L2TP/IPSec VPN client on Fedora


Follow the steps below to establish a “road warrior” L2TP/IPsec VPN connection with a pre-shared secret to a remote VPN server (running RouterOS 5.24 in my case) from your Fedora system.

Install the IPsec and L2TP packages.

$ yum install libreswan xl2tpd

The main IPsec configuration lives in /etc/ipsec.conf and /etc/ipsec.secrets. You can review it, but no changes to Fedora’s default are required: it basically enables NAT traversal and includes the /etc/ipsec.d/*.conf and /etc/ipsec.d/*.secrets files into the configuration.

Create a new configuration file /etc/ipsec.d/desired_vpn_name.conf with the following content, replacing the connection name and the local and remote IP addresses.

conn VPN_CONNECTION_NAME
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
 rekey=yes
 ikelifetime=8h
 keylife=1h
 type=transport
 left=YOUR_LOCAL_IP_ADDRESS
 leftnexthop=%defaultroute
 leftprotoport=17/1701
 right=REMOTE_VPN_SERVER_IP_ADDRESS
 rightprotoport=17/1701

Create a new secrets file /etc/ipsec.d/desired_vpn_name.secrets with the following content, replacing the remote server IP and the pre-shared secret.

%any REMOTE_VPN_SERVER_IP_ADDRESS : PSK "YOUR-PRE-SHARED-SECRET"

Start the IPsec daemon in the foreground to verify that an IPsec stack is present in your kernel, and to test your configuration later.

$ ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork

If you find the following section in the output:

No Kernel XFRM/NETKEY interface detected
No Kernel KLIPS interface detected
No Kernel MASTKLIPS interface detected
Using 'no_kernel' interface code on 3.16.3-200.fc20.i686

it means there is no IPsec stack in your kernel and you have to load the appropriate module manually:

$ modprobe af_key

If you continue without an IPsec stack in the kernel, you will get a completely misleading error when trying to connect the tunnel:

022 "VPN_CONNECTION_NAME": We cannot identify ourselves with either end of this connection.

When everything is all right you should see just:

Using Linux XFRM/NETKEY IPsec interface code on 3.16.3-200.fc20.i686

Add your new connection by:

$ ipsec auto --add VPN_CONNECTION_NAME

Now configure the L2TP part. Add a new section to /etc/xl2tpd/xl2tpd.conf, replacing the connection name and the remote server IP.

[lac VPN_CONNECTION_NAME]
lns = REMOTE_VPN_SERVER_IP_ADDRESS
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.VPN_CONNECTION_NAME
length bit = yes

Then create a new file /etc/ppp/options.xl2tpd.VPN_CONNECTION_NAME with your PPP options and put the following configuration there (replace the username and password used for authentication).

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name AUTH_USERNAME
password AUTH_PASSWORD

Start all daemons and connect the tunnel:

$ systemctl start ipsec
$ systemctl start xl2tpd
$ echo "c VPN_CONNECTION_NAME" > /var/run/xl2tpd/l2tp-control

To disconnect, do:

$ echo "d VPN_CONNECTION_NAME" > /var/run/xl2tpd/l2tp-control

Reminder: if you have successfully reached this point, you have only the tunnel; you need to add your routes manually to access the networks behind it!
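Two checks worth running before connecting, as an added helper script that is not part of the original post: the first parses saved pluto start-up output for the kernel-stack banner the walkthrough describes, the second confirms that the files holding the pre-shared secret and the PPP password are not readable by other users. It assumes GNU coreutils stat (present on Fedora) and the file names used above; the expected-owner argument defaults to root.

```shell
#!/bin/sh
# Pre-flight checks for the L2TP/IPsec client set-up (added example).

# Return 0 when saved pluto output shows a real kernel IPsec stack,
# 1 when pluto fell back to the 'no_kernel' code path (banner text
# taken from the walkthrough above).
ipsec_kernel_ok() {
    log="$1"
    if grep -q "Using 'no_kernel' interface code" "$log"; then
        return 1
    fi
    grep -q "Using Linux XFRM/NETKEY IPsec interface code" "$log"
}

# Return 0 when a file holding a PSK or PPP password is owned by the
# expected user (default root) and has no group/other permission bits
# (mode 600, 400 or stricter), 1 otherwise. Uses GNU stat -c (assumption).
secret_file_ok() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$want_owner" ] || return 1
    case "$mode" in
        [0-7]00|0) return 0 ;;   # owner bits only
        *) return 1 ;;
    esac
}

# Run both checks for one connection name; PLUTO_LOG is a file you saved
# pluto's foreground output to (e.g. via tee). Returns 0 only if all pass.
preflight() {
    name="$1"; pluto_log="$2"; rc=0
    ipsec_kernel_ok "$pluto_log" || { echo "no kernel IPsec stack: modprobe af_key"; rc=1; }
    secret_file_ok "/etc/ipsec.d/$name.secrets" \
        || { echo "/etc/ipsec.d/$name.secrets must be root-owned, mode 600"; rc=1; }
    secret_file_ok "/etc/ppp/options.xl2tpd.$name" \
        || { echo "/etc/ppp/options.xl2tpd.$name must be root-owned, mode 600"; rc=1; }
    return $rc
}
```

Run pluto as shown above with its output teed to a file, then call `preflight VPN_CONNECTION_NAME /tmp/pluto.log` before `ipsec auto --add`.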