Skip to content

Instantly share code, notes, and snippets.

@rkasigi

rkasigi/install-L2TP-IPsec-on-ubuntu-18.04.md

Last active July 1, 2025 03:08
Show Gist options
  • Save rkasigi/5747022d91a47ce568ac12a1670b6688 to your computer and use it in GitHub Desktop.
Save rkasigi/5747022d91a47ce568ac12a1670b6688 to your computer and use it in GitHub Desktop.
Download ZIP
Install VPN L2TP IPSec on Ubuntu 18.04
Raw
install-L2TP-IPsec-on-ubuntu-18.04.md

Install L2TP IPsec Connection on Ubuntu 18.04

L2TP on its own is not secure enough, so we’ll need to pair this protocol with IPSec.

To establish an L2TP VPN connection from the Ubuntu command line, we must first install strongswan and xl2tpd

Install requirements

We’re going to use StrongSwan for IPSec.

apt-get install strongswan xl2tpd -y

Configure XL2TP

Open /etc/xl2tpd/xl2tpd.conf and configure it as seen below

[lac testvpn]
lns = YOUR_VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

Edit /etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name YOUR_VPN_USER
password YOUR_VPN_PASS

chmod 600 /etc/ppp/options.l2tpd.client

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

Configure IPSec Strongswan

Configure Strongswan by editing /etc/ipsec.conf. Delete everything in that file and add the following:

config setup
 
 
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp2048!
  esp=aes128-sha1-modp2048!
 
conn testvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=YOUR_SERVER_IP

Add the Secret

Add the IPSec Secret in /etc/ipsec.secrets. If you’re not using VPNBaron, make sure to replace with the server from the provider you are subscribed to.

YOUR_LOCAL_IP_GATEWAY YOUR_SERVER_IP : PSK "YOU_PRE_SHARED_KEY"

Restart the services to reload the settings:

service strongswan restart
service xl2tpd restart

Establish the VPN Connection

ipsec up testvpn

echo "c testvpn" > /var/run/xl2tpd/l2tp-control

This should add a ppp0 adapter. Run the ifconfig command to see it.

Redirecting traffic through the newly established VPN Connection:

ip route

Copy the IP from the output in default via ##.##.##.## . You’re going to need it to add a new route to that address.

route add VPN_SERVER_IP gw ##.##.##.##

Route the traffic

Redirect the traffic through the newly created tunnel:

route add default dev ppp0

Done! The connection is established and the traffic will be redirected through the VPN Server.

Base Source: https://vpnbaron.com/articles/ubuntu-command-line-vpn-connection/

Raw
vpn-start.sh
service strongswan restart
service xl2tpd restart
echo "wait 3 seconds"
sleep 3
ipsec up testvpn
echo "wait 3 seconds"
sleep 3
echo "c testvpn" > /var/run/xl2tpd/l2tp-control
echo "wait 3 seconds"
sleep 3
route add VPN_SERVER_IP gw LOCAL_GATEWAY_IP
route add default dev ppp0
curl -w "\n" https://api.ipify.org
Raw
vpn-stop.sh
route del default dev ppp0
route del VPN_SERVER_IP gw LOCAL_GATEWAY_IP
echo "d testvpn" > /var/run/xl2tpd/l2tp-control
ipsec down testvpn
service xl2tpd stop
service strongswan stop
curl -w "\n" https://api.ipify.org
@anyinu0
Copy link

anyinu0 commented Jul 1, 2025

不用PPP 1701端口的配置 怎么配置呢?因为我server端没有映射1701端口到公网,用的是UDP 500 4500,这个方案在windows mac iphone 安卓 全部都可以用,在这个ubuntu系统上我也不想配TCP 1701的端口。可行吗?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment