connect to meraki client vpn from strongswan (ubuntu 16.04 edition)

These are my notes for connecting to a Meraki client VPN from Ubuntu 16.04. This configuration assumes you are using a PSK (pre-shared key) for the IPsec authentication.

Install the following packages:

apt-get install -y strongswan xl2tpd

Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn meraki-vpn
        keyexchange=ikev1
        left=%defaultroute
        auto=add
        authby=secret
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/1701
        # set this to the IP address of your Meraki VPN
        right=XXX.XXX.XXX.XXX
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "YOUR_PSK_GOES_HERE"
EOF

Configure xl2tpd:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac meraki]
# your meraki vpn ip goes here
lns = XXX.XXX.XXX.XXX
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
EOF

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
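The files written above are easy to get subtly wrong: the conn name in ipsec.conf and the lac name in xl2tpd.conf are different strings, the gateway address is typed twice, the PSK file can be left readable by every local user, and the ike/esp lines still offer 3DES and modp1024. The pre-flight audit below is an added example, not part of the gist. It parses the three files with awk and checks them offline before the services are restarted; it ships with a constructed sample configuration (placeholder gateway 203.0.113.10) so it can be tried without touching /etc. Run `sh audit.sh sample` for the sample or `sh audit.sh live` for the real files.

```shell
#!/bin/sh
# Pre-flight audit for the strongSwan + xl2tpd client files written above.
# Added example, not part of the gist. It only reads the files, so it can be
# run before restarting the services. 203.0.113.10 in the sample is a placeholder.

# Print every "conn" name in an ipsec.conf except %default.
ipsec_conn_names() {  # ipsec.conf
    awk '$1 == "conn" && $2 != "%default" { print $2 }' "$1"
}

# Print the value of KEY inside conn section NAME (empty if absent).
ipsec_conn_value() {  # ipsec.conf name key
    awk -v conn="$2" -v key="$3" '
        $1 == "conn" { in_conn = ($2 == conn); next }
        in_conn && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print the "lns" address of the [lac NAME] section of an xl2tpd.conf.
xl2tpd_lns() {  # xl2tpd.conf name
    awk -v lac="$2" '
        /^\[/ { in_lac = ($0 == "[lac " lac "]"); next }
        in_lac && $1 == "lns" { print $3; exit }' "$1"
}

# Succeed when the proposal string names an algorithm that should be retired.
proposal_has_weak() {  # proposal
    case "$1" in
        *3des*|*modp1024*|*md5*) return 0 ;;
    esac
    return 1
}

# Succeed when the PSK file is readable by its owner only.
secrets_mode_ok() {  # ipsec.secrets
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

findings=0
warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Run every check, print one WARN line per finding and the total; returns 1 if any.
audit_config() {  # ipsec.conf ipsec.secrets xl2tpd.conf lac-name
    findings=0
    secrets_mode_ok "$2" || warn "$2 is not mode 600: the PSK is readable by other users"
    for key in ike esp; do
        val=$(ipsec_conn_value "$1" "%default" "$key")
        if proposal_has_weak "$val"; then
            warn "$key proposal '$val' still offers 3DES/MD5/modp1024"
        fi
    done
    lns=$(xl2tpd_lns "$3" "$4")
    for conn in $(ipsec_conn_names "$1"); do
        right=$(ipsec_conn_value "$1" "$conn" right)
        [ "$right" = "$lns" ] || warn "conn $conn has right=$right but xl2tpd lns=$lns"
        [ "$(ipsec_conn_value "$1" "$conn" type)" = "transport" ] ||
            warn "conn $conn is not type=transport (L2TP/IPsec needs transport mode)"
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed sample configuration (placeholder gateway) so the audit runs offline.
write_sample_config() {  # dir
    cat > "$1/ipsec.conf" <<'EOF'
conn %default
        keyexchange=ikev1
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn meraki-vpn
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=203.0.113.10
EOF
    printf '[lac meraki]\nlns = 203.0.113.10\npppoptfile = /etc/ppp/options.l2tpd.client\n' > "$1/xl2tpd.conf"
    printf ': PSK "example-psk"\n' > "$1/ipsec.secrets"
    chmod 644 "$1/ipsec.secrets"   # deliberately too open so the audit flags it
}

case "${1:-}" in
    sample) d=$(mktemp -d); write_sample_config "$d"
            audit_config "$d/ipsec.conf" "$d/ipsec.secrets" "$d/xl2tpd.conf" meraki ;;
    live)   audit_config /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf meraki ;;
esac
```

Against the sample the audit reports three findings (the open PSK file and the two legacy proposals); the name and gateway checks pass because the sample was written consistently. Each check is a separate function so it can be reused from a deployment script.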

Restart your services:

service strongswan restart
service xl2tpd restart

Start the IPsec connection (strongSwan's ipsec tool has no auto subcommand, and the name must match the conn section in /etc/ipsec.conf):

ipsec up meraki-vpn

Start the L2TP connection (with your username and password):

echo "c meraki <user> <pass>" > /var/run/xl2tpd/l2tp-control

Add a route for your internal network (replace 10.0.0.0/24 with your own subnet):

ip route add 10.0.0.0/24 dev ppp0

To disconnect:

echo "d meraki" > /var/run/xl2tpd/l2tp-control
ipsec down meraki-vpn
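The manual steps above give no feedback when a stage fails, which is why "Cannot find device ppp0" shows up so often: xl2tpd never brought PPP up, or IPsec reported success without a usable child SA. The wrapper below is an added example, not code from the gist. It checks that both the IKE_SA and the CHILD_SA for the connection exist before handing credentials to xl2tpd, prompts for the password instead of taking it on the command line where ps would show it, and waits for the PPP interface before adding the route. The conn name meraki-vpn, the lac name meraki, the control-pipe path and the placeholder subnet 10.0.0.0/24 are assumptions taken from the notes above; SAMPLE_STATUS is a constructed copy of `ipsec status` output used only for offline checking.

```shell
#!/bin/sh
# Connect/disconnect wrapper for the steps above. Added example, not from the
# gist; assumes conn "meraki-vpn" in ipsec.conf, "[lac meraki]" in xl2tpd.conf
# and the control pipe the notes use. Refuses to start L2TP until the IPsec SAs
# are really up, and waits for the PPP interface before routing through it.
CONN="${CONN:-meraki-vpn}"
LAC="${LAC:-meraki}"
CONTROL="${CONTROL:-/var/run/xl2tpd/l2tp-control}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"   # placeholder, set to your subnet
PPP_IF="${PPP_IF:-ppp0}"

# Read `ipsec status CONN` output on stdin. Succeed only when the IKE_SA is
# ESTABLISHED and the CHILD_SA is INSTALLED: an IKE_SA alone means the UDP/1701
# L2TP traffic would still leave the host unprotected.
ipsec_sa_ready() {  # conn
    out=$(cat)
    printf '%s\n' "$out" | grep -q "^ *$1\[[0-9]*\]: ESTABLISHED" &&
        printf '%s\n' "$out" | grep -q "^ *$1{[0-9]*}: *INSTALLED"
}

# Poll /sys/class/net for NAME; pppd creates it only once PPP negotiation
# succeeds. Returns 1 after TIMEOUT seconds so a failed L2TP session is
# reported instead of a confusing "Cannot find device" from ip route.
wait_for_iface() {  # name timeout
    i=0
    while [ ! -e "/sys/class/net/$1" ]; do
        i=$((i + 1))
        [ "$i" -le "$2" ] || return 1
        sleep 1
    done
}

vpn_up() {  # user   (the password is prompted for so it never appears in ps)
    printf 'Password for %s: ' "$1"; stty -echo; read -r pass; stty echo; echo
    ipsec up "$CONN" || return 1
    ipsec status "$CONN" | ipsec_sa_ready "$CONN" || {
        echo "IPsec SAs for $CONN are not in place, not starting L2TP" >&2
        ipsec down "$CONN"; return 1; }
    echo "c $LAC $1 $pass" > "$CONTROL"
    wait_for_iface "$PPP_IF" 30 || {
        echo "$PPP_IF did not appear; check 'journalctl -u xl2tpd'" >&2; return 1; }
    ip route add "$INTERNAL_NET" dev "$PPP_IF"
}

vpn_down() {
    echo "d $LAC" > "$CONTROL"
    ipsec down "$CONN"
}

# Constructed sample of `ipsec status meraki-vpn` output (placeholder addresses)
# used to exercise ipsec_sa_ready without a live tunnel.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
  meraki-vpn[1]: ESTABLISHED 5 seconds ago, 192.0.2.5[192.0.2.5]...203.0.113.10[203.0.113.10]
  meraki-vpn{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0a80001_i c0a80002_o'

case "${1:-}" in
    up)    vpn_up "$2" ;;
    down)  vpn_down ;;
    check) printf '%s\n' "$SAMPLE_STATUS" | ipsec_sa_ready "$CONN" && echo "sample parses as ready" ;;
esac
```

Usage is `sh vpn.sh up <user>` and `sh vpn.sh down`; `sh vpn.sh check` only runs the status parser against the embedded sample. If the interface comes up under a different unit number, set PPP_IF accordingly, or move the route into /etc/ppp/ip-up.d/ where pppd supplies the interface name itself.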
pmoncadaisla commented Sep 18, 2016

Hi @psanford,

I'm getting this error:

root@thinkpad:~# ipsec auto --up meraki
/usr/sbin/ipsec: unknown IPsec command `auto' (`ipsec --help' for list)

I must have installed a different ipsec package before, but now I cannot get rid of it:

This is the versioncode of my package:

root@thinkpad:~# ipsec --versioncode
U5.3.5/K4.6.0-040600-generic

Do you have any idea on how to proceed?

Thanks!

thuannvn commented Sep 20, 2016

Hi, where does "ppp0" come from?

franciscoruiz commented Dec 14, 2016

@pmoncadaisla try with ipsec up meraki or ipsec up meraki-vpn

nmeheus commented Dec 14, 2016

I have some problems with "ipsec up ips-tunnel".
I want to use a public VPN service (found at vpngate), and I named my connection "ips-tunnel".

When I execute the command I get several errors/warnings:

  1. no files found matching '/usr/local/etc/strongswan.conf'

  2. IDir 'some ip address in my subnet (which is unreachable)' does not match to '118.111.250.74' <- the public vpn server
    deleting IKE_SA ips-tunnel[1] between 'my IP'[my IP]...118.111.250.74[%any]
    sending DELETE for IKE_SA ips-tunnel[1]

At the end, it still says: "connection 'ips-tunnel' established successfully"

If I try "ip route add 10.0.0.1/24 dev ppp0" afterwards, I get this: "Cannot find device "ppp0""

Do you have any idea what i could do to resolve this?

StevenChorkley commented Mar 29, 2017

Is there a way to do this at startup?

StevenChorkley commented Mar 29, 2017

Btw @nmeheus, this may help:
echo "c meraki-vpn " | sudo tee /var/run/xl2tpd/l2tp-control

Niemi commented Apr 5, 2017

> If I try "ip route add 10.0.0.1/24 dev ppp0" afterwards, i get this: "Cannot find device "ppp0" "

In the /etc/ppp/ directory, check the ip-up script and ...

cat > /etc/ppp/ip-up.d/route <<'EOF'
#!/bin/sh -e
# pppd runs this with PPP_IFACE set to the new interface; the quoted EOF above
# stops the writing shell from expanding $PPP_IFACE while the file is created.
ip route add 192.168.1.0/24 dev "$PPP_IFACE"
ip route add 176.16.0.0/24 dev "$PPP_IFACE"

exit 0
EOF

Don't forget to add the execute bit on the file:

chmod ugo+x /etc/ppp/ip-up.d/route

clivegross commented May 29, 2017

@nmeheus I'm using pppd version 2.4.7 on Arch Linux and got the same error:

Cannot find device "ppp0"

Sure enough, ip link had no ppp0 device

I found the following entries in journalctl:

pppd[11903]: In file /etc/ppp/options.l2tpd.client: unrecognized option 'lock'
xl2tpd[11758]: /usr/sbin/pppd: In file /etc/ppp/options.l2tpd.client: unrecognized option 'lock'

I removed the lock row from /etc/ppp/options.l2tpd.client and tried again and worked straight away:

$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp 

Not sure what lock does but VPN works fine now.

clivegross commented May 29, 2017

Further to my last comment, I've written a short guide for Arch Linux users here, based on these notes by @psanford.

dragon788 commented Jun 7, 2017

Check to see what your server supports for protocols as the newer StrongSwan will disable/ignore "insecure" protocols by default.

To discover the algorithms supported by your server you can use ike-scan which may be in the package repository.

sudo apt-get install ike-scan
sudo ike-scan <address.of.server>

There is also a nice GUI option available now.

http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

jersam commented Dec 8, 2017

On CentOS, installing strongswan doesn't give the 'ipsec' command. Do you install openswan and strongswan? I am having big issues getting this to work on a CentOS machine.

langyxxl commented Dec 9, 2017

Is it possible to create a Docker VPN client? The config is so complicated...

gghandsome commented Nov 20, 2018

conn %default
ikelifetime=1440m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn usa
left=xxx.xxx.xxx.xxx
leftsubnet=0.0.0.0/0
right=xxx.xxx.xxx.xxx
rightsubnet=10.201.21.0/20
keyexchange=ikev1
auto=route
authby=secret

Here is my setting, but I can't connect successfully. It shows me this message:

initiating Main Mode IKE_SA usa[1] to B
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from A[500] to B[500] (220 bytes)
received packet: from B[500] to A[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from A[500] to B[500] (244 bytes)
received packet: from B[500] to A[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from A[500] to B[500] (100 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA usa[1] established between A[A]...B[B]
scheduling reauthentication in 86173s
maximum IKE_SA lifetime 86353s
generating QUICK_MODE request 2161754081 [ HASH SA No KE ID ID ]
sending packet: from A[500] to B[500] (340 bytes)
sending retransmit 1 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2262587242 [ HASH N(DPD) ]
sending retransmit 2 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2583933086 [ HASH N(DPD) ]
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3182138456 [ HASH N(DPD) ]
sending retransmit 3 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2987448349 [ HASH N(DPD) ]
received packet: from B[500] to A[500] (92 bytes)
parsed INFORMATIONAL_V1 request 2818422143 [ HASH N(DPD) ]
sending retransmit 4 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
sending retransmit 5 of request message ID 2161754081, seq 4
sending packet: from A[500] to B[500] (340 bytes)
giving up after 5 retransmits
initiating Main Mode IKE_SA usa[2] to B
establishing connection 'usa' failed

Is anything wrong?

gghandsome commented Nov 20, 2018

> On CentOS, installing strongswan doesn't give the 'ipsec' command. Do you install openswan and strongswan? I am having big issues getting this to work on a CentOS machine.

Use strongswan start
