Home / ubuntu / Questions / 1146861
In Process
Michal B.
Asked: 2019-05-29 06:28:30 +0800 CST

How to set up L2TP client on Ubuntu 18.04?

  • 772

I set up my system according to a tutorial I found on the Internet.

I basically installed the necessary dependencies:

sudo apt install network-manager 
sudo apt install network-manager-l2tp
sudo apt install network-manager-strongswan

And configured them by applying changes on the following files (VPN_SERVER_IP, VPN_IPSEC_PSK, VPN_USERNAME, VPN_PASSWORD are replaced by the real values; XXX.XXX.XXX.XXX in the logs down below is the IP address of the VPN server)

/etc/ipsec.conf:

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP

/etc/ipsec.secrets:

: PSK "$VPN_IPSEC_PSK"

/etc/xl2tpd/xl2tpd.conf:

[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name $VPN_USERNAME
password $VPN_PASSWORD

/etc/NetworkManager/NetworkManager.conf (default, nothing changed):

[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

When I want to connect to VPN I do /etc/init.d/network-manager start, nothing extraordinary shows up in the logs:

ifupdown configuration found.
<info>  [1559053123.4216] devices added (path: /sys/devices/virtual/net/lo, iface: lo)
<info>  [1559053123.4216] device added (path: /sys/devices/virtual/net/lo, iface: lo): no ifupdown configuration found.
<info>  [1559053123.4216] end _init.
<info>  [1559053123.4216] settings: loaded plugin ifupdown: (C) 2008 Canonical Ltd.  To report bugs please use the NetworkManager mailing list. (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-settings-plugin-ifupdown.so)
<info>  [1559053123.4217] settings: loaded plugin keyfile: (c) 2007 - 2016 Red Hat, Inc.  To report bugs please use the NetworkManager mailing list.
May 28 16:18:43 phenom nm-dispatcher: req:1 'hostname': new request (1 scripts)
<info>  [1559053123.4217] (735157440) ... get_connections.
May 28 16:18:43 phenom nm-dispatcher: req:1 'hostname': start running ordered scripts...
<info>  [1559053123.4217] (735157440) ... get_connections (managed=false): return empty list.
<info>  [1559053123.4218] get unmanaged devices count: 0
<info>  [1559053123.4218] manager: rfkill: WiFi enabled by radio killswitch; enabled by state file
<info>  [1559053123.4218] manager: rfkill: WWAN enabled by radio killswitch; enabled by state file
<info>  [1559053123.4218] manager: Networking is enabled by state file
<info>  [1559053123.4219] dhcp-init: Using DHCP client 'dhclient'
<info>  [1559053123.4220] Loaded device plugin: NMBondDeviceFactory (internal)
<info>  [1559053123.4220] Loaded device plugin: NMBridgeDeviceFactory (internal)
<info>  [1559053123.4220] Loaded device plugin: NMDummyDeviceFactory (internal)
<info>  [1559053123.4220] Loaded device plugin: NMEthernetDeviceFactory (internal)
<info>  [1559053123.4220] Loaded device plugin: NMInfinibandDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMIPTunnelDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMMacsecDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMMacvlanDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMPppDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMTunDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMVethDeviceFactory (internal)
<info>  [1559053123.4221] Loaded device plugin: NMVlanDeviceFactory (internal)
<info>  [1559053123.4222] Loaded device plugin: NMVxlanDeviceFactory (internal)
<info>  [1559053123.4229] Loaded device plugin: NMWwanFactory (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-device-plugin-wwan.so)
<info>  [1559053123.4234] Loaded device plugin: NMBluezManager (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-device-plugin-bluetooth.so)
<info>  [1559053123.4236] Loaded device plugin: NMWifiFactory (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-device-plugin-wifi.so)
<info>  [1559053123.4242] Loaded device plugin: NMTeamFactory (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-device-plugin-team.so)
<info>  [1559053123.4244] Loaded device plugin: NMAtmManager (/usr/lib/x86_64-linux-gnu/NetworkManager/libnm-device-plugin-adsl.so)
<info>  [1559053123.4252] device (lo): carrier: link connected
<info>  [1559053123.4258] manager: (lo): new Generic device (/org/freedesktop/NetworkManager/Devices/1)
<info>  [1559053123.4262] device (enp5s0): carrier: link connected
<info>  [1559053123.4285] manager: (enp5s0): new Ethernet device (/org/freedesktop/NetworkManager/Devices/2)
<info>  [1559053123.4335] modem-manager: ModemManager available
<info>  [1559053123.4336] manager: startup complete

ipsec up myvpn also seems successful:

initiating Main Mode IKE_SA myvpn[1] to 82.161.237.247
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.10.56[500] to 82.161.237.247[500] (212 bytes)
received packet: from 82.161.237.247[500] to 192.168.10.56[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.10.56[500] to 82.161.237.247[500] (244 bytes)
received packet: from 82.161.237.247[500] to 192.168.10.56[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.10.56[4500] to 82.161.237.247[4500] (108 bytes)
received packet: from 82.161.237.247[4500] to 192.168.10.56[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 192.168.10.56[192.168.10.56]...82.161.237.247[82.161.237.247]
scheduling reauthentication in 3420s
maximum IKE_SA lifetime 3600s
generating QUICK_MODE request 1511457566 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.10.56[4500] to 82.161.237.247[4500] (364 bytes)
received packet: from 82.161.237.247[4500] to 192.168.10.56[4500] (332 bytes)
parsed QUICK_MODE response 1511457566 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
CHILD_SA myvpn{1} established with SPIs c970ab39_i cf32f312_o and TS 192.168.10.56/32[udp/l2f] === 82.161.237.247/32[udp/l2f]
generating QUICK_MODE request 1511457566 [ HASH ]
sending packet: from 192.168.10.56[4500] to 82.161.237.247[4500] (60 bytes)
connection 'myvpn' established successfully

So in general it looks like there are no errors, but I am unable to verify whether I actually made the connection or not. The biggest issue is that no ppp0 device shows up when I execute ip link:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 6c:f0:49:70:55:16 brd ff:ff:ff:ff:ff:ff

Because of that I am unable do define which traffic should go through the VPN server. How can I ensure that ppp0 device shows up and the IP address is assigned to it by the DHCP/VPN server?

vpn 18.04 ipsec

2 Answers

  1. echo "c myvpn" > /var/run/xl2tpd/l2tp-control executed as root should create ppp0 interface. I did some changes to config files and when I issued this command I found out logs complaining about lock option in /etc/ppp/options.l2tpd.client being unknown (in /var/log/syslog). I removed lock from the config file and now it works.

    My current configuration is pasted below.

    /etc/ipsec.conf:

    config setup

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  rekey=no
  type=transport
  left=%any
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=VPN_SERVER
  rightid=%any
  dpdaction=clear

    /etc/xl2tpd/xl2tpd.conf:

    [lac myvpn]
lns = VPN_SERVER
require chap = yes
refuse pap = yes
require authentication = yes
name = VPN_USER
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

    /etc/ppp/options.l2tpd.client:

    ipcp-accept-local
ipcp-accept-remote
require-chap
#refuse-chap
refuse-eap
refuse-pap
require-mschap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
nodefaultroute
usepeerdns
debug
connect-delay 5000
name VPN_USER
password VPN_USER_PASSWORD
remotename myvpn
ipparam myvpn

    /etc/network/interfaces:

    iface tunnel inet ppp
provider myvpn

    Result:

    ~# ifconfig
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.56  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::6ef0:49ff:fe70:5516  prefixlen 64  scopeid 0x20<link>
        ether 6c:f0:49:70:55:16  txqueuelen 1000  (Ethernet)
        RX packets 822593  bytes 135972174 (135.9 MB)
        RX errors 0  dropped 31185  overruns 0  frame 0
        TX packets 854688  bytes 150862324 (150.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 70050  bytes 5703649 (5.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70050  bytes 5703649 (5.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1410
        inet 192.168.60.1  netmask 255.255.255.255  destination 10.255.255.0
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 3  bytes 54 (54.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 54 (54.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    • 0

  2. For Ubuntu 18.04 LTS for a Meraki router I basically followed https://help.vpntunnel.com/support/solutions/articles/5000782608-vpntunnel-l2tp-installation-guide-for-ubuntu-18-04-

    Update and clean up the machine first

    sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
# Wait for reboot, log back in
sudo apt autoremove

    Install VPN Software

    sudo apt-get install strongswan xl2tpd net-tools
sudo apt-get install network-manager-l2tp network-manager-l2tp-gnome
sudo apt-get install network-manager-strongswan
sudo reboot

    After reboot, Turn off the L2TP Server, we only want the client

    sudo service xl2tpd stop
sudo systemctl disable xl2tpd

    Setup the VPN instructions:

    Settings -> Network -> VPN - > "+"
Details:
Make available to other users, check (if desired)
Identity:
Name: Make a description
Gateway: the IP address (or dyn dns name from the meraki page)
User Name:  [email protected]
Password: Leave blank, will prompt
NT Domain: <blank>
IPSec Settings:
Enable IpSec tunnel to L2TP host: check
Pre-Shared Key:  Get from the meraki setup page
Phase1 Algorithms: 3des-sha1-modp1024
Phase2 Algorithms: aes128-sha1
Enforce UDP encap: <un checked>
PPP Settings:  Default

    And then connect in the GUI.

    • 0