How to set up L2TP on CentOS

Description: In this tutorial we explain, step by step, how to install and configure L2TP on CentOS.

Step 1:

First, install the repositories:

For 64bit CentOS 6:

rpm -ivh

yum -y install ipsec-tools

For 64bit CentOS 5:

rpm -ivh

Step 2:

Next, create the script /etc/racoon/

#!/bin/bash
# set security policies
echo -e "flush;\n\
spdadd[0][1701] udp -P in ipsec esp/transport//require;\n\
spdadd[1701][0] udp -P out ipsec esp/transport//require;\n"\
| setkey -c
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Change the permissions of the file:

chmod 750 /etc/racoon/

Step 3:

Now add the script to rc.local using the following commands:

sed --in-place '/\/etc\/racoon\/' /etc/rc.d/rc.local

echo /etc/racoon/ >> /etc/rc.d/rc.local

Step 4:

Now create the file /etc/racoon/racoon.conf, or if it already exists, edit it as follows:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
        exchange_mode aggressive,main;
        passive on;
        proposal_check obey;
        support_proxy on;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;

        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group modp1024;
}

After this, change the permissions:

chmod 600 /etc/racoon/racoon.conf

Step 5:

Create the pre-shared keys file for IKE authentication. The first column is the IPsec identifier and the second column is the IPsec pre-shared key.

This is the entry needed in /etc/racoon/psk.txt for Android clients:

myhomelan mysecret

This is the entry needed in /etc/racoon/psk.txt for iPhone and iPad iOS clients:

* mysecret

Set permissions:

chmod 600 /etc/racoon/psk.txt
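
A quick audit of the settings from Steps 4 and 5, as an added example that is not part of the original tutorial: it flags the aggressive-mode, 3DES and modp1024 choices in racoon.conf and wildcard or short entries in psk.txt. The function names, the rule set, the 20-character threshold and the sample files are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the tutorial): flag weak settings in racoon.conf and psk.txt.
# Function names, rules and the 20-character key threshold are assumptions.

audit_racoon_conf() {   # $1 = racoon.conf path; prints one finding per line
    sed 's/#.*//' "$1" | awk '
        /exchange_mode/ && /aggressive/ {
            print "exchange_mode: aggressive mode with a PSK allows offline guessing of the key" }
        /encryption_algorithm/ && /3des/ {
            print "encryption_algorithm: 3des offered (64-bit block cipher)" }
        /(dh_group|pfs_group)/ && /modp(768|1024)[ ;]/ {
            print "dh_group/pfs_group: DH group of 1024 bits or less" }'
}

audit_psk() {           # $1 = psk.txt path; prints one finding per line
    awk '
        /^[ \t]*(#|$)/  { next }   # skip comments and blank lines
        $1 == "*"       { print "psk: wildcard identifier, one key shared by every peer" }
        length($2) < 20 { print "psk: key for identifier " $1 " is shorter than 20 characters" }' "$1"
}

mode_is_600() {         # succeeds only when group and other have no access bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample input, reduced to the lines the rules inspect.
SAMPLE_DIR=$(mktemp -d) && trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/racoon.conf" <<'EOF'
remote anonymous {
    exchange_mode aggressive,main;
    proposal { encryption_algorithm aes;  dh_group modp1024; }
    proposal { encryption_algorithm 3des; dh_group modp1024; }
}
sainfo anonymous {
    encryption_algorithm aes,3des;
    pfs_group modp1024;
}
EOF
printf 'myhomelan mysecret\n* mysecret\n' > "$SAMPLE_DIR/psk.txt"
chmod 644 "$SAMPLE_DIR/psk.txt"

audit_racoon_conf "$SAMPLE_DIR/racoon.conf"
audit_psk "$SAMPLE_DIR/psk.txt"
mode_is_600 "$SAMPLE_DIR/psk.txt" || echo "psk.txt: accessible by group/other, run chmod 600"
```
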

Now we need to install the repositories, xl2tpd and its dependencies from the following:

For 64bit CentOS 5:

rpm -Uvh

For 64bit CentOS 6:

rpm -Uvh

And run this command for some dependencies:

yum install libpcap-devel ppp -y

Now install the xl2tpd by typing this command:

yum install xl2tpd -y

Step 6:

Now open the /etc/ppp/options.xl2tpd file and add the lines mentioned below:


idle 1800

mtu 1200

mru 1200





connect-delay 5000







Step 7:

Now add the following to the /etc/xl2tpd/xl2tpd.conf file, changing the values to match your server:


force userspace = yes

[lns default]

ip range =

local ip =

refuse chap = yes

refuse pap = yes

require authentication = yes

name = l2tp

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

Step 8:

Now it's time to run the iptables commands:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 1701 -j ACCEPT

And save the rules with the following command:

service iptables save

Step 9:

Restart the services and check for any errors:

service xl2tpd restart

service racoon restart

Step 10:

Now edit the /etc/sysctl.conf file and change the IP forwarding setting to 1. Change:

net.ipv4.ip_forward = 0

to:

net.ipv4.ip_forward = 1

And add these lines at the bottom of the same file:

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.eth0.send_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.lo.send_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

Save the file and apply the settings with the sysctl -p command.

If you want to authenticate users through a RADIUS client rather than through L2TP itself, continue with the following steps.

Step 11:

For CentOS 5 and 6:


Install by using this command:

rpm -i radiusclient-0.3.2-0.2.el5.rf.x86_64.rpm

Step 12:

Open the /etc/radiusclient/servers file and change the values as mentioned below:

#Server Name or Client/Server pair Key
#—————- ————— hardlyasecret donttellanyone

This is the same value you specified in /etc/raddb/clients.conf on your FreeRADIUS server.

Step 13:

Now open up the main configuration file for the radiusclient /etc/radiusclient/radiusclient.conf and make sure it looks something like below:

auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
radius_timeout 10
radius_retries 3
login_local /bin/login

Save the file, then open the directory /etc/radiusclient, where you will find the dictionary file. At the bottom of it, add this line:

INCLUDE /etc/radiusclient/, is not included in the radius client by default but you can download it from this link and upload into /etc/radiusclient/ directory.

Now edit the /etc/ppp/options.xl2tpd file to add the lines at the bottom.



Step 14:

Now restart all the services:

service racoon restart

service xl2tpd restart


chkconfig racoon on

chkconfig xl2tpd on
