L2TP over IPsec VPN Manager User Guide
Installing L2TP over IPsec VPN Manager
The L2TP/IPSec applet builds on a variety of Unix and Unix-like operating systems including Linux and Solaris.
- A compiler is required; fortunately almost all modern Unix systems have one.
- The following libraries must be available at compile time:
Download the latest versions of l2tp-ipsec-vpn-daemon_n.n.n.tar.gz and l2tp-ipsec-vpn_n.n.n.tar.gz from launchpad.net and verify their message digests.
Unpack the distributions with these commands:
$> tar xvfz l2tp-ipsec-vpn-daemon_n.n.n.tar.gz
$> tar xvfz l2tp-ipsec-vpn_n.n.n.tar.gz
Next compile l2tp-ipsec-vpn-daemon and l2tp-ipsec-vpn:
$> cd l2tp-ipsec-vpn-daemon
$> make
$> cd ../l2tp-ipsec-vpn
$> make
$> cd ..
If both sources compiled without complaint, you are ready to install them on your system. Administrator privileges are required to install. To install, type
$> cd l2tp-ipsec-vpn-daemon
$> sudo make install
$> cd ../l2tp-ipsec-vpn
$> sudo make install
If you need PPP EAP-TLS (certificate) authentication, you additionally have to install the ppp-2.4.5-eaptls-mppe package.
Download the latest version of ppp-2.4.5-eaptls-mppe_n.n.tar.gz from launchpad.net and verify its message digest.
Unpack the distribution with this command:
$> tar xvfz ppp-2.4.5-eaptls-mppe_n.n.tar.gz
Next compile ppp-2.4.5-eaptls-mppe:
$> cd ppp-2.4.5-eaptls-mppe-n.n
$> ./configure
$> make
The ./configure command creates all make files configured for installation in /usr. If you want it to be installed elsewhere, e.g. in /usr/local, type
$> ./configure --prefix /usr/local
If it compiled without complaint, you are ready to install it on your system. Administrator privileges are required to install. To install, type
$> sudo make install
This installs four programs and their man pages: pppd, chat, pppstats and pppdump.
If the /etc/ppp configuration directory doesn't exist, the 'sudo make install' step will create it and install some default configuration files.
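Both download steps above say to verify the tarball's message digest before unpacking it. The following is an added example, not code from the l2tp-ipsec-vpn project, showing how to do that check in a way that does not load the whole archive into memory and does not leak timing information in the comparison. It assumes the published digest is SHA-256 (the guide does not name the algorithm; pass another hashlib name if the one on launchpad.net differs). The sample file and digests in demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""Verify a downloaded tarball against a published message digest.

Added example; not part of the l2tp-ipsec-vpn project.
Assumption: the digest published for the download is SHA-256.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so large archives fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the expected one.

    The expected value is normalised (case, surrounding whitespace) because
    digests are usually copied from a web page; the comparison itself is
    constant-time.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo() -> Tuple[bool, bool]:
    """Constructed sample: a stand-in tarball checked against a correct and a tampered digest."""
    payload = b"constructed stand-in for l2tp-ipsec-vpn_n.n.n.tar.gz\n"
    good = hashlib.sha256(payload).hexdigest()
    # Flip the first hex digit to simulate a digest that does not belong to this file.
    tampered = ("0" if good[0] != "0" else "1") + good[1:]
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    try:
        return verify_download(path, good), verify_download(path, tampered)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    accepted, tampered_accepted = demo()
    print(f"correct digest accepted: {accepted}; tampered digest rejected: {not tampered_accepted}")
```

Run it against a real download as `verify_download("l2tp-ipsec-vpn_n.n.n.tar.gz", "<digest from launchpad.net>")`; only unpack the archive when it returns True.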
On Debian, you'll find the l2tp-ipsec-vpn binary packages in wheezy.
On Ubuntu, you'll find the l2tp-ipsec-vpn binary package in my PPA.
First install l2tp-ipsec-vpn from a terminal window:
$> sudo apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
$> sudo apt-get update
$> sudo apt-get install l2tp-ipsec-vpn
If you need PPP EAP-TLS (certificate) authentication, you additionally have to install the ppp-2.4.5-eaptls-mppe package:
$> sudo apt-get install ppp-2.4.5-eaptls-mppe
If you use the default Ubuntu Natty Narwhal desktop manager Unity, enter the following in a terminal window:
$> gsettings set com.canonical.Unity.Panel systray-whitelist "['all']"
The gsettings line allows the L2TP/IPSec applet icon to appear in the system tray. You'll find more information here.
On Fedora 16, run the following as root:
cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/home:wejaeger/Fedora_16/home:wejaeger.repo
yum install l2tp-ipsec-vpn
On openSUSE 12.1, run the following as root:
zypper addrepo http://download.opensuse.org/repositories/home:BuHTOKPbIJI/openSUSE_12.1/home:BuHTOKPbIJI.repo
zypper addrepo http://download.opensuse.org/repositories/home:wejaeger/openSUSE_12.1/home:wejaeger.repo
zypper refresh
zypper install l2tp-ipsec-vpn
After you have successfully installed it, reboot the computer so all changes are applied:
$> sudo shutdown -r now
Right click the system tray icon and select Edit Connections .... If you are asked to authenticate as system administrator, enter the system administrator password.
You should now see the VPN Connections dialog:
From here you can administrate (create, edit and delete) VPN connections. Note that all changes take effect only after you click the Close button. It is only when this button is pressed (or the dialog is closed by other means) that the configuration files are written.
If something changed, you will see the following message box:
Click the Preferences button to configure connection-independent options.
Currently the only things you can configure here are related to OpenSSL.
You only need to configure these options if you are going to use PPP EAP-TLS (certificate) authentication.
A common implementation of an OpenSSL engine for PKCS#11 modules can be found at http://www.opensc-project.org/opensc/wiki/engine_pkcs11
Creating a new connection
In the picture of the VPN Connections dialog you can see four connections because I have created them; your dialog is probably empty.
To create a new connection, click the Add ... button. In the pop-up dialog box enter the name you want to give the connection and click the OK button.
Configuring a connection
From the list of connections in the VPN Connections dialog select the connection you want to configure and click the Edit ... button. The Connection Settings dialog appears.
If you want this connection to be established automatically, tick the Connect automatically check box.
Configure IPsec options
In the Connection Settings dialog select the IPsec tab.
In the Remote Server edit box enter the IPv4 address or the host name of the remote access server that you want to connect to. If you use an IP address and the remote server is NAT'ed, use the remote's public (not NAT'ed) IP address. If you use a host name, make sure that a DNS server is in place that can resolve it.
Leave the Server Identity edit box empty unless you want to verify the remote server's identity. In that case you have to know how the peer identifies itself. It is often a distinguished name like CN=cisco-fcs-ber.
If you enter the identity and it does not match, the connection attempt will fail with a time out and there will be a syslog message in auth.log like this:
003 "test" #1: we require peer to have ID 'CN=ciscoasa-fsc-ber', but peer declares 'CN=ciscoasa-fsc-bmbg'
This line tells you that you entered CN=ciscoasa-fsc-ber as the identity but the peer identifies itself as CN=ciscoasa-fsc-bmbg.
If your provider gave you a secret, or so-called pre-shared key, tick the Use pre-shared key for authentication radio button and enter the secret in the edit box below. You are done with IPsec configuration. Jump to the L2TP configuration.
Configure for certificate (rsasig) authentication
If your provider delivered you a machine certificate, tick the Use Certificate for authentication radio button and check whether the certificate appears in the list below.
Hint: When you move your mouse pointer over a list entry, a tool tip opens showing the serial number and the common name of the certificate.
If the list is empty or your machine certificate is not listed, you have to install it:
- if you have a PKCS#12 (*.p12 or *.pfx) certificate bundle file, click on the Import ... button and continue with Import PKCS12 certificate bundle
- otherwise see http://www.jacco2.dds.nl/networking/linux-l2tp.html#ImportingCertificates for how to obtain and install the certificate.
If you have manually installed the certificate, close the Connection Settings dialog and re-open it. Now you should see your certificate in the list.
Tick the appropriate certificate in the certificate list and you are done with IPsec configuration. Jump to the L2TP configuration.
Import PKCS12 certificate bundle
If you have a PKCS12 certificate bundle file (*.p12, *.pfx), you can import it from here.
Such a file should contain
- one certificate used to authenticate to the IPsec security gateway
- one private key for the authentication certificate
- optionally a chain of root and trusted certificates necessary to validate the authentication certificate
To import, hit the browse button to the right of the PKCS12 File: edit box, then search for and select the file to import. If the file was encrypted, a password entry dialog appears. Enter the password that was used to encrypt the certificate and click the OK button.
Now the content of the file is shown below the Use this certificate for IPsec authentication check box.
If you want to use this certificate for IPsec authentication, mark the Use this certificate for IPsec authentication check box. If marked, all fields in the underlying Connection Settings dialog are filled in appropriately for you.
Finally, enter a passphrase used to encrypt the imported private key for storage on this computer. Enter the passphrase again for verification and hit the OK button.
Note: the OK button is only enabled if all your input is valid.
Configure L2TP options
Here you can configure L2TP specific options.
Tick the Redial check box if you want the l2tp daemon to attempt to redial if the call gets disconnected. In the Timeout edit box enter the time in seconds that the daemon should wait before it attempts to redial. In the Attempts edit box enter the number of tries before it gives up redialling.
Tick the Length bit check box if you want the length bit to be used in the l2tp packet payload.
Configure PPP options
The first thing you have to decide here is which kind of authentication you are going to use.
- If your ISP provided you with a user name and a password, continue with Configure user name and password authentication.
- If you have a certificate, possibly on a smart-card, make sure you have installed the ppp-2.4.5-eaptls-mppe package from my PPA and have configured the OpenSSL settings properly. Continue with Configure EAP TLS (certificate) authentication.
Configure user name and password authentication
Tick the Allow these protocols radio button.
In the list box below tick all protocols you want to be allowed. If you are not sure about this, try enabling the last three protocols. Normally you won't allow Unencrypted password (PAP), because it involves the client sending its name and a clear text password to the server.
Enter your user name in the User name edit box.
If you enter your password in the Password edit box, it will be stored encrypted and used for checking your identity. If, for security reasons, you don't want your password to be stored at all, leave it empty. In this case you are prompted for the password each time you try to establish a connection. Continue with Configure Peer authentication.
Configure EAP TLS (certificate) authentication
Tick the Use Extensible Authentication Protocol (EAP) radio button and click the Properties ... button. The following dialog appears:
If your certificate and your private key are on a smart-card, tick the Use my smart card radio button; otherwise tick the Use a certificate on this computer radio button.
- To select the certificate to use click the User certificate browse button, highlight the desired certificate and click the OK button.
- To select the private key to use click the Private key browse button, highlight the desired key and click the OK button.
- Enter the PIN (smart-card) or pass-phrase (file) for your private key in the Passphrase edit box. If you don't want your PIN or pass-phrase to be stored encrypted on your local machine, leave the Passphrase edit box empty. In this case you'll be asked for the PIN or pass-phrase each time you try to establish a connection.
- To select the PEM encoded file containing the certificate authority (CA) certificates click the CA Certificate browse button and select the desired file.
Configure Peer authentication
This is optional. Configure it only if you want to check the peer's name.
To set the assumed name of the remote system for authentication purposes click the Peer authentication ... button, enter the name in the Remote name edit box and click the OK button.
If the remote name is not empty, the name reported by the peer is checked against this name and the connection will be refused if the reported name is different.
If you don't know what name is reported by the peer, you can learn it by entering an arbitrary name. Then try to establish the connection. After it has failed, right click the system tray icon and select the Connection Information entry from the menu. The Connection Information dialog is shown. Look for log entries similar to the following:
pppd: Certificate verification error: CN (ReportedName) != peer_name (EnteredName)
pppd: -> Alert: unknown CA
[ERROR 404] Authentication failed: closing connection to 'test'
You can now see the name reported by the peer as ReportedName.
Configure IP settings
DNS is an Internet service that translates domain names into IP addresses. On the Internet, whenever you use a domain name a DNS service needs to translate the name into the corresponding IP address. For example, the domain name www.wikipedia.org might translate to 220.127.116.11.
- If you want to obtain DNS server addresses from a DHCP server, tick the Obtain DNS server address automatically check box.
- If you want to manually configure DNS server addresses, untick the Obtain DNS server address automatically check box and in Preferred DNS server and Alternate DNS server type the preferred and alternate DNS server addresses as IPv4 addresses, for example 18.104.22.168. To modify the resolution behavior for unqualified DNS names, enter search domains as a space separated list.
If you leave everything empty (Obtain DNS server address automatically check box unchecked, no preferred and alternate DNS and no search domains), the DNS settings of your physical network interface are used (/etc/resolv.conf will not be changed). This is useful for users who manage their /etc/resolv.conf by some other means, for example with dnsmasq.
In general terms, routing is the process of forwarding packets between connected networks. For TCP/IP-based networks, routing is part of Internet Protocol (IP) and is used in combination with other network protocol services to provide forwarding capabilities between hosts that are located on separate network segments within a larger TCP/IP-based network.
Based on the Use default gateway on remote network setting, one of the following occurs when the VPN connection is active:
- When the Use default gateway on remote network check box is cleared, Internet locations are reachable and intranet locations are not reachable, except for those matching the network ID of the Internet address class of the assigned IP address.
- When the Use default gateway on remote network check box is selected (the default setting), all intranet locations are reachable and Internet locations are not reachable, except for the address of the VPN server and locations available through other routes.
If you want to set up your VPN connection for split tunnelling, tick the Use following explicit routes to intranet locations radio button and add routes accordingly.
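The two check-box states and the explicit-routes option above decide which interface carries a given packet. The following is an added example, not code from the applet, that builds a small route table for each of the three settings and resolves destinations with longest-prefix matching, the way the kernel does. It models which interface a packet leaves on; whether the remote network then forwards Internet-bound traffic is up to the remote side, and the classful "network ID" exception mentioned in the first bullet is left out. All addresses and the interface names (eth0 for the physical link, ppp0 for the tunnel) are constructed, and the intranet is assumed to be 10.0.0.0/8.

```python
#!/usr/bin/env python3
"""Which interface carries a destination under each routing option.

Added example; not the applet's own code. Addresses, interface names and
the 10.0.0.0/8 intranet are constructed assumptions.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[IPv4Network, str]

PHYSICAL = "eth0"  # constructed: interface holding the normal default gateway
TUNNEL = "ppp0"    # constructed: the PPP interface inside the L2TP/IPsec tunnel


def build_routes(vpn_server: str, use_remote_default: bool,
                 explicit_intranet: Iterable[str] = ()) -> List[Route]:
    """Route table for one of the guide's settings.

    use_remote_default=True  -> "Use default gateway on remote network" ticked
    explicit_intranet given  -> "Use following explicit routes to intranet locations"
    neither                  -> box cleared, no explicit routes: only the physical default
    """
    routes: List[Route] = [(ip_network("0.0.0.0/0"), PHYSICAL)]
    # The VPN server itself must stay reachable over the physical link, or the
    # tunnel's own encapsulated packets would be routed back into the tunnel.
    routes.append((ip_network(f"{vpn_server}/32"), PHYSICAL))
    if use_remote_default:
        routes[0] = (ip_network("0.0.0.0/0"), TUNNEL)  # default now points into the tunnel
    for net in explicit_intranet:
        routes.append((ip_network(net), TUNNEL))  # split tunnelling: only these go inside
    return routes


def route_for(destination: str, routes: Iterable[Route]) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    dest = ip_address(destination)
    best: Optional[Route] = None
    for net, iface in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def reachability(routes: Iterable[Route], destinations: Iterable[str]) -> Dict[str, str]:
    """Map each destination to the interface its packets would leave on."""
    routes = list(routes)
    return {dst: route_for(dst, routes) for dst in destinations}


# Constructed sample destinations: an intranet host, an Internet host, the VPN server.
VPN_SERVER = "192.0.2.10"
DESTINATIONS = ["10.20.30.40", "198.51.100.7", VPN_SERVER]


def demo() -> Dict[str, Dict[str, str]]:
    """Reachability under the three settings, keyed by setting name."""
    return {
        "remote default gateway": reachability(
            build_routes(VPN_SERVER, use_remote_default=True), DESTINATIONS),
        "explicit intranet routes": reachability(
            build_routes(VPN_SERVER, use_remote_default=False,
                         explicit_intranet=["10.0.0.0/8"]), DESTINATIONS),
        "box cleared, no routes": reachability(
            build_routes(VPN_SERVER, use_remote_default=False), DESTINATIONS),
    }


if __name__ == "__main__":
    for setting, table in demo().items():
        print(setting)
        for dst, iface in table.items():
            print(f"  {dst:<14} -> {iface}")
```

The "explicit intranet routes" case is the split-tunnelling configuration: intranet destinations enter the tunnel while everything else, including Internet traffic, keeps using the physical interface unprotected by the tunnel, which is the trade-off to weigh before ticking that radio button.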
Configure advanced settings
Left click on the "VPN" system tray icon and click on a connection name (test in the example picture above). A balloon message will pop up showing that the connection is being established. After the connection is established, you will see another balloon message notification. If an error is encountered, you will also be notified. If you click in the balloon message or select Connection Information in the menu, a dialog appears that shows detailed log entries.
Left click on the "VPN" system tray icon and click on Disconnect.
Delete a connection
Highlight a connection in the connection list of the VPN Connections dialog.
Click the Delete ... button and click the Yes button to confirm deletion.
This section contains information about troubleshooting tools and common problems.
System tray status icons
Hover the mouse pointer over the icon to see a descriptive text.
No route to the remote network
If you are using a version of l2tp-ipsec-vpn older than 1.0.6 together with xl2tpd version 1.2.8 or higher, you'll see the following issue:
Due to a bug introduced in xl2tpd-1.2.8, which is used in Ubuntu 11.10, no route to the remote network gets added after PPPD has established the connection.
Workarounds are discussed in this question, comment #3. Thanks to Nicholas Taylor.
This problem is solved in version 1.0.6 of l2tp-ipsec-vpn.
Finding the cause of a connection error
First of all, inspect the /var/log/debug, /var/log/auth.log and /var/log/syslog files for error entries.
To further diagnose the problem either click into the balloon message or right click the system tray icon and select Connection Information from the menu.
The Connection Information dialog pops up and you see a series of log entries. Errors are displayed in red. You can learn the error number if you hover your mouse pointer over the system tray icon.
There are 3 key log entries that can help narrow down the problem:
004 "test" #1: STATE_MAIN_I4: ISAKMP SA established ...
004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established ...
pppd: Plugin passprompt.so loaded.
If the error occurs before the second key line (the IPsec SA is never established), the IPsec negotiation failed; continue with Diagnose IPsec problems. If the error occurs after the third key line above, there is most likely a PPPD problem. Continue with Diagnose PPPD problems.
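The three key entries above, the Server Identity mismatch message shown under Configure IPsec options and the pppd Certificate verification error shown under Configure Peer authentication can be checked mechanically. The following is an added example, not the applet's own code, that reads the lines from the Connection Information dialog (or copied from /var/log/auth.log), records which milestones were reached, assigns the failure to the IPsec or the PPPD stage and, when either identity message is present, extracts the name you configured and the name the peer actually presented. The two sample logs are constructed from the formats quoted in this guide; the "between IPsec SA and pppd start" verdict for an error between key lines 2 and 3 is my own label, since the guide gives no rule for that case.

```python
#!/usr/bin/env python3
"""Narrow a failed l2tp-ipsec-vpn connection down to the IPsec or PPP stage.

Added example; not part of the applet. Sample logs are constructed from
the message formats quoted in the user guide (Openswan pluto and pppd).
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# The guide's three key log entries, in the order they should appear.
MILESTONES = (
    ("isakmp_sa", "ISAKMP SA established"),
    ("ipsec_sa", "IPsec SA established"),
    ("pppd_started", "pppd: Plugin passprompt.so loaded"),
)

# Openswan: configured Server Identity does not match what the peer presents.
PLUTO_ID_RE = re.compile(
    r"we require peer to have ID '(?P<expected>[^']*)', "
    r"but peer declares '(?P<declared>[^']*)'"
)
# pppd EAP-TLS: configured Remote name does not match the peer certificate CN.
PPPD_CN_RE = re.compile(
    r"Certificate verification error: "
    r"CN \((?P<declared>[^)]*)\) != peer_name \((?P<expected>[^)]*)\)"
)


@dataclass
class Triage:
    reached: List[str] = field(default_factory=list)  # milestones seen, in order
    suspect: str = "ipsec"                             # stage the failure points to
    expected_id: Optional[str] = None                  # name you configured
    declared_id: Optional[str] = None                  # name the peer reported


def triage(lines: Iterable[str]) -> Triage:
    """Classify a connection log by the last milestone reached."""
    result = Triage()
    for line in lines:
        for name, marker in MILESTONES:
            if marker in line and name not in result.reached:
                result.reached.append(name)
        for pattern in (PLUTO_ID_RE, PPPD_CN_RE):
            match = pattern.search(line)
            if match:
                result.expected_id = match["expected"]
                result.declared_id = match["declared"]
    if "ipsec_sa" not in result.reached:
        result.suspect = "ipsec"          # failed before key line 2
    elif "pppd_started" in result.reached:
        result.suspect = "pppd"           # failed after key line 3 (the guide's rule)
    else:
        result.suspect = "between IPsec SA and pppd start"  # own label; guide gives no rule
    return result


# Constructed sample: wrong Server Identity entered, IKE never completes.
SAMPLE_IPSEC_FAILURE = [
    "003 \"test\" #1: we require peer to have ID 'CN=ciscoasa-fsc-ber', "
    "but peer declares 'CN=ciscoasa-fsc-bmbg'",
]

# Constructed sample: IPsec came up, pppd rejected the peer certificate name.
SAMPLE_PPPD_FAILURE = [
    '004 "test" #1: STATE_MAIN_I4: ISAKMP SA established',
    '004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established',
    "pppd: Plugin passprompt.so loaded.",
    "pppd: Certificate verification error: CN (vpn.example.net) != peer_name (wrong-name)",
    "pppd: -> Alert: unknown CA",
    "[ERROR 404] Authentication failed: closing connection to 'test'",
]


if __name__ == "__main__":
    for label, log in (("IPsec sample", SAMPLE_IPSEC_FAILURE), ("PPPD sample", SAMPLE_PPPD_FAILURE)):
        t = triage(log)
        print(f"{label}: suspect={t.suspect} reached={t.reached} "
              f"configured={t.expected_id!r} peer_reported={t.declared_id!r}")
```

For a real failure, paste the dialog's lines into a list (or read them from a file with `triage(open("connection.log"))`); `declared_id` is the value to put back into the Server Identity or Remote name box once you have confirmed it is the peer you intend to talk to.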
Diagnose IPsec problems
Check any Internet device that might be blocking the connection or changing the packets. Typically this will be a firewall or a NAT server, but it can also be a faulty switch that is occasionally corrupting packets or a router that isn't forwarding Protocol ID 50 (ESP).
IPsec security negotiation also fails when the remote peer does not agree with the proposals made by the client.
To figure out what went wrong, you can uncomment the first 'plutodebug' line in /etc/ipsec.conf and comment out the second 'plutodebug' line below it. It should then look like this:
config setup
    plutodebug="parsing emitting controlmore"
    # plutodebug=none
(for possible values and their meaning see 'man ipsec_pluto', line 930 and following)
Normally debugging output is written to the /var/log/auth.log file. Inspect this file to find hints of what could have caused the problem.
The corresponding OpenSwan configuration file is /etc/ipsec.conf.
Diagnose PPPD problems
PPP logging is the primary troubleshooting tool used to obtain information about the PPP connection negotiation.
To enable PPP logging manually, uncomment the debug, dump and record lines in /etc/ppp/<ConnectionName>.options.xl2tpd.
- The debug option enables connection debugging facilities. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug.
- With the dump option, pppd will print out all the option values which have been set.
- The record option specifies that pppd should record all characters sent and received to the file named by its argument. Because this captures the raw PPP byte stream, including the authentication exchange, treat the recorded file as sensitive and remove it once the problem is found.
A very good PPPD diagnosis HOWTO can be found at http://pptpclient.sourceforge.net/howto-diagnosis.phtml#running_pppd_during_connection
The following configuration files are written by the applet:
| File | Purpose |
|---|---|
| /etc/ipsec.conf | Openswan IPsec configuration file |
| /etc/ipsec.secrets | Secrets for IKE/IPsec authentication |
| /etc/xl2tpd/xl2tpd.conf | Xl2tp configuration file |
| /etc/ppp/openssl.cnf | Openssl configuration file |
| /etc/ppp/<ConnectionName>.options.xl2tpd | Options used by PPP when a connection is made by an L2TP daemon |
| /etc/ppp/ip-up.d/L2tpIPsecVpn-up | This script is called by /etc/ppp/ip-up after pppd has established the link, to add routes for the given connection |
| /etc/ppp/ip-down.d/L2tpIPsecVpn-down | This script is called by /etc/ppp/ip-down after pppd has brought down the link, to delete connection-specific routes |
| /etc/ppp/resolv/L2tpIPsecVpn-<ConnectionName> | PPP provider specific static DNS configuration file containing the name servers and search list for host-name lookup. Optional, only written if something is configured in the PPP IP settings dialog |
Note: <ConnectionName> is replaced by the actual name of the connection
Report a bug
Please submit any bug you find to https://bugs.launchpad.net/l2tp-ipsec-vpn/+filebug