IPSEC over L2TP access from Arch Linux (With Strongswan and xl2tpd)

The setup will differ depending on the destination VPN server's configuration.
It is much easier if you know the endpoint configuration. If you don't,
you will have to capture packets on a client that is able to establish an
IPsec connection.
In my opinion, the Windows implementation of the IPsec/L2TP client
is pretty thorough and also common, so it should be a good client to test with.

In my case, I captured packets on Windows and got the server side's IKE
parameters from the ISAKMP packets.

Here is my configuration.

1.
I had to add "send_vendor_id = yes" to "/etc/strongswan.conf" in order to
initiate Quick Mode (phase 2) communication.
Most IPsec/L2TP implementations require the vendor ID to be sent.

charon {
    load_modular = yes
    send_vendor_id = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

2.
Next thing to set up is ipsec.conf.
I had to change the ike and esp parameters according to
the packets from the server that I captured on Windows.
Make sure "right" is the IP address of the VPN server (its global IP), not a domain name.
In my case the IKE key exchange failed because of that.
ikelifetime may have to be changed, too.

There may be a way to set strongswan to accept
any encryption and hash methods, but I did not bother.

The conn name will be used later, so name it cool.


config setup
    charondebug="ike 4, knl 4, cfg 2"

conn l2tp-psk
    authby = secret
    auto = add
    keyexchange = ikev1
    type = transport
    left = %any
    leftprotoport=17/1701
    right = "VPN SERVER's IP ADDRESS. NOT A DOMAIN NAME!"
    rightprotoport=17/1701
    ike = aes256-sha1-modp2048
    ikelifetime = 8h
    esp = aes256-sha1-modp2048

3.
Next thing to set up is ipsec.secrets.
%any should be changed according to your needs.

%any %any : PSK "Presharekey-passphrase"

4.
Configure xl2tpd

/etc/xl2tpd/xl2tpd.conf
[lac l2tp-psk]
lns = "VPN SERVER's IP ADDRESS, same as right in ipsec.conf"
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

/etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "Username"
password "user's password"

5.
Connect to the VPN Server

ipsec start
ipsec up l2tp-psk
systemctl start xl2tpd
echo "c l2tp-psk" > /var/run/xl2tpd/l2tp-control

Add routing and you are done!
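Since the same values are spread over ipsec.conf and xl2tpd.conf (the server IP as "right" and "lns", the conn name as the lac name and in the "c" control command), a quick consistency check saves a failed IKE exchange. This is an added example, not part of the original post: it builds constructed copies of both files with the documentation address 203.0.113.10 standing in for the server and cross-checks them.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/ipsec.conf and /etc/xl2tpd/xl2tpd.conf (203.0.113.10 = sample server IP)
IPSEC_CONF=$(mktemp); XL2TPD_CONF=$(mktemp)
cat > "$IPSEC_CONF" <<'EOF'
conn l2tp-psk
    authby = secret
    auto = add
    keyexchange = ikev1
    type = transport
    left = %any
    leftprotoport=17/1701
    right = 203.0.113.10
    rightprotoport=17/1701
    ike = aes256-sha1-modp2048
    ikelifetime = 8h
    esp = aes256-sha1-modp2048
EOF
cat > "$XL2TPD_CONF" <<'EOF'
[lac l2tp-psk]
lns = 203.0.113.10
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
EOF

# conf_value FILE KEY: print the value of the first "KEY = value" line (spaces around = optional)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_l2tp_config CONN IPSEC_CONF XL2TPD_CONF: returns 0 if the two files agree, 1 otherwise
check_l2tp_config() {
    conn=$1; ipsec=$2; xl2tpd=$3; rc=0
    right=$(conf_value "$ipsec" right)
    lns=$(conf_value "$xl2tpd" lns)
    # "right" must be a literal IPv4 address, not a domain name (IKE fails otherwise, see above)
    case $right in
        *[!0-9.]*|"") echo "right='$right' is not an IPv4 address"; rc=1 ;;
    esac
    [ "$right" = "$lns" ] || { echo "right ($right) and lns ($lns) differ"; rc=1; }
    # the conn name is reused as the xl2tpd lac name and in "c <name>" on the control pipe
    grep -q "^conn[[:space:]]*$conn\$" "$ipsec" || { echo "no conn $conn in ipsec.conf"; rc=1; }
    grep -q "^\[lac[[:space:]]*$conn]" "$xl2tpd" || { echo "no [lac $conn] in xl2tpd.conf"; rc=1; }
    [ "$(conf_value "$ipsec" keyexchange)" = ikev1 ] || { echo "L2TP/IPsec needs keyexchange=ikev1"; rc=1; }
    [ "$(conf_value "$ipsec" type)" = transport ] || { echo "L2TP/IPsec needs type=transport"; rc=1; }
    return $rc
}
check_l2tp_config l2tp-psk "$IPSEC_CONF" "$XL2TPD_CONF" && echo "configuration is consistent"
```

Point the two path variables at the real files to check a live setup.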

Snapshot with BTRFS (On remote volume)

Run the bash script below.
Change the srcdir, dstdir, mt (mount point) and old (age in days after which remote backups are deleted, 365 by default) variables to your preference.

#!/bin/bash
set -u

## Variable declaration
# date string for the subvolume name of a remote backup
datetime=$(date +%d-%h-%Y_%H-%M)
# Local snapshot subvolume
srcdir="/snapshot"
# Mount point of the backup volume
mt="/mnt/2tbhdd"
# Remote snapshot subvolume
dstdir="${mt}/Snapshot"
# Remote backups older than this many days are deleted
old=365

# Check whether the destination volume is mounted. If not, exit the script
if ! mountpoint -q "$mt"; then
    printf "backup destination is not mounted\n"
    exit 1
fi

# Check if there is an original snapshot locally for creating an incremental backup. If not, start the initial backup
if [ ! -d "$srcdir" ]; then
    printf "Issuing an initial backup\n"
    btrfs subvolume snapshot -r / "$srcdir" || exit 1
    printf "Copying snapshot to remote destination\n"
    btrfs send "$srcdir" | btrfs receive "$dstdir" || exit 1
    sync
fi

# Start incremental backup from the local snapshot subvolume
printf "Creating a local snapshot\n"
btrfs subvolume snapshot -r / "${srcdir}_${datetime}" || exit 1
sync
printf "Copying incremental snapshot to remote destination\n"
btrfs send -p "$srcdir" "${srcdir}_${datetime}" | btrfs receive "$dstdir" || exit 1

# Replace the original subvolume with the newly created snapshot
printf "Replacing the original subvolume with the newly created snapshot\n"
btrfs subvolume delete "$srcdir"
printf "Renaming the subvolume\n"
mv "${srcdir}_${datetime}" "$srcdir"

# Delete snapshots older than $old days on the remote volume.
# The age is taken from the timestamp in the subvolume name rather than from
# the directory mtime: a snapshot's top-level directory keeps the mtime of the
# source root, so "find -mtime" would not tell when the backup was made.
cutoff=$(( $(date +%s) - old * 86400 ))
deleted=0
for snap in "${dstdir}"/*_*; do
    [ -d "$snap" ] || continue
    stamp=${snap##*_}                 # HH-MM
    day=${snap%_*}; day=${day##*_}    # dd-Mon-YYYY
    when=$(date -d "${day} ${stamp/-/:}" +%s 2>/dev/null) || continue
    if [ "$when" -lt "$cutoff" ]; then
        printf "Deleting snapshot more than %s days old: %s\n" "$old" "$snap"
        btrfs subvolume delete "$snap"
        deleted=1
    fi
done
[ "$deleted" -eq 0 ] && printf "no older backups\n"

My URXVT, and VIMRC conf on openSUSE

For URXVT (Don't forget to run xrdb -load .Xresources)

URxvt*saveLines: 12000
URxvt*.depth: 32
URxvt.background: [90]#000000
URxvt*foreground: White
URxvt*background: Black
URxvt*scrollBar: true
URxvt*scrollBar_right: true
URxvt*scrollstyle: rxvt
URxvt*color4: #2554C7
URxvt*color12: #2554C7
Xcursor.theme: aero-drop-left
URxvt*font: xft:Ricty:size=13:antialias=true:hinting=true
URxvt*letterSpace: -2
URxvt*keysym.Home: \033[1~
URxvt*keysym.End: \033[4~
URxvt*perl-ext-common: selection-to-clipboard

for /etc/tmux.conf
set -g default-command "${SHELL}"
set -g default-terminal "screen-256color"
bind-key -t emacs-copy M-w copy-pipe "xsel -i -p -b"
bind-key C-y run "xsel -o | tmux load-buffer - ; tmux paste-buffer"

for bashrc
alias ssh='TERM=xterm-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
Note that the two -o options disable host key verification entirely (any host key is accepted and none is remembered), so ssh will no longer notice a changed or spoofed host key.

For vimrc


syntax on
set nobackup
set noswapfile
set clipboard=unnamed,unnamedplus
set guifont=Inconsolata\ 14
set iminsert=0
set imsearch=0
set bs=2
set nowrapscan
set number
set list
set hlsearch
set cursorline
set mouse=a
colorscheme badwolf

For attaching to an existing tmux session, or creating a new tmux session if there is none, over SSH.
TERM=screen-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null 10.0.0.1 -t '. /etc/profile; tmux at' || TERM=screen-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null 10.0.0.1 -t '. /etc/profile; tmux'

IPIP tunnel with Linux (IP in IP)

IPIP only encapsulates packets; it provides no encryption or authentication, so anything sensitive should go over IPsec (as above) or another encrypted transport.

ip tunnel add tun0 mode ipip local "THIS HOST's GLOBAL IP" remote "PEER's GLOBAL IP"
ip link set tun0 up
ip addr add "LOCAL IP" dev tun0