Setup L2TP/IPSec VPN server on Gentoo Linux

It is not trivial to set up a VPN server on Gentoo. After several rounds of trial and error, the VPN is up and running. I think it is worth documenting what I did.

The final outcomes I want to achieve are

  1. A Gentoo Linux machine with a public IP that runs the VPN server. Its IP is
  2. Other clients, especially my Android phone, can connect to the VPN server via the L2TP/IPSec protocol.

There are two great articles that helped me make it work.

Unlike the Gentoo wiki, I do not use certificate files like *.ca or *.crt. I use psk.txt for authentication instead, which keeps the setup simple.

Install necessary packages

    # emerge ipsec-tools xl2tpd pptpd

Setup ipsec-tools (racoon)

There are three configuration files for racoon. The first is /etc/racoon/psk.txt. It holds the pre-shared key that clients must present, as shown below.

    # Peer IP/FQDN  Secret
    * be903514

Note that I specify the IP field as *, which means all clients use the same Secret.

The second configuration file is racoon.conf:

    path pre_shared_key "/etc/racoon/psk.txt";

    # "anonymous" matches any peer address
    remote anonymous {
            exchange_mode main;
            my_identifier fqdn "";
            # wait for clients to initiate
            passive on;
            # build the security policy from the client's proposal
            generate_policy on;
            nat_traversal on;
            proposal_check obey;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            encryption_algorithm aes, 3des;
            authentication_algorithm hmac_sha1, hmac_md5;
            compression_algorithm deflate;
    }

Finally, the third configuration file for racoon is /etc/ipsec-tools.conf:

    spdadd[l2tp] udp -P out ipsec
    spdadd[l2tp] udp -P in ipsec

After setting up the three files, it's time to call racoon up:

    # /etc/init.d/racoon start
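
A check one could run before starting racoon, as an added example that is not part of the original post: it flags the security-relevant properties of the files above, namely the PSK file permissions, the wildcard peer, a short secret, and the legacy algorithms in the proposal. The names `audit_racoon` and `MIN_PSK_LEN`, the length threshold and the sample secret are constructed for illustration, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example: audit a racoon PSK file and racoon.conf like the ones above.
# Prints one line per finding; returns 0 when clean, 1 when anything is flagged.
MIN_PSK_LEN=20   # assumption: local policy threshold, not a racoon setting

finding() { printf 'FINDING: %s\n' "$*"; findings=$((findings + 1)); }

audit_racoon() {   # usage: audit_racoon PSK_FILE RACOON_CONF
    psk=$1; conf=$2; findings=0

    # racoon refuses a PSK file that group or other can access.
    mode=$(stat -c %a "$psk") || return 2   # assumption: GNU stat
    case $mode in
        600|400) ;;
        *) finding "$psk has mode $mode, expected 600" ;;
    esac

    # Each non-comment line is "peer secret"; the secret is the rest of the line.
    while read -r peer secret || [ -n "$peer" ]; do
        case $peer in ''|'#'*) continue ;; esac
        if [ "$peer" = "*" ]; then
            finding "wildcard peer '*': all clients share one secret"
        fi
        if [ "${#secret}" -lt "$MIN_PSK_LEN" ]; then
            finding "secret for peer '$peer' is ${#secret} characters (< $MIN_PSK_LEN)"
        fi
    done < "$psk"

    # Legacy algorithms offered in the proposal and sainfo blocks.
    for weak in 3des hmac_md5 'dh_group 2;'; do
        if grep -v '^[[:space:]]*#' "$conf" | grep -q -- "$weak"; then
            finding "$conf offers '$weak'"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input mirroring the files on this page (placeholder secret).
demo_dir=$(mktemp -d)
printf '# Peer IP/FQDN  Secret\n* 0123abcd\n' > "$demo_dir/psk.txt"
chmod 644 "$demo_dir/psk.txt"
cat > "$demo_dir/racoon.conf" <<'EOF'
proposal { encryption_algorithm 3des; hash_algorithm sha1; dh_group 2; }
sainfo anonymous { authentication_algorithm hmac_sha1, hmac_md5; }
EOF
audit_racoon "$demo_dir/psk.txt" "$demo_dir/racoon.conf" || true
rm -rf "$demo_dir"
```

On the constructed sample this reports six findings: the file mode, the wildcard peer, the short secret, and the three legacy algorithms.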

Setup xl2tpd

xl2tpd has only one configuration file, /etc/xl2tpd/xl2tpd.conf:

    port = 1701
    access control = no
    [lns default]
    ip range =
    local ip =
    require authentication = yes
    name = LinuxVPN
    pppoptfile = /etc/ppp/options.xl2tpd

Note that the pppoptfile variable refers to a file outside the /etc/xl2tpd directory. We need to create it later.

I also set up iptables rules as suggested in the Gentoo Wiki:

    iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
    iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

Setup pptpd

The first step is to edit /etc/ppp/chap-secrets. The following is my config:

    # Secrets for authentication using CHAP
    # client        server  secret                  IP addresses
    pptpuser        *       I_am_client             *

Next, create the file /etc/ppp/options.xl2tpd, matching the pppoptfile setting in /etc/xl2tpd/xl2tpd.conf:

    mtu 1410
    mru 1410

OK. Now xl2tpd and pptpd are ready to run.

    # /etc/init.d/xl2tpd start
    # /etc/init.d/pptpd start

Reap fruits

Now, check whether the Android phone can connect to the VPN server. Tap Settings - More - VPN - Add VPN profile. The following window shows up, and I fill in only the Name, Type, Server IP, and pre-shared key. The IPSec pre-shared key is be903514 in my case (see /etc/racoon/psk.txt).

Save the profile and tap it again to connect. It will open a dialog. Now, fill in the values that correspond to /etc/ppp/chap-secrets. In my case, the username is pptpuser and the password is I_am_client.

If all goes well, a "Connected" message will show on the Android phone.