEL-based server).

On a Debian-based server you can get it done by running apt-get install.

After installing IPsec, restart the service from init, then run the command below to check that it works:

It should give you something of this sort:

In IPsec there are several ways for users to connect to the VPN from different IP addresses at their end; we use the mechanism below in our explanation:

* One Preshared Key (PSK) shared by every user

Preshared Key

A Preshared Key is a secret password that is shared by both sides of the IPsec tunnel. All users with dynamic IP addresses will have to share the same PSK (“group secret”). This is of course a significant security risk: if one user leaves the company or loses his laptop, all the other users will have to get a new PSK. The alternative would be to give every user a different PSK, but this is only supported in IPsec if all users have fixed (= static) IP addresses.

After installing IPsec on the server, specify the PSK in ‘/etc/ipsec.secrets’ in the following format:

Then adjust the config file /etc/ipsec.conf according to your needs.

#NOTE: Specify the directive ‘pfs=no‘. This parameter is required because Apple’s and Microsoft’s L2TP/IPsec clients do not enable PFS, whereas Openswan enables PFS by default.

Now configure an IPsec/L2TP client at your local end (please check the URL to see ways to do it) and try to create and initiate a connection to the server.
Check /var/log/secure; if you see the log below:

If this log appears, IPsec is working fine on the server.

The IPsec connection you just configured is used to tunnel the L2TP protocol.
So basically L2TP handles authentication and connection setup, while IPsec provides the encrypted tunnel between the server and the clients.

l2tpd configuration

Going on to the l2tpd section:

There are many L2TP daemons to choose from, such as:

-l2tpd
-xl2tpd
-rp-l2tp
-openl2tp

Development of l2tpd and rp-l2tp has stalled. openl2tp is an option. In our example we will go with xl2tpd, since its maintainer Xelerance has been sponsoring the continued development of Openswan since version 1.0.
Xelerance Corporation currently also maintains a version of the Layer 2 Tunneling Protocol (L2TP) daemon: XL2TPD.

XL2TPD:

You can get the latest version of xl2tpd from the location below:

http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.2.7.tar.gz

Installation follows the usual steps:
==
untar the source code
make
make install
then copy the binary (built in the current directory) to /usr/local/sbin (the binary location)
==
The installation is pretty simple and straightforward.

#NOTE: Make sure to install the latest xl2tpd available at the Xelerance site (http://www.xelerance.com/services/software/xl2tpd/); the current version at the time of writing is xl2tpd 1.2.7.

You can do a dry run to check the xl2tpd installation by running the command below:

It should give you output along these lines:

If no errors are reported, cancel the above process and start xl2tpd by executing the binary directly with the command:

xl2tpd Configuration

There are multiple config files involved in the configuration. The main config file is l2tpd.conf. The default example config file can be found with the source code (if you are installing from source) in the docs directory: xl2tpd-1.2.7/doc/l2tpd.conf.sample
Edit the config file as needed.

PPP installation and configuration

Once the L2TP connection is up, it hands over control to the PPP daemon.
The authentication details are given in the PPP daemon's secrets file /etc/ppp/chap-secrets, in the format below:
==
client server secret IP addresses
<username> pptpd <passwd> *
==

The xl2tpd/PPP connection properties are specified in /etc/ppp/options.xl2tpd.

LOGGING:

IPsec logging goes to /var/log/secure by default.
xl2tpd logging goes to /var/log/messages.

Once it is installed, check the following configuration files.

/etc/ipsec.conf

Input the code below into that file and then wq! to save it.

Input the following code into the file ‘test.secrets’.

y.y.y.y -> The IP address of the VPN server.

Eg :
77.88.99.11 %any: PSK "support"
——————————————————–

Input the values below into the file /etc/ipsec.d/l2tp-psk.conf
——————————————————–
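A sanity check for the two pieces of configuration described above, the PSK line in ipsec.secrets and the L2TP conn with pfs=no, as an added example that is not part of the original post. The sample conn and secrets text are constructed, the conn name L2TP-PSK is hypothetical, and the 20-character minimum for the group secret is my own threshold.

```python
import re

# Constructed sample of the L2TP conn for /etc/ipsec.d/l2tp-psk.conf (conn name is hypothetical)
SAMPLE_CONN = """\
conn L2TP-PSK
    authby=secret
    pfs=no
    type=transport
    left=77.88.99.11
    leftprotoport=17/1701
"""
# Constructed sample in the ipsec.secrets format shown above, with the post's short "support" PSK
SAMPLE_SECRETS = '77.88.99.11 %any: PSK "support"\n'
def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line: continue
        if line.startswith("conn "):              # unindented section header
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns
def audit_conn(params):
    """List what is wrong with an L2TP/IPsec conn; an empty list matches the post's settings."""
    problems = []
    if params.get("pfs", "yes") != "no":          # Openswan enables PFS unless told otherwise
        problems.append("pfs must be 'no' for the Windows and Apple L2TP clients")
    if params.get("type") != "transport":
        problems.append("L2TP/IPsec needs type=transport")
    if params.get("leftprotoport") != "17/1701":
        problems.append("leftprotoport should be 17/1701 (UDP port 1701, L2TP)")
    return problems
PSK_LINE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')
def audit_psk(secrets_text, min_len=20):
    """Check each PSK line; one group secret is shared by every user, so it must not be short."""
    problems = []
    for line in secrets_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"): continue
        m = PSK_LINE.match(line)
        if not m:
            problems.append(f"unparsable PSK line: {line!r}")
        elif len(m.group(3)) < min_len:
            problems.append(f"PSK for {m.group(1)} {m.group(2)} is only {len(m.group(3))} characters")
    return problems
```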

Install XL2TPD

The next step is to install xl2tpd. Once the installation is over, open the file /etc/xl2tpd/xl2tpd.conf and input the values below into it.

The next step is to open the file /etc/ppp/options.xl2tpd and input the values below into it. Add the plug-in radius.so if you are going to use RADIUS.

The next step is to open the file /etc/xl2tpd/l2tp-secrets and input the values below into it, if we are NOT going to use RADIUS-based authentication.

The next step is to open the file /etc/ppp/chap-secrets and input the values below into it, if we are NOT going to use RADIUS-based authentication:

user_name_of_VPN pptpd Password_of_VPN *
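An added consistency check for the chap-secrets and options.xl2tpd pair described here and in the PPP section earlier; it is not code from the original post. It relies on pppd looking secrets up under the server name given by the name option in the options file, so a chap-secrets row whose second column is neither that name nor * can never authenticate; the sample file contents are constructed and the 12-character minimum is my own threshold.

```python
import shlex

# Constructed sample of /etc/ppp/options.xl2tpd; 'name pptpd' is what makes the post's
# chap-secrets rows (second column pptpd) match
SAMPLE_OPTIONS = """\
name pptpd
require-mschap-v2
refuse-pap
# plugin radius.so   <- uncommenting this hands authentication to RADIUS
"""
# Constructed sample of /etc/ppp/chap-secrets: client  server  secret  IP addresses
SAMPLE_CHAP = """\
alice   pptpd   "correct horse battery"   *
bob     l2tpd   bobpass                   *
"""

def ppp_options(text):
    """Return {option: first argument or None} from a pppd options file."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts

def chap_entries(text):
    """Parse chap-secrets rows; shlex keeps a quoted secret containing spaces together."""
    rows = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3:
            rows.append({"client": parts[0], "server": parts[1], "secret": parts[2]})
    return rows

def audit(options_text, chap_text, min_len=12):
    """Report chap-secrets rows pppd would never match, weak secrets, and a RADIUS override."""
    opts = ppp_options(options_text)
    name = opts.get("name")                       # pppd looks secrets up under this server name
    problems = []
    if (opts.get("plugin") or "").endswith("radius.so"):
        problems.append("radius.so is loaded: pppd authenticates against RADIUS, not chap-secrets")
    for e in chap_entries(chap_text):
        if e["server"] not in ("*", name):
            problems.append(f"{e['client']}: server field {e['server']!r} does not match name {name!r}")
        if len(e["secret"]) < min_len:
            problems.append(f"{e['client']}: secret is only {len(e['secret'])} characters")
    return problems
def mode_is_private(mode):
    """True when a secrets file's st_mode grants nothing to group or other (e.g. 0600)."""
    return not (mode & 0o077)
```

Run `audit` on the real files and `mode_is_private(os.stat(path).st_mode)` on chap-secrets before handing out accounts; the secrets file holds plaintext passwords and must not be world-readable.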

The final step in configuring the VPN is to add the rule to iptables.

Or

y.y.y.y -> The IP address of the VPN server
——————————————————–

RADIUS SERVER SIDE CONFIGURATION

Step :

Add the VPN server to the client.conf file of the RADIUS server.

Check the SQL.conf

Step :

We need to add the new client (the OpenSwan VPN server) to the RADIUS server so it can authenticate users.

Format
——

y.y.y.y -> The IP address of the VPN server.

short_name_of_VPN_Server -> short name of the VPN server

secret_set_in_servers -> the shared secret set on both servers.

Eg :

Step :

Verify that the client has been added properly to the database.

Eg :

Final Step :

Select the RADIUS user from the RADIUS database.
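The three RADIUS-side steps above (register the VPN server as a client, verify the row, select the VPN user) as an added example that is not part of the original post: it runs the SQL against an in-memory SQLite copy of the FreeRADIUS nas and radcheck tables, standing in for the RADIUS server's database. The address 192.0.2.10, short name vpn1, the secret and the user name are placeholders, and the UNIQUE constraint on nasname is added here so a duplicate registration fails loudly.

```python
import ipaddress, sqlite3

# Column layout of the FreeRADIUS 'nas' and 'radcheck' tables, trimmed to what the steps use;
# SQLite here stands in for the RADIUS server's SQL database (UNIQUE on nasname added by me).
SCHEMA = """
CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT NOT NULL UNIQUE, shortname TEXT,
                  type TEXT DEFAULT 'other', secret TEXT NOT NULL, description TEXT);
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL, attribute TEXT NOT NULL,
                       op TEXT NOT NULL DEFAULT '==', value TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_nas_client(db, ip, shortname, secret, description="OpenSwan VPN server"):
    """Step: register the VPN server (y.y.y.y) as a RADIUS client in the nas table."""
    ipaddress.ip_address(ip)                        # ValueError on anything that is not an IP
    if len(secret) < 16:                            # the secret is set on both servers; keep it long
        raise ValueError("RADIUS shared secret should be at least 16 characters")
    db.execute("INSERT INTO nas (nasname, shortname, type, secret, description) "
               "VALUES (?, ?, 'other', ?, ?)", (ip, shortname, secret, description))
    db.commit()

def nas_client(db, ip):
    """Step: verify the client was added; returns (nasname, shortname, secret) or None."""
    return db.execute("SELECT nasname, shortname, secret FROM nas WHERE nasname = ?", (ip,)).fetchone()

def add_vpn_user(db, username, password):
    db.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, 'Cleartext-Password', ':=', ?)",
               (username, password))
    db.commit()

def vpn_user(db, username):
    """Final step: select the user's check items from radcheck."""
    return db.execute("SELECT attribute, op, value FROM radcheck WHERE username = ?", (username,)).fetchall()

def demo():
    db = open_db()
    add_nas_client(db, "192.0.2.10", "vpn1", "placeholder-shared-secret-change-me")
    add_vpn_user(db, "alice", "placeholder-password")
    return nas_client(db, "192.0.2.10"), vpn_user(db, "alice")

if __name__ == "__main__":
    print(demo())
```

FreeRADIUS only loads clients from the nas table when readclients = yes is set in its sql.conf; that is the setting to confirm when checking the SQL.conf in the first step.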
