So for work, we use an L2TP/IPsec VPN which works simply and easily with both Android and Windows 10. Unfortunately, as many people likely know (after a few Google searches it seems), the client for this is pretty crap in Ubuntu 16.04.
The two main packages for this are strongswan and xl2tpd. There are apparently some NetworkManager plugins that will allow you to configure a VPN connection directly from the same GUI where you would set up a Wi-Fi or LAN connection, but unfortunately these don't allow me to enter the correct information to use the VPN the way we have it set up.
Our setup uses a shared PSK, and a username and password.
I've tried a bunch of the quick setup guides, but many were for older versions of Ubuntu and thus didn't work very well. Finally I stumbled across this guide: https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c
which was used to connect to a Meraki router over VPN. There were some minor tweaks in my case, but I managed to get it to work. The biggest problem I was having with previous guides was that the L2TP tunnel request was not receiving any responses. I'm not sure if it was some kind of IP configuration problem or if I had the wrong settings somewhere else in the config file; I'll try to narrow it down and report back. One of the tweaks I started doing was hardcoding the IP address of the VPN server instead of just using the domain name.
First thing is to install the required packages:
sudo apt-get install -y strongswan xl2tpd
Next, there are a few key files to create / edit. Start with the strongSwan configuration:
sudo nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# (settings under a config/conn section must be indented, or strongSwan will not parse the file)

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn XXX-YOUR-CONNECTION-NAME-XXX
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    # transport mode: IPsec only protects the L2TP (UDP 1701) traffic between the two hosts
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the ip address of your vpn server
    right=XXX.XXX.XXX.XXX
Next is the secrets file which will store the shared PSK (keep this file readable by root only, since it holds the key):
sudo nano /etc/ipsec.secrets
: PSK "YOUR_PSK_GOES_HERE"
Next is the xl2tpd.conf file:
sudo nano /etc/xl2tpd/xl2tpd.conf
[lac XXX-YOUR-CONNECTION-NAME-XXX]
# your vpn server goes here
lns = XXX.XXX.XXX.XXX
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
And finally the ppp configuration:
sudo nano /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
Then we need to create a folder and file:
sudo mkdir -p /var/run/xl2tpd
sudo touch /var/run/xl2tpd/l2tp-control
And restart the services:
sudo service strongswan restart
sudo service xl2tpd restart
And bring up the IPsec tunnel that will carry the L2TP traffic:
sudo ipsec up XXX-YOUR-CONNECTION-NAME-XXX
Then connect the L2TP tunnel, authenticating with your username and password, by writing a connect command to the xl2tpd control file. Note that a plain sudo echo ... > file does not work here, because the redirect is performed by your own user rather than by root, so use tee instead:
echo "c XXX-YOUR-CONNECTION-NAME-XXX XXX-USERNAME-XXX XXX-PASSWORD-XXX" | sudo tee /var/run/xl2tpd/l2tp-control
Lastly, I had to add routing information to the routing table so that traffic actually goes through the VPN. To do this, first add a route to the Internet IP of the VPN server through your local gateway (i.e. the IP of your local router), so the outer IPsec/L2TP packets keep using your LAN connection:
sudo route add -host XXX.XXX.XXX.XXX gw XXX-LOCAL-GATEWAY-IP-XXX
Then make the default route the one which goes through the VPN. The gateway is the local (tunnel-side) IP address of the VPN server, which you should be able to see with ifconfig as the P-t-P address of the ppp0 interface:
sudo route add -net default gw XXX-PTP-IP-XXX
You can now verify that you can reach devices within the local vpn network correctly.
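The connection and routing steps above, wrapped into a script that checks each stage before routing traffic into the tunnel. This is an added example, not part of the original post: it assumes the connection name, VPN server public IP and local gateway IP are passed as arguments, and that the username and password are supplied via the VPN_USER and VPN_PASS environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: brings the tunnel up in the order the
# post describes and checks each stage before routing traffic into it.
# Assumptions: the connection name, the VPN server's public IP and your local
# gateway IP are passed as arguments; username and password come from the
# environment (VPN_USER, VPN_PASS) so they stay out of shell history and `ps`.

# 0 if `ipsec status` output (on stdin) shows the named connection ESTABLISHED.
ipsec_established() {
    grep -q -e "$1.*ESTABLISHED"
}

# Peer address (the "P-t-P" field) from old-style `ifconfig ppp0` output on stdin.
ptp_addr() {
    sed -n 's/.*P-t-P:\([0-9.]*\).*/\1/p' | head -n 1
}

# Interface carrying the default route in `route -n` output on stdin (empty if none).
default_route_dev() {
    awk '$1 == "0.0.0.0" { print $NF; exit }'
}

vpn_up() {
    conn=$1; server=$2; gw=$3
    # These files hold the PSK and the PPP credentials; warn if anyone else can read them.
    for f in /etc/ipsec.secrets /etc/ppp/options.l2tpd.client; do
        [ "$(stat -c %a "$f")" = "600" ] || echo "warning: $f is not mode 0600" >&2
    done
    sudo ipsec up "$conn"
    sudo ipsec status | ipsec_established "$conn" || { echo "IPsec SA not established" >&2; return 1; }
    # `sudo echo ... > file` would redirect as the unprivileged user; tee does the write as root.
    echo "c $conn $VPN_USER $VPN_PASS" | sudo tee /var/run/xl2tpd/l2tp-control >/dev/null
    # Give pppd a few seconds to negotiate, then read the peer address off ppp0.
    ptp=""
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        ptp=$(ifconfig ppp0 2>/dev/null | ptp_addr)
        [ -n "$ptp" ] && break
        sleep 1
    done
    [ -n "$ptp" ] || { echo "ppp0 did not come up" >&2; return 1; }
    sudo route add -host "$server" gw "$gw"   # outer IPsec/L2TP packets keep using the LAN gateway
    sudo route add -net default gw "$ptp"     # everything else now goes through the tunnel
    [ "$(route -n | default_route_dev)" = "ppp0" ] || { echo "default route is not via ppp0" >&2; return 1; }
}

if [ $# -eq 3 ]; then
    vpn_up "$@"
fi
```

The final check matters because pppd's own defaultroute option silently does nothing when a default route already exists, so without it you can end up with a working tunnel that carries no traffic.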
This post first appeared on Jason's Computer Science Blog - Turning A Netgear R7000 Into An Augmented Traffic Control Router, please read the original post: here