Setting up a VPN client on CentOS: L2TP + IPsec

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that carries PPP frames over UDP (port 1701). It descends from two earlier tunneling protocols, PPTP from Microsoft and L2F from Cisco Systems, and is widely used by Internet Service Providers (ISPs) and VPN providers to offer VPN access over the Internet. L2TP itself provides no confidentiality or integrity, so in practice it is run inside an IPsec transport-mode security association (L2TP/IPsec), which is what this guide sets up.

Input values:

$VPN_SERVER_IP - public IP address of the VPN server
$VPN_IPSEC_PSK - IPsec pre-shared key
$VPN_USER - VPN username
$VPN_PASSWORD - VPN password
$VPN_SERVER_ID - private (internal) IP address of the VPN server, which it presents as its IKE identity when it sits behind NAT. If you do not know it, it appears in the VPN connection logs

Installing the necessary software (on CentOS 7 strongswan comes from the EPEL repository, so enable epel-release first if it is not already enabled)

$ sudo yum -y install strongswan xl2tpd

Configuring IPsec

$ sudo nano /etc/ipsec.conf
[...]
# basic configuration

config setup
  # nat_traversal is a legacy (pluto-era) keyword; the strongswan 5 charon daemon
  # ignores it and always supports NAT traversal
  nat_traversal=yes
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  # 3DES, SHA-1 and the 1024-bit MODP group are weak by today's standards; they are
  # listed here only because many L2TP/IPsec servers still offer nothing better.
  # If the server accepts it, prefer e.g. ike=aes256-sha256-modp2048! and
  # esp=aes256-sha256! (the trailing "!" makes the proposal strict: no defaults are
  # appended, so the server must match exactly).
  ike=3des-sha1-modp1024!
  esp=aes128-sha1!

conn vpn01
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  # L2TP/IPsec uses transport mode and protects only UDP 1701, the L2TP control
  # and data channel
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
  # identity the server presents in IKE; its private address when it is behind NAT
  rightid=$VPN_SERVER_ID

Register the IPsec pre-shared key

$ sudo nano /etc/ipsec.secrets
: PSK "$VPN_IPSEC_PSK"

The empty selector before the colon means this PSK is used for any peer; if the host has several IPsec peers, put $VPN_SERVER_IP in front of the colon instead.

Restrict permissions on ipsec.secrets, since it holds the key in cleartext

$ sudo chmod 600 /etc/ipsec.secrets

Setting up strongswan

The CentOS strongswan package reads its configuration from /etc/strongswan/, not from /etc/, so move the packaged files aside and link the files created above into place:

$ sudo mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
$ sudo mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
$ sudo ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
$ sudo ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets

Configuring xl2tpd

$ sudo nano /etc/xl2tpd/xl2tpd.conf
[...append to the end of the main config...]
[lac vpn01]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

$ sudo nano /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
# authenticate to the server with CHAP (including MS-CHAPv2) only: refuse EAP,
# and do not demand that the server authenticate itself to us
refuse-eap
require-chap
noccp
noauth
mtu 1460
mru 1460
noipdefault
# pppd installs this default route only if the host has none yet; on a host with a
# working default gateway you must add routes through the ppp interface yourself
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD

Restrict permissions on options.l2tpd.client, since it holds the VPN password in cleartext

$ sudo chmod 600 /etc/ppp/options.l2tpd.client

Create the runtime directory and the control file that xl2tpd uses

$ sudo mkdir -p /var/run/xl2tpd
$ sudo touch /var/run/xl2tpd/l2tp-control

Restart the xl2tpd and strongswan services

$ sudo systemctl restart xl2tpd
$ sudo systemctl restart strongswan

Checking the status

$ systemctl status xl2tpd
$ systemctl status strongswan

Connecting to the VPN. First bring up IPsec:

$ sudo strongswan up vpn01

Then L2TP:

$ echo "c vpn01" | sudo tee /var/run/xl2tpd/l2tp-control

Check that a ppp network interface has appeared:

$ ip a

Routing note: pppd installs its default route only if the host had none, so on a machine with a working default gateway nothing is routed into the tunnel automatically. Add the routes you need through the ppp interface yourself, and keep a host route for $VPN_SERVER_IP via the original gateway so the tunnel is never asked to carry its own encapsulated packets.

To disconnect from the VPN, first take down L2TP:

$ echo "d vpn01" | sudo tee /var/run/xl2tpd/l2tp-control

Then IPsec:

$ sudo strongswan down vpn01
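The connect/disconnect sequence above is easy to get wrong by hand (sending "c vpn01" before the IPsec SA exists sends L2TP in cleartext or not at all, and a missing ppp interface goes unnoticed). The following wrapper is an added example, not code from the original page or from the strongswan/xl2tpd projects: it runs the steps in order and verifies each one. It assumes the page's connection name vpn01 and control-file path; the function names, the hardened default proposals in render_conn and the sample values in the comments are my own. The pure functions (render_conn, proposal_is_weak, sa_established, ppp_iface) take text as input so they can be exercised without root or a live server.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): wrapper for the strongswan +
# xl2tpd client configured above. Connection name and control FIFO are the
# page's; everything else here is an assumption of this example.
set -u

CONN="${VPN_CONN:-vpn01}"
CTRL="/var/run/xl2tpd/l2tp-control"

# Render the per-connection block of ipsec.conf. Defaults to a modern proposal;
# pass the page's 3des-sha1-modp1024! explicitly only if the server refuses
# anything stronger.
render_conn() {
  local server_ip="$1" server_id="$2"
  local ike="${3:-aes256-sha256-modp2048!}" esp="${4:-aes256-sha256!}"
  cat <<EOF
conn ${CONN}
  keyexchange=ikev1
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  right=${server_ip}
  rightid=${server_id}
  rightprotoport=17/1701
  ike=${ike}
  esp=${esp}
  auto=add
EOF
}

# Return 0 when a proposal string names an algorithm that should not be used
# for new deployments: DES/3DES, MD5, SHA-1, or a MODP group below 2048 bits.
proposal_is_weak() {
  case "$1" in
    *des*|*md5*|*sha1*|*modp768*|*modp1024*|*modp1536*) return 0 ;;
  esac
  return 1
}

# Given the text printed by `strongswan status`, report whether the IKE SA for
# our connection is ESTABLISHED (a line like "vpn01[1]: ESTABLISHED 5 seconds ago").
sa_established() {
  printf '%s\n' "$1" | grep -q "${CONN}\[[0-9]*\]: ESTABLISHED"
}

# Given the text printed by `ip -o link`, print the first pppN interface name;
# return 1 if there is none (the L2TP session has not come up yet).
ppp_iface() {
  printf '%s\n' "$1" | awk -F': ' '$2 ~ /^ppp[0-9]+$/ { print $2; found = 1; exit } END { exit !found }'
}

vpn_up() {
  sudo strongswan up "${CONN}" >/dev/null || return 1
  if ! sa_established "$(sudo strongswan status)"; then
    echo "IPsec SA for ${CONN} is not ESTABLISHED; check 'journalctl -u strongswan'" >&2
    return 1
  fi
  # Only now is UDP 1701 protected, so only now start the L2TP session.
  echo "c ${CONN}" | sudo tee "${CTRL}" >/dev/null
  local i iface
  for i in $(seq 1 15); do
    if iface=$(ppp_iface "$(ip -o link)"); then
      echo "L2TP session up on ${iface}"
      return 0
    fi
    sleep 1
  done
  echo "no ppp interface after 15 s; check 'journalctl -u xl2tpd'" >&2
  return 1
}

vpn_down() {
  # Reverse order: L2TP first, then the IPsec SA that was protecting it.
  echo "d ${CONN}" | sudo tee "${CTRL}" >/dev/null
  sudo strongswan down "${CONN}"
}

# Usage: ./vpn.sh up | down | render SERVER_IP SERVER_ID [IKE [ESP]]
case "${1:-}" in
  up)     vpn_up ;;
  down)   vpn_down ;;
  render) shift; render_conn "$@" ;;
esac
```

Run `./vpn.sh render $VPN_SERVER_IP $VPN_SERVER_ID` to print a conn block for ipsec.conf, then `./vpn.sh up` and `./vpn.sh down`. ppp_iface reports any existing ppp interface, so take down stale sessions before connecting.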