L2TP / IPSEC VPN on Ubuntu 16.04

  • Posted June 21, 2016. Last modified March 23, 2017 by

So for work, we use an L2TP/IPsec VPN, which works simply and easily with both Android and Windows 10. Unfortunately, as many people likely know (judging by a few Google searches), the client side of this is pretty crap in Ubuntu 16.04.

The two main packages for this are strongswan and xl2tpd. There are apparently some Network Manager plugins that let you configure a VPN connection directly in the same GUI where you would set up a Wi-Fi or LAN connection, but unfortunately these don’t allow me to enter the correct information to use the VPN the way we have it set up.

Our setup uses a shared PSK, and a username and password.

I’ve tried a bunch of the quick setup guides, but many were for older versions of Ubuntu and thus didn’t work very well. Finally I stumbled across this guide: https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c, which was used to connect to a Meraki router over VPN. There were some minor tweaks in my case, but I managed to get it to work. The biggest problem I was having with previous guides was that the L2TP tunnel request was not receiving any responses. I’m not sure if it was some kind of IP configuration problem or if I had the wrong settings somewhere else in the config file – I’ll try to narrow it down and report back. One of the tweaks I started doing was hardcoding the IP address of the VPN server instead of just using the domain name.

The first thing is to install the required packages:
sudo apt-get install -y strongswan xl2tpd

Next, there are a few key files to create / edit. Start with the strongSwan configuration (note that parameters under a config or conn section must be indented; strongSwan treats an unindented line as the start of a new section):
sudo nano /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    # proposals must match what the server offers; the trailing ! makes them strict
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn XXX-YOUR-CONNECTION-NAME-XXX
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    # transport mode: IPsec only protects the L2TP traffic (UDP port 1701)
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the ip address of your vpn server
    right=XXX.XXX.XXX.XXX

Next is the secrets file, which will store the shared PSK:
sudo nano /etc/ipsec.secrets

# keep this file readable by root only (chmod 600); it holds the PSK in the clear
: PSK "YOUR_PSK_GOES_HERE"

Next is the xl2tpd.conf file:
sudo nano /etc/xl2tpd/xl2tpd.conf

[lac XXX-YOUR-CONNECTION-NAME-XXX]
# your vpn server goes here
lns = XXX.XXX.XXX.XXX
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

And finally the ppp configuration, which is also where the username and password for the VPN go:
sudo nano /etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
# credentials used for MS-CHAPv2 (placeholders); keep this file root-only as well
name XXX-YOUR-USERNAME-XXX
password XXX-YOUR-PASSWORD-XXX

Then we need to create a folder and file:
sudo mkdir -p /var/run/xl2tpd
sudo touch /var/run/xl2tpd/l2tp-control

And restart the services:
sudo service strongswan restart
sudo service xl2tpd restart

And bring up the l2tp tunnel interface:
sudo ipsec up XXX-YOUR-CONNECTION-NAME-XXX

And dial the L2TP session, which authenticates with the username and password from the ppp options file. Note that `sudo echo "..." > file` does not work, because the redirect runs as your own user, not as root; pipe through tee instead:
echo "c XXX-YOUR-CONNECTION-NAME-XXX" | sudo tee /var/run/xl2tpd/l2tp-control

Lastly, I had to add routing information into the routing table so that things are actually going through the VPN. To do this, first add a route to the Internet IP of the VPN server through your local gateway (ie: the IP of your local router), so the tunnel’s own packets keep going out via the LAN (XXX.XXX.XXX.XXX and YOUR_LOCAL_GATEWAY_IP are placeholders):
sudo route add -host XXX.XXX.XXX.XXX gw YOUR_LOCAL_GATEWAY_IP

Then make the default route the one which goes through the VPN, i.e. via the local IP address of the VPN server, which you should be able to see with ifconfig (it will be the P-t-P IP address of the ppp interface; YOUR_VPN_PTP_IP below is a placeholder for it):
sudo route add -net default gw YOUR_VPN_PTP_IP

You can now verify that you can reach devices within the local vpn network correctly.
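The steps above can be bundled into one connect/disconnect script. The following is an added example written for this page, not code from the original post or from the linked gist. It pins the host route to the VPN server before moving the default route, writes to the xl2tpd control file through tee so the write happens as root, waits for the ppp interface to come up and reads the P-t-P address from it, and uses `ip route replace` instead of `route add` so an existing default route is overwritten rather than producing a "File exists" error. The connection name, the server IP and the LAN gateway are placeholders you must fill in, and the interface name ppp0 is assumed to be the one pppd creates.

```shell
#!/bin/sh
# vpn-l2tp.sh up|down|status  - wraps strongSwan (IKEv1/PSK) + xl2tpd + pppd as set up above.
# Added example for this page; not the original post's code. Values below are placeholders.

CONN="XXX-YOUR-CONNECTION-NAME-XXX"   # must match ipsec.conf and xl2tpd.conf
VPN_SERVER="XXX.XXX.XXX.XXX"          # public IP of the VPN server (placeholder)
LAN_GW="192.168.1.1"                  # your local router (constructed placeholder)
CONTROL=/var/run/xl2tpd/l2tp-control
PPP_IF=ppp0                           # assumed interface name created by pppd

# Reject anything that is not a dotted-quad IPv4 address before it reaches "ip route".
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The line xl2tpd expects on its control file to dial ("c") a configured LAC.
control_msg() { printf 'c %s\n' "$1"; }

# Extract the peer (P-t-P) address from "ip -4 -o addr show dev pppN" output; empty if none.
peer_from_addr() { printf '%s\n' "$1" | sed -n 's/.* peer \([0-9.]*\)\/.*/\1/p' | head -n 1; }

# Wait up to $2 seconds for interface $1 to get a peer address; print it on success.
ppp_peer() {
    i=0
    while [ "$i" -lt "$2" ]; do
        peer=$(peer_from_addr "$(ip -4 -o addr show dev "$1" 2>/dev/null)")
        if [ -n "$peer" ]; then echo "$peer"; return 0; fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

vpn_up() {
    valid_ipv4 "$VPN_SERVER" && valid_ipv4 "$LAN_GW" || { echo "fill in VPN_SERVER and LAN_GW" >&2; return 1; }
    # 1. Pin the path to the VPN server through the LAN gateway before the default route moves,
    #    otherwise the tunnel's own IKE/ESP packets would be routed into the tunnel.
    sudo ip route replace "$VPN_SERVER/32" via "$LAN_GW"
    # 2. IKEv1 phase 1 (PSK) and the transport-mode SA protecting UDP/1701.
    sudo ipsec up "$CONN" || return 1
    # 3. Ask xl2tpd to dial; the redirect must run as root, so go through tee.
    control_msg "$CONN" | sudo tee "$CONTROL" >/dev/null
    # 4. Wait for pppd to bring the interface up and read the remote end of the link.
    peer=$(ppp_peer "$PPP_IF" 30) || { echo "$PPP_IF never came up; check /var/log/syslog" >&2; return 1; }
    # 5. Send everything else through the tunnel.
    sudo ip route replace default via "$peer" dev "$PPP_IF"
    echo "up: default route via $peer on $PPP_IF"
}

vpn_down() {
    printf 'd %s\n' "$CONN" | sudo tee "$CONTROL" >/dev/null   # hang up the L2TP session
    sudo ipsec down "$CONN"
    sudo ip route replace default via "$LAN_GW"                 # restore the LAN default route
    sudo ip route del "$VPN_SERVER/32" via "$LAN_GW" 2>/dev/null || true
    echo "down"
}

vpn_status() {
    sudo ipsec status "$CONN"
    ip -4 addr show dev "$PPP_IF" 2>/dev/null || echo "$PPP_IF not present"
    ip route show default
}

case "${1:-}" in
    "") ;;                      # no argument: only define the functions (sourcing / testing)
    up) vpn_up ;;
    down) vpn_down ;;
    status) vpn_status ;;
    *) echo "usage: $0 up|down|status" >&2; exit 2 ;;
esac
```

Run it as `sh vpn-l2tp.sh up` once the config files above are in place; `status` shows the IKE SA, the ppp interface and the current default route, which are the three layers to check in that order when the tunnel does not pass traffic.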

15 comments on “L2TP / IPSEC VPN on Ubuntu 16.04”

  1. Great writeup, I got it to mostly work I think (virtually impossible to tell what is going on because Meraki doesn’t let you do anything). I get the IPsec connection established and also get the l2tp established (I think; it takes the “sudo echo “c XXX-YOUR-CONNECTION-NAME-XXX ” > /var/run/xl2tpd/l2tp-control” command and doesn’t spit out an error). However, I still don’t have network connectivity, and ifconfig doesn’t show the VPN adapter at all. Any ideas that I can try?

     Thanks

  2. “The biggest problem I was having with previous guides was that the L2TP tunnel request was not receiving any responses.” Were you ever able to source that issue? Facing the same thing, even following your guide.

  3. Finally. Something that actually works.
     Now I just need to bundle the connection parts into a script so I can just one-click connect/disconnect… But that’s easy now that I have the rest set up.
