ILD

Setup L2TP/IPSec Client Using OpenSwan and xl2tpd
作者:HerbertYuan 邮箱:yuanjp89@163.com
发布时间:2017-8-26 站点:Inside Linux Development

----

I setup a PPTP vpn server on my remote server using pptpd, I can connect to it using my mobile phone MEIZU MX5. but failed using ubuntu's VPN connection, the pptp binary crashed. so I decided to use openswan to connect my vpn server.


1 Install package

firstly, we should remove the pre-installed strongswan. 

1
sudo apt remove strongswan


then, we download the source code from the office site of openswan, ubuntu doesn't have a package for openswan, we need to build one by myself. we need install some dependency apps, such as libgmp and bison. then we can unstar the source and make and install the openswan. we should also need xl2tpd.

1
2
3
4
5
6
7
8
9
wget 
tar xf openswan-latest.tar.gz -C ../src
sudo apt-get install libgmp-dev
sudo apt-get install bison
sudo apt-get install flex
cd ../src
make programs
sudo make install
sudo apt install xl2tpd


2 Setup IPSec

now, we can setup the configuration. Firstly we setup ipsec, then l2tp. We use Preshared Key (PSK). there are two config files: ipsec.conf and ipsec.secrets. we should config both server and client. 


the ipsec.conf of server

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
 
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    plutodebug=all
    plutostderrlog=/var/log/openswan.log   
 
conn l2tp-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        type=transport
        left=172.31.129.70
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no


here is the ipsec.conf of client

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
version 2.0
 
config setup
     nat_traversal=yes
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
     protostack=netkey
 
conn L2TP-PSK
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
     left=%defaultroute
     leftprotoport=17/1701
     right=47.90.122.28
     rightprotoport=17/1701
     rightid=172.31.129.70


the ipsec.secrets hold the PSK, the server one is:

1
2
3
4
5
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
172.31.129.70 %any : PSK '123456'


the client one is:

1
2
3
4
5
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
%any %any : PSK '123456'


Let me explain ipsec.secrets firstly, the first one is left (local) ip, the second one is right(remote) ip. use %any match all ip. my client use both %any, because my pc get ip by DHCP, the ip may change, so i use %any for convenient. the most important thing must note is the key should be quoted by single quote as above.


now, explain ipsec.conf, that is very comprehensive for a newbie. we must know how to debug, because if we config incorrectly, we can get information what happen. to enable debug output. add 

1
2
plutodebug=all
plutostderrlog=/var/log/openswan.log   

 to config setup section. then we can use command `tail -f /var/log/openswan.log' to see the detailed negotiation progress.


Actually saying, I only know a little about the options of ipsec.conf. I use the above debug method to find a correct setting. if some error happens, I search the error string, and find a solution from the online site.


I met two problem when I config the ipsec.conf, I list here and hope this help, the other options are common, we can find them in the online site.


the first error is:

003 "L2TP-PSK" #1: we require peer to have ID 'xx.90.122.xx', but peer declares '172.31.129.70'

218 "L2TP-PSK" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

because the server is behind NAT, so the public ip is different from local ip, we should set the `rightid' option, add a line to ipsec.conf of client.

1
rightid=172.31.129.70

because if we don't specify it, the default is same as `right' option.


the second error is INVALID ID in server:

state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION whack_fd: 4294967295

the guess the reson is same as the previous error, my client is also behind NAT, so I try to add 

1
     nat_traversal=yes

to config section of client ipsec.conf, thanks god, thats works.


the connection can be launched by anyone, but often is by client. so we can change the `auto' option to 'setup'. that means when ipsec start auto start negotiate. if it is 'add', ipsec only record this connection, we need use following command to start negotiate.

1
sudo ipsec auto --up L2TP-PSK


3 Setup l2tp

the l2tp config is very sample. now let me show the xl2tpd client config file. the server config, you can refer my previous article.


there are two config file here, /etc/xl2tpd/xl2tpd.conf for xl2tpd

1
2
3
4
5
6
7
8
9
10
[global]
 
[lac vpn-connection]
lns = xx.90.122.xx
require authentication = yes
require chap = yes
refuse pap = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

the lac specify this is a l2tp client. the lns specify the server ip address.


/etc/ppp/options.l2tpd.client for ppp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name xxx
password xxx

you can also specify name and password in /etc/ppp/chap-secrets file.


we can also debug the l2tp by directly run `xl2tpd -D', all the log will output to console. this is very helpful when some error happens. now we can dial l2tp by run:

1
echo 'c vpn-connection' /var/run/xl2tpd/l2tp-control

Here, we should note the file access right. ensure the user has the right to write this pipe file. if no, use `sudo chmod` grant a right to the user.


4 set route

the last one is to set the default route to ppp0. we must firstly route VPN Server to non-vpn connection, or your network will down.

1
2
ip route add xx.90.122.xx/32 via 192.168.0.1
ip route change default via 10.0.0.1 dev ppp0


More read

https://linux.die.net/man/5/ipsec.conf

http://www.jacco2.dds.nl/networking/linux-l2tp.html

Copyright © insidelinuxdev.net 2017-2021. Some Rights Reserved.