I had this idea for a while to make life a bit easier with the good old MacBook. I also tested this on my iPhone and I can confirm that this will work as well.
This configuration was built on a 64-bit Ubuntu 10.04 installation with one interface and no DHCP server.
This is what I did:
First, build strongSwan with NAT traversal enabled. I recommend you create a directory to do this in:
apt-get install build-essential fakeroot dpkg-dev devscripts
apt-get source strongswan
apt-get install libcurl4-openssl-dev ipsec-tools
apt-get build-dep strongswan
cd strongswan-4.2.4/
dch -i
Next, add the --enable-nat-transport option:
nano -w debian/rules
Change:
--disable-md5 --disable-sha1 --disable-sha2
to
--disable-md5 --disable-sha1 --disable-sha2 --enable-nat-transport
Build the packages:
dpkg-buildpackage -rfakeroot -uc -b
Install the packages:
dpkg -i ../*.deb
Always keep the original, just in case:
mv /etc/ipsec.conf /etc/ipsec.conf.ORI
nano -w /etc/ipsec.conf
Place the following content in the now empty file:
config setup
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn L2TP
    authby=psk
    pfs=no
    rekey=no
    type=tunnel
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=your.ip.goes.here
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
Now open ipsec.secrets:
nano -w /etc/ipsec.secrets
and add or replace its content with the following line:
your.ip.goes.here %any: PSK "yoursharedkeygoeshere"
Finally, restart ipsec:
/etc/init.d/ipsec restart
The next step is to install the L2TP daemon, xl2tpd:
apt-get install xl2tpd
Create a backup of the original config:
mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.ORI
Open the now empty config file:
nano -w /etc/xl2tpd/xl2tpd.conf
Place the following content in the config:
[global]
debug network = yes
debug tunnel = yes
[lns default]
ip range = 10.0.0.200-10.0.0.254
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = yourname.com
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Open the chap-secrets file. It holds the passwords that give access to your VPN server:
nano -w /etc/ppp/chap-secrets
It will look like this:
# Secrets for authentication using CHAP
# client server secret IP addresses
username1 * user1passwd *
username2 * user2passwd *
You can leave the username out and replace it with a *. This way you will be able to log in with any username.
Next, edit the PPP options. First create a backup:
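Added example, mine rather than anything from the original post or the sites it credits: a small POSIX shell audit of the two secret files this setup depends on, ipsec.secrets (the PSK line above) and chap-secrets. It generates a random PSK to use instead of the placeholder, flags a placeholder or short PSK, counts chap-secrets entries that use * as the username, and checks that neither file is readable by group or others. It assumes GNU coreutils (stat -c, base64) and runs against constructed sample copies in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the secrets files used by
# the L2TP/IPsec setup above. Assumes GNU coreutils (stat -c, base64).

# Generate a random 32-byte PSK, base64-encoded, to use instead of the
# "yoursharedkeygoeshere" placeholder.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 (true) if ipsec.secrets still holds the placeholder or any PSK
# shorter than 20 characters; 1 otherwise. Argument: path to the file.
weak_psk() {
    grep -q 'yoursharedkeygoeshere' "$1" && return 0
    sed -n 's/.*PSK *"\([^"]*\)".*/\1/p' "$1" |
        awk 'length($0) < 20 { found = 1 } END { exit !found }'
}

# Count chap-secrets entries whose client field is "*", i.e. entries that
# accept any username (the shortcut the post mentions). Comments are skipped.
wildcard_users() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $1 == "*" { n++ } END { print n + 0 }' "$1"
}

# Return 0 if the file mode is 0600 or 0400, 1 if group/others can read it.
mode_ok() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on constructed sample files (not real secrets).
tmp=$(mktemp -d)
printf '%s\n' '192.0.2.1 %any: PSK "yoursharedkeygoeshere"' > "$tmp/ipsec.secrets"
chmod 600 "$tmp/ipsec.secrets"
printf '%s\n' '# client server secret IP addresses' \
    'username1 * user1passwd *' '* * anyonepasswd *' > "$tmp/chap-secrets"
chmod 644 "$tmp/chap-secrets"

weak_psk "$tmp/ipsec.secrets" &&
    echo "ipsec.secrets: placeholder or short PSK; a fresh one: $(gen_psk)"
echo "chap-secrets: $(wildcard_users "$tmp/chap-secrets") entry(ies) accept any username"
for f in ipsec.secrets chap-secrets; do
    mode_ok "$tmp/$f" || echo "$f: mode $(stat -c '%a' "$tmp/$f"), should be 0600"
done
rm -rf "$tmp"
```

Point the functions at /etc/ipsec.secrets and /etc/ppp/chap-secrets to check the real files once they are in place.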
mv /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.ORI
Open options.xl2tpd:
nano -w /etc/ppp/options.xl2tpd
and add the following content to the now empty file:
ipcp-accept-local
ipcp-accept-remote
ms-dns you.dns.ip.here
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
Restart xl2tpd:
/etc/init.d/xl2tpd restart
Open sysctl.conf:
nano -w /etc/sysctl.conf
Uncomment the following line to enable IPv4 packet forwarding:
net.ipv4.ip_forward=1
Next, run the following command to activate it immediately:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now you will be able to connect, but without IP masquerading and packet forwarding enabled the connection will be useless.
I use the Ubuntu firewall (ufw) because it's there, so I will explain that first:
nano -w /etc/default/ufw
Edit the following line so it looks like this:
DEFAULT_FORWARD_POLICY="ACCEPT"
nano -w /etc/ufw/sysctl.conf
Uncomment the following lines; you can of course leave IPv6 out.
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
Now create the masquerading rules:
nano -w /etc/ufw/before.rules
Add the following at the beginning of the file under the comments:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0.
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
and restart the firewall:
ufw disable && ufw enable
If you use iptables you can use the following:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Now open port 1701/udp:
ufw allow 1701/udp
port 1723/tcp:
ufw allow 1723/tcp
port 500/udp:
ufw allow 500/udp
port 4500/udp:
ufw allow 4500/udp
and finally IP protocol 50 (ESP):
iptables -A INPUT -p 50 -j ACCEPT
I was too lazy to figure out how to allow this protocol with ufw; I will perhaps update that later. Until then, do not forget to persist this rule, or it will be gone after a reboot of the system.
This will allow the VPN traffic to pass through the firewall.
Now, under Network Preferences, add a VPN connection on your Mac or iPhone.
If you want to go out and use it to browse safely from Wi-Fi hotspots, don't forget the setting that forces all traffic over the VPN connection.
Good luck!
I shamelessly robbed the content from the following sites, with a few additions of my own:
http://nielspeen.com/blog/
https://help.ubuntu.com/8.04/serverguide/C/firewall.html
From: http://www.bybacon.com/2010/08/28/l2tp-ipsec-vpn-ubuntu-10-04-server-maciphone-clients/
Original article; please credit when reposting: reposted from PT Ubuntu Blog
Boss, long time no see. How have you been?
Fine. I've just been sick.
So much English, it looks exhausting.
Heh. That's true.