L2TP/IPsec client on Debian

Packages needed: strongswan, xl2tpd
The VPN server is a Mikrotik RouterBoard 2011UiAS-2HnD. I’m creating a VPN to make it easier to connect a GNS3 server running on my home laptop to servers running on lab PCs.

ipsec.conf

root@laptop:/home/lorcan# cat /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn bblab
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=VPN_SERVER_IP
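The ike= and esp= lines above pin both phases to the MODP-1024 DH group and allow 3DES as an alternative; both are considered weak today (MODP-1024 since the Logjam work, 3DES by NIST deprecation). The script below is an added example, not part of the original post: it scans the proposal lines of an ipsec.conf and flags DES/3DES, MD5 and MODP-768/1024. The "weak" sample is built from the post's own proposals; the "hardened" sample uses assumed values (aes256-sha256-modp2048), and the router side has to be configured to accept the same proposal or the negotiation will simply fail.

```shell
#!/bin/sh
# check-proposals.sh: flag weak algorithms in the ike=/esp= proposal lines of
# an ipsec.conf. Added example, not part of the original post.
# Assumption: DES/3DES, MD5 and the MODP-768/MODP-1024 DH groups are the
# tokens to flag; everything else passes (HMAC-SHA1 is left alone).
set -u

# Fragment constructed from the ike=/esp= lines shown in the post.
WEAK_SAMPLE='conn %default
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!'

# Same fragment with stronger proposals (assumed values; the server side has
# to be configured to accept the same proposal or negotiation fails).
HARDENED_SAMPLE='conn %default
    keyexchange=ikev1
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!'

# list_weak_proposals <file>: print "ike|esp <proposal>" for every proposal
# that contains a flagged token. The trailing "!" (strict flag) and the
# comma-separated alternatives are handled before matching.
list_weak_proposals() {
    sed -n -e 's/^[[:space:]]*ike=/ike /p' -e 's/^[[:space:]]*esp=/esp /p' "$1" |
    while read -r key proposals; do
        for p in $(printf '%s' "${proposals%!}" | tr ',' ' '); do
            case "-$p-" in
                *-des-*|*-3des-*|*-md5-*|*-modp768-*|*-modp1024-*)
                    printf '%s %s\n' "$key" "$p" ;;
            esac
        done
    done
}

# check_proposals <file>: print the findings and return 1 if any, else 0.
check_proposals() {
    weak=$(list_weak_proposals "$1")
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak"
        return 1
    fi
    return 0
}

# Stand-alone run: check both samples (use `check_proposals /etc/ipsec.conf`
# against a real file).
tmp=$(mktemp)
printf '%s\n' "$WEAK_SAMPLE" > "$tmp"
echo "weak sample:"
check_proposals "$tmp" || echo "=> weak proposals found, see above"
printf '%s\n' "$HARDENED_SAMPLE" > "$tmp"
echo "hardened sample:"
check_proposals "$tmp" && echo "=> no weak proposals"
rm -f "$tmp"
```

Against the post's own config the check lists all four proposals (every one of them carries modp1024, and two carry 3des), so the strict "!" does not help here: it only stops strongSwan from accepting something weaker than what is listed.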

ipsec.secrets

root@laptop:/home/lorcan# cat /etc/ipsec.secrets
: PSK "mypassword"

xl2tpd.conf

root@laptop:/home/lorcan# cat /etc/xl2tpd/xl2tpd.conf
[lac bblab]
lns = 86.43.53.22
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

root@laptop:/home/lorcan# cat /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "myusername"
password "mypassword"

Restart services:

service strongswan restart
service xl2tpd restart

Start IPsec tunnel:
ipsec up bblab

Start L2TP tunnel:
echo "c bblab" > /var/run/xl2tpd/l2tp-control

Add route:

route add -net 192.168.88.0/24 dev ppp0
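The four steps above have an order dependency: the L2TP control connection must only be started once strongSwan reports the CHILD_SA, otherwise UDP/1701 goes out before the IPsec policy covers it, and the route only makes sense once ppp0 exists. The script below is an added example, not part of the original post, that runs the steps in that order and checks each one. The connection name, control file, ppp0 and the 192.168.88.0/24 prefix are the post's; the 20 second interface timeout and the use of `ip route` in place of `route` are my choices.

```shell
#!/bin/sh
# l2tp-up.sh: run the bring-up steps in order and check each one.
# Added example, not part of the original post. Connection name, control
# file, ppp0 and the 192.168.88.0/24 route come from the post; the 20 s
# interface timeout and `ip route` instead of `route` are assumptions.
set -u

CONN=bblab
CONTROL=/var/run/xl2tpd/l2tp-control
IFACE=ppp0
LAB_NET=192.168.88.0/24

# ike_established <conn>: read `ipsec up` output on stdin; succeed only if
# strongSwan printed its success line for that connection.
ike_established() {
    grep -q "connection '$1' established successfully"
}

# wait_for_iface <name> <seconds>: poll /sys until the interface exists and
# reports an operstate other than "down" (ppp links usually report
# "unknown"), or give up after <seconds>.
wait_for_iface() {
    name=$1
    limit=$2
    waited=0
    while [ "$waited" -lt "$limit" ]; do
        if [ -r "/sys/class/net/$name/operstate" ] &&
           ! grep -q '^down$' "/sys/class/net/$name/operstate"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# connect: IPsec first, then L2TP, then the route. Starting L2TP only after
# the CHILD_SA is up means UDP/1701 is never sent before the IPsec policy
# covers it.
connect() {
    service strongswan restart
    service xl2tpd restart
    log=$(ipsec up "$CONN" 2>&1)
    printf '%s\n' "$log"
    if ! printf '%s\n' "$log" | ike_established "$CONN"; then
        echo "IPsec SA for $CONN not established, not starting L2TP" >&2
        return 1
    fi
    echo "c $CONN" > "$CONTROL"
    if ! wait_for_iface "$IFACE" 20; then
        echo "$IFACE did not come up within 20 s; run 'xl2tpd -D' to see why" >&2
        return 1
    fi
    ip route replace "$LAB_NET" dev "$IFACE"
    ip -4 addr show dev "$IFACE"
}

# disconnect: tear down in the reverse order.
disconnect() {
    echo "d $CONN" > "$CONTROL"
    ipsec down "$CONN"
}

case "${1:-}" in
    up)   connect ;;
    down) disconnect ;;
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

Run it as root with `sh l2tp-up.sh up`; the two helper functions are the parts worth reusing in other scripts, since both return a status instead of printing.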

Outputs:

Restart StrongSWAN IPsec daemon:

root@laptop:/home/lorcan# service strongswan restart

Start XL2TPD in debug mode:

root@laptop:/home/lorcan# service xl2tpd stop
root@laptop:/home/lorcan# xl2tpd -D

Start IPsec tunnel:

root@laptop:/home/lorcan# ipsec up bblab
initiating Main Mode IKE_SA bblab[1] to my_server_ip
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.11.87[500] to my_server_ip[500] (208 bytes)
received packet: from my_vpn_server_ip[500] to 192.168.11.87[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.11.87[500] to my_vpn_server_ip[500] (244 bytes)
received packet: from my_vpn_server_ip[500] to 192.168.11.87[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.11.87[4500] to my_vpn_server_ip[4500] (68 bytes)
received packet: from my_vpn_server_ip[4500] to 192.168.11.87[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA bblab[1] established between 192.168.11.87[192.168.11.87]...my_vpn_server_ip[my_vpn_server_ip]
scheduling reauthentication in 3293s
maximum IKE_SA lifetime 3473s
generating QUICK_MODE request 3538013880 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.11.87[4500] to my_vpn_server_ip[4500] (356 bytes)
received packet: from my_vpn_server_ip[4500] to 192.168.11.87[4500] (316 bytes)
parsed QUICK_MODE response 3538013880 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
CHILD_SA bblab{1} established with SPIs c22c6072_i 05f74f62_o and TS 192.168.11.87/32[udp/l2f] === my_vpn_server_ip/32[udp/l2f]
connection 'bblab' established successfully
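A few lines in that output are worth reading rather than skimming: "local host is behind NAT" plus the switch of both ends from port 500 to 4500 shows NAT-T took over, and the CHILD_SA line shows the SPIs and a traffic selector of udp/l2f on both sides (l2f is the /etc/services name for port 1701), which is what a transport-mode L2TP SA should look like. The script below is an added example, not part of the original post, that extracts exactly those facts from `ipsec up` output; the embedded sample is the post's own log, trimmed, so it runs offline.

```shell
#!/bin/sh
# ike-summary.sh: extract from `ipsec up` output the facts worth checking
# before trusting the tunnel: whether the connection came up, whether NAT-T
# kicked in (IKE moved from UDP/500 to UDP/4500), the CHILD_SA SPIs, the
# IKE_SA lifetime, and whether the traffic selectors restrict the SA to
# UDP/1701 on both ends (strongSwan prints that port by its services name,
# l2f). Added example, not part of the original post; the sample below is
# the post's own output, trimmed, so the script runs offline.
set -u

SAMPLE_LOG="initiating Main Mode IKE_SA bblab[1] to my_server_ip
sending packet: from 192.168.11.87[500] to my_server_ip[500] (208 bytes)
received NAT-T (RFC 3947) vendor ID
local host is behind NAT, sending keep alives
sending packet: from 192.168.11.87[4500] to my_vpn_server_ip[4500] (68 bytes)
IKE_SA bblab[1] established between 192.168.11.87[192.168.11.87]...my_vpn_server_ip[my_vpn_server_ip]
maximum IKE_SA lifetime 3473s
CHILD_SA bblab{1} established with SPIs c22c6072_i 05f74f62_o and TS 192.168.11.87/32[udp/l2f] === my_vpn_server_ip/32[udp/l2f]
connection 'bblab' established successfully"

# summarize_ike: read the log on stdin, print key=value lines.
summarize_ike() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "connection '.*' established successfully"; then
        state=up
    else
        state=failed
    fi
    if printf '%s\n' "$log" | grep -q 'local host is behind NAT'; then
        nat=yes
    else
        nat=no
    fi
    # Source port of the last packet we sent: 500 = plain IKE, 4500 = UDP-encapsulated.
    port=$(printf '%s\n' "$log" |
           sed -n 's/^sending packet: from [^[]*\[\([0-9]*\)\].*/\1/p' | tail -n 1)
    spi_line=$(printf '%s\n' "$log" | grep 'CHILD_SA .* established with SPIs' || true)
    spi_in=$(printf '%s\n' "$spi_line" | sed -n 's/.*SPIs \([0-9a-f]*\)_i .*/\1/p')
    spi_out=$(printf '%s\n' "$spi_line" | sed -n 's/.*SPIs [0-9a-f]*_i \([0-9a-f]*\)_o.*/\1/p')
    ts=$(printf '%s\n' "$spi_line" | sed -n 's/.*and TS \(.*\)$/\1/p')
    # Transport-mode L2TP should be limited to udp/l2f (1701) at both ends.
    case "$ts" in
        *'[udp/l2f] === '*'[udp/l2f]') l2tp_only=yes ;;
        *) l2tp_only=no ;;
    esac
    lifetime=$(printf '%s\n' "$log" | sed -n 's/^maximum IKE_SA lifetime \([0-9]*\)s.*/\1/p')
    printf 'state=%s\nnat=%s\nike_port=%s\nspi_in=%s\nspi_out=%s\nike_lifetime=%s\nts=%s\nl2tp_only=%s\n' \
        "$state" "$nat" "$port" "$spi_in" "$spi_out" "$lifetime" "$ts" "$l2tp_only"
}

# Stand-alone: summarize the embedded sample. To use real output instead:
#   ipsec up bblab | sh ike-summary.sh -
if [ "${1:-}" = "-" ]; then
    summarize_ike
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_ike
fi
```

For the post's log this prints state=up, nat=yes, ike_port=4500 and l2tp_only=yes; a CHILD_SA whose selectors were wider than udp/l2f, or an IKE_SA that stayed on port 500 from behind NAT, would be the thing to investigate before starting xl2tpd.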

Start L2TP tunnel:

root@laptop:/home/lorcan# echo "c bblab" > /var/run/xl2tpd/l2tp-control

xl2tp debug output to follow…

View interface:

root@laptop:/home/lorcan# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.88.197 P-t-P:192.168.88.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:80 (80.0 B) TX bytes:82 (82.0 B)

Add route:

root@laptop:/home/lorcan# route add -net 192.168.88.0/24 dev ppp0

View routing table:

root@laptop:/home/lorcan# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.11.254 0.0.0.0 UG 0 0 0 wlan0
10.200.200.0 0.0.0.0 255.255.255.252 U 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tap0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.88.0 0.0.0.0 255.255.255.0 U 0 0 0 ppp0
192.168.88.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0