L2TP/IPsec VPN client setup

From ArchWiki
Revision as of 12:35, 16 October 2010 by Rendman (Talk | contribs)



L2TP/IPsec is a secure Virtual Private Network solution that is well supported on many different platforms.

This article describes, in HOWTO fashion, how to configure and use an L2TP/IPsec client on Arch Linux. It covers the installation and setup of several software packages. One of the packages is only available in the AUR, so knowledge of how to build and install AUR packages on your system is required; that procedure is not covered here.

This guide is primarily for clients connecting to a Windows Server machine. It uses some settings that are specific to the Microsoft implementation of L2TP/IPsec.

Installation

Execute the following commands as root to install the software packages required to set up the VPN connection.

 #pacman -S xl2tpd
 #pacman -U openswan-2.6.28-1-arch.pkg.tar.xz

Some additional software dependencies may be required and will be discovered during dependency resolution if required.

Configuration

OpenSwan

Edit the Openswan configuration file so that it contains the following lines:

 config setup
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
      nat_traversal=yes
      protostack=netkey
      oe=no
      # Replace eth0 with your network interface
      plutoopts="--interface=eth0"
 conn L2TP-PSK
      authby=secret
      pfs=no
      auto=add
      keyingtries=3
      dpddelay=30
      dpdtimeout=120
      dpdaction=clear
      rekey=yes
      ikelifetime=8h
      keylife=1h
      type=transport
      # Replace IP address with your local IP (a private, behind-NAT IP is okay as well)
      left=192.168.1.101
      leftnexthop=%defaultroute
      leftprotoport=17/1701
      # Replace IP address with your VPN server's IP
      right=68.68.32.79
      rightprotoport=17/1701

This file contains the basic information needed to establish a secure IPsec tunnel to the VPN server. It enables NAT Traversal in case your machine is behind a NATing router (most are), and sets various other options that are necessary to connect correctly to the remote IPsec server. The next file contains your PSK for the server.

Create the Openswan secrets file; it should contain the following line:

 192.168.1.101 68.68.32.79 : PSK "your_pre_shared_key"

Remember to replace the local (192.168.1.101) and remote (68.68.32.79) IP addresses with the correct numbers for your location. The pre-shared key will be supplied by the VPN provider and must be placed in this file in cleartext.
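Because the PSK sits in this file in cleartext, it is worth checking, before starting the tunnel, that the file is readable only by root and that the placeholder key from the listing above has actually been replaced. The following is an added example (not from this article or from Openswan) that performs both checks on constructed sample files; the file names under the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page: sanity-check an Openswan
# secrets file before bringing the tunnel up. The PSK is stored in cleartext,
# so group/other must have no permission bits, and the key must not still be
# the article's placeholder string.

# Returns 0 when FILE exists and group+other have no permission bits, 1 otherwise.
secrets_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perm=$(ls -ld "$f" | cut -c5-10)   # group and other bits, "------" when mode is 600
    [ "$perm" = "------" ]
}

# Returns 0 when FILE has at least one PSK line whose key is not the placeholder.
secrets_psk_ok() {
    f=$1
    grep -q ': *PSK *"' "$f" || return 1
    ! grep -q 'PSK *"your_pre_shared_key"' "$f"
}

# Runs both checks, printing one warning per failure; returns 1 if anything failed.
check_secrets() {
    f=$1
    rc=0
    if ! secrets_mode_ok "$f"; then
        echo "WARN: $f is readable by group or others; run: chmod 600 $f" >&2
        rc=1
    fi
    if ! secrets_psk_ok "$f"; then
        echo "WARN: $f has no usable PSK line (missing, or still the placeholder)" >&2
        rc=1
    fi
    return $rc
}

# Constructed demo files in a temporary directory (left in place for inspection).
demo_dir=$(mktemp -d)
printf '%s\n' '192.168.1.101 68.68.32.79 : PSK "your_pre_shared_key"' > "$demo_dir/placeholder.secrets"
chmod 644 "$demo_dir/placeholder.secrets"
printf '%s\n' '192.168.1.101 68.68.32.79 : PSK "ConstructedExampleKey123"' > "$demo_dir/good.secrets"
chmod 600 "$demo_dir/good.secrets"

check_secrets "$demo_dir/placeholder.secrets" || echo "placeholder.secrets rejected (expected)"
check_secrets "$demo_dir/good.secrets" && echo "good.secrets accepted"
```

To check a real installation, call `check_secrets` on the actual secrets file as root; the mode test relies only on the `ls -l` permission columns, so it works on any POSIX system without GNU `stat`.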

At this point the IPsec configuration is complete and we can move onto the L2TP configuration.

xl2tpd

Edit the xl2tpd configuration file; it should resemble the following:

 [lac vpn-connection]
 lns = 68.68.32.79
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd.client
 length bit = yes

This file configures xl2tpd with the connection name, the server IP address (which, again, you must change to your server's address) and various options that will be passed to pppd once the tunnel is set up.

Now modify the pppd options file referenced above as pppoptfile (/etc/ppp/options.l2tpd.client):

 ipcp-accept-local
 ipcp-accept-remote
 refuse-eap
 require-mschap-v2
 noccp
 noauth
 idle 1800
 mtu 1410
 mru 1410
 defaultroute
 usepeerdns
 debug
 lock
 connect-delay 5000
 name your_vpn_username
 password your_password

Place your assigned username and password for the VPN server in this file. A lot of these options are set so that this daemon can interoperate with the Windows L2TP server.

This concludes the configuration of the software needed to connect to an L2TP/IPsec server. To start the connection, do the following:

 #/etc/rc.d/openswan start
 #/etc/rc.d/xl2tpd start
 #ipsec auto --up L2TP-PSK
 #echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control

At this point the tunnel is up and you should be able to see the interface for it if you type:

 #ifconfig

You should see a pppX device that represents the tunnel. Right now, nothing is going to be routed through it. You need to add some routing rules before it carries any traffic:

Routing

Routing traffic to a single IP address through the tunnel

This is as easy as adding a routing rule to your kernel table:

 #route add xxx.xxx.xxx.xxx gw yyy.yyy.yyy.yyy eth0

Replace xxx.xxx.xxx.xxx with the IP address of the specific server you wish to reach through the tunnel, and yyy.yyy.yyy.yyy with the remote IP of your PPP connection. The remote IP of a PPP connection can be discovered by issuing:

 #ifconfig

and reading the P-t-P address for the PPP interface that corresponds to your tunnel.

Routing all traffic through the tunnel

This is a lot more complex, but all your traffic will travel through the tunnel. Start by adding a special route for the actual VPN server through your current gateway:

 #route add 68.68.32.79 gw 192.168.1.1 eth0

This ensures that, once the default gateway is changed to the ppp interface, your network stack can still reach the VPN server by routing around the tunnel. If you miss this step you will lose connectivity to the Internet and the tunnel will collapse. Now add a default route via the PPP remote end:

 #route add default gw yyy.yyy.yyy.yyy eth0

The remote PPP end can be discovered by following the step in the previous section. Now to ensure that ALL traffic is routing through the tunnel, delete the original default route:

 #route delete default gw 192.168.1.1 eth0

To restore your system to the previous state, you can reboot or reverse all of the above steps.
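The order of the three steps above matters: the host route for the VPN server must exist before the default route is swapped, and the PPP peer address must be correct, or the tunnel collapses exactly as described. The following added example (not from this article) turns the procedure into a dry-run planner: it extracts the peer address from `ifconfig` output in the old net-tools "P-t-P:" format the article relies on, validates every address, and prints the `route` commands in the safe order without touching the kernel routing table. The sample `ifconfig` output is constructed; the VPN server and gateway addresses are the article's own.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page: a dry-run planner for the
# "route all traffic through the tunnel" steps. Nothing here changes the routing
# table; review the printed commands, then run them as root once satisfied.

# Constructed sample of net-tools ifconfig output for the tunnel interface.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.10.0.14  P-t-P:10.10.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1'

# True when $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read ifconfig output on stdin and print the remote (P-t-P) address of the
# first point-to-point interface found; return 1 if there is none.
ppp_peer_addr() {
    addr=$(sed -n 's/.*P-t-P:\([0-9.][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Print the commands that send all traffic through the tunnel.
# Arguments: VPN_SERVER OLD_GATEWAY IFACE PPP_PEER
# Refuses (return 1) when any address is malformed: swapping the default route
# with a bad peer is exactly how connectivity is lost.
full_tunnel_plan() {
    vpn=$1; gw=$2; dev=$3; peer=$4
    for a in "$vpn" "$gw" "$peer"; do
        if ! is_ipv4 "$a"; then
            echo "full_tunnel_plan: '$a' is not an IPv4 address; no routes planned" >&2
            return 1
        fi
    done
    printf 'route add %s gw %s %s\n' "$vpn" "$gw" "$dev"   # VPN server stays reachable via the old gateway
    printf 'route add default gw %s\n' "$peer"             # new default: the PPP peer
    printf 'route delete default gw %s %s\n' "$gw" "$dev"  # drop the old default only at the end
}

# Print the commands that restore the previous state (reverse of the plan).
full_tunnel_undo() {
    vpn=$1; gw=$2; dev=$3
    printf 'route add default gw %s\n' "$gw"
    printf 'route delete %s gw %s %s\n' "$vpn" "$gw" "$dev"
}

# Demo on the constructed sample.
peer=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ppp_peer_addr) || peer=""
echo "# PPP peer from sample output: ${peer:-<none>}"
full_tunnel_plan 68.68.32.79 192.168.1.1 eth0 "$peer"
echo "# undo:"
full_tunnel_undo 68.68.32.79 192.168.1.1 eth0
```

On a live system, replace the sample with `/sbin/ifconfig ppp0 | ppp_peer_addr` and pipe the plan into `sh` as root only after reading it; if `ppp_peer_addr` fails because pppd has not finished negotiating, nothing is planned and the existing default route is left alone.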

Tips and Tricks

Script start up and shut down

You can create some scripts, either in your home directory or elsewhere (remember where you put them), to bring up the tunnel and then shut it back down.

First, a utility script to automatically discover PPP distant ends: getip.sh

 #!/bin/bash
 # Print the remote (P-t-P) address of the interface given as $1, e.g. ppp0.
 # Splitting on "P-t-P:" picks the peer address; splitting on ":" alone would
 # return the interface's own "inet addr" instead.
 /sbin/ifconfig "$1" | grep "P-t-P" | gawk -F'P-t-P:' '{print $2}' | gawk '{print $1}'

Next, the script to bring the tunnel up. This will replace the default route, so all traffic will pass via the tunnel: startvpn.sh

 #!/bin/bash
 
 /etc/rc.d/openswan start
 sleep 2                                      # delay to ensure that IPsec is started before overlaying L2TP
 /etc/rc.d/xl2tpd start
 /usr/sbin/ipsec auto --up L2TP-PSK
 /bin/echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
 sleep 2                                      # delay again to make sure that the PPP connection is up
 PPP_GW_ADD=$(./getip.sh ppp0)                # getip.sh must be in the current directory
 if [ -z "$PPP_GW_ADD" ]; then
     echo "ppp0 has no P-t-P address yet; leaving routes unchanged" >&2
     exit 1
 fi
 
 route add 68.68.32.79 gw 192.168.1.1 eth0    # keep the VPN server reachable via the old gateway
 route add default gw $PPP_GW_ADD
 route delete default gw 192.168.1.1

Finally, the shutdown script, which simply reverses the process: stopvpn.sh

 #!/bin/bash
 
 /usr/sbin/ipsec auto --down L2TP-PSK
 /bin/echo "d vpn-connection" > /var/run/xl2tpd/l2tp-control
 /etc/rc.d/xl2tpd stop
 /etc/rc.d/openswan stop
 
 route delete 68.68.32.79 gw 192.168.1.1 eth0
 route add default gw 192.168.1.1

AUR link for the OpenSwan package

Openswan can be found on the AUR at:

External links