IPSEC over L2TP access from Arch Linux (With Strongswan and xl2tpd)

The setup will differ depending on the destination VPN server's configuration.
It is much easier if you know the endpoint's configuration. If you don't,
you will have to capture packets on a client that is able to establish an
IPsec connection.
In my opinion, the Windows IPsec/L2TP client implementation is pretty thorough
and also common, so it should be a good client to test with.

In my case, I captured packets on Windows and took the server side's IKE
parameters from the ISAKMP packets.

Here is my configuration.

I had to add "send_vendor_id = yes" to /etc/strongswan.conf in order to
initiate Quick Mode (phase 2) communication.
Most IPsec/L2TP implementations require the vendor ID to be sent.

charon {
    load_modular = yes
    send_vendor_id = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

The next thing to set up is ipsec.conf.
I had to change the ike and esp parameters according to
the packets from the server which I captured on Windows.
Make sure that "right" is the IP address of the VPN server (its global IP);
in my case the IKE key exchange failed because of it.
ikelifetime may have to be changed, too.

There may be a way to set strongSwan to accept
any encryption and hash method, but I did not bother.

The conn name will be used later, so pick a good one.

config setup
    charondebug="ike 4, knl 4, cfg 2"

conn l2tp-psk
    authby = secret
    auto = add
    keyexchange = ikev1
    type = transport
    left = %any
    right = <VPN server global IP>   # placeholder: the server's global IP, as noted above
    ike = aes256-sha1-modp2048
    ikelifetime = 8h
    esp = aes256-sha1-modp2048
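As an added example, not part of the original post or of strongSwan: a small Python parser that does what the Windows capture step does by hand, decoding an IKEv1 SA payload's transform attributes (RFC 2408 attribute format, RFC 2409 Appendix A values) and rendering them as the ike=, authby= and ikelifetime= settings for ipsec.conf. The payload bytes are constructed in the script as a sample, not taken from a real capture; on real traffic you would feed it the SA payload from the responder's first Main Mode message.

```python
# Translate an IKEv1 SA payload (RFC 2408 / RFC 2409 App. A) into strongSwan ipsec.conf settings.
import struct
ENC = {1: "des", 5: "3des", 7: "aes"}                                # class 1: Encryption Algorithm
HASH = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}  # class 2: Hash Algorithm
AUTH = {1: "secret", 3: "pubkey"}                                    # class 3: PSK / RSA sig, as authby=
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}  # class 4

def parse_attributes(data):
    """Parse SA attributes (RFC 2408 3.3): TV (AF bit set, 2-byte value) or TLV (length, then value)."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, value = struct.unpack_from("!HH", data, off)
        if af_type & 0x8000:                    # AF=1: 'value' is the attribute value itself
            attrs[af_type & 0x7FFF], off = value, off + 4
        else:                                   # AF=0: 'value' is the length of the value that follows
            attrs[af_type], off = int.from_bytes(data[off + 4:off + 4 + value], "big"), off + 4 + value
    return attrs

def parse_sa_payload(payload):
    """Walk SA -> Proposal -> Transform payloads; return (proposal, authby, lifetime_s) per transform."""
    sa_len = struct.unpack_from("!H", payload, 2)[0]
    off, results = 12, []                       # skip generic header (4), DOI (4), Situation (4)
    while off < sa_len:
        prop_len, _, _, spi_size, n_trans = struct.unpack_from("!HBBBB", payload, off + 2)
        toff = off + 8 + spi_size
        for _ in range(n_trans):
            t_len = struct.unpack_from("!H", payload, toff + 2)[0]
            a = parse_attributes(payload[toff + 8:toff + t_len])  # skip header, transform#, id, reserved
            enc = ENC.get(a.get(1), "unknown") + (str(a[14]) if 14 in a else "")  # class 14: Key Length
            prop = f"{enc}-{HASH.get(a.get(2), 'unknown')}-{GROUP.get(a.get(4), 'unknown')}"
            # class 11 Life Type (1 = seconds) qualifies class 12 Life Duration
            results.append((prop, AUTH.get(a.get(3), "unknown"), a.get(12) if a.get(11) == 1 else None))
            toff += t_len
        off += prop_len
    return results

def strongswan_lines(results):
    """Render the offered transforms as ipsec.conf 'ike=', 'authby=' and 'ikelifetime=' lines."""
    props, authby, life = ",".join(p for p, _, _ in results), results[0][1], results[0][2]
    lifetime = [f"ikelifetime={life // 3600}h" if life % 3600 == 0 else f"ikelifetime={life}s"] if life else []
    return [f"ike={props}", f"authby={authby}"] + lifetime

def build_sample_sa_payload():
    """Constructed sample (not a real capture): AES-256 / SHA-1 / PSK / group 14 with an 8 h lifetime."""
    attrs = struct.pack("!HH", 0x8001, 7) + struct.pack("!HH", 0x800E, 256)   # AES-CBC, 256-bit key
    attrs += struct.pack("!HH", 0x8002, 2) + struct.pack("!HH", 0x8003, 1)    # SHA-1, pre-shared key
    attrs += struct.pack("!HH", 0x8004, 14) + struct.pack("!HH", 0x800B, 1)   # group 14, life type = seconds
    attrs += struct.pack("!HHI", 0x000C, 4, 28800)                            # TLV Life Duration: 8 hours
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs            # transform 1, KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform  # PROTO_ISAKMP, 1 transform
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal              # DOI IPsec, SIT_IDENTITY_ONLY
```

Only the more common algorithm and group identifiers are mapped; anything else is rendered as "unknown" so a mismatch with the server is visible rather than silently guessed.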

Next thing to set up is ipsec.secrets.
%any should be changed according to your needs.

%any %any : PSK "Presharekey-passphrase"

Configure xl2tpd. First the [lac] section of xl2tpd.conf:

[lac l2tp-psk]
lns = <same as "right" in ipsec.conf>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

Then the PPP options file referenced above, /etc/ppp/options.l2tpd:

idle 1800
mtu 1410
mru 1410
connect-delay 5000
name "Username"
password "user's password"

Connect to the VPN Server

ipsec start
ipsec up l2tp-psk
systemctl start xl2tpd
echo "c l2tp-psk" > /var/run/xl2tpd/l2tp-control

Add a route and you are done!

Snapshot with BTRFS (on a remote volume)

Run the bash script below.
Change the srcdir, dstdir, mt (mount point) and old (for deleting backups older than 365 days) variables to your preference.


#!/bin/bash
## Variable declaration
# date string for the subvolume name of a remote backup
datetime=$(date +%d-%h-%Y_%H-%M)
# Local snapshot subvolume (placeholder, change to your preference)
srcdir=/path/to/local/snapshot
# Remote snapshot subvolume (placeholder, change to your preference)
dstdir=/path/to/remote/backup
# Name of the destination volume's mount point as it appears in df output
mt=2tbhdd

# Check whether the destination volume is mounted. If not, exit the script
if [ "$(df | grep -c "$mt")" -eq 0 ]; then
    printf "backup destination is not mounted\n"
    exit 1
fi

# Check if there is an original snapshot locally for creating an incremental backup. If not, start the initial backup
if [ ! -d "$srcdir" ]; then
    printf "Issuing an initial backup\n"
    btrfs subvolume snapshot -r / "${srcdir}"
    printf "Copying snapshot to remote destination\n"
    btrfs send "${srcdir}" | btrfs receive "${dstdir}"
    exit 0
fi

# Start incremental backup from the local snapshot subvolume
printf "Creating a local snapshot\n"
btrfs subvolume snapshot -r / "${srcdir}_${datetime}"
printf "Copying incremental snapshot to remote destination\n"
btrfs send -p "${srcdir}" "${srcdir}_${datetime}" | btrfs receive "${dstdir}"

# Replace the original subvolume with the newly created snapshot
printf "Replacing the original subvolume with the newly created snapshot\n"
btrfs subvolume delete "${srcdir}"
printf "Renaming the subvolume\n"
mv "${srcdir}_${datetime}" "${srcdir}"

# Delete snapshots older than a year on the remote volume.
# -mindepth 1 keeps ${dstdir} itself out of the match
old=$(find "${dstdir}" -mindepth 1 -maxdepth 1 -mtime +365)
if [ -z "$old" ]; then
    printf "no older backups\n"
else
    printf "Deleting snapshots more than one year old\n"
    find "${dstdir}" -mindepth 1 -maxdepth 1 -mtime +365 -exec btrfs subvolume delete {} \;
fi

My URXVT and VIMRC conf on openSUSE

For URXVT (Don't forget to run xrdb -load .Xresources)

URxvt*saveLines: 12000
URxvt*.depth: 32
URxvt.background: [90]#000000
URxvt*foreground: White
URxvt*background: Black
URxvt*scrollBar: true
URxvt*scrollBar_right: true
URxvt*scrollstyle: rxvt
URxvt*color4: #2554C7
URxvt*color12: #2554C7
Xcursor.theme: aero-drop-left
URxvt*font: xft:Ricty:size=13:antialias=true:hinting=true
URxvt*letterSpace: -2
URxvt*keysym.Home: \033[1~
URxvt*keysym.End: \033[4~
URxvt*perl-ext-common: selection-to-clipboard

for /etc/tmux.conf

set -g default-command "${SHELL}"
set -g default-terminal "screen-256color"
bind-key -t emacs-copy M-w copy-pipe "xsel -i -p -b"
bind-key C-y run "xsel -o | tmux load-buffer - ; tmux paste-buffer"

for bashrc (note that StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null turns off host key verification entirely, so ssh will not notice a changed or spoofed host key; keep this alias for throwaway hosts)

alias ssh='TERM=xterm-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

For vimrc

syntax on
set nobackup
set noswapfile
set clipboard=unnamed,unnamedplus
set guifont=Inconsolata\ 14
set iminsert=0
set imsearch=0
set bs=2
set nowrapscan
set number
set list
set hlsearch
set cursorline
set mouse=a
colorscheme badwolf

For attaching to an existing tmux session, or creating a new one, over SSH.

TERM=screen-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t '. /etc/profile; tmux at' || TERM=screen-256color ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t '. /etc/profile; tmux'

IPIP tunnel with Linux (IP in IP)

ip tunnel add tun0 mode ipip local <your GLOBAL IP> remote <peer's GLOBAL IP>
ip link set tun0 up
ip addr add <LOCAL IP> dev tun0