Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
L2TP VPN Client setup on CentOS 7
Go step-by-step through following instructions to set up L2TP/IPSec VPN on Centos 7.
To set up the VPN client on centos 7, first install the following packages:
yum -y install epel-release
yum -y install strongswan xl2tpd
Create VPN variables (replace with actual values):
VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USERNAME='your_vpn_username'
VPN_PASSWORD='your_vpn_password'
3. Configure strongSwan:
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn myvpn
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
right=$VPN_SERVER_IP
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
4. Configure xl2tpd:
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF
chmod 600 /etc/ppp/options.l2tpd.client
The VPN client setup is now complete. Follow the steps below to connect.
Note: You must repeat all steps below every time you try to connect to the VPN.
Create xl2tpd control file:
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
Restart services:
service strongswan restart
service xl2tpd restart
Start the IPsec connection:
strongswan up myvpn
Start the L2TP connection:
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
Run ifconfig and check the output. You should now see a new interface ppp0.
Check your existing default route:
ip route
Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.
Exclude your VPN server's IP from the new default route (replace with actual value):
route add YOUR_VPN_SERVER_IP gw X.X.X.X
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
Add a new default route to start routing traffic via the VPN server?
route add default dev ppp0
The VPN connection is now complete.
To stop routing traffic via the VPN server:
route del default dev ppp0
To disconnect:
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
@ionescu77
Copy link

ionescu77 commented Mar 21, 2022

Nice, thank you.
I'll give it a try, though I am not sure this will work for a Fortinet IPSec VPN connection (got only trouble with this customer using Fortigate VPN :( )

@JeromeZhou7
Copy link

JeromeZhou7 commented Apr 11, 2022

It works for L2TP configuration, great help for reference.
One defect in line 93 : name $VPN_USER should be changed as name $VPN_USERNAME. FYI.

@HEXtoDEC
Copy link

HEXtoDEC commented Apr 25, 2022

HI
IPSec strongswan "established successfully", but no ppp0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment