IPSEC over L2TP access from Arch Linux (With Strongswan and xl2tpd)

The setup will differ by the destination VPN server’s configuration.
It is much easier if you know the endpoint configuration. If you don’t,
you will have to capture packets on a client that is able to establish an
ipsec connection.
In my opinion, Windows implementation of IPSEC/L2TP client
is pretty thorough and also common, so it should be a good client to test.

In my case, I captured packets on Windows and got the server side’s setting of IKE
parameters of ISAKMP packets.

Here is my configuration.

1.
I had to add “send_vendor_id = yes” to “/etc/strongswan.conf” in order to
initiate Quicki mode( phase 2 ) communication.
Most of the IPSEC/L2TP implementation requires vendor ID to be sent…

charon {
load_modular = yes
send_vendor_id = yes
plugins {
include strongswan.d/charon/*.conf
}
}

2.
Next thing to set up is ipsec.conf.
I had to change ike and esp parameters according to
the packets from server which I got on Windows.
Make your “right” is IP address of VPN server(Global IP)
In my case IKE key exchange failed due to it.
ikelifetime may have to be changed, too.

There may be a way to set strongswan to accept
any encryption and hash methods. But I did not bother.

conn name will be used later, so name it cool.


config setup
charondebug=”ike 4, knl 4, cfg 2″

conn l2tp-psk
authby = secret
auto = add
keyexchange = ikev1
type = transport
left = %any
leftprotoport=17/1701
right = "VPN SERVER's IP ADDRESS. NOT A DOMAIN NAME!"
rightprotoport=17/1701
ike = aes256-sha1-modp2048
ikelifetime = 8h
esp = aes256-sha1-modp2048

3.
Next thing to set up is ipsec.secrets.
%any should be changed according to your needs.

%any %any : PSK "Presharekey-passphrase"

4.
Configure xl2tpd

/etc/xl2tpd/xl2tpd.conf
[lac l2tp-psk]
lns = "Same as "right" in ipsec.conf"
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

/etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "Username"
password "user's password"

5.
Connect to the VPN Server

ipsec start
ipsec up l2tp-psk
systemctl start xl2tpd
echo "c l2tp-psk" > /var/run/xl2tpd/l2tp-control

Add routing and you are done!

Advertisements