connect to meraki client vpn from strongswan (ubuntu 16.04 edition)

These are my notes for connecting to a Meraki client VPN from Ubuntu 16.04. This configuration assumes you are using a PSK for the IPsec authentication.

Install the following packages:

apt-get install -y strongswan xl2tpd

Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn meraki-vpn
     keyexchange=ikev1
     left=%defaultroute
     auto=add
     authby=secret
     type=transport
     leftprotoport=17/1701
     rightprotoport=17/1701
     # set this to the ip address of your meraki vpn  
     right=XXX.XXX.XXX.XXX
EOF

# quoted 'EOF' so a PSK containing $ or backticks is written literally
cat > /etc/ipsec.secrets <<'EOF'
: PSK "YOUR_PSK_GOES_HERE"
EOF

Configure xl2tp:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac meraki]
# your meraki vpn ip goes here
lns = XXX.XXX.XXX.XXX
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
EOF

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

Restart your services:

service strongswan restart
service xl2tpd restart

Start the ipsec connection (the name must match the conn section in ipsec.conf; strongSwan uses "ipsec up", not the Openswan-style "ipsec auto --up"):

ipsec up meraki-vpn

Start the l2tp connection (with your username and password):

echo "c meraki <user> <pass>" > /var/run/xl2tpd/l2tp-control

Add a route for your internal network:

ip route add 10.0.0.1/24 dev ppp0

To disconnect:

echo "d meraki" > /var/run/xl2tpd/l2tp-control
ipsec down meraki-vpn
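A small wrapper around the steps above, added here as an example (it is not part of the gist). It assumes the conn name meraki-vpn from ipsec.conf and the lac name meraki from xl2tpd.conf, refuses to run while ipsec.secrets is world-readable, and polls for ppp0 instead of assuming it exists the instant the control command is written:

```shell
#!/bin/sh
# Added example, not part of the gist: wraps the manual steps above with two
# checks that the comments below show people tripping over. Assumes the conn
# name meraki-vpn (ipsec.conf) and the lac name meraki (xl2tpd.conf) from above.
set -eu

SECRETS=${SECRETS:-/etc/ipsec.secrets}
CONTROL=${CONTROL:-/var/run/xl2tpd/l2tp-control}
NET_DIR=${NET_DIR:-/sys/class/net}   # overridable so the helpers can be tested

# The PSK sits in plain text in ipsec.secrets; refuse to proceed if the file is
# readable by anyone other than root (chmod 600 it after writing it).
check_secrets_mode() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# xl2tpd starts pppd asynchronously, so ppp0 does not exist the moment the
# control command is written ("Cannot find device ppp0" in the replies below).
wait_for_iface() {
    iface=$1; tries=${2:-20}
    while [ "$tries" -gt 0 ]; do
        [ -d "$NET_DIR/$iface" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

connect() {
    user=$1; pass=$2; subnet=$3
    check_secrets_mode "$SECRETS"
    ipsec up meraki-vpn
    echo "c meraki $user $pass" > "$CONTROL"
    wait_for_iface ppp0 20 || { echo "ppp0 never came up; check syslog" >&2; return 1; }
    ip route add "$subnet" dev ppp0
}

disconnect() {
    echo "d meraki" > "$CONTROL"
    ipsec down meraki-vpn
}
# Usage (as root): ./meraki-vpn.sh up <user> <pass> 10.0.0.0/24   or   ./meraki-vpn.sh down
case "${1:-}" in
    up)   connect "$2" "$3" "$4" ;;
    down) disconnect ;;
esac
```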
pmoncadaisla commented Sep 18, 2016

Hi @psanford,

I'm getting this error:

root@thinkpad:~# ipsec auto --up meraki
/usr/sbin/ipsec: unknown IPsec command `auto' (`ipsec --help' for list)

I must have installed a different ipsec package before, but now I cannot get rid of it:

This is the versioncode of my package:

root@thinkpad:~# ipsec --versioncode
U5.3.5/K4.6.0-040600-generic

Do you have any idea on how to proceed?

Thanks!

thuannvn commented Sep 20, 2016

Hi, where does "ppp0" come from?

franciscoruiz commented Dec 14, 2016

@pmoncadaisla try with ipsec up meraki or ipsec up meraki-vpn

nmeheus commented Dec 14, 2016

I have some problems with "ipsec up ips-tunnel".
I want to use a public VPN service (found at vpngate), and I named my connection "ips-tunnel".

When I execute the command I get several errors/warnings:

  1. no files found matching '/usr/local/etc/strongswan.conf'

  2. IDir 'some ip address in my subnet (which is unreachable)' does not match to '118.111.250.74' <- the public vpn server
    deleting IKE_SA ips-tunnel[1] between 'my IP'[my IP]...118.111.250.74[%any]
    sending DELETE for IKE_SA ips-tunnel[1]

At the end, it still says: "connection 'ips-tunnel' established successfully"

If I try "ip route add 10.0.0.1/24 dev ppp0" afterwards, I get this: "Cannot find device "ppp0""

Do you have any idea what I could do to resolve this?

StevenChorkley commented Mar 29, 2017

Is there a way to do this at startup?

StevenChorkley commented Mar 29, 2017

Btw @nmeheus, this may help:
echo "c meraki-vpn " | sudo tee /var/run/xl2tpd/l2tp-control

Niemi commented Apr 5, 2017

If I try "ip route add 10.0.0.1/24 dev ppp0" afterwards, I get this: "Cannot find device "ppp0""

In the /etc/ppp/ directory, control the ip-up script and ...

cat > /etc/ppp/ip-up.d/route <<'EOF'
#!/bin/sh -e
# PPP_IFACE is exported by /etc/ppp/ip-up when pppd brings the link up;
# the quoted 'EOF' keeps the shell from expanding it while writing this file.
ip route add 192.168.1.0/24 dev $PPP_IFACE
ip route add 176.16.0.0/24 dev $PPP_IFACE

exit 0
EOF

don't forget to add execute bit on file

chmod ugo+x /etc/ppp/ip-up.d/route

clivegross commented May 29, 2017

@nmeheus I'm using pppd version 2.4.7 on Arch Linux and got the same error:

Cannot find device "ppp0"

Sure enough, ip link had no ppp0 device.

I found the following entries in journalctl:

pppd[11903]: In file /etc/ppp/options.l2tpd.client: unrecognized option 'lock'
xl2tpd[11758]: /usr/sbin/pppd: In file /etc/ppp/options.l2tpd.client: unrecognized option 'lock'

I removed the lock row from /etc/ppp/options.l2tpd.client and tried again and it worked straight away:

$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp

Not sure what lock does but VPN works fine now.

clivegross commented May 29, 2017

Further to my last comment, I've written a short guide for Arch Linux users here, based on these notes by @psanford.

dragon788 commented Jun 7, 2017

Check to see what your server supports for protocols as the newer StrongSwan will disable/ignore "insecure" protocols by default.

To discover the algorithms supported by your server you can use ike-scan which may be in the package repository.

sudo apt-get install ike-scan
sudo ike-scan <address.of.server>

There is also a nice GUI option available now.

http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

jersam commented Dec 8, 2017

On CentOS, installing strongswan doesn't give the 'ipsec' command. Do you install openswan and strongswan? I am having big issues getting this to work on a CentOS machine.

langyxxl commented Dec 9, 2017

Is it possible to create a docker VPN client? The config is so complicated...

gghandsome commented Nov 20, 2018

conn %default
ikelifetime=1440m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn usa
left=xxx.xxx.xxx.xxx
leftsubnet=0.0.0.0/0
right=xxx.xxx.xxx.xxx
rightsubnet=10.201.21.0/20
keyexchange=ikev1
auto=route
authby=secret

Here is my setting, but I can't connect successfully. It shows me this message:

initiating Main Mode IKE_SA usa[1] to B
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from A[500] to B[500] (220 bytes)
received packet: from B[500] to A[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from A[500] to B[500] (244 bytes)
received packet: from B[500] to A[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from A[500] to B[500] (100 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA usa[1] established between A[A]...B[B]
scheduling reauthentication in 86173s
maximum IKE_SA lifetime 86353s
generating QUICK_MODE request 2161754081 [ HASH SA No KE ID ID ]
sending packet: from A[500] to B[500] (340 bytes)
sending retransmit 1 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2262587242 [ HASH N(DPD) ]
sending retransmit 2 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2583933086 [ HASH N(DPD) ]
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3182138456 [ HASH N(DPD) ]
sending retransmit 3 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2987448349 [ HASH N(DPD) ]
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2818422143 [ HASH N(DPD) ]
sending retransmit 4 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
sending retransmit 5 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
giving up after 5 retransmits
initiating Main Mode IKE_SA usa[2] to B
establishing connection 'usa' failed

Is anything wrong?
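A triage helper for charon output like the log above, added here as an example (not from this thread). It only matches strings that appear in the logs quoted in this thread, and it tells you which IKEv1 phase to look at: the log above shows the IKE_SA (phase 1) coming up and the Quick Mode (phase 2) request going unanswered until strongSwan gives up, which points at the ESP proposal, the subnet selectors or the UDP path rather than at the PSK:

```shell
#!/bin/sh
# Added example, not from the thread: reads strongSwan (charon) log lines on
# stdin and reports which IKEv1 phase failed. Patterns are taken from the logs
# quoted in this thread; the advice text is the author's own summary.
classify_ike_log() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -q -- "$1"; }

    if has "does not match to"; then
        echo "phase1-id-mismatch: peer sent an ID that differs from right=; fix right= or set rightid="
    elif has "IKE_SA .* established" && has "QUICK_MODE request" && has "giving up after"; then
        echo "phase2-timeout: IKE_SA came up (PSK and ike= accepted) but Quick Mode got no answer; check esp=, leftsubnet/rightsubnet and that UDP 500/4500 is not filtered"
    elif has "IKE_SA .* established"; then
        echo "ok: IKE_SA established"
    else
        echo "phase1-timeout: no IKE_SA established; peer unreachable, UDP 500 blocked or no common IKE proposal"
    fi
}

# Constructed excerpt of the log posted above (trimmed, not a full capture).
sample_log() {
    cat <<'EOF'
initiating Main Mode IKE_SA usa[1] to B
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE_SA usa[1] established between A[A]...B[B]
generating QUICK_MODE request 2161754081 [ HASH SA No KE ID ID ]
sending retransmit 5 of request message ID 2161754081, seq 4
giving up after 5 retransmits
establishing connection 'usa' failed
EOF
}

# Usage: sample_log | classify_ike_log   (or: journalctl -u strongswan | classify_ike_log)
sample_log | classify_ike_log
```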

gghandsome commented Nov 20, 2018

on centos, installing strongswan doesnt give 'ipsec' command. do you install openwan and strongswan? I am having big issues getting this to work on a centos machine.

use strongswan start
