Talk:Openswan L2TP/IPsec VPN client setup

From ArchWiki

Openswan section

I get this output when trying to initialize the openswan configuration with "ipsec auto --up L2TP-PSK":

000 initiating all conns with alias='L2TP-PSK'
021 no connection named "L2TP-PSK"

Even though I had a mistake in my ipsec.secure file, I still can't get it to recognize the connection named "L2TP-PSK". "journalctl -xe" just shows:

Mai 15 12:59:56 linux sudo[10540]: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/ipsec auto --up L2TP-PSK
Mai 15 12:59:56 linux sudo[10540]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mai 15 12:59:56 linux pluto[10075]: initiating all conns with alias='L2TP-PSK'
Mai 15 12:59:56 linux sudo[10540]: pam_unix(sudo:session): session closed for user root

--Bradan (talk) 11:10, 15 May 2015 (UTC)

Libreswan replacement section

I am trying to do the same config as described in the article, but something fails, and I think it is because of this:

Old pppd < 2.4.5 could cause xl2tpd to hang on a hanging pppd, so xl2tpd killed pppd itself to avoid this. But that meant pppd did not get to execute its ip-down script. This behaviour can be tweaked using the define TRUST_PPPD_TO_DIE in the xl2tpd Makefile. Fedora and EPEL packages enable this as of April 2015.

Also I would like to provide here my script used to automatically connect and disconnect:

#!/bin/bash

start()
{
    # xl2tpd expects its control FIFO/file to exist before it is started
    touch /var/run/xl2tpd/l2tp-control
    sleep 3
    systemctl start ipsec
    sleep 10
    systemctl start xl2tpd
    sleep 10
    # load and bring up the IPsec connection defined in ipsec.conf
    ipsec auto --add L2TP-PSK
    sleep 3
    ipsec auto --up L2TP-PSK
    sleep 3
    # ask xl2tpd to dial the L2TP tunnel named "vpn-connection" in xl2tpd.conf
    echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    sleep 3
    # route the remote subnet over the ppp0 link that xl2tpd/pppd just created
    ip route add 10.YYY.YYY.0/24 via $(ip -o addr show | grep ppp0 | awk '{print $4}' | sed -e 's#/24##g')
}

stop()
{
    systemctl stop ipsec.service
    systemctl stop xl2tpd
}

# overwrite resolv.conf with Google's public resolvers (runs for both start and stop)
cat << EOL > /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
EOL

# only accept the two known actions instead of executing an arbitrary argument as root
case "$1" in
    start|stop) "$1" ;;
    *) echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac

—This unsigned comment is by Xcfs (talk) 17:17, 7 October 2015 (UTC). Please sign your posts with ~~~~!

ipsec verify Command

It might be prudent to point out the command for

Checking if IPsec got installed and started correctly.

Namely,

   ipsec verify

Notably, this page might be incomplete/outdated, as I, too, encounter the same errors as the first section of this discussion page shows.

# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.43/K4.1.15-5-ARCH (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [FAILED]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]

ipsec verify: encountered errors

ILMostro (talk) 15:17, 22 January 2016 (UTC)
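An added example, not part of the original post or of the Openswan tools: a small POSIX sh helper that pulls the non-OK checks out of `ipsec verify` output and maps the ones it flags (ICMP redirects, rp_filter) to the sysctl settings that make those checks pass. The sample text is constructed from the run above; the function names are mine.

```shell
#!/bin/sh
# Constructed sample: a subset of the lines from the `ipsec verify` run above.
SAMPLE_VERIFY='Version check and ipsec on-path                         [OK]
         ICMP default/send_redirects                    [NOT DISABLED]
         ICMP default/accept_redirects                  [NOT DISABLED]
         XFRM larval drop                               [OK]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 Pluto listening for IKE on udp 500                     [FAILED]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]'

# Print only the checks whose bracketed status is a real problem, i.e. anything
# other than OK, N/A or NOT IMPLEMENTED, as "status|check name", one per line.
verify_problems() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *\(.*[^ ]\) *\[\([^]]*\)\]$/\2|\1/p' \
        | grep -Ev '^(OK|N/A|NOT IMPLEMENTED)[|]'
}

# Turn the sysctl-related complaints into the lines you would put in a
# /etc/sysctl.d/ drop-in: redirects off, and rp_filter off for the interface
# named in the /proc path (all, default, eth0, ...). Other failures, such as
# pluto not listening on udp 500, have no sysctl fix and are left out.
sysctl_fixes() {
    verify_problems "$1" | while IFS='|' read -r status check; do
        case "$check" in
            *send_redirects*)
                echo 'net.ipv4.conf.all.send_redirects = 0'
                echo 'net.ipv4.conf.default.send_redirects = 0' ;;
            *accept_redirects*)
                echo 'net.ipv4.conf.all.accept_redirects = 0'
                echo 'net.ipv4.conf.default.accept_redirects = 0' ;;
            */rp_filter*)
                # /proc/sys/net/ipv4/conf/<iface>/rp_filter -> field 7 when split on "/"
                echo "net.ipv4.conf.$(echo "$check" | cut -d/ -f7).rp_filter = 0" ;;
        esac
    done | sort -u
}
```

Feed it the live output with `verify_problems "$(ipsec verify 2>&1)"` to see what still fails after applying the settings.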

Libreswan

Should the wiki recommend using Libreswan instead of Openswan? See this wiki article for more information. I got my employer's VPN working easily with Network Manager L2TP and Libreswan.

Steelbird (talk) 07:54, 26 February 2016 (UTC)

Libreswan is merged into List of applications/Internet now. A more detailed comparison is needed if you want to recommend one over the other.--Fengchao (talk) 07:38, 5 September 2017 (UTC)

lano1106 (talk) 2 March 2021

I do believe that libreswan is superior to openswan:

* More features (supports IKEv2)
* More active dev
* Uses NSS for all its crypto
* Flipping from openswan to libreswan should be trivial