Follow the steps below to establish a “road warrior” pre-shared-secret L2TP/IPsec VPN connection to a remote VPN server (running RouterOS 5.24 in my case) from your Fedora system.
Install the IPsec and L2TP packages:
$ yum install libreswan xl2tpd
The main IPsec configuration lives in /etc/ipsec.conf and /etc/ipsec.secrets. You can review it, but no changes to Fedora’s default are required: it enables NAT traversal and includes the /etc/ipsec.d/*.conf and /etc/ipsec.d/*.secrets files into the configuration.
Create a new configuration file /etc/ipsec.d/desired_vpn_name.conf with the following content, replacing the connection name and the local and remote IP addresses:
conn VPN_CONNECTION_NAME
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR_LOCAL_IP_ADDRESS
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=REMOTE_VPN_SERVER_IP_ADDRESS
    rightprotoport=17/1701
Create a new secrets file /etc/ipsec.d/desired_vpn_name.secrets with the following content, replacing the remote server IP and the pre-shared secret:
%any REMOTE_VPN_SERVER_IP_ADDRESS : PSK "YOUR-PRE-SHARED-SECRET"
Start the IPsec daemon in the foreground to make sure the IPsec stack is present in your kernel and to test your configuration later:
$ ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork
If you find the following section in the output:
No Kernel XFRM/NETKEY interface detected
No Kernel KLIPS interface detected
No Kernel MASTKLIPS interface detected
Using 'no_kernel' interface code on 3.16.3-200.fc20.i686
it means there is no IPsec stack in your kernel and you have to load the appropriate module manually:
$ modprobe af_key
If you have no IPsec stack in the kernel and continue anyway, you will get a completely misleading error when trying to bring up the tunnel:
022 "VPN_CONNECTION_NAME": We cannot identify ourselves with either end of this connection.
When everything is all right you should see just:
Using Linux XFRM/NETKEY IPsec interface code on 3.16.3-200.fc20.i686
Add your new connection:
$ ipsec auto --add VPN_CONNECTION_NAME
Now configure the L2TP part. Add a new section to /etc/xl2tpd/xl2tpd.conf, replacing the connection name and the remote server IP:
[lac VPN_CONNECTION_NAME]
lns = REMOTE_VPN_SERVER_IP_ADDRESS
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.VPN_CONNECTION_NAME
length bit = yes
Then create the file /etc/ppp/options.xl2tpd.VPN_CONNECTION_NAME with your PPP options and put the following configuration there (replace the username and password used for authentication):
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name AUTH_USERNAME
password AUTH_PASSWORD
Start all daemons and connect the tunnel:
$ systemctl start ipsec
$ systemctl start xl2tpd
$ echo "c VPN_CONNECTION_NAME" > /var/run/xl2tpd/l2tp-control
To disconnect:
$ echo "d VPN_CONNECTION_NAME" > /var/run/xl2tpd/l2tp-control
Reminder: if you have successfully reached this point you have the tunnel only; you still need to add your routes manually to reach the networks behind the tunnel!
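As an added example (not part of the original post), a small shell helper that signals xl2tpd only after an outbound transport-mode ESP SA to the VPN server actually exists, so the L2TP session and its PPP authentication never leave the host in the clear. It assumes the connection was added with the tutorial's auto=add configuration and initiates it with "ipsec auto --up" first; the `ip xfrm state` listings used for the self-check are constructed, with RFC 5737 example addresses.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. Brings the L2TP session
# up only after an outbound transport-mode ESP SA to the VPN server exists;
# without it, L2TP and the PPP MS-CHAPv2 exchange leave the host unprotected.
# Run as root: `ip xfrm state` and the xl2tpd control pipe need it.

# has_esp_sa SERVER_IP  (reads `ip xfrm state` output on stdin)
# Exit 0 if an ESP SA in transport mode with dst == SERVER_IP is listed.
has_esp_sa() {
    awk -v srv="$1" '
        $1 == "src" && $3 == "dst" { dst = $4; next }   # "src A dst B" header line
        $1 == "proto" && $2 == "esp" && dst == srv && /mode transport/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# connect_l2tp CONN_NAME SERVER_IP
# Initiates the IPsec connection added with "ipsec auto --add", waits up to
# ten seconds for the SA, then tells xl2tpd to dial. Refuses to dial otherwise.
connect_l2tp() {
    name="$1"; server="$2"; tries=10
    ipsec auto --up "$name" || return 1
    while [ "$tries" -gt 0 ]; do
        if ip xfrm state | has_esp_sa "$server"; then
            echo "c $name" > /var/run/xl2tpd/l2tp-control
            return 0
        fi
        tries=$((tries - 1)); sleep 1
    done
    echo "no ESP SA to $server after 10s; not starting L2TP in the clear" >&2
    return 1
}

# Constructed `ip xfrm state` listings (RFC 5737 addresses) for the self-check:
# both directions of a transport-mode L2TP SA to 203.0.113.5 ...
SAMPLE_UP='src 192.0.2.10 dst 203.0.113.5
	proto esp spi 0x0a1b2c3d reqid 16389 mode transport
	replay-window 32 flag af-unspec
	sel src 192.0.2.10/32 dst 203.0.113.5/32 proto udp sport 1701 dport 1701
src 203.0.113.5 dst 192.0.2.10
	proto esp spi 0x1e2f3a4b reqid 16389 mode transport
	sel src 203.0.113.5/32 dst 192.0.2.10/32 proto udp sport 1701 dport 1701'
# ... and a tunnel-mode SA to an unrelated peer, which must not count.
SAMPLE_OTHER='src 192.0.2.10 dst 198.51.100.7
	proto esp spi 0x5c6d7e8f reqid 16390 mode tunnel'

# Real run:  connect_l2tp VPN_CONNECTION_NAME REMOTE_VPN_SERVER_IP_ADDRESS
```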
Good walk-thru!
But there are some details: you have to use sudo, and
# ipsec auto --add VPN_CONNECTION_NAME
won’t be executed until systemctl start ipsec
I’ve followed the directions but it hangs on:
loading secrets from “/etc/ipsec.d/
Any ideas?
Got this error too, hanging at “loading secrets from …”
Did you go through this?
Thanks!
Thanks for the tutorial!
The configuration files in /etc/ipsec.d/ are not automatically included in Fedora 22. Uncomment the following line in /etc/ipsec.conf:
include /etc/ipsec.d/*.conf
and run # ipsec auto --add VPN_CONNECTION_NAME
again.
Thank you for your tutorials.
I did it all step by step and I can connect to my router via L2TP. But as I see, IPsec does not work.
I don’t see IPsec connections on my router, only L2TP.
And if I change YOUR-PRE-SHARED-SECRET to something WRONG (not the correct secret key) in the file /etc/ipsec.d/desired_vpn_name.secrets, I can connect to the VPS as well.
As I see, the files /etc/ipsec.d/*.secrets are included in /etc/ipsec.secrets. But why do these parameters not matter?
I used your tutorial – on Fedora 23 the necessary kernel modules aren’t in the kernel to fire up xl2tpd, had to `dnf install kernel-modules-extra`
Also you might mention that one can use:
“left=%any”
in /etc/ipsec.d/desired_vpn_name.conf to make their configuration more road-warrior friendly.
great JR,
`dnf install kernel-modules-extra` in Fedora 23 is needed
Nice tutorial.
I’d just like to add that I get this error:
$ ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork
Pluto initialized
Dec 31 10:25:19: NSS DB directory: sql:/etc/ipsec.d
Dec 31 10:25:19: NSS readonly initialization (“sql:/etc/ipsec.d”) failed (err -8174)
Dec 31 10:25:19: FATAL: NSS initialization failure
I had to:
$ ipsec initnss
Fedora 23, connect error follows:
handle_challenge: no secret found for us=’ns.mqcache.net’ and them=’LNS’
xl2tpd[30644]: xl2tpd[30644]: control_finish: No secret for authenticating to ‘LNS’
xl2tpd[30644]: xl2tpd[30644]: Connection 1 closed to x.x.x.x, port 1701 (No secret key on our end)
why?
I am getting an error:
“reapchild failed with errno=10 No child processes”
when running
“ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork”
Any idea how I may go about fixing this issue?
I’m getting the same error
Same here.
Anyone solved this?
I am the Fedora package maintainer of both libreswan and xl2tpd.
You should not start pluto using “ipsec pluto”, you should use the proper service command, so you can use “systemctl start ipsec.service” (or run “ipsec start” which detects initsystem for you)
That will automatically call ipsec _stackmanager start via the service file, so all kernel modules are loaded. It will also automatically create an NSS database if needed.