Arch linux l2tp server

Openswan L2TP/IPsec VPN client setup


This article describes how to configure and use an L2TP/IPsec Virtual Private Network client on Arch Linux. It covers the installation and setup of several needed software packages. L2TP refers to the Layer 2 Tunneling Protocol; for IPsec, the Openswan implementation is used.

This guide is primarily targeted at clients connecting to a Windows Server machine, as it uses some settings that are specific to the Microsoft implementation of L2TP/IPsec. However, it can be adapted to any other common L2TP/IPsec setup. The Openswan wiki features instructions to set up a corresponding L2TP/IPsec Linux server.


Installation

To use with NetworkManager, install the networkmanager-l2tp and strongswan packages.

Now you can start openswan.service. If it is not running, you may get an error message about a missing pluto_ctl: "connect(pluto_ctl) failed: No such file or directory".

Run ipsec verify to check your configuration and resolve possible issues before continuing.

Configuration

NetworkManager

Open the NetworkManager UI, then:

  1. Go to Network > VPN. Click "+".
  2. Select "Layer 2 Tunneling Protocol (L2TP)".
  3. Choose a name for the VPN.
  4. Enter your VPN server IP for the Gateway.
  5. Enter your VPN username for the User name.
  6. Right-click the ? in the Password field and select "Store the password only for this user". (If this option gives you trouble, you might want to use "Store password for all users".)
  7. Enter your VPN password for the Password.
  8. Leave the NT Domain field blank.
  9. Click the IPsec Settings... button.
  10. Check the "Enable IPsec tunnel to L2TP host" checkbox.
  11. Leave the Gateway ID field blank.
  12. Enter your VPN IPsec PSK for the Pre-shared key.
  13. Click OK, then click Add to save the VPN connection information.

Now you should be able to start the VPN by switching the toggle button on.

OpenSwan

Edit /etc/ipsec.conf to contain the following lines:

This file contains the basic information needed to establish a secure IPsec tunnel to the VPN server. It enables NAT Traversal in case your machine is behind a NAT router (most are), and sets various other options that are necessary to connect correctly to the remote IPsec server. The next file contains your pre-shared key (PSK) for the server.

Create the file /etc/ipsec.secrets. It should contain the following line:

Remember to replace the local (192.168.0.123) and remote (68.68.32.79) IP addresses with the correct addresses for your location. The pre-shared key will be supplied by the VPN provider and must be placed in this file in cleartext form. You may find that this file already exists and contains data; if you see "Can't authenticate: no preshared key found for …" when enabling the connection in the next section, back it up and create a new file containing only your PSK. Do not forget to set proper permissions (600) on this file, or you will get the error message "We cannot identify ourselves with either end of this connection.".


Add the connection so that it is available for use:

At this point the IPsec configuration is complete and we can move on to the L2TP configuration.
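The two files described above, generated by a pair of shell functions, as an added example that is not part of the original article. It assumes the connection is named L2TP-PSK, that the conn options shown are the standard Openswan transport-mode settings for L2TP, and it uses the article's sample addresses; the target directory is a scratch directory unless IPSEC_DIR is set.

```shell
#!/bin/sh
# Added example, not the wiki's own text: write ipsec.conf and ipsec.secrets
# for a PSK-authenticated L2TP/IPsec client. Connection name L2TP-PSK and the
# conn options are assumptions (common Openswan settings); 192.168.0.123 and
# 68.68.32.79 are the article's placeholder local and remote addresses.

# Args: directory, local IP, remote (server) IP.
write_ipsec_conf() {
    cat > "$1/ipsec.conf" <<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$2
    leftprotoport=17/1701
    right=$3
    rightprotoport=17/1701
EOF
}

# Args: directory, local IP, remote IP, PSK. The key is stored in cleartext,
# so the file is created with mode 600 from the start (umask in a subshell).
write_ipsec_secrets() {
    if [ -f "$1/ipsec.secrets" ]; then
        cp -p "$1/ipsec.secrets" "$1/ipsec.secrets.bak"   # keep any existing data
    fi
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1/ipsec.secrets" )
    chmod 600 "$1/ipsec.secrets"   # also repairs a pre-existing readable file
}

# Demo run into a scratch directory; run as root with IPSEC_DIR=/etc to install.
dir=${IPSEC_DIR:-$(mktemp -d)}
write_ipsec_conf "$dir" 192.168.0.123 68.68.32.79
write_ipsec_secrets "$dir" 192.168.0.123 68.68.32.79 'replace-with-your-psk'
echo "wrote $dir/ipsec.conf and $dir/ipsec.secrets"
```

With the files in /etc, the connection is loaded with `ipsec auto --add L2TP-PSK` (the conn name is the example's assumption).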

Running Openswan in a container

Do not forget to add the CAP_SYS_MODULE capability and access to the host module tree. Example for nspawn:

xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf so it has the following contents:

This file configures xl2tpd with the connection name, the server IP address (which, again, you must change to your server's address) and various options that will be passed to pppd once the tunnel is set up.

Now create /etc/ppp/options.l2tpd.client with the following contents:

Place your assigned username and password for the VPN server in this file. Many of these options are for interoperability with Windows Server L2TP servers. If your VPN server uses PAP authentication, replace require-mschap-v2 with require-pap.

This concludes the configuration of the software needed to connect to an L2TP/IPsec server. To start the connection, do the following:

At this point the tunnel is up and you should be able to see its interface if you type:

You should see a pppX device that represents the tunnel. Right now, nothing is routed through it. You need to add some routing rules to make it work correctly:

Routing

Routing traffic to a single IP address or subnet through the tunnel

This is as easy as adding a routing rule to your kernel table:

Note: xxx.xxx.xxx.xxx is the specific IP address (e.g. 192.168.3.10) or subnet (e.g. 192.168.3.0/24) that you wish to reach through the tunnel device (e.g. ppp0).

Note: yyy.yyy.yyy.yyy is the "peer ip" of your pppX device, used to route traffic to the tunnel destination xxx.xxx.xxx.xxx.

See the example below for the commands to identify the tunnel device name and peer IP and then add the route:

Routing all traffic through the tunnel

This is a lot more complex, but all your traffic will travel through the tunnel. Start by adding a special route for the actual VPN server through your current gateway:

This ensures that once the default gateway is changed to the ppp interface, your network stack can still reach the VPN server by routing around the tunnel. If you miss this step you will lose connectivity to the Internet and the tunnel will collapse. Now add a default route that points to the PPP remote end:

The remote PPP end can be discovered by following the steps in the previous section. Now, to ensure that ALL traffic is routed through the tunnel, delete the original default route:

To restore your system to the previous state, you can reboot or reverse all of the above steps.

The route creation can also be automated by placing a script in /etc/ppp/ip-up.d.
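The routing steps from both subsections above, as an added example that is not part of the original article: two helpers pick the current gateway and the PPP peer out of `ip` output (the sample outputs are constructed), and a third prints the iproute2 commands for bringing the routes up or down. It assumes a single default route and uses `ip route replace`, which performs the "add default via peer" and "delete original default" steps as one atomic change.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Inputs are passed explicitly so
# the parsing and the generated commands can be checked without touching the
# live routing table; pipe the output to `sh` as root to apply it.

# Constructed sample of `ip -4 route show default` (assumption: one default route).
SAMPLE_DEFAULT='default via 192.168.0.1 dev eth0 proto dhcp metric 100'
# Constructed sample of `ip -4 addr show dev ppp0` once the tunnel is up.
SAMPLE_PPP0='5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN
    inet 10.8.0.10 peer 10.8.0.1/32 scope global ppp0
       valid_lft forever preferred_lft forever'

# Current gateway: the "via" address of the default route. Arg: ip route text.
default_gw() {
    printf '%s\n' "$1" | sed -n 's/^default via \([0-9.]*\) .*/\1/p' | head -n 1
}

# PPP distant end: the address after "peer" on the inet line. Arg: ip addr text.
ppp_peer() {
    printf '%s\n' "$1" | sed -n 's/.*inet [0-9.]* peer \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Print the routing commands. Args: up|down, VPN server IP, current gateway,
# ppp device, ppp peer.
vpn_route_cmds() {
    case "$1" in
    up)
        # Host route to the VPN server via the old gateway, so the outer
        # IPsec/L2TP packets never get sent into the tunnel they carry.
        printf 'ip route add %s/32 via %s\n' "$2" "$3"
        # Swap the default route to the PPP peer; `replace` adds the new one
        # and drops the old one atomically (assumes a single default route).
        printf 'ip route replace default via %s dev %s\n' "$5" "$4"
        ;;
    down)
        # Reverse: default back to the old gateway, then drop the host route.
        printf 'ip route replace default via %s\n' "$3"
        printf 'ip route del %s/32 via %s\n' "$2" "$3"
        ;;
    *)
        echo "usage: vpn_route_cmds up|down SERVER GATEWAY DEV PEER" >&2
        return 1
        ;;
    esac
}

# Dry run with the constructed samples and the article's placeholder server.
gw=$(default_gw "$SAMPLE_DEFAULT")
peer=$(ppp_peer "$SAMPLE_PPP0")
vpn_route_cmds up 68.68.32.79 "$gw" ppp0 "$peer"
```

On a live system replace the samples with `$(ip -4 route show default)` and `$(ip -4 addr show dev ppp0)`; the same functions fit an /etc/ppp/ip-up.d script, where pppd passes the device and peer address as arguments.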

Troubleshooting

Issue: journalctl logs "VPN connection: failed to connect: 'Could not restart the ipsec service.'"

Solution: Make sure you have strongswan installed.

Issue: I get a message from pppd saying "Failed to authenticate ourselves to peer" and I have verified that my password is correct. What could be wrong?

Solution 1: If you see the following in your /var/log/daemon.log:

then you are authenticating against a SonicWALL LNS that does not know how to handle CHAP-style authentication correctly.

The solution is to add the following to your options.l2tpd.client file:

This will cause the SonicWALL to default to the next authentication mechanism, namely MSCHAP-v2. This should authenticate successfully, and from this point xl2tpd should successfully construct a tunnel between you and the remote L2TP server.


Solution 2: If you see the following in your journal after running journalctl -ru xl2tpd as root:

Try adding the domain name in front of the username in your options.l2tpd.client file (note the double backslash), i.e.:

Tips and tricks

Script start up and shut down

You can create some scripts, either in your home directory or elsewhere (remember where you put them), to bring up the tunnel and then shut it back down.

First, a utility script to automatically discover PPP distant ends:

Next, the script to bring the tunnel up. This will replace the default route, so all traffic will pass via the tunnel:

Finally, the shutdown script, it simply reverses the process:

A further script

The above script really helped me. Notice that the script uses a fixed IP, and someone like me may change the VPN address, so I would like to put my further script below (not sure how to add an attachment, so just raw):

Script to resolve dns names and connect


Very useful if you have a dynamic IP for the server.


Arch Linux


#1 2017-12-13 21:41:02

L2TP Ipsec NetworkManager

I am trying to connect to a VPN L2TP server. In order to connect to it I am using the package networkmanager-libreswan. In the network manager I was able to configure a connection (server IP, username, key and PSK). Unfortunately it doesn't work.

Here is some information:

Thank you very much in advance for any help.

Last edited by Scriptor (2017-12-14 17:50:38)

#2 2017-12-16 00:55:32

Re: L2TP Ipsec NetworkManager

NetworkManager-libreswan is an IPsec IKEv1 with Extended Authentication (XAUTH) VPN client, it doesn’t support L2TP or use xl2tpd.

If you need L2TP/IPsec, use NetworkManager-l2tp which uses xl2tpd for L2TP and libreswan or strongswan for IPsec IKEv1 (without XAUTH).

Last edited by dkosovic (2017-12-16 01:07:19)

#3 2017-12-16 01:06:14

Re: L2TP Ipsec NetworkManager

If you use NetworkManager-l2tp, don’t use kernel-4.14.x as it broke L2TP/IPsec, see:
https://bugs.archlinux.org/task/56605

If your VPN server is using weak and old IPsec IKEv1 algorithms, you might need to reconfigure the VPN server or specify the weak algorithms in the NetworkManager-l2tp IPsec options dialog box, see:
https://github.com/nm-l2tp/network-mana … algorithms

You can query the VPN server for what algorithms it supports by running the ike-scan.sh script on the following page:
https://github.com/nm-l2tp/network-mana … algorithms

#4 2017-12-16 11:33:39

Re: L2TP Ipsec NetworkManager

Thank you very very much for your answer

I'll look into it. If it's okay, I'm not going to mark this post as "SOLVED".


Arch Linux


#1 2019-09-23 13:43:04

[SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Trying to get my Arch box connected to our company VPN using NetworkManager and Libreswan. I can get connected if I just configure the ipsec and xl2tpd from the command line, but somehow with NetworkManager I never manage to get further than the ipsec part.

My steps are similar to the wiki, but the configuration is slightly different. The command line configuration is as follows.
ipsec:

And with the above I have no issues, the ipsec and xl2tpd play nice and I can access the VPN connection.

With NetworkManager, when creating the L2TP type connection I feed it basically the server IP, the shared key and my username and password. When I try to connect to the VPN, the ipsec connection actually gets established same as with the command line as I see this:

But 2 seconds after that the connection is torn down:


Now as ppp is the one that kicks off after the ipsec connection, I started looking at those logs, and indeed I see the following:

I can see the message which presumably kills the connection, but I'm not really sure what to make of it.

I tried each of the authentication options in the "PPP settings" window, but none of these seem any good. I also looked inside the /var/run/nm-l2tp-1d8fabed-2748-443e-a050-cc206af8162d/ppp-options file (which gets created and deleted on the fly, quite annoying); the content that NetworkManager generates looks like this:

The file seems to be missing the name and password fields that would enable it to authenticate. Could this be the problem?
How does NetworkManager generate this file? Any help would be greatly appreciated!

Last edited by jlumme (2019-09-30 13:19:46)

#2 2019-09-23 22:40:44

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

In the good connection I see this..

Which I don’t see in the networkmanager connection attempt.

Also this, in what I presume to be NetworkManager's running config:

Is there a config item for mppe ?

Last edited by Zod (2019-09-23 22:53:09)

#3 2019-09-23 23:01:14

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Thanks for your reply!

I tried multiple authentication methods, including the mschap. Here is the ppp file which gets generated by NetworkManager with that authentication enabled:

The authentication information for ppp is still somewhere else (or nowhere) in the config file, as you can see.

The log from that connection attempt says that authentication fails:

I presume by your question "is there a config option for mppe" you mean the "Use Point-To-Point encryption" option in the PPP options:

#4 2019-09-24 01:04:09

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Try unselecting mschap and leaving mschapv2 selected.

In that last log it failed on authenticating with mschap when we know from the good log that it wants mschapv2.

Edit: Check that the shared key is correct

Couldn’t you connect using the command line (nmcli?) and export/import into networkmanager?

Last edited by Zod (2019-09-24 02:56:31)

#5 2019-09-30 11:15:18

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Have a look at NetworkManager-l2tp’s README.md file on how to enable debugging which also stops the run-time generated files from being deleted:

It’ll then enable proper pppd debugging which should hopefully give a hint as to what is going wrong.

The following line in /var/run/nm-l2tp-UUID/ppp-options handles the username and password with a plugin that uses the Gnome or KDE Secret Service :

You shouldn't need to enable MPPE, which uses weak encryption; it's only really needed for L2TP users not using IPsec.

For the time being, I would stick with CHAP authentication as it seems to have succeeded for you, untick the other authentication methods.

You could also try stopping the xl2tpd service before starting NetworkManager-l2tp, see "Issue with not stopping system xl2tpd service" in the README.md file.

#6 2019-09-30 13:18:36

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Zod, dkosovic, thank you for your replies.

It was indeed helpful to see the debug messages from the pppd debugging. And I got it working when comparing the outputs of the console and GUI connections more carefully with the debug options on.

In the end it was just a case of selecting the right authentication (and not enabling MPPE). Leaving only MSCHAPv2 selected was the right choice, it seems. In the IPsec settings, I had to enter "Remote ID", the same as the "rightid" in the manual config files.
The other end hardware is an RTX830 from Yamaha, for future reference just in case anyone else runs into this.
