Talk:Openswan L2TP/IPsec VPN client setup
Openswan section
I get this output when trying to initialize the openswan configuration with "ipsec auto --up L2TP-PSK"
000 initiating all conns with alias='L2TP-PSK'
021 no connection named "L2TP-PSK"
Even though I had a mistake in my ipsec.secure file, I still don't get it to recognize the connection named "L2TP-PSK". "journalctl -xe" just shows
Mai 15 12:59:56 linux sudo[10540]: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/ipsec auto --up L2TP-PSK
Mai 15 12:59:56 linux sudo[10540]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mai 15 12:59:56 linux pluto[10075]: initiating all conns with alias='L2TP-PSK'
Mai 15 12:59:56 linux sudo[10540]: pam_unix(sudo:session): session closed for user root
--Bradan (talk) 11:10, 15 May 2015 (UTC)
Libreswan replacement section
I am trying to do the same config as I read in the article, but something fails, and I think it is because of this:
Old pppd < 2.4.5 could cause xl2tpd to hang on a hanging pppd, so xl2tpd killed pppd itself to avoid this. But that meant pppd did not get to execute its ip-down script. This behaviour can be tweaked using the define TRUST_PPPD_TO_DIE in the xl2tpd Makefile. Fedora and EPEL packages enable this as of April 2015.
Also, I would like to provide here my script used to automatically connect and disconnect:
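#!/bin/bash

start() {
    # Create the xl2tpd control file, then bring up IPsec and xl2tpd
    touch /var/run/xl2tpd/l2tp-control
    sleep 3
    systemctl start ipsec
    sleep 10
    systemctl start xl2tpd
    sleep 10
    # Load and initiate the IPsec connection
    ipsec auto --add L2TP-PSK
    sleep 3
    ipsec auto --up L2TP-PSK
    sleep 3
    # Ask xl2tpd to connect the L2TP session
    echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    sleep 3
    # Route the remote network via the ppp0 address
    ip route add 10.YYY.YYY.0/24 via $(ip -o addr show | grep ppp0 | awk '{print $4}' | sed -e 's#/24##g')
}

stop() {
    systemctl stop ipsec.service
    systemctl stop xl2tpd
}

# Runs on every invocation, before start/stop is dispatched
cat << EOL > /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
EOL

$1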
—This unsigned comment is by Xcfs (talk) 17:17, 7 October 2015 (UTC). Please sign your posts with ~~~~!
ipsec verify Command
It might be prudent to point out the command for
Checking if IPsec got installed and started correctly.
Namely,
ipsec verify
Notably, this page might be incomplete/outdated, as I, too, encounter the same errors as the first section in the discussion page shows.
# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                      [OK]
Openswan U2.6.43/K4.1.15-5-ARCH (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                 [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                 [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
         ICMP default/accept_redirects               [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
         XFRM larval drop                            [OK]
Hardware random device check                         [N/A]
Checking rp_filter                                   [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter              [ENABLED]
Checking that pluto is running                       [OK]
 Pluto listening for IKE on udp 500                  [FAILED]
 Pluto listening for IKE on tcp 500                  [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500           [DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500           [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)        [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                       [TEST INCOMPLETE]
Checking 'ip' command                                [OK]
Checking 'iptables' command                          [OK]
ipsec verify: encountered errors
ILMostro (talk) 15:17, 22 January 2016 (UTC)
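The `ipsec verify` output above flags `send_redirects` and `accept_redirects` as [NOT DISABLED]. The following is an added example, not part of the comment above or of Openswan itself, that lists every interface entry where those sysctls are still enabled; the function names and the optional root-directory argument are assumptions made for the example, and the sample tree is constructed.

```shell
#!/bin/bash
# Added example: audit the ICMP redirect sysctls that `ipsec verify`
# reports as [NOT DISABLED]. The optional first argument is a hypothetical
# override of the sysctl root so the check can run against a constructed
# directory tree; by default it reads the live /proc/sys.

# Print every send_redirects/accept_redirects entry whose value is not 0.
# Returns 0 when all are disabled, 1 when at least one is still enabled.
audit_redirects() {
    local root="${1:-/proc/sys}" conf f val bad=0
    conf="$root/net/ipv4/conf"
    for f in "$conf"/*/send_redirects "$conf"/*/accept_redirects; do
        [ -r "$f" ] || continue      # unmatched glob or unreadable entry
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "NOT DISABLED: ${f#"$root"/} = $val"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample tree: redirects disabled on "all" but still enabled
# on "default" and "eth0" (interface names are sample values).
make_sample_tree() {
    local root="$1" ifc
    for ifc in all default eth0; do
        mkdir -p "$root/net/ipv4/conf/$ifc"
        echo 1 > "$root/net/ipv4/conf/$ifc/send_redirects"
        echo 1 > "$root/net/ipv4/conf/$ifc/accept_redirects"
    done
    echo 0 > "$root/net/ipv4/conf/all/send_redirects"
    echo 0 > "$root/net/ipv4/conf/all/accept_redirects"
}

# Demo against the constructed tree: ./script --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_redirects "$tmp" || echo "redirects still enabled"
    rm -rf "$tmp"
fi
```

Called with no argument, `audit_redirects` reads the live `/proc/sys` tree, so it can be run before and after changing the sysctls to confirm that nothing is left enabled.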
Libreswan
Should the wiki recommend using Libreswan instead of Openswan? See this wiki article for more information. I got my employer's VPN working easily with Network Manager L2TP and Libreswan.
Steelbird (talk) 07:54, 26 February 2016 (UTC)
- Libreswan is merged to List of applications/Internet now. A more detailed comparison is needed if you want to recommend one over the other.--Fengchao (talk) 07:38, 5 September 2017 (UTC)
I do believe that libreswan is superior to openswan
* More features (Support IKE2)
* More active dev
* Use NSS for all its crypto
* flipping from openswan to libreswan should be trivial