StrongSwan / L2TP using xl2tpd

Part of my job is doing system administration tasks at Accelerated IT Services, the company I work for. In case of emergencies I need a secure connection from home to the office. Our usual network equipment is from Juniper (awesome CLI, I really love that stuff!), though for testing/evaluation and our bureaus our network department bought an Ubiquiti EdgeRouter Pro (I haven't had time to take a closer look yet) and configured IPsec/L2TP for me. This post is about setting up a client connection for that.

Our network department did send me the following information:

  • A server IP
  • A username
  • A password for that username
  • A (pre shared) key

StrongSwan

I am assuming that you have installed and configured strongswan already. If not, you might find my previous articles about strongswan/ipsec useful. Otherwise, a really simple configuration like this one is enough:
/etc/ipsec.conf

config setup
 
include /etc/ipsec.d/*.conf

Then you can create a configuration file for the client-to-server connection. We can just call it server.conf for now:

/etc/ipsec.d/server.conf

conn accelerated
    authby=secret
    auto=start
    keyexchange=ikev1
    type=transport
    left=%any
    right=X.X.X.X

Read left= as local/client and right= as remote/server. Leave left= at %any, whereas right= must be the IP of the server you're connecting to. authby= is set to secret because we use a pre-shared key. keyexchange= is set to ikev1; with ikev2 you wouldn't need L2TP at all. type= is set to transport because this is a host-to-host client connection, not a site-to-site (tunnel mode) setup.

The provided pre-shared key belongs to your /etc/ipsec.secrets:

X.X.X.X : PSK "xxxxxxxxxxxxxx"

Just replace X.X.X.X with the server's IP and enter the pre-shared key within the quotes. Verify that the connection is up (you want an ESTABLISHED IKE SA and an INSTALLED CHILD SA in TRANSPORT mode whose selector covers UDP 1701, which strongswan prints as l2f):

christine ~ # ipsec status
Security Associations (1 up, 0 connecting):
 accelerated[1]: ESTABLISHED 1 second ago, 192.168.178.35[192.168.178.35]...X.X.X.X[X.X.X.X]
 accelerated{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c7446b3e_i cebf604a_o
 accelerated{1}:   192.168.178.35/32[udp] === X.X.X.X/32[udp/l2f]

xl2tpd

You can start with a pretty simple configuration here as well:

/etc/xl2tpd/xl2tpd.conf

[global]
access control = yes
debug tunnel = yes
 
[lac accelerated]
lns = X.X.X.X
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.accelerated
length bit = yes

This one should be pretty self-explanatory. Just define a pppoptfile (the name doesn't matter) and set lns to the server's address, the same IP you used as right= in the ipsec configuration.

/etc/ppp/options.xl2tpd.accelerated

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
name "XX"
password "XXXX"

Okay, this one isn't that simple, but the options are well documented in the pppd man page. Test the connection by telling xl2tpd to connect the LAC defined above (the name after c must match the [lac ...] section, accelerated here):

echo "c accelerated" > /var/run/xl2tpd/l2tp-control

Verify that it does work by checking if the tunnel exists:

christine ~ # ip l2tp show tunnel
Tunnel 56932, encap UDP
  From 192.168.178.35 to X.X.X.X
  Peer tunnel 37723
  UDP source / dest ports: 1701/1701
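Since L2TP itself carries the PPP authentication in the clear, the xl2tpd LAC should only be kicked off once the transport-mode SA from the previous section is really in place. The following is an added example, not code from the original post: it parses ipsec status output for the conn above and only then writes to the xl2tpd control pipe. It assumes the conn and the LAC are both named accelerated, and it works on a constructed sample of the status output in which the documentation address 198.51.100.7 stands in for X.X.X.X.

```shell
#!/bin/bash
# Added example, not from the original post: start the xl2tpd LAC only once
# strongSwan shows an ESTABLISHED IKE SA and an INSTALLED transport-mode CHILD SA
# to the server, so the (unencrypted) L2TP/PPP handshake never leaves in the clear.
# Assumes conn and LAC are both called "accelerated".

# Returns 0 if $1 (output of `ipsec status`) shows a usable transport SA to peer $2.
ipsec_transport_up() {
  status="$1"
  peer_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  # IKE SA established, and with the expected server address
  printf '%s\n' "$status" | grep -Eq "accelerated\[[0-9]+\]: ESTABLISHED .*\.\.\.${peer_re}\[" || return 1
  # CHILD SA installed in transport mode (plain ESP or ESP-in-UDP, both fine)
  printf '%s\n' "$status" | grep -Eq "accelerated[{][0-9]+[}]: +INSTALLED, TRANSPORT" || return 1
  # traffic selector covers UDP 1701 towards the server (strongSwan prints the port as l2f)
  printf '%s\n' "$status" | grep -Eq "accelerated[{][0-9]+[}]: .*${peer_re}/32\[udp/(l2f|1701)\]" || return 1
  return 0
}

# Talks to the live xl2tpd control pipe, but only after the check above passes.
start_l2tp() {
  if ipsec_transport_up "$(ipsec status)" "$1"; then
    echo "c accelerated" > /var/run/xl2tpd/l2tp-control
  else
    echo "refusing to start L2TP: no transport-mode IPsec SA to $1" >&2
    return 1
  fi
}

# Constructed sample status output, modelled on the post (198.51.100.7 stands in for X.X.X.X).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
 accelerated[1]: ESTABLISHED 1 second ago, 192.168.178.35[192.168.178.35]...198.51.100.7[198.51.100.7]
 accelerated{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c7446b3e_i cebf604a_o
 accelerated{1}:   192.168.178.35/32[udp] === 198.51.100.7/32[udp/l2f]'
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
 accelerated[1]: CONNECTING, 192.168.178.35[%any]...198.51.100.7[%any]'

# Dry run against the samples; on a real host call: start_l2tp X.X.X.X
ipsec_transport_up "$SAMPLE_UP"   198.51.100.7 && echo "sample up: SA ok, would start LAC"
ipsec_transport_up "$SAMPLE_DOWN" 198.51.100.7 || echo "sample down: would refuse to start L2TP"
```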

Routing

Now let’s assume that there is an IP you would like to reach through the tunnel. Let’s pick the IP of the accelerated.de website:

jean@christine ~ $ tracepath accelerated.de -n
 1?: [LOCALHOST]                                         pmtu 1500
 1:  192.168.178.1                                         2.255ms 
 1:  192.168.178.1                                         1.349ms 
 2:  80.132.177.167                                        1.346ms pmtu 1492
 2:  62.155.246.79                                         7.652ms 
 3:  217.239.45.234                                        7.943ms asymm  4 
 4:  80.156.160.162                                        8.334ms asymm  5 
 5:  84.200.230.5                                          7.952ms asymm  6 
 6:  84.201.15.5                                           8.822ms reached
     Resume: pmtu 1492 hops 6 back 6

Six hops to the final destination 84.201.15.5. Now add a host route for that IP via the PPP device and trace again:

christine ~ # ip route add 84.201.15.5/32 dev ppp1
 
jean@christine ~ $ tracepath accelerated.de -n
 1?: [LOCALHOST]                                         pmtu 1410
 1:  10.255.255.0                                          9.762ms 
 1:  10.255.255.0                                          9.310ms 
 2:  no reply
 3:  84.201.15.5                                          10.033ms reached
     Resume: pmtu 1410 hops 3 back 3

ppp1 should be the device your tunnel is using (check ip addr once the PPP link is up). You can automate this with /etc/ppp/ip-up; the pppd man page tells you more about that. Obviously there's no need to limit yourself to single IPs, you might as well route whole IP networks.

Update / Improving

Assuming your transport endpoint (the IPsec/L2TP server) has the IP 10.0.0.1 and you want to route 10.0.0.0/24 through ppp0, you must exclude the transport's own IP from the tunnel route first, otherwise the encapsulating packets to the server would themselves be sent into the tunnel:

ip route add 10.0.0.1 via your-local-gateway-ip
ip route add 10.0.0.0/24 dev ppp0

The Gentoo Wiki (I was just searching for L2TP and that popped up) shows a few iptables rules. L2TP itself provides no encryption, so you really want to make sure that L2TP traffic only leaves and enters your system through the IPsec transport: the policy match accepts UDP 1701 only when the packet is covered by an IPsec policy and rejects it otherwise:

iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

I've just checked the minimum settings required to get everything working:

ppp options

noauth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
name "xx"
password "xx"

ipsec conn

conn accelerated
    authby=secret
    auto=start
    keyexchange=ikev1
    type=transport
    right=x.x.x.x

And finally an example script to create the routes automatically when the PPP link comes up and remove them again when it goes down (you need to chmod a+x both files; pppd passes the interface name as the first argument).

/etc/ppp/ip-up.d/routes

#!/bin/bash
 
INTERFACE="$1"
# your local gateway
GATEWAY="192.168.178.1"
# the server address you are connecting to, same as right= in ipsec
TRANSPORT="x.x.x.x"
# networks you want to have routed through the ppp device
NETWORKS="x.x.x.x/16 x.x.x.x/18 x.x.x.x/18 x.x.x.x/32 192.168.0.0/16"
 
/sbin/ip route add ${TRANSPORT} via ${GATEWAY}
 
for NETWORK in ${NETWORKS}; do
  /sbin/ip route add ${NETWORK} dev ${INTERFACE}
done

/etc/ppp/ip-down.d/routes

#!/bin/bash
 
INTERFACE="$1"
# your local gateway
GATEWAY="192.168.178.1"
# the server address you are connecting to, same as right= in ipsec
TRANSPORT="x.x.x.x"
# networks you want to have routed through the ppp device
NETWORKS="x.x.x.x/16 x.x.x.x/18 x.x.x.x/18 x.x.x.x/32 192.168.0.0/16"
 
for NETWORK in ${NETWORKS}; do
  /sbin/ip route del ${NETWORK} dev ${INTERFACE}
done
 
/sbin/ip route del ${TRANSPORT} via ${GATEWAY}
