# VPN Connection from gentoo laptop to Cisco 3000 (ipsec&l2tp)

## msalerno

I need to connect into my office from my laptop via VPN, and I can do it just fine with Windows, but I cannot figure out how to do it with my gentoo laptop. I was hoping that someone could point me in the right direction. The VPN is a MS IPSEC with l2tp and cert based auth. I have just about everything I need except the knowledge of how to do it. I even emerged kvpnc (oof kdelibs...) just to see if that would make life easier. Unfortunately, I am still unable to connect.

I have openswan and xl2tpd installed on my system.

Does anyone have a link to a good howto?  Or better yet, does anyone have this working?

Thanks

Last edited by msalerno on Wed Jun 17, 2009 11:18 pm; edited 2 times in total

----------

## alex.blackbit

i cannot really help you, because i never used l2tp myself.

but from doing "eix -cS l2tp" i can tell that "xl2tpd" seems to be the server side of the protocol,

and that there is a package named "rp-l2tp" that sounds promising.

maybe you want to give that a try.

----------

## msalerno

Thanks, I'll give it a try.  Upon further investigation, I discovered that we are using a Cisco 3000 vpn concentrator for the vpn.  So I am now searching for alternative docs.  But thanks for the l2tp tip.

----------

## alex.blackbit

that may make these 2 packages interesting:

```
net-misc/cisco-vpnclient-3des - Cisco VPN Client (3DES)

net-misc/vpnc - Free client for Cisco VPN routing software
```

----------

## msalerno

Agreed, but now I need to read up on how to make l2tp work with those clients.

I was originally using this: http://www.jacco2.dds.nl/networking/linux-l2tp.html

No luck so far.

----------

## mrness

First you need to configure openswan connection like this:

```
conn MyConnection
        auto=add
        leftprotoport=17/1701
        rightprotoport=17/1701
        type=transport
        left=_Server_Address_
        leftcert=ServerCertificate.pem
        pfs=no
        compress=no
        right=%defaultroute
        rightnexthop=%defaultroute
        rightcert=YourCertificate.pem
```

You also have to enable NAT-Traversal in ipsec.conf and put something like this in the ipsec.secrets file:

```
: RSA _Your_Private_key.key
```

Then configure your xl2tpd daemon like this:

```
[global]
port = 1701

[lac ANameForTheConnection]
lns = _Server_Address_
redial = yes
redial timeout = 30
name = _Your_User_Name_
pppoptfile = /etc/xl2tpd/pppd.options
```

Here is my /etc/xl2tpd/pppd.options

```
ipcp-accept-local
ipcp-accept-remote
noipdefault
noccp
noauth
idle 1800
mtu 1400
mru 1400
nodefaultroute
lock
connect-delay 5000
lcp-echo-interval 15
lcp-echo-failure 3
debug
ipparam _A_name_that_identify_this_connection_
unit 5
```

As you can see, it doesn't contain anything fancy except for that ipparam and unit. I use the ipparam in an /etc/ppp/ip-up.d script to add a route to the Intranet, and unit to force the interface name to ppp5.

You also need to add your password in the /etc/xl2tpd/l2tp-secrets file.

Now you need to start ipsec and xl2tp daemons and run the following commands (preferably saved as a script):

```
ipsec auto --up MyConnection
echo 'c ANameForTheConnection' > /var/run/xl2tpd/l2tp-control
```

Unfortunately you can do the last part only as root. If this bothers you, you can just add the following command to your /etc/conf.d/local.start:

```
chown your-local-username /var/run/xl2tpd/l2tp-control /var/run/pluto/pluto.ctl
```

The stop connection script looks like:

```
echo 'd ANameForTheConnection' > /var/run/xl2tpd/l2tp-control
ipsec auto --down MyConnection
```

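The post above mentions an /etc/ppp/ip-up.d script keyed on the `ipparam` value but does not show one. Here is an added example of such a script (not mrness's own); pppd calls ip-up scripts with the arguments `<iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>`, and the connection name `OfficeVpn` and the intranet prefixes are constructed placeholders to be replaced with your own. Because pppd.options has `nodefaultroute`, only the prefixes listed here go through the tunnel, and the `ipparam` check keeps unrelated ppp links (a dial-up modem, say) from getting intranet routes.

```shell
#!/bin/sh
# /etc/ppp/ip-up.d/50-office-vpn  (example script, not from the thread)
# pppd invokes it as: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>

# Must match the "ipparam" line in /etc/xl2tpd/pppd.options (assumed name).
VPN_IPPARAM="${VPN_IPPARAM:-OfficeVpn}"
# Intranet prefixes to route over the tunnel (constructed example values).
INTRANET_NETS="${INTRANET_NETS:-10.10.0.0/16 192.168.100.0/24}"

# Print "<prefix> <iface>" for each route that belongs on this link, or print
# nothing (and return 1) if this ppp link is not the office VPN.
vpn_routes() {
    iface="$1"
    ipparam="$6"
    # Gate on ipparam: other ppp links never receive the intranet routes.
    [ "$ipparam" = "$VPN_IPPARAM" ] || return 1
    # Sanity check: with "unit 5" the link comes up as ppp5; accept only pppN.
    case "$iface" in
        ppp[0-9]*) ;;
        *) return 1 ;;
    esac
    for net in $INTRANET_NETS; do
        printf '%s %s\n' "$net" "$iface"
    done
}

# Only act when invoked by pppd with its six arguments; when the file is
# sourced for testing, the function is merely defined.
if [ "$#" -eq 6 ]; then
    vpn_routes "$@" | while read -r net dev; do
        ip route add "$net" dev "$dev"
    done
fi
```

The routes are bound to the ppp device, so the kernel drops them automatically when the link goes down; no matching ip-down script is needed.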
----------

