Linux

Linux as a client is similar to Linux as a server. I use racoon as a client, because configuring racoon is the same on Linux as it is on all BSDs. These instructions should be portable to the BSD-OSes on which l2tpd can be made to work.

The kernel configuration has to meet the requirements in [*]. Racoon and the ipsec-tools have to be installed. Furthermore, l2tpd must be installed.

My racoon.conf on the client looks like the following:

path certificate "/etc/racoon/certs";

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

# Default timer values.
timer {     # These values can be changed per remote node.
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 30 sec;
}

remote anonymous {
  exchange_mode main, aggressive;
  doi ipsec_doi;
  situation identity_only;
  certificate_type x509 "mycert" "mypriv";
  # verify_cert off makes racoon accept whatever certificate the peer presents
  # without checking it against the CA certificates under "path certificate"
  verify_cert off;
  my_identifier asn1dn;
  peers_identifier asn1dn;
  verify_identifier off;
  lifetime time 28800 seconds;
  initial_contact on;
  passive off;
  proposal_check obey;
  support_proxy on;
  generate_policy off;
  nonce_size 16;
  proposal {
    # phase 1 algorithms as used here in 2004; racoon also accepts e.g.
    # aes, sha256 and modp2048 when the server offers them
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method rsasig;
    dh_group modp1024;
  }
}

sainfo anonymous {
  lifetime time 28800 seconds;
  encryption_algorithm 3des, aes 128;
  authentication_algorithm hmac_md5;
  compression_algorithm deflate;
}

listen {
  # isakmp ;
}

log notify;

My Policy for the connection looks like this:

spdadd <vpn-server>/32 <local>/32 any -P in ipsec esp/transport//require;
spdadd <local>/32 <vpn-server>/32 any -P out ipsec esp/transport//require;

Beyond that, l2tpd.conf looks like this:

[lns default]
exclusive = no
ip range = 192.168.0.1-192.168.0.20
local ip = 192.168.1.2
name = myhostname
ppp debug = yes
pppoptfile = /etc/l2tpd/options.l2tpd
call rws = 10
tunnel rws = 4
flow bit = yes

[lac vpn]
lns = 192.168.0.1
pppoptfile = /etc/l2tpd/options.l2tpd
redial = yes
max redials = 5
ppp debug = yes
local ip = 192.168.0.100
remote ip = 192.168.0.1

And my options.l2tpd:

ipcp-accept-local
ipcp-accept-remote
user wogri
password password
noauth
crtscts
idle 1800
defaultroute
nodetach
nodeflate
nobsdcomp
debug
lock
connect-delay 5000

Connect to your VPN by telling l2tp to establish the connection:

echo "c vpn" > /var/run/l2tp-control

Or use this script (which also adjusts routes):

#!/bin/bash
# usage: vpn-up.sh <interface>

if [ -z "$1" ]
then
        echo "please specify an interface!"
        exit 1
fi

VPN_SERVER=192.168.0.1    # the IPsec/L2TP peer, the lns from l2tpd.conf

# local address on the given interface and the current default gateway
IP=$(ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d '/' -f 1)
ROUTE=$(ip route list | grep default | awk '{ print $3 }')

# transport-mode ESP is required towards the VPN server in both directions
setkey -c << EOF
flush;
spdflush;
spdadd $VPN_SERVER/32 $IP/32 any -P in ipsec esp/transport//require;
spdadd $IP/32 $VPN_SERVER/32 any -P out ipsec esp/transport//require;
EOF

# tell l2tpd to bring up the "vpn" LAC, then give ppp time to come up
echo "c vpn" > /var/run/l2tp-control
sleep 10

# keep a host route to the VPN server via the old gateway and send
# everything else through the tunnel
route del -net default
route add -host $VPN_SERVER gw $ROUTE
route add -net default gw 192.168.0.1

The echo command makes l2tpd initiate a connection to the l2tpd on the server side. The IPsec policy says that IP traffic to this host must be encrypted, so the kernel has racoon negotiate an IPsec connection to the remote host first; then L2TP shakes hands, and finally the ppp daemons shake hands and connect.
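Because the policies use the level "require", the kernel will not let L2TP leave in the clear, but only if the policies are actually installed. The following script is an added example, not part of the original page: it parses the SPD dump from setkey -DP and refuses to write to the control pipe unless both require-level ESP policies for the VPN server are present. It assumes the ipsec-tools setkey -DP output layout and the addresses from the configs above.

```shell
# Added example (not from the original page): start L2TP only when the kernel
# SPD holds "require"-level ESP transport policies towards the VPN server in
# both directions. Assumes the ipsec-tools "setkey -DP" output layout.

VPN_SERVER=192.168.0.1            # lns from l2tpd.conf
CONTROL_PIPE=/var/run/l2tp-control

# spd_requires_esp <setkey -DP output> <src> <dst> <in|out>
# Succeeds only if a policy src -> dst with that direction carries
# "esp/transport//require" (a "use"-level policy does not count).
spd_requires_esp() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" '
    NF == 3 && $1 == (src "[any]") && $2 == (dst "[any]") { st = 1; next }
    st == 1 { st = ($1 == dir) ? 2 : 0; next }
    st == 2 { if ($1 == "esp/transport//require") found = 1; st = 0 }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample of "setkey -DP" output: both required policies for
# 192.168.0.1 plus a "use"-level policy for an unrelated host.
SAMPLE_SPD=$(cat <<'EOF'
192.168.0.1[any] 192.168.1.2[any] any
        in prio def ipsec
        esp/transport//require
        created: Dec 21 10:00:00 2004  lastused:
        spid=1 seq=1 pid=1234
        refcnt=1
192.168.1.2[any] 192.168.0.1[any] any
        out prio def ipsec
        esp/transport//require
        spid=2 seq=0 pid=1234
        refcnt=1
10.0.0.5[any] 192.168.1.2[any] any
        in prio def ipsec
        esp/transport//use
        spid=3 seq=0 pid=1234
        refcnt=1
EOF
)

# connect_vpn <local address>: check the live SPD, then poke l2tpd as above
connect_vpn() {
  spd=$(setkey -DP) || return 1
  spd_requires_esp "$spd" "$VPN_SERVER" "$1" in &&
    spd_requires_esp "$spd" "$1" "$VPN_SERVER" out ||
    { echo "no require-level ESP policy for $VPN_SERVER; not starting L2TP" >&2; return 1; }
  echo "c vpn" > "$CONTROL_PIPE"
}
```

Call connect_vpn with the local address from the route script (for example `connect_vpn "$IP"`) in place of the plain echo.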

Wolfgang Hennerbichler 2004-12-21