SETUP DEBIAN JESSIE L2TP IPsec

for VPNKI with L2TP and IPsec encryption

Before starting, check the Raspbian (Debian) version on your device. Some items in this guide depend on the version used.

1. Run this command
sudo cat /etc/os-release

The first line shows the version, for example:
PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"

If you have Jessie, follow items 1 to 24.

If you have Wheezy, go to the end of this page first; there are some extra steps for you.

Some theory

First we bring up an IPsec security association to the VPNKI server (IKEv1 with a pre-shared key, AES-256 encryption), then we run L2TP inside that IPsec tunnel; the PPP session carried by L2TP is where you are authorized with the username and password of your VPNKI account (CHAP). Note that the pre-shared key in item 3 is a fixed value printed in this guide, so IPsec here encrypts the traffic but does not by itself prove that you are talking to the real VPNKI server; your PPP username and password are the credentials that matter, so keep the files that contain them readable by root only.

Debian Jessie

*** First IPSEC

2. Let's install strongswan for IPsec tunnel
sudo apt-get install -y strongswan

3. Put the pre-shared key for the connection in /etc/ipsec.secrets
sudo nano /etc/ipsec.secrets

and enter exactly this line (the leading colon means the key applies to any peer; keep the file readable by root only):

: PSK "vpnki"

Save Ctrl+X

4. Open file /etc/ipsec.conf
sudo nano /etc/ipsec.conf

and append

# defaults inherited by every conn below
conn %default
   ikelifetime=16h
   keylife=12h
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev1
   authby=secret
# main mode only; IKEv1 aggressive mode would send a crackable hash of the PSK
   aggressive=no

# transport-mode SA protecting only L2TP (UDP 1701) to the VPNKI server;
# the PSK comes from /etc/ipsec.secrets; auto=add loads the conn but leaves
# starting it to you (item 17 changes this to auto=start)
conn vpnki-l2tp
   authby=secret
   auto=add
   rekey=no
   type=transport
   right=ams.vpnki.com
   rightid=%any
   rightprotoport=17/1701
   ike=aes256-sha1-modp2048
   esp=aes256-null
   left=%any
   leftprotoport=17/%any
   dpdaction=clear

Save Ctrl+X

5. Restart strongswan
sudo ipsec restart

6. Bring up the IPsec connection:
sudo ipsec up vpnki-l2tp

7. Check the security association:
sudo ipsec statusall

For vpnki-l2tp you should see an IKE SA line containing ESTABLISHED and a child SA line containing INSTALLED, TRANSPORT. If only the first is present, the ESP proposal or the ports do not match what the server expects.

 

*** Next xl2tpd

8. Install xl2tpd package for L2TP communication
sudo apt-get install -y xl2tpd


9. Configure xl2tpd by adding a new connection named vpnki to /etc/xl2tpd/xl2tpd.conf

sudo nano /etc/xl2tpd/xl2tpd.conf

and append

[lac vpnki]
lns = ams.vpnki.com
require chap = yes
refuse pap = yes
require authentication = yes
name = <vpnki username in format userXXXX>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes


10. Make a new file
sudo nano /etc/ppp/options.l2tpd.client

and add there

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
#proxyarp
connect-delay 5000
name <username from vpnki site like: userXXXX>
password <password for vpnki userXXXX>
remotename vpnki
ipparam vpnki

Save Ctrl+X

11. Make a new management file for xl2tpd daemon
sudo mkdir -p /var/run/xl2tpd
sudo touch /var/run/xl2tpd/l2tp-control

12. Restart xl2tpd
sudo service xl2tpd restart

13. Start the L2TP connection by writing "c vpnki" to the control file. Note that sudo applies only to echo: with sudo echo "c vpnki" > /var/run/xl2tpd/l2tp-control the redirection is opened by your unprivileged shell and fails with "Permission denied", so run the whole command in a root shell instead:
sudo sh -c 'echo "c vpnki" > /var/run/xl2tpd/l2tp-control'

14. Check that the connection is up. Run
sudo ifconfig -s

The output should list a new interface ppp0 whose Flg column contains R (running) and U (up).

15. Run ping to check VPNKI server availability
ping 172.16.0.1

16. To disconnect the L2TP connection, write "d vpnki" to the control file (again from a root shell, for the same reason as in item 13):
sudo sh -c 'echo "d vpnki" > /var/run/xl2tpd/l2tp-control'
Unfortunately, at the time of writing this command caused the xl2tpd daemon to crash on one of our test systems because of the bug reported at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838998
Therefore, after terminating a connection, it is advised to restart the daemon:
sudo service xl2tpd restart

*** Autorun at startup

17. Start the IPsec connection automatically at boot. Run:
sudo nano /etc/ipsec.conf
find auto=add in conn vpnki-l2tp and replace it with auto=start

18. Now make the L2TP connection come up at system boot. Open
sudo nano /etc/rc.local

The file already begins with #!/bin/sh -e and ends with exit 0. Insert the following two lines BEFORE that final exit 0 (anything placed after exit 0 never runs). rc.local executes as root, so sudo is not needed and the redirection to the control file works as written. The end of the file should then read:

service xl2tpd restart
echo "c vpnki" > /var/run/xl2tpd/l2tp-control
exit 0

Save Ctrl+X
Please note that the script restarts the xl2tpd daemon before connecting. This is needed because of the bug described above.

19. Test rc.local without rebooting:
sudo /etc/rc.local

20. The connection should now be up; to check, run
sudo ifconfig -s

The output should again list the interface ppp0.
If it does, the script in /etc/rc.local brings up a working configuration.

*** Routes

21. Finally we add routes to the configuration. There are two possibilities: create the routes manually, or receive them from the VPNKI server (DHCP option 249, classless static routes).
For automatic reception of routes to the VPNKI networks and to your other tunnels, download, extract and put the file (named splitp) in /etc/ppp/ip-up.d

Receiving routes automatically is NOT the preferred option: it failed to produce positive results on a number of our installations. The splitp script does not properly process routes with a /32 prefix, which can cause routing issues.

It is best to skip to item 23.

 

22. Make the file executable so that pppd runs it when a ppp interface comes up

sudo chmod 755 /etc/ppp/ip-up.d/splitp

23. If you want to use the manual method, do this:
After a disconnect and reconnect the routes have to be added again, so we let pppd add them each time the interface comes up. Create a new file

sudo nano -B /etc/ppp/ip-up.d/routeadd

and put in these lines. pppd runs every script in /etc/ppp/ip-up.d with the interface name as $1 and the ipparam from the options file (vpnki, item 10) as $6, so the script uses those instead of assuming the interface is called ppp0; ip route replace is used so a reconnect does not fail on an already existing route:

#!/bin/sh -e
# pppd passes: $1 = interface, $6 = ipparam ("vpnki" from /etc/ppp/options.l2tpd.client)
[ "$6" = "vpnki" ] || exit 0
ip route replace 172.16.0.0/16 dev "$1"      # route to the VPNKI network
ip route replace 192.168.100.0/24 dev "$1"   # example route to your other network (192.168.100.0/24)
 
Save Ctrl+X

24. Make the file executable so that it runs when the ppp interface comes up

sudo chmod 755 /etc/ppp/ip-up.d/routeadd
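
The following script is an added example and is not part of the VPNKI instructions or of the strongSwan and xl2tpd projects. It ties items 13 to 24 together in one check-and-control helper: it classifies the output of ipsec statusall for the connection, finds the running ppp interface in ifconfig -s output, verifies that the route to the VPNKI network points at it, checks the permissions of the two files that hold credentials, and writes to the xl2tpd control file from a root process so the sudo echo redirection pitfall from item 13 cannot occur. It assumes the names used above (conn vpnki-l2tp, lac vpnki, /var/run/xl2tpd/l2tp-control, /etc/ipsec.secrets, /etc/ppp/options.l2tpd.client, the network 172.16.0.0/16); the script name vpnki-check.sh and its layout are my own. The parsers read command output from stdin so they can be tried on captured text; "sudo sh vpnki-check.sh check" runs them against the live system.

```shell
#!/bin/sh
# vpnki-check.sh: added example (not part of the VPNKI guide) that checks and
# drives the L2TP/IPsec client built in items 1-24. The names below are the
# ones the guide uses; the script name and layout are assumptions.

CONN="vpnki-l2tp"                                  # conn name from ipsec.conf
LAC="vpnki"                                        # [lac vpnki] from xl2tpd.conf
CONTROL="/var/run/xl2tpd/l2tp-control"             # xl2tpd control file
SECRET_FILES="/etc/ipsec.secrets /etc/ppp/options.l2tpd.client"
VPNKI_NET="172.16.0.0/16"

# ipsec_state CONN: classify "ipsec statusall" output (read from stdin):
#   up        IKE SA ESTABLISHED and an ESP (child) SA INSTALLED for CONN
#   ike-only  IKE SA up but no ESP SA (esp= proposal or protoport mismatch)
#   down      no IKE SA for CONN
ipsec_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "^ *$1\[[0-9]*\]: *ESTABLISHED"; then
        if printf '%s\n' "$out" | grep -q "^ *$1{[0-9]*}: *INSTALLED"; then
            echo up
        else
            echo ike-only
        fi
    else
        echo down
    fi
}

# ppp_iface: from "ifconfig -s" output on stdin, print the first pppN
# interface whose Flg column has both R (running) and U (up); status 1 if none.
ppp_iface() {
    awk '$1 ~ /^ppp[0-9]+$/ && $NF ~ /R/ && $NF ~ /U/ { print $1; found = 1; exit }
         END { exit !found }'
}

# route_present NET DEV: does "ip route" output on stdin contain "NET dev DEV"?
route_present() {
    awk -v net="$1" -v dev="$2" \
        '$1 == net && $2 == "dev" && $3 == dev { found = 1 } END { exit !found }'
}

# perm_ok MODE: octal mode as printed by "stat -c %a" grants group and other
# nothing (600, 400, or the 4-digit forms such as 1600).
perm_ok() {
    case "$1" in
        [0-7]00|[0-7][0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# l2tp_cmd c|d: write "c vpnki" / "d vpnki" to the xl2tpd control file.
# Must run as root: with "sudo echo ... > file" only echo is privileged and
# the redirection is still opened by the caller's shell.
l2tp_cmd() {
    printf '%s %s\n' "$1" "$LAC" > "$CONTROL"
}

case "${1:-}" in
    check)
        echo "IPsec $CONN: $(ipsec statusall | ipsec_state "$CONN")"
        if dev=$(ifconfig -s | ppp_iface); then
            echo "PPP interface: $dev"
            if ip route | route_present "$VPNKI_NET" "$dev"; then
                echo "route $VPNKI_NET dev $dev: present"
            else
                echo "route $VPNKI_NET dev $dev: MISSING (see items 21-24)"
            fi
        else
            echo "PPP interface: none up"
        fi
        for f in $SECRET_FILES; do
            if mode=$(stat -c %a "$f" 2>/dev/null); then
                if perm_ok "$mode"; then
                    echo "$f: mode $mode ok"
                else
                    echo "$f: mode $mode is readable by others, fix with chmod 600 $f"
                fi
            else
                echo "$f: missing"
            fi
        done
        ;;
    connect)    l2tp_cmd c ;;
    disconnect) l2tp_cmd d; service xl2tpd restart ;;   # restart: bug noted in item 16
    "")         : ;;                                    # no argument: only define the functions
    *)          echo "usage: $0 check|connect|disconnect" >&2; exit 2 ;;
esac
```

Run it as root: "sudo sh vpnki-check.sh check" after item 14 or 20, "sudo sh vpnki-check.sh connect" and "sudo sh vpnki-check.sh disconnect" in place of the echo commands from items 13 and 16. disconnect restarts xl2tpd afterwards because of the crash described in item 16.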

-------------------------------------------------

If you have Debian Wheezy

Unluckily for Wheezy users, its repository provides strongswan at version 4.x.x, and even that does not install and function properly for this setup. Our configuration requires strongswan version 5.2.1 or higher, which is readily available for Jessie. It is still possible to install 5.2.1 on Wheezy, but we must warn you that you do so at your own risk, and we remind you to make backups first.

For that you must add new repositories to your list of sources:

1. Run sudo nano /etc/apt/sources.list and make your Raspberry Pi receive packages from both releases:

deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi
deb http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi
# Source repository to add
deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb http://archive.raspbian.org/raspbian jessie main contrib non-free rpi
# Source repository to add
deb-src http://archive.raspbian.org/raspbian jessie main contrib non-free rpi

Save Ctrl-X

2. Add apt pinning so that the release each package comes from is chosen explicitly, then update the system. To do this, create a new file

sudo nano /etc/apt/preferences

and put there

Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: *
Pin: release n=wheezy
Pin-Priority: 300

Package: *
Pin: release o=Raspbian
Pin-Priority: -10

Or, if you want to stick to wheezy as the default and pull only selected packages from jessie:
Package: *
Pin: release n=wheezy
Pin-Priority: 900

Package: *
Pin: release n=jessie
Pin-Priority: 300

Package: *
Pin: release o=Raspbian
Pin-Priority: -10

Save Ctrl-X

3. Run sudo apt-get update to load the new package lists. Afterwards, apt-cache policy strongswan lists the wheezy and jessie versions together with the priorities you set, so you can confirm that the pinning took effect.

4. Install strongswan 5.2.1 from the Jessie repository

sudo apt-get install -t jessie strongswan

Now you have strongswan 5.2.1. Go back to the start of this manual and set up IPsec and xl2tpd as described in items 1 to 24.