Support for L2TP/IPsec



Hi!

L2TP/IPsec is becoming a popular choice for setting up a VPN. Security is greater
than with PPTP solutions, and clients are included in Windows and Mac OS X.
Unfortunately, this is quite difficult to set up on Linux. Having a plugin
for network-manager would be great.

Here are the steps to configure an L2TP/IPsec connection (with OpenSWAN
rather than racoon; the OpenSWAN implementation is easier):
 - set up OpenSWAN for IPsec transport mode

version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
conn L2TP
    right="roadwarrior.example.com"
    rightid= roadwarrior example com
    authby=rsasig
    pfs=no
    rekey=yes
    keyingtries=3
    type=transport
    left=%defaultroute
    leftcert=XXXXXX.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    leftnexthop=%defaultroute
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/1701
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
include /etc/ipsec.d/examples/no_oe.conf

To avoid modifying /etc/ipsec.conf, NetworkManager could require that you
include /etc/ipsec.d/networkmanager, which would be a symlink to some file
generated by NetworkManager. The example above is for authentication with
certificates. You should also set up the private key with /etc/ipsec.secrets. I
am not sure if it is possible to tell OpenSWAN to use another file.

 - enable the IPsec tunnel with ipsec auto --up L2TP (this command returns on
success)
 - set up the L2TP part with xl2tpd (which needs ppp)

xl2tpd.conf is like this:

[lac l2tp]
lns = roadwarrior.example.com
require chap = yes
autodial = yes
pppoptfile = /etc/ppp/options.roadwarrior.l2tpd
length bit = yes
name = XXXXXX

/etc/ppp/options.roadwarrior.l2tpd is like this:

ipcp-accept-local
ipcp-accept-remote
idle 1800
debug
mtu 1410
mru 1410
nodefaultroute
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
noccp
noauth

And you need to set up /etc/ppp/chap-secrets (again, I don't know if ppp is
able to use another file).

 - launch xl2tpd -D -c config-file
 - set up routes

The tricky part compared with PPTP is that we need to handle two daemons
(one for IPsec, one for L2TP).

Is somebody already working on implementing this kind of VPN in
NetworkManager?

Thanks.
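As an added example (not part of the original mail, nor NetworkManager's or OpenSWAN's code), a small Python helper that sequences the two daemons described above: run `ipsec auto --up L2TP`, then check the kernel's `ip xfrm policy` output for an outbound ESP transport-mode policy selecting UDP/1701 towards the gateway before launching xl2tpd, so L2TP is never sent outside IPsec if the first step did not actually install a policy. The sample `ip xfrm policy` text, the addresses and the xl2tpd config path are constructed assumptions.

```python
"""Added example: start xl2tpd only once IPsec actually protects L2TP."""
import re
import subprocess

# Constructed sample of `ip xfrm policy` output after `ipsec auto --up L2TP`
# succeeded: transport-mode ESP policies selecting UDP/1701 in both directions.
# Addresses are documentation ranges, not values from the post.
SAMPLE_XFRM_UP = """\
src 192.0.2.10/32 dst 198.51.100.1/32 proto udp sport 1701 dport 1701
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 198.51.100.1/32 dst 192.0.2.10/32 proto udp sport 1701 dport 1701
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
"""


def l2tp_is_protected(xfrm_policy_text, gateway_ip):
    """True iff an outbound ESP transport-mode policy selects UDP/1701 to gateway_ip."""
    for block in re.split(r"\n(?=src )", xfrm_policy_text.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        selector, body = lines[0], " ".join(lines[1:])
        if (f"dst {gateway_ip}/32" in selector and "proto udp" in selector
                and "dport 1701" in selector and "dir out" in body
                and "proto esp" in body and "mode transport" in body):
            return True
    return False


def connect(gateway_ip, conn="L2TP", xl2tpd_conf="/etc/xl2tpd/xl2tpd.conf",
            run=subprocess.run, spawn=subprocess.Popen):
    """Bring up the openswan conn, verify the kernel policy, then launch xl2tpd.

    Returns the xl2tpd argv that was started, or None if IPsec is not in place.
    `run`/`spawn` are injectable so the sequencing can be tested offline.
    """
    # Step from the post: `ipsec auto --up L2TP` returns on success.
    if run(["ipsec", "auto", "--up", conn], capture_output=True, text=True).returncode != 0:
        return None
    policy = run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout
    if not l2tp_is_protected(policy, gateway_ip):
        return None  # never start L2TP while UDP/1701 would leave outside ESP
    argv = ["xl2tpd", "-D", "-c", xl2tpd_conf]
    spawn(argv)  # second daemon; it reads the ppp options file and chap-secrets
    return argv
```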


