
Regnad Kcin 11-21-2015 03:33 AM

How to set up an IPsec L2TP VPN client in Slackware
 
I live behind a firewall and use a VPN to tunnel through it to get to some web sites I need for work and non-work activities.

I subscribe to a VPN service that has servers in LA and elsewhere around the world. They provide software for Windows and Android that works quite well. Linux users who want to access the VPN are a small part of their market. They have provided me with an Ubuntu script by WernerJaeger that can be forced to install on Slackware. It doesn't work and it is a bear to get rid of. I decided at one point to completely reconfigure my system, which was an opportunity to dump WernerJaeger's mess at the same time.

I have tried OpenSwan, LibreSwan, StrongSwan, FreeSwan, xl2tpd, racoon, pluto, a NetworkManager plugin, and read and followed the notes provided by Jacco, Arch, Gentoo, Elastichosts, Xelerance and a number of other sources. I have at one point been successful in establishing a partial connection, but the xl2tpd part is quite obtuse and opaque. Also it is quite unclear how to set up the iptables. The WernerJaeger script seemed to make some attempt at this but does not work.

The Windows tool works quite well and the Android tool works beautifully to establish the connection, but I haven't been able to find a way to make this work in Slackware. It's a real pain having to close Slackware and reboot Win7 to get to some web sites.

Is anyone out there using a VPN client and could provide some tips?

VicFer 11-21-2015 05:54 AM

Hi,
I did it some time ago:
http://www.linuxquestions.org/questi...9/#post5233188

-----
Maybe these could be useful:

/etc/ipsec.conf
Code:

config setup
        charondebug="ike 3, knl 3, cfg 2"

conn my_vpn_conn
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        keyexchange=ikev1
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=remote_ip_address
        rightprotoport=17/1701


/etc/ipsec.secrets
Code:

%any remote_ip_address : PSK "my_preshared_key"

/etc/xl2tpd/xl2tpd.conf
Code:

[global]
debug state = yes
debug tunnel = yes

[lac my_vpn]
lns = remote_ip_address
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes


/etc/ppp/options.l2tpd.client
Code:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
nodefaultroute
usepeerdns
debug
lock
connect-delay 5000
name my_vpn_username
password my_vpn_password


script to start the vpn
Code:

#!/bin/bash
# Bring up IPsec first, then run the L2TP tunnel inside it

/usr/bin/echo "********** starting ipsec ..."
/usr/sbin/ipsec start
sleep 3
/usr/bin/echo "********** starting xl2tpd ..."
/usr/sbin/xl2tpd
/usr/bin/echo "********** Opening the IPsec connection ..."
/usr/sbin/ipsec up my_vpn_conn
sleep 3
/usr/bin/echo "********** Opening the L2TP tunnel ..."
# xl2tpd reads commands from its control pipe: "c <lac name>" connects the [lac my_vpn] section of xl2tpd.conf
echo "c my_vpn" > /var/run/xl2tpd/l2tp-control
sleep 3
# Address on the ppp interface that pppd created, used as gateway for the remote LAN
REMADDR=`/usr/sbin/ip a | /usr/bin/grep ppp | /usr/bin/grep inet | /usr/bin/cut -d ' ' -f 6`
/usr/bin/echo "********** Setting $REMADDR as the gateway on the remote network"
/sbin/route add -net ip_of_the_remote_LAN netmask 255.255.255.0 gw $REMADDR


script to stop the vpn
Code:

#!/bin/bash
# Tear down in reverse order: L2TP tunnel first, then the IPsec connection

echo "********** Closing the L2TP tunnel ..."
# "d <lac name>" disconnects the tunnel opened with "c my_vpn"
echo "d my_vpn" > /var/run/xl2tpd/l2tp-control
sleep 1
killall xl2tpd
sleep 1
echo "********** Closing the IPsec connection ..."
/usr/sbin/ipsec down my_vpn_conn
sleep 1
/usr/sbin/ipsec stop


Regnad Kcin 11-21-2015 07:34 AM

So you are using StrongSwan and xl2tp...?

Is there any special setup or compiling issues for StrongSwan?
StrongSwan gives a very complex and lengthy list of compile options
and I could not figure out which ones I needed from their documentation.


The startup script is especially useful!

I knew that what Arch was calling for was not going to work exactly in Slackware.

Quote:

$ systemctl start openswan
$ systemctl start xl2tpd
$ ipsec auto --up L2TP-PSK
$ echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control

And I had gotten past that and got as far as

Quote:

echo "c my_vpn" > /var/run/xl2tpd/l2tp-control
but was not able to make it give any indication that
I was connected. I had read your comments about route before but
was not able to figure out what to do about it.

These lines are extremely helpful:
Quote:

REMADDR=`/usr/sbin/ip a | /usr/bin/grep ppp | /usr/bin/grep inet | /usr/bin/cut -d ' ' -f 6`
/usr/bin/echo "********** Setting $REMADDR as the gateway on the remote network"
/sbin/route add -net ip_of_the_remote_LAN netmask 255.255.255.0 gw $REMADDR
Thank you very much!

VicFer 11-21-2015 08:01 AM

Quote:

So you are using StrongSwan and xl2tp...?
I had used it in the past, but last September things changed and I have moved to OpenVPN.

Quote:

Is there any special setup or compiling issues for StrongSwan?
No, I took the SlackBuild from slackbuilds.org and had no issues with compilation.

Quote:

Thank you very much!
You're welcome

Regnad Kcin 11-22-2015 09:33 AM

Well, I am still having trouble.

The IPsec part works, as before, but the xl2tpd and ppp part doesn't seem to be working.

I got an error message at first from this, but then created the
directory and the file l2tp-control; it doesn't seem to do anything.

Quote:

/usr/bin/echo "********** Opening the L2TP tunnel ..."
echo "c my_vpn" > /var/run/xl2tpd/l2tp-control
The "ip a | grep ppp" doesn't return anything because there isn't any ppp.

VicFer 11-22-2015 11:39 AM

I'm sorry for not having an IPsec L2TP anymore.
When I managed to make it work, I had three terminals open: one with
Code:

# tail -f /var/log/syslog
another with
Code:

# tail -f /var/log/messages
and the third where I was writing the various commands.
This helped me very much (I do not remember a specific log file where to look for debug messages); maybe you can try the same and post your logs.

VicFer 11-22-2015 11:59 AM

Sorry :o
I found some mistakes in the ipsec.conf file:

Code:

# ipsec.conf - strongSwan IPsec configuration file

conn my_vpn_conn
        authby=secret
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        keyexchange=ikev1
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=remote_ip_address
        rightprotoport=17/1701

Maybe not so crucial, but who knows.

Regnad Kcin 11-22-2015 12:12 PM

It seems that my problem is that the ppp daemon isn't started, and xl2tpd doesn't start it.

VicFer 11-22-2015 12:42 PM

This is my log in /var/log/messages when I tried
Code:

/usr/sbin/ipsec start
Code:

/usr/sbin/xl2tpd
and
Code:

/usr/sbin/ipsec up my_vpn_conn
Code:

Nov 22 18:54:30 slackbook kernel: [ 2705.121247] NET: Registered protocol family 15
Nov 22 18:54:30 slackbook charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.18.11, x86_64)
Nov 22 18:54:30 slackbook charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Nov 22 18:54:30 slackbook charon: 00[KNL] unable to create IPv6 routing table rule
Nov 22 18:54:30 slackbook charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 22 18:54:30 slackbook charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 22 18:54:30 slackbook charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 22 18:54:30 slackbook charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 22 18:54:30 slackbook charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 22 18:54:30 slackbook charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 22 18:54:30 slackbook charon: 00[CFG]  loaded IKE secret for any remote_ip_address
Nov 22 18:54:30 slackbook charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Nov 22 18:54:30 slackbook charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Nov 22 18:54:30 slackbook charon: 00[JOB] spawning 16 worker threads
Nov 22 18:54:31 slackbook charon: 02[CFG] received stroke: add connection 'my_vpn_conn'
Nov 22 18:54:31 slackbook charon: 02[CFG] left nor right host is our side, assuming left=local
Nov 22 18:54:31 slackbook charon: 02[CFG] added configuration 'my_vpn_conn'
Nov 22 18:55:15 slackbook kernel: [ 2749.526961] PPP generic driver version 2.4.2
Nov 22 18:55:15 slackbook kernel: [ 2749.528700] NET: Registered protocol family 24
Nov 22 18:55:15 slackbook kernel: [ 2749.536342] l2tp_core: L2TP core driver, V2.0
Nov 22 18:55:15 slackbook kernel: [ 2749.537154] l2tp_netlink: L2TP netlink interface
Nov 22 18:55:15 slackbook xl2tpd[2390]: Using l2tp kernel support.
Nov 22 18:55:15 slackbook kernel: [ 2749.537989] l2tp_ppp: PPPoL2TP kernel driver, V2.0
Nov 22 18:55:15 slackbook xl2tpd[2396]: xl2tpd version xl2tpd-1.3.6 started on slackbook PID:2396
Nov 22 18:55:15 slackbook xl2tpd[2396]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 22 18:55:15 slackbook xl2tpd[2396]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 22 18:55:15 slackbook xl2tpd[2396]: Inherited by Jeff McAdams, (C) 2002
Nov 22 18:55:15 slackbook xl2tpd[2396]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Nov 22 18:55:15 slackbook xl2tpd[2396]: Listening on IP address 0.0.0.0, port 1701
Nov 22 18:56:13 slackbook charon: 08[CFG] received stroke: initiate 'my_vpn_conn'
Nov 22 18:56:13 slackbook charon: 09[IKE] initiating Main Mode IKE_SA my_vpn_conn[1] to remote_ip_address
Nov 22 18:56:13 slackbook charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V ]

As I previously mentioned I do not have the remote VPN peer available anymore, so the connection fails, but what about your logs?

nmeheus 12-15-2016 06:30 AM

Same problem
 
Quote:

Originally Posted by Regnad Kcin (Post 5453675)
It seems that my problem is that the ppp daemon isn't started, and xl2tpd doesn't start it.

Did you ever manage to fix this? I have been trying to get a VPN/IPsec connection to a public server (found at the vpngate site) for about a week now, and I'm experiencing the same problem: my IPsec tunnel is up (checked by ipsec status myvpn), but I can't seem to use it, as the ppp0 interface never gets created.

Best regards, and sorry for reviving this old thread.
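Added example, not part of VicFer's scripts or of anything the posters in this thread ran: a small diagnostic script that checks the layers in the order the start script brings them up (IKE SA, ESP SA, xl2tpd process, ppp interface) and reports the first one missing, which is what separates the "IPsec up but no ppp0" case described here from an IPsec failure. Its `ppp_addrs` parser replaces the positional `cut -d ' ' -f 6` extraction from the start script with a field-based parse of `ip a` output; the `ESTABLISHED` and `proto esp` match strings are assumptions about strongSwan's `ipsec status` and iproute2's `ip xfrm state` output, and all commands are assumed to be in PATH.

```bash
#!/bin/bash
# Added diagnostic helper (assumed tools: ipsec, ip, pgrep, awk in PATH).
# Walks the L2TP/IPsec layers bottom-up and stops at the first one missing.

# Parse `ip a` output from stdin and print "<iface> <local> <peer>" for
# every ppp interface. Works on whitespace-separated fields, so leading
# indentation and column position do not matter (unlike cut -d ' ' -f 6).
ppp_addrs() {
    awk '
        /^[0-9]+: ppp[0-9]+:/ { iface = $2; sub(/:$/, "", iface); next }
        /^[0-9]+: /           { iface = "" }
        iface != "" && $1 == "inet" {
            laddr = $2; sub(/\/.*/, "", laddr)
            peer = ""
            for (i = 1; i <= NF; i++) if ($i == "peer") { peer = $(i+1); sub(/\/.*/, "", peer) }
            print iface, laddr, peer
        }'
}

# Live checks, one per layer; each returns 0 when that layer is up.
ike_sa_up()      { ipsec status 2>/dev/null | grep -q 'ESTABLISHED'; }
esp_sa_up()      { ip xfrm state 2>/dev/null | grep -q 'proto esp'; }
xl2tpd_running() { pgrep -x xl2tpd >/dev/null; }
ppp_up()         { ip a 2>/dev/null | ppp_addrs | grep -q .; }

# Report the first missing layer; the return code tells which one it was.
diagnose() {
    ike_sa_up      || { echo "IKE SA not established: check ipsec.secrets and the charon log"; return 1; }
    esp_sa_up      || { echo "No ESP SA: phase 2 (transport, 17/1701) was not negotiated"; return 2; }
    xl2tpd_running || { echo "xl2tpd is not running"; return 3; }
    ppp_up         || { echo "No ppp interface: the L2TP tunnel or pppd did not come up, see ppp debug in syslog"; return 4; }
    ip a | ppp_addrs | while read -r iface laddr peer; do
        echo "$iface up: local $laddr peer $peer"
    done
}

# Only run the live checks when explicitly asked, so the file can be sourced.
if [ "${L2TP_DIAG:-}" = 1 ]; then
    diagnose
fi
```

Run it as `L2TP_DIAG=1 bash l2tp-diag.sh` after the start script; a return code of 4 is the "IPsec fine, pppd never started" situation from this thread.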

Regnad Kcin 12-15-2016 05:57 PM

No, sorry, I did not get it working.

PROBLEMCHYLD 12-17-2016 10:33 AM

I wonder if we can try a different approach. Maybe using NetworkManager to use certificates.
I don't understand the ones that need to be listed for L2TP with certificates only. No IPsec.
https://developer.gnome.org/NetworkM...-settings.html
Someone give me a layout of what it's supposed to look like, and I'll go on a testing binge. TIA
