Gentoo Forums
how to l2tp (strongVPN)
Gentoo Forums Forum Index Networking & Security

nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Thu Dec 23, 2010 7:04 pm    Post subject: how to l2tp (strongVPN)

here is a brain dump of how to connect to a usa l2tp server and get yourself a us IP address:
Code:

# openswan is keyworded ~x86 here, so unmask it before emerging
echo "net-misc/openswan ~x86">>/etc/portage/package.keywords
emerge -av openswan net-dialup/xl2tpd net-dialup/ppp


you will need to have these details in hand to config the connection:
username, password, l2tp_password,
vpn host address (vpn_host): use ping on the vpn name server you got,
nic - device you use to connect to the internet (eth0)
wan_IP and wan_gw - which are the IP address your ISP provides and the gateway you use;
the last information is seen using the ifconfig and route commands.
nat - in this case the pc is connected straight to the modem, with no router involved, so nat = no

/etc/ipsec.conf:
Code:

# /etc/ipsec.conf - Openswan IPsec configuration file
version   2.0
config setup
   # private ranges that may sit behind NAT-T peers
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   # pc is connected straight to the modem, so no NAT traversal is needed
   nat_traversal=no
   protostack=netkey
   oe=no
   plutoopts="--interface=eth0"
# transport-mode SA that protects only the L2TP traffic (UDP 1701) to the VPN host
conn L2TP-PSK
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   # dead peer detection: clear the SA when the server stops answering
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   rekey=yes
   ikelifetime=8h
   keylife=1h
   type=transport
   left=wan_IP
   leftnexthop=%defaultroute
   leftprotoport=17/1701
   right=vpn_host
   rightprotoport=17/1701


/etc/ipsec.secrets:
Code:
# left-IP right-IP : PSK "shared secret"; keep this file mode 0600 (root only)
wan_IP vpn_host : PSK "l2tp_password"


/etc/xl2tpd/xl2tpd.conf:
Code:

; this host acts as the L2TP Access Concentrator and dials the LNS at vpn_host
[lac username]
lns = vpn_host
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
; send the length bit in L2TP data packets (some servers require it)
length bit = yes

/etc/ppp/options.l2tpd.client:
Code:
# accept whatever addresses the server assigns
ipcp-accept-local
ipcp-accept-remote
# authenticate with MS-CHAPv2 only; the server itself is not asked to authenticate
refuse-eap
require-mschap-v2
noauth
idle 1800
# keep the MTU/MRU below the L2TP/IPsec overhead limit
mtu 1410
mru 1410
# route everything through the tunnel and use the VPN's DNS servers
defaultroute
usepeerdns
debug
lock
connect-delay 5000
# PPP credentials (this file holds the password, keep it root-only)
name username
password password



/etc/ppp/options same as /etc/ppp/options.l2tpd.client

now to actually establish the connection do:
Code:
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
sleep 2
# bring up the IPsec SA, then ask xl2tpd to dial the "username" LAC section
ipsec auto --up L2TP-PSK
sleep 3
echo "c username" > /var/run/xl2tpd/l2tp-control
# keep the VPN host reachable via the ISP gateway, then drop the ISP default
# route so the defaultroute from ppp takes over
ip ro add vpn_host via wan_gw
route del -net 0.0.0.0 netmask 0.0.0.0 gw wan_gw


Firewall
I am using arno-firewall-scripts, so in the /etc/arno-iptables-firewall/custom-rules:
Code:

# accept IKE (UDP 500), NAT-T (UDP 4500), ESP (proto 50) and AH (proto 51)
# from the VPN server only. On INPUT the arriving packet has the VPN host as
# source and our WAN address as destination, so the addresses go that way round.
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 50 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 51 -j ACCEPT


Automate it all

# switch the connection from auto=add to auto=start so ipsec brings it up on boot
sed -i 's/auto=.*/auto=start/' /etc/ipsec.conf

good link I found later http://trinityhome.org/Home/index.php?wpid=167&front_id=18


Last edited by nivw on Fri Dec 31, 2010 1:10 pm; edited 6 times in total
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Sat Dec 25, 2010 12:03 pm    Post subject:
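The placeholders in this post are later spliced into the files with sed. As an added example (not the poster's code), here is a small POSIX shell renderer that builds the same four files from one set of variables, rejects unresolved placeholders such as wan_IP, and writes ipsec.secrets and the PPP options file under umask 077 so the PSK and password are never world-readable. The variable names WAN_IP, VPN_HOST, L2TP_PSK, VPN_USER, VPN_PASS and WAN_DEV are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the client files from one set of
# variables instead of patching them with sed, and create the two that carry
# secrets with a 077 umask. WAN_IP, VPN_HOST, L2TP_PSK, VPN_USER, VPN_PASS and
# WAN_DEV are assumed names (the thread's /etc/conf.d/strongVpn is not shown).

is_ipv4() {
    # rejects empty values and unresolved placeholders such as "wan_IP"
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

render_l2tp_config() {
    # $1 = target root ("/" on a real box, a scratch directory when testing)
    root="$1"
    is_ipv4 "$WAN_IP" && is_ipv4 "$VPN_HOST" || return 1
    [ -n "$L2TP_PSK" ] && [ -n "$VPN_USER" ] && [ -n "$VPN_PASS" ] || return 1
    mkdir -p "$root/etc/xl2tpd" "$root/etc/ppp"
    # transport-mode SA for UDP/1701, the thread's settings minus DPD/rekey lines
    cat > "$root/etc/ipsec.conf" <<EOF
version 2.0
config setup
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   nat_traversal=no
   protostack=netkey
   oe=no
   plutoopts="--interface=$WAN_DEV"
conn L2TP-PSK
   authby=secret
   pfs=no
   auto=add
   type=transport
   left=$WAN_IP
   leftnexthop=%defaultroute
   leftprotoport=17/1701
   right=$VPN_HOST
   rightprotoport=17/1701
EOF
    # PSK and PPP password: written under umask 077 so they are root-only from the start
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$WAN_IP" "$VPN_HOST" "$L2TP_PSK" > "$root/etc/ipsec.secrets"
      printf 'ipcp-accept-local\nipcp-accept-remote\nrefuse-eap\nrequire-mschap-v2\nnoauth\n' \
          > "$root/etc/ppp/options.l2tpd.client"
      printf 'mtu 1410\nmru 1410\ndefaultroute\nusepeerdns\nlock\nname %s\npassword %s\n' \
          "$VPN_USER" "$VPN_PASS" >> "$root/etc/ppp/options.l2tpd.client" )
    # xl2tpd LAC section named after the user, as the thread's "c username" expects
    printf '[lac %s]\nlns = %s\npppoptfile = /etc/ppp/options.l2tpd.client\nlength bit = yes\n' \
        "$VPN_USER" "$VPN_HOST" > "$root/etc/xl2tpd/xl2tpd.conf"
}
```

Run it as root with the variables exported and `render_l2tp_config /` after checking the output in a scratch directory first.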

to automate this we need three files:
1. I am using dhcpcd, as my dhcpcd client , so add /lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
2. /etc/init.d/strongVpn
3. /etc/conf.d/strongVpn

/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf

Code:
#/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
#use ISP default gateway as a route for l2tp server
#written by niv vaizer
[ -f /etc/conf.d/strongVpn ] && . /etc/conf.d/strongVpn
if [ "$interface" = "$WAN_DEV" -a "$if_up" = "true" ] ; then
   #if [ $if_up -a "$reason" = "BOUND" ] ; then
   # only touch the host route when dhcpcd actually handed us a gateway
   if [ -n "${new_routers}" ] && ! ip ro | grep -q "${VPN_HOST} via ${new_routers}" ; then
      line=$(ip ro | grep "${VPN_HOST} via")
      line=${line%%dev*}
      [ -n "${line}" ] && ip ro del ${line}
      ip ro add "$VPN_HOST" via "$new_routers"
   fi
   # rewrite left= and the PSK line once the WAN address changes
   if [ -n "$new_ip_address" ] && ! grep -q "$new_ip_address" /etc/ipsec.conf ; then
      sed -i "s/left=.*/left=$new_ip_address/" /etc/ipsec.conf
      sed -i "s/.*\ :/$new_ip_address $VPN_HOST \:/" /etc/ipsec.secrets
      #/usr/bin/rc-config restart ipsec
   fi
   #$old_routers is missing so no ip ro del
   #fi
fi


/etc/init.d/strongVpn

Code:


#!/sbin/runscript
#/etc/init.d/strongVpn:
# written by: niv vaizer
# load l2tp setting and connect to strongVpn
# expects WAN_DEV, VPN_HOST, USERNAME, IFACE (the ppp interface) and PID
# to be set in /etc/conf.d/strongVpn, which OpenRC sources automatically

#depend() {
#   use net
#}

start() {
   ebegin "Starting strongVpn"
   WAN_IP=$(ifconfig $WAN_DEV | sed -rn '/dr:/{;s/.*dr:([0-9.]+) .*/\1/;p;}'|head -n1)
   # find the ISP gateway: from an existing host route to the VPN server,
   # else from the default route, else from any gateway route on eth*
   WAN_GW_TEMP=$(ip ro |grep $VPN_HOST |sed s/.*via\ //|sed s/\ dev.*//)
   [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n |grep "^0.*eth"| awk '{ print $2 }')
   [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n|grep "UGH.*eth"|awk '{ print $2 }' )
   [ "$WAN_GW_TEMP" != "" ] && WAN_GW=$WAN_GW_TEMP
   /usr/bin/rc-config start ipsec
   /usr/bin/rc-config start xl2tpd
   sleep 3
   ipsec auto --up L2TP-PSK
   sleep 3
   # tell xl2tpd to dial the LAC section named after the user
   echo "c $USERNAME" > /var/run/xl2tpd/l2tp-control
   sleep 2
   touch $PID
   # the tunnel interface is now the external one for the firewall
   sed -i "s/^EXT_IF=.*/EXT_IF=${IFACE}/" /etc/arno-iptables-firewall/firewall.conf
   /etc/init.d/arno-iptables-firewall status |grep -q started &&/usr/bin/rc-config restart arno-iptables-firewall
   /usr/bin/rc-config restart noip
   # register the VPN resolvers with openresolv, retrying until ppp has registered the interface
   let count=0
   while ! [ -f /var/lib/run/resolvconf/interfaces/$IFACE ] ; do
      resolvconf -u -a $IFACE= </etc/resolv.conf.strongvpn
      let count++
      [ $count -ge 20 ] && break
      sleep 1
   done
   eend $?
}

stop() {
   ebegin "Stopping strongVpn"
   WAN_IP=$(ifconfig $WAN_DEV | sed -rn '/dr:/{;s/.*dr:([0-9.]+) .*/\1/;p;}')
   WAN_GW=$(ip ro |grep $VPN_HOST |sed s/.*via\ //|sed s/\ dev.*//)
   # hang up the L2TP session first, then tear down the IPsec SA
   echo "d $USERNAME" > /var/run/xl2tpd/l2tp-control
   sleep 3
   ipsec auto --down L2TP-PSK
   sleep 2
   /usr/bin/rc-config stop xl2tpd
   /usr/bin/rc-config stop ipsec
   /sbin/resolvconf -u
   # hand the external interface back to the WAN device
   sed -i "s/^EXT_IF=.*/EXT_IF=$WAN_DEV/" /etc/arno-iptables-firewall/firewall.conf
   /etc/init.d/arno-iptables-firewall status |grep -q started &&/usr/bin/rc-config restart arno-iptables-firewall
   /usr/bin/rc-config restart noip
   rm -f $PID
   eend $?
}



Last edited by nivw on Mon Jan 24, 2011 7:06 pm; edited 7 times in total
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Sun Dec 26, 2010 8:48 pm    Post subject:

new issue: how to prevent eth0 dhcp from adding a default route when the dhcp is refreshed?
Bircoph
Developer

Joined: 27 Jun 2008
Posts: 261
Location: Moscow

PostPosted: Mon Dec 27, 2010 9:06 am    Post subject:

nivw wrote:
new issue: how to prevent eth0 dhcp from adding a default route when the dhcp is refreshed?

This depends on what dhcp client you are using. For dhcpcd use -G option:
Code:

dhcpcd_eth0="-G -C resolv.conf -h '' -L"


And I recommend you to use openl2tpd instead of xl2tpd, because the first is a kernel-space solution and the second is user-space. CPU load differs by 10-20 times. For the very same reason I recommend you to use racoon instead of openswan.
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Wed Dec 29, 2010 8:42 am    Post subject:

init script fixed.
open issues:
main issue is how to get my ISP default gateway, using dhcp, but not use it as default route, but rather use:
ip ro add $VPN_HOST via $WAN_GW

other issue is also migrate to openl2tp as suggested.
I just can't find any guide to setup l2tp CLIENT in gentoo, many guides for servers
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Wed Dec 29, 2010 9:33 pm    Post subject:

dhcp issue fixed thanks to Roy Marples
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Sat Jan 01, 2011 8:20 pm    Post subject:

Roy also suggested to change the strategy and use dhcpcd to setup ppp0 gw as a default with higher metric, and leave the eth0 default gw. also use openresolv to allow both the ISP and the l2tp dns to coexist.

0. use openrc dhcpcd newest, and openresolv newest
1. remove the wan net. links: unlink /etc/init.d/net.eth0 ; unlink /etc/init.d/net.ppp0
2. edit /etc/dhcpcd.conf:
allowinterfaces eth0,ppp0
nivw
Apprentice

Joined: 09 Nov 2005
Posts: 261

PostPosted: Thu Feb 10, 2011 5:43 pm    Post subject: openresolv fix

I found a bug in ppp, that is related to openresolv: https://bugs.gentoo.org/show_bug.cgi?id=353045
this fixes the section:
Code:
   let count=0
   while ! [ -f /var/lib/run/resolvconf/interfaces/$IFACE ] ; do
      resolvconf -u -a $IFACE= </etc/resolv.conf.strongvpn
      let count++
      [ $count -ge 20 ] && break
      sleep 1
   done

and you can remove it