Configuring Meraki Client VPN in Linux

You can try the official Meraki Configuring Client VPN in Linux article for a GUI-based setup. For terminal-based configuration, see below.

Install packages

Install the following packages:

  • strongswan
  • xl2tpd

For Arch Linux:

$ sudo pacman -S xl2tpd

Install strongswan from the AUR.

Configure

Four configuration files need to be set up:

  1. /etc/ipsec.conf: This file contains the basic information to establish a secure IPsec tunnel to the VPN server.
  2. /etc/ipsec.secrets: This file contains the PSK secret.
  3. /etc/xl2tpd/xl2tpd.conf: This file configures xl2tpd with the connection name and the server IP address.
  4. /etc/ppp/options.l2tpd.client: This file configures pppd.

ipsec.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address and my-unique-vpn-conn-name with a connection name of your choice.

$ sudo vim /etc/ipsec.conf

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn my-unique-vpn-conn-name
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the outside IP address of your Meraki VPN node
    right=yyy.yyy.yyy.yyy

ipsec.secrets

$ sudo vim /etc/ipsec.secrets

: PSK "IPsec PSK secret goes here including quotation marks."

xl2tpd.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address and my-unique-vpn-conn-name with a connection name of your choice.

$ sudo vim /etc/xl2tpd/xl2tpd.conf

[lac my-unique-vpn-conn-name]
# set this to the outside IP address of your Meraki VPN node
lns = yyy.yyy.yyy.yyy
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

Use the following config, replacing meraki-username and meraki-password with your client VPN username and password.

$ sudo vim /etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name meraki-username
password meraki-password

Restart services

$ sudo systemctl restart strongswan
$ sudo systemctl restart xl2tpd

Connect

Start the IPsec connection:

$ sudo ipsec up my-unique-vpn-conn-name
initiating Main Mode IKE_SA my-unique-vpn-conn-name[1] to yyy.yyy.yyy.yyy
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (212 bytes)
received packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (156 bytes)
...
connection 'my-unique-vpn-conn-name' established successfully

Start the L2TP connection:

$ su
# echo "c my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control

Add routes

Check the tunnel has been created as an interface:

$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp

Add a route to the VPN inside network through the ppp tunnel (this needs root, like the other commands):

$ sudo ip route add zzz.zzz.zzz.zzz/zzz dev ppp0

You should now have access to the Meraki node inside LAN.
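As an added example (not part of the original gist), the following POSIX shell helper ties the Connect and Add routes steps together: it refuses to start when ipsec.secrets or options.l2tpd.client, which hold the PSK and the PPP password in clear text, are readable by group or others, waits for the ppp interface instead of assuming ppp0, and tears the tunnel down again if L2TP never comes up. It assumes the file paths and connection name used above; CONN and INSIDE_NET are placeholders to replace, like the gist's yyy/zzz values.

```shell
#!/bin/sh
# Added example for the gist's strongswan + xl2tpd setup; not original code.
# CONN and INSIDE_NET are placeholders (assumed values), override via env.
set -u

CONN="${CONN:-my-unique-vpn-conn-name}"
INSIDE_NET="${INSIDE_NET:-zzz.zzz.zzz.zzz/zzz}"
CONTROL=/var/run/xl2tpd/l2tp-control

# Returns 0 when an octal mode string (e.g. 600) has no group/other bits set.
mode_is_private() {
  case "$1" in
    *00) return 0 ;;     # 600, 400, 700: owner-only access
    *)   return 1 ;;
  esac
}

# Returns 0 when FILE exists and is readable by its owner only.
secret_file_ok() {
  [ -f "$1" ] || return 1
  mode_is_private "$(stat -c '%a' "$1")"
}

# Extracts the first pppN interface name from `ip link` output, if any.
ppp_iface_from() {
  printf '%s\n' "$1" | sed -n 's/^[0-9]*: \(ppp[0-9]*\):.*/\1/p' | head -n 1
}

# Bring up IPsec, start L2TP, wait for the ppp device, then add the route.
connect_vpn() {
  for f in /etc/ipsec.secrets /etc/ppp/options.l2tpd.client; do
    secret_file_ok "$f" || { echo "refusing: $f must be mode 600" >&2; return 1; }
  done
  ipsec up "$CONN" || return 1
  echo "c $CONN" > "$CONTROL" || { ipsec down "$CONN"; return 1; }
  i=0; dev=""
  while [ "$i" -lt 30 ]; do           # give pppd up to 30 s to negotiate
    dev=$(ppp_iface_from "$(ip link)")
    [ -n "$dev" ] && break
    i=$((i + 1)); sleep 1
  done
  if [ -z "$dev" ]; then               # L2TP/PPP never came up: clean up
    echo "d $CONN" > "$CONTROL"; ipsec down "$CONN"; return 1
  fi
  ip route add "$INSIDE_NET" dev "$dev"
}

if [ "${1:-}" = "up" ]; then connect_vpn; fi   # run as root: sh vpn.sh up
```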

Disconnect

$ su
# echo "d my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
# exit
$ sudo ipsec down my-unique-vpn-conn-name
closing CHILD_SA my-unique-vpn-conn-name...
...
IKE_SA [...] closed successfully
