L2TP VPN Client setup on CentOS 7

l2tp_vpn_client

Go step-by-step through following instructions to set up L2TP/IPSec VPN on Centos 7.

To set up the VPN client on centos 7, first install the following packages:

yum -y install epel-release
yum -y install strongswan xl2tpd

Create VPN variables (replace with actual values): 
     VPN_SERVER_IP='your_vpn_server_ip' 
                
     VPN_IPSEC_PSK='your_ipsec_pre_shared_key' 
                
     VPN_USERNAME='your_vpn_username' 
                
     VPN_PASSWORD='your_vpn_password'
            



3.  Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets



4. Configure xl2tpd:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client

The VPN client setup is now complete. Follow the steps below to connect.

Note:   You must repeat all steps below every time you try to connect to the VPN.



Create xl2tpd control file:

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control



Restart services:

service strongswan restart
service xl2tpd restart



Start the IPsec connection:

strongswan up myvpn



Start the L2TP connection:

echo "c myvpn" > /var/run/xl2tpd/l2tp-control


Run ifconfig and check the output. You should now see a new interface ppp0.

Check your existing default route:

ip route



Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server's IP from the new default route (replace with actual value):

route add YOUR_VPN_SERVER_IP gw X.X.X.X



If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):

route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X



Add a new default route to start routing traffic via the VPN server?

route add default dev ppp0



The VPN connection is now complete.



To stop routing traffic via the VPN server:

route del default dev ppp0



To disconnect:

echo "d myvpn" > /var/run/xl2tpd/l2tp-control

strongswan down myvpn

Nice, thank you.
I'll give it a try, though I am not sure this will work for a Fortinet IPSec VPN connection (got only trouble with this customer using Fortigate VPN :( )

It works for L2TP configuration, great help for reference.
One defect in line 93 : name $VPN_USER should be changed as name $VPN_USERNAME. FYI.

HI
IPSec strongswan "established successfully", but no ppp0