# how to l2tp (strongVPN)

## nivw

Here is a brain dump of how to connect to a USA L2TP server and get yourself a US IP address:

```
echo "net-misc/openswan ~x86" >> /etc/portage/package.keywords
emerge -av openswan net-dialup/xl2tpd net-dialup/ppp
...
```

You will need to have these details in hand to configure the connection:

- username, password, l2tp_password
- vpn host address (vpn_host): ping the VPN server name you got to find its IP
- nic: the device you use to connect to the internet (eth0)
- wan_IP and wan_gw: the IP address your ISP provides and the gateway you use; both are seen using the ifconfig and route commands
- nat: in this case the PC is connected straight to the modem, with no router involved, so nat = no

/etc/ipsec.conf:

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# wan_IP and vpn_host are placeholders: put your ISP-assigned address and
# the VPN server address there.
version 2.0

config setup
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   nat_traversal=no
   protostack=netkey
   oe=no
   plutoopts="--interface=eth0"

conn L2TP-PSK
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   rekey=yes
   ikelifetime=8h
   keylife=1h
   type=transport
   left=wan_IP
   leftnexthop=%defaultroute
   leftprotoport=17/1701
   right=vpn_host
   rightprotoport=17/1701
```

/etc/ipsec.secrets:

```
# holds the pre-shared key in clear text: keep this file mode 600
wan_IP vpn_host : PSK "l2tp_password"
```

/etc/xl2tpd/xl2tpd.conf:

```
# the section name is the tunnel name later handed to xl2tpd's control file
[lac username]
lns = vpn_host
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
```

/etc/ppp/options.l2tpd.client:

```
# username and password are placeholders; the account password is stored in
# clear text here, so keep this file mode 600
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name username
password password
```

/etc/ppp/options is the same as /etc/ppp/options.l2tpd.client.

Now, to actually establish the connection, do:

```
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
sleep 2
...
```

Firewall

I am using the arno-iptables-firewall scripts, so in /etc/arno-iptables-firewall/custom-rules:

```
# Accept what the VPN server sends us: IKE (udp/500), NAT-T (udp/4500),
# ESP (protocol 50) and AH (protocol 51). On the INPUT chain the server is
# the source and our WAN address is the destination, not the other way round.
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 50 -j ACCEPT
iptables -A INPUT -s vpn_host -d wan_IP -p 51 -j ACCEPT
```

Automate it all

```
sed -i 's/auto=.*/auto=start/' /etc/ipsec.conf
```

A good link I found later: http://trinityhome.org/Home/index.php?wpid=167&front_id=18

Last edited by nivw on Fri Dec 31, 2010 1:10 pm; edited 6 times in total
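Two things worth checking before trusting the setup above, as an added example that is not part of the original post: that the PSK file is private and no longer carries the wan_IP/vpn_host placeholders, and that the routing table has the shape the write-up relies on (default route through ppp0, a host route to the VPN server via the ISP gateway on eth0, and no default route left on eth0, which would become the plaintext fallback path the moment the tunnel route vanishes). Interface names, the connection layout and the 203.0.113.10 / 192.0.2.x addresses are assumptions taken from the post and TEST-NET ranges; the route tables at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the
# L2TP/IPsec client described above. Interface names, the VPN address and
# the secrets path are assumptions and can be overridden from the environment.

VPN_HOST=${VPN_HOST:-203.0.113.10}     # assumed placeholder (TEST-NET-3)
WAN_DEV=${WAN_DEV:-eth0}
TUN_DEV=${TUN_DEV:-ppp0}
SECRETS=${SECRETS:-/etc/ipsec.secrets}

# 1. The PSK file: must exist, must not be readable by group/others, and
#    must no longer carry the wan_IP / vpn_host / l2tp_password placeholders.
check_secrets() {
    f=$1
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    # columns 5-10 of `ls -l` are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f is readable by others ($perms); use chmod 600"; return 1; }
    if grep -Eq 'wan_IP|vpn_host|l2tp_password' "$f"; then
        echo "$f still contains placeholders"; return 1
    fi
    return 0
}

# 2. The routing table, read from stdin in `ip route` format. Expected shape:
#    - default route through the tunnel (pppd's `defaultroute`),
#    - /32 host route to the VPN server via the ISP gateway on the wan nic,
#      so the tunnel's own IKE/ESP packets are not routed into the tunnel,
#    - no default route left on the wan nic: it would silently carry plaintext
#      traffic as soon as the tunnel route disappears.
check_routes() {
    routes=$(cat)
    host_re=$(printf '%s' "$VPN_HOST" | sed 's/\./\\./g')
    rc=0
    printf '%s\n' "$routes" | grep -Eq "^default .*dev $TUN_DEV( |$)" \
        || { echo "no default route via $TUN_DEV"; rc=1; }
    printf '%s\n' "$routes" | grep -Eq "^$host_re via [0-9.]+ dev $WAN_DEV( |$)" \
        || { echo "no host route to $VPN_HOST via $WAN_DEV"; rc=1; }
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $WAN_DEV( |$)"; then
        echo "leak: a default route via $WAN_DEV is still present"; rc=1
    fi
    return $rc
}

# Constructed sample tables (not captured from a real host) for offline use.
GOOD_ROUTES='default via 10.8.0.1 dev ppp0
203.0.113.10 via 192.0.2.1 dev eth0
10.8.0.1 dev ppp0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.20'

LEAKY_ROUTES='default via 10.8.0.1 dev ppp0 metric 100
default via 192.0.2.1 dev eth0 metric 2000
203.0.113.10 via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.20'

# Run both checks against the live system with: L2TP_CHECK=1 sh l2tp-check.sh
main() {
    check_secrets "$SECRETS"
    ip route | check_routes
}
if [ "${L2TP_CHECK:-0}" = 1 ]; then
    main
fi
```

The route check is deliberately strict about a second default route on the WAN nic: a lower-priority fallback is exactly what turns a dropped tunnel into a silent leak, so if you choose to keep one, treat it as a conscious decision and pair it with firewall rules that only allow IKE/ESP out of eth0.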

----------

## nivw

To automate this we need three files:

1. I am using dhcpcd as my DHCP client, so add /lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
2. /etc/init.d/strongVpn
3. /etc/conf.d/strongVpn

/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf

```
#/lib/dhcpcd/dhcpcd-hooks/60-l2tp.conf
#use ISP default gateway as a route for l2tp server
#written by niv vaizer
# dhcpcd exports $interface, $if_up, $new_routers and $new_ip_address to its hooks

[ -f /etc/conf.d/strongVpn ] && . /etc/conf.d/strongVpn

if [ "$interface" = "$WAN_DEV" ] && [ "$if_up" = "true" ] && [ -n "$new_routers" ] ; then
   #if [ $if_up -a "$reason" = "BOUND" ] ; then
   gw=${new_routers%% *}   # first router if the lease lists several
   if ! ip ro | grep -q "^${VPN_HOST} via ${gw} " ; then
      # drop a stale host route to the VPN server, if any, then add the new one
      line=$(ip ro | grep "^${VPN_HOST} via")
      line=${line%%dev*}
      [ -n "${line}" ] && ip ro del ${line}
      ip ro add "$VPN_HOST" via "$gw"
   fi
   # keep left= and the PSK line in step with the address we were just given
   if ! grep -q "left=${new_ip_address}$" /etc/ipsec.conf ; then
      sed -i "s/left=.*/left=$new_ip_address/" /etc/ipsec.conf
      sed -i "s/^.* :/$new_ip_address $VPN_HOST :/" /etc/ipsec.secrets
      #/usr/bin/rc-config restart ipsec
   fi
   #$old_routers is missing so no ip ro del
   #fi
fi
```

/etc/init.d/strongVpn

```
#!/sbin/runscript
#/etc/init.d/strongVpn:
# written by: niv vaizer
# load l2tp setting and connect to strongVpn
# WAN_DEV, VPN_HOST, USERNAME, IFACE (the ppp interface) and PID are set in /etc/conf.d/strongVpn

#depend() {
#   use net
#}

start() {
   ebegin "Starting strongVpn"
   WAN_IP=$(ifconfig $WAN_DEV | sed -rn '/dr:/{;s/.*dr:([0-9.]+) .*/\1/;p;}'|head -n1)
   # gateway towards the VPN server: the host route if the dhcpcd hook added one, else the default route
   WAN_GW_TEMP=$(ip ro |grep $VPN_HOST |sed s/.*via\ //|sed s/\ dev.*//)
   [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n |grep "^0.*eth"| awk '{ print $2 }')
   [ "$WAN_GW_TEMP" = "" ] && WAN_GW_TEMP=$(route -n|grep "UGH.*eth"|awk '{ print $2 }' )
   [ "$WAN_GW_TEMP" != "" ] && WAN_GW=$WAN_GW_TEMP
   /usr/bin/rc-config start ipsec
   /usr/bin/rc-config start xl2tpd
   sleep 3
   ipsec auto --up L2TP-PSK
   sleep 3
   echo "c $USERNAME" > /var/run/xl2tpd/l2tp-control
   sleep 2
   touch $PID
   # the tunnel is now the external interface as far as the firewall is concerned
   sed -i "s/^EXT_IF=.*/EXT_IF=${IFACE}/" /etc/arno-iptables-firewall/firewall.conf
   /etc/init.d/arno-iptables-firewall status | grep -q started && /usr/bin/rc-config restart arno-iptables-firewall
   /usr/bin/rc-config restart noip
   # register the VPN resolvers with openresolv; retry until the interface shows up (20 tries at most)
   count=0
   while ! [ -f /var/lib/run/resolvconf/interfaces/$IFACE ] ; do
      resolvconf -u -a $IFACE= </etc/resolv.conf.strongvpn
      count=$((count + 1))
      [ $count -ge 20 ] && break
      sleep 1
   done
   eend $?
}

stop() {
   ebegin "Stopping strongVpn"
   WAN_IP=$(ifconfig $WAN_DEV | sed -rn '/dr:/{;s/.*dr:([0-9.]+) .*/\1/;p;}')
   WAN_GW=$(ip ro |grep $VPN_HOST |sed s/.*via\ //|sed s/\ dev.*//)
   echo "d $USERNAME" > /var/run/xl2tpd/l2tp-control
   sleep 3
   ipsec auto --down L2TP-PSK
   sleep 2
   /usr/bin/rc-config stop xl2tpd
   /usr/bin/rc-config stop ipsec
   /sbin/resolvconf -u
   # hand the external interface back to the wan nic
   sed -i "s/^EXT_IF=.*/EXT_IF=$WAN_DEV/" /etc/arno-iptables-firewall/firewall.conf
   /etc/init.d/arno-iptables-firewall status | grep -q started && /usr/bin/rc-config restart arno-iptables-firewall
   /usr/bin/rc-config restart noip
   rm -f $PID
   eend $?
}
```

Last edited by nivw on Mon Jan 24, 2011 7:06 pm; edited 7 times in total
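The init script above strings the bring-up together with fixed `sleep` calls, so a slow IKE exchange or a failed PPP negotiation leaves the firewall and resolver re-pointed at a tunnel that never came up. As an added example that is not part of the original post, here is the same sequence driven by polling with a deadline. The connection name, tunnel device and xl2tpd control file are taken from the post; the `"L2TP-PSK":500 ... IPsec SA established` line is the form Openswan's `ipsec auto --status` uses for an established phase-2 SA, and the status/address dumps at the bottom are constructed samples so the predicates can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example, not part of the original init script: bring-up with polling
# instead of fixed sleeps, so failures surface as errors. Names below are
# assumptions taken from the post; override them from the environment.

CONN=${CONN:-L2TP-PSK}
TUN_DEV=${TUN_DEV:-ppp0}
L2TP_CONTROL=${L2TP_CONTROL:-/var/run/xl2tpd/l2tp-control}

# wait_for SECONDS CMD...: run CMD once a second until it succeeds.
# Returns 0 on success, 1 when the deadline passes.
wait_for() {
    deadline=$1; shift
    tries=0
    until "$@"; do
        tries=$((tries + 1))
        [ "$tries" -ge "$deadline" ] && return 1
        sleep 1
    done
    return 0
}

# STATUS_CMD / ADDR_CMD name the functions that produce the raw output, so the
# predicates can be pointed at captured or constructed text for offline checks.
STATUS_CMD=${STATUS_CMD:-ipsec_status}
ADDR_CMD=${ADDR_CMD:-tunnel_addr}
ipsec_status() { ipsec auto --status 2>/dev/null; }
tunnel_addr()  { ip -4 addr show dev "$TUN_DEV" 2>/dev/null; }

# Phase-2 SA for our connection is up once Openswan lists it as
#   "L2TP-PSK":500 STATE_QUICK_I2 (sent QI2, IPsec SA established)
sa_established() {
    "$STATUS_CMD" | grep -q "\"$CONN\".*IPsec SA established"
}

# pppd has completed IPCP once the tunnel interface carries an IPv4 address.
tunnel_up() {
    "$ADDR_CMD" | grep -q '^ *inet '
}

# The bring-up sequence from the init script with checks between the steps.
connect_vpn() {
    username=$1
    ipsec auto --up "$CONN" || { echo "ipsec auto --up $CONN failed"; return 1; }
    wait_for 15 sa_established || { echo "no IPsec SA for $CONN after 15s"; return 1; }
    echo "c $username" > "$L2TP_CONTROL"
    wait_for 30 tunnel_up || { echo "$TUN_DEV did not come up within 30s"; return 1; }
    echo "$TUN_DEV is up behind $CONN"
}

# Constructed samples of the two command outputs (not captured from a host).
SAMPLE_STATUS='000 #2: "L2TP-PSK":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2991s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'
SAMPLE_STATUS_DOWN='000 #1: "L2TP-PSK":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate'
SAMPLE_ADDR='12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN
    inet 10.8.0.5 peer 10.8.0.1/32 scope global ppp0'
sample_status()      { printf '%s\n' "$SAMPLE_STATUS"; }
sample_status_down() { printf '%s\n' "$SAMPLE_STATUS_DOWN"; }
sample_addr()        { printf '%s\n' "$SAMPLE_ADDR"; }
```

Only after `connect_vpn` returns 0 should the firewall's EXT_IF and the resolver be switched over; on failure the script leaves them alone and the caller can `ipsec auto --down` and retry instead of running with a half-configured system.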

----------

## nivw

New issue: how to prevent eth0 DHCP from adding a default route when the DHCP is refreshed?

----------

## Bircoph

 *nivw wrote:*   

> New issue: how to prevent eth0 DHCP from adding a default route when the DHCP is refreshed?

This depends on what DHCP client you are using. For dhcpcd use the -G option:

```
# /etc/conf.d/net: -G tells dhcpcd not to install the default route from the lease
dhcpcd_eth0="-G -C resolv.conf -h '' -L"
```

And I recommend you use openl2tpd instead of xl2tpd, because the first is a kernel-space solution and the second is user-space. CPU load differs by 10-20 times. For the very same reason I recommend you use racoon instead of openswan.

----------

## nivw

Init script fixed.

Open issues:

The main issue is how to get my ISP default gateway using DHCP, but not use it as the default route, and instead use:

```
ip ro add $VPN_HOST via $WAN_GW
```

The other issue is to migrate to openl2tp as suggested.

I just can't find any guide to set up an L2TP CLIENT in Gentoo; there are many guides for servers.

----------

## nivw

DHCP issue fixed, thanks to Roy Marples.

----------

## nivw

Roy also suggested changing the strategy: use dhcpcd to set up the ppp0 gateway as a default with a higher metric, and leave the eth0 default gateway. Also use openresolv to allow both the ISP and the L2TP DNS to coexist.

0. use openrc, the newest dhcpcd, and the newest openresolv
1. remove the WAN net.* links: unlink /etc/init.d/net.eth0 ; unlink /etc/init.d/net.ppp0
2. edit /etc/dhcpcd.conf:

```
allowinterfaces eth0,ppp0
```

----------

## nivw

I found a bug in ppp that is related to openresolv: https://bugs.gentoo.org/show_bug.cgi?id=353045

This fixes the section:

```
   count=0
   while ! [ -f /var/lib/run/resolvconf/interfaces/$IFACE ] ; do
      resolvconf -u -a $IFACE= </etc/resolv.conf.strongvpn
      count=$((count + 1))
      [ $count -ge 20 ] && break
      sleep 1
   done
```

and you can remove it.

----------

