This is the configuration I am using to run an L2TP/IPsec VPN host based on OpenSwan on Ubuntu 14.04. It is primarily based on an article from the Ubuntu Community Help Wiki, with modifications and additions as needed. I am not a big Linux sysadmin person, but I can say that this works with Mac OS X and iOS clients.

Feel free to message me if you have any suggestions; @tylerbaird.


Installation

Almost everything happens in the terminal; basic familiarity with it is assumed.

sudo apt-get install xl2tpd openswan ppp

IPSEC Setup

First we will create the IPsec configuration file: /etc/ipsec.conf 

Note: set 'left=' to the LAN IP address of your Ubuntu system (192.168.1.11 in the example below).

config setup
    nat_traversal=yes
    # the RFC 1918 ranges clients may be NATed behind; note 192.168.0.0/16, not 192.168.1.0/16 (that is not a valid /16 prefix)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey
    dumpdir=/var/run/pluto/

conn L2TP
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # REPLACE with the local (LAN) IP of your Ubuntu host
    left=192.168.1.11
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    #force all to be nat'ed. because of iOS
    forceencaps=yes

STARTUP Script

Second, we will set up a custom script to start and stop the VPN. It simplifies restarting the VPN and is the first of several places that enable IP forwarding. I had issues ensuring this was enabled and therefore enabled it in multiple ways; you probably don't need all of them.

Create the ipsec.vpn start script: /etc/init.d/ipsec.vpn 

Note: the iptables rule assumes your private network is 192.168.1.0/24 and that 'wlan0' is the interface facing your router. Change the interface and network in the line(s) ending in 'MASQUERADE' as needed.

#!/bin/sh
# /etc/init.d/ipsec.vpn - start/stop OpenSwan and xl2tpd together with the
# NAT rule and the forwarding/redirect sysctls the VPN needs.
WAN_IF=wlan0              # interface facing your router / the Internet
LAN_NET=192.168.1.0/24    # your private network

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # do not accept or send ICMP redirects on a forwarding host
    for each in /proc/sys/net/ipv4/conf/*
    do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
    done
}

case "$1" in
  start)
    echo "Starting VPN"
    # add the MASQUERADE rule only if it is not there yet, so repeated
    # starts and restarts do not stack duplicate rules
    iptables -t nat -C POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
    enable_forwarding
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
    ;;
  stop)
    echo "Stopping VPN"
    # remove only our rule; 'iptables -t nat --flush' would also drop any
    # unrelated NAT rules on the host
    iptables -t nat -D POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE 2>/dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
    ;;
  restart)
    echo "Restarting VPN"
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
    exit 1
    ;;
esac

Make the script executable.

sudo chmod 755 /etc/init.d/ipsec.vpn

L2TP Setup

Add to the bottom of the xl2tpd.conf file: /etc/xl2tpd/xl2tpd.conf 

Note: change 'local ip' to the LAN IP address of your Ubuntu system. 'ip range' is the pool of addresses xl2tpd hands out to VPN clients; keep it outside your router's DHCP range so a client is never given an address that a LAN device already holds.

[global]
ipsec saref = no
[lns default]
ip range = 192.168.1.200-254
local ip = 192.168.1.11
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Next we will setup the options.xl2tpd file: /etc/ppp/options.xl2tpd 

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Setting your Shared Secret

Set your IPsec secret in: /etc/ipsec.secrets 

Note: change the IP address to the LAN IP of your Ubuntu system, and replace "ipsecSecret" with a long random string. Every client shares this one secret and it is all that stands between the Internet and your PPP authentication, so treat it like a password: keep the file mode 600 and rotate it if a client device is lost.

192.168.1.11 %any: PSK "ipsecSecret"


Creating a User

Finally, we will create a user by editing the chap-secrets file: /etc/ppp/chap-secrets

client is the username
server is the 'name' set in the options.xl2tpd file above (l2tpd)
secret is the password
IP address is the list of addresses the client may be assigned (pppd's "acceptable IP addresses" field), not where it may connect from; * allows any, and xl2tpd's 'ip range' then picks the address

# client    server  secret      IP address
user        l2tpd   password    *

Note: passwords and secrets containing symbols were tested and work. pppd stores chap-secrets passwords in clear text, so keep this file mode 600 as well.
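The two secret files above are the whole trust anchor of this setup, so here is an added example (not part of the original guide) of creating them with a random PSK and restrictive permissions, and of auditing an existing pair. The function names are hypothetical and the file paths are parameters, so the functions can be exercised against a scratch directory before they touch /etc.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the two secret files
# with a strong PSK and restrictive permissions, and audit existing ones.
# Function names are hypothetical; file paths are parameters so the functions
# can be exercised against a scratch directory before touching /etc.
set -eu

# gen_psk [BYTES]: random base64 pre-shared key, 32 bytes (44 chars) by default.
# The PSK is shared by every client and is the only thing protecting the PPP
# CHAP exchange from the Internet, so do not use a word like "ipsecSecret".
gen_psk() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# write_ipsec_secrets FILE SERVER_IP PSK: the single line /etc/ipsec.secrets
# needs, written mode 0600 (umask in a subshell so the caller is unaffected).
write_ipsec_secrets() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# add_chap_user FILE USER SERVER PASSWORD: append a chap-secrets entry.
# pppd stores these passwords in clear text, hence the 0600 as well. The
# fields are quoted so a password containing '#' or '*' is still one token.
add_chap_user() {
    ( umask 077; printf '"%s"\t%s\t"%s"\t*\n' "$2" "$3" "$4" >> "$1" )
    chmod 600 "$1"
}

# check_mode FILE: succeed only if FILE is not readable by group or others.
check_mode() {
    mode=$(stat -c %a "$1")
    [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600" >&2; return 1; }
}

# weak_chap_passwords FILE MIN_LEN: print the user names whose chap-secrets
# password is shorter than MIN_LEN. Comment lines are skipped and quotes are
# stripped (passwords containing whitespace are not handled by this parser).
weak_chap_passwords() {
    awk -v min="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        { u = $1; pw = $3; gsub(/"/, "", u); gsub(/"/, "", pw)
          if (length(pw) < min) print u }
    ' "$1"
}

# Usage (as root): sh vpn-secrets.sh /etc 192.168.1.11 alice
if [ $# -ge 3 ]; then
    dir=$1; server_ip=$2; user=$3
    psk=$(gen_psk)
    write_ipsec_secrets "$dir/ipsec.secrets" "$server_ip" "$psk"
    echo "IPsec PSK (enter this on each client): $psk"
    printf 'PPP password for %s: ' "$user"; read -r password
    add_chap_user "$dir/ppp/chap-secrets" "$user" l2tpd "$password"
    check_mode "$dir/ipsec.secrets" && check_mode "$dir/ppp/chap-secrets"
    weak_chap_passwords "$dir/ppp/chap-secrets" 16
fi
```

Run it once with a scratch directory to see the files it produces, then with /etc. The 'sudo ipsec secrets' command reloads ipsec.secrets without a restart; chap-secrets is read by pppd on each new connection, so it needs no reload at all.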

FIREWALL and Routing

First we will enable IP Forwarding in: /etc/sysctl.conf 

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

When done, run the following command to load the settings.

sudo sysctl -p

Second, we will allow the VPN through the firewall. I used UFW; this can also be done with iptables.

Note: if you are setting this up over SSH, run 'sudo ufw allow ssh' before enabling the firewall, or you will lock yourself out.

sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw allow 1701/udp
sudo ufw enable

L2TP runs over UDP, not TCP, so it is 1701/udp. With 'forceencaps=yes' the L2TP packets always arrive inside the IPsec tunnel on UDP 4500, so the 1701 rule only matters for the decapsulated packets on the host itself; a plain 'allow' on it also admits unencrypted L2TP from anyone who can reach the host, such as devices on your LAN.

Finally, forward UDP 500 and UDP 4500 on your router to your Ubuntu system. Port 1701 is carried inside the IPsec tunnel, so the router never sees it and forwarding it is not needed. If clients connect but cannot reach the LAN or the Internet, check DEFAULT_FORWARD_POLICY in /etc/default/ufw: ufw drops forwarded traffic by default, and that is the path the VPN clients' packets take.
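For the iptables route instead of UFW, here is an added example (not from the original guide) that expresses the same opening plus two hardening points: UDP 1701 is accepted only when the packet arrived through an IPsec SA (the '-m policy --pol ipsec' match), so nobody can talk L2TP/PPP to xl2tpd in the clear, and every rule is added with a check first so repeated starts never stack duplicates. Function names and the wlan0/192.168.1.0/24 defaults are hypothetical; substitute your interface and network.

```shell
#!/bin/sh
# Added example, not part of the original guide: the VPN's firewall rules as
# idempotent iptables commands, for use instead of the ufw lines above.
# Function names and the wlan0/192.168.1.0/24 defaults are hypothetical.
#
# Difference from 'ufw allow 1701/udp': UDP 1701 is accepted only when the
# packet arrived inside an IPsec SA (-m policy --pol ipsec). Without that,
# anyone who can reach the host, including every device on the LAN, can
# start an unencrypted L2TP/PPP session and capture the CHAP exchange.
set -eu

# vpn_rules WAN_IF LAN_CIDR: one rule per line as "<table> <chain> <match>",
# so the same list drives -C (check), -A (append) and -D (delete).
vpn_rules() {
    wan_if=$1; lan_cidr=$2
    cat <<EOF
filter INPUT -p udp --dport 500 -j ACCEPT
filter INPUT -p udp --dport 4500 -j ACCEPT
filter INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
filter INPUT -p udp --dport 1701 -j DROP
filter FORWARD -i ppp+ -o $wan_if -j ACCEPT
filter FORWARD -i $wan_if -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $lan_cidr -o $wan_if -j MASQUERADE
EOF
}

# vpn_apply WAN_IF LAN_CIDR: add each rule only if it is not present yet, so
# repeated start/restart does not stack duplicate MASQUERADE rules.
vpn_apply() {
    vpn_rules "$1" "$2" | while read -r table chain rule; do
        # $rule is unquoted on purpose: iptables needs it word-split
        iptables -t "$table" -C "$chain" $rule 2>/dev/null ||
            iptables -t "$table" -A "$chain" $rule
    done
}

# vpn_remove WAN_IF LAN_CIDR: delete exactly the rules we added and nothing
# else (unlike 'iptables -t nat --flush').
vpn_remove() {
    vpn_rules "$1" "$2" | while read -r table chain rule; do
        iptables -t "$table" -D "$chain" $rule 2>/dev/null || true
    done
}

# Usage (as root): sh vpn-fw.sh apply wlan0 192.168.1.0/24
case "${1:-}" in
    apply)  vpn_apply  "${2:-wlan0}" "${3:-192.168.1.0/24}" ;;
    remove) vpn_remove "${2:-wlan0}" "${3:-192.168.1.0/24}" ;;
    show)   vpn_rules  "${2:-wlan0}" "${3:-192.168.1.0/24}" ;;
esac
```

'sh vpn-fw.sh show' prints the rule list for review; 'apply' and 'remove' need root. The FORWARD rules are what UFW's default forward policy would otherwise drop; with proxyarp and client addresses inside the LAN subnet, traffic to both LAN hosts and the Internet leaves through the same interface, which is why a single 'ppp+ -> WAN_IF' rule covers it.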

Starting Up

Run the following command to start the VPN. openswan and xl2tpd are started by their own init scripts at boot; to have this wrapper (and its iptables rule) run at boot as well, register it with 'sudo update-rc.d ipsec.vpn defaults'.

sudo /etc/init.d/ipsec.vpn start

Next, verify that IPsec is running correctly.

sudo ipsec verify

Everything should be 'OK' with the following exceptions.

SAref kernel support                                    [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking /bin/sh is not /bin/dash                       [WARNING]
Opportunistic Encryption Support                        [DISABLED]

The IP forwarding check fails because of a known bug in the verify script shipped with this openswan version, not because forwarding is off; confirm it yourself with 'cat /proc/sys/net/ipv4/ip_forward', which should print 1.

Remote Connection iOS 8

1. Go to Settings > General > VPN > Add VPN Configuration...
2. Select L2TP
3. Description = anything you like
4. Server = the public IP address or DynDNS domain name for your router
5. Account = the username set above
6. RSA SecurID = no
7. Password = password from creating a user
8. Secret = ipsecSecret
9. Send All Traffic = yes
10. Save

To enable, go to Settings and flip the switch for VPN.

Remote Connection Mac OS X

1. Go to System Preferences > Network > press the + (plus) button in the bottom left
2. Interface = VPN
3. VPN Type = L2TP over IPsec
4. Service Name = anything you like
5. Create
6. Configuration = Default
7. Server Address = the public IP address or DynDNS domain name for your router
8. Account Name = the username set above
9. Click Authentication Settings...
10. User Authentication: Password = password from creating a user
11. Machine Authentication: Shared Secret = ipsecSecret

12. Click OK > Apply

To enable, go to System Preferences, select the VPN on the left and click Connect.

Please feel free to hit me up on twitter (@tylerbaird) if you have questions or corrections.