OpenWrt Forum Archive

Topic: L2TP/IPSec client

The content of this topic was archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've tried to find some tutorials, but most of them are about setting up an OpenWRT server, not a client.
So, I just tried to install openswan and xl2tpd and copy a good configuration from a Linux PC.

Connection goes fine, pppd connects and gets IP address:

Apr 21 10:52:00 OpenWrt daemon.notice pppd[6566]: CHAP authentication succeeded
Apr 21 10:52:00 OpenWrt daemon.notice pppd[6566]: local  IP address 192.168.3.65
Apr 21 10:52:00 OpenWrt daemon.notice pppd[6566]: remote IP address 192.168.3.1

But the connection does not work. I can't ping the remote side (192.168.3.1) and the remote side can't ping me. I can't understand where the problem is.

Firewall settings look fine to me:

config zone
        option name 'L2TP'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'L2TP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option dest 'lan'
        option src 'L2TP'

config forwarding
        option dest 'L2TP'
        option src 'lan'

ipsec.conf:

version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.3.0/24
        oe=off
        protostack=netkey


conn L2TP-PSK-CLIENT
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport

        auto=up
        dpddelay=20
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=8h
        keylife=1h

        left=%eth0.3
        leftprotoport=17/1701
        right=x.x.x.x
        rightid=192.168.3.1
        rightprotoport=17/1701

xl2tpd.conf:

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no

[lac L2TPserver]
lns = x.x.x.x
refuse pap = yes
require authentication = yes
name = nap
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-chap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
lock
#proxyarp
connect-delay 5000
noipdefault
ifname L2TP

Interface statistics look strange; it looks like the system doesn't send packets to that interface at all:

L2TP     Link encap:Point-to-Point Protocol
          inet addr:192.168.3.65  P-t-P:192.168.3.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:61 (61.0 B)  TX bytes:40 (40.0 B)

(Last edited by nap on 22 Apr 2013, 08:37)

I've seen this thread and it's not about l2tp/ipsec client, it's about l2tp/ipsec server.

(Last edited by nap on 21 Apr 2013, 15:43)

My configuration works now. VPN network traffic (192.168.3.x in my case) was routed via the uplink, even when I had a static rule for routing 192.168.3.0/24 to the correct ppp interface.
I had to set metric>0 for the WAN VPN and everything works fine now.

Now I have the following script. It sets metrics and adds a masquerade rule between the local network and the VPN network.

#!/bin/sh
# Runs under busybox ash on OpenWrt: "=" is used inside [ ] instead of the bash-only "==".

# Uplink 1: add a default route with metric 1 if there is none yet

if [ "$(/sbin/route -n | grep ^0.0.0.0 | grep pppoe-Uplink1)" = "" ]; then
        echo "Setting metric=1 for pppoe-Uplink1"
        /sbin/route add default metric 1 pppoe-Uplink1
fi

# Uplink 2: same check with metric 2
# (the check and the route must name the same interface; the original checked
#  pptp-Uplink2 but added the route on pptp-Contact, so it was re-added on every run)

if [ "$(/sbin/route -n | grep ^0.0.0.0 | grep pptp-Uplink2)" = "" ]; then
        echo "Setting metric=2 for pptp-Uplink2."
        /sbin/route add default metric 2 pptp-Uplink2
fi

# L2TP/IPSec VPN

if [ "$(/sbin/ifconfig | grep L2TP)" = "" ]; then
        # No ppp interface yet: restart IPsec and ask xl2tpd to connect the "L2TPserver" lac
        echo "L2TP is down. Trying to wake."
        /etc/init.d/ipsec restart
        sleep 1
        echo "c L2TPserver" > /var/run/xl2tpd/l2tp-control
else
        # Route the VPN subnet over the ppp interface
        if [ "$(/sbin/route -n | grep 192.168.3.0)" = "" ]; then
                echo "Adding route to L2TP. "
                /sbin/route add -net 192.168.3.0/24 dev L2TP
        fi
        # Lowest-priority default route (metric 3) via the VPN gateway
        if [ "$(/sbin/route -n | grep 192.168.3.22 | grep UG | grep L2TP)" = "" ]; then
                echo "Setting metric=3 for L2TP."
                /sbin/route add default gw 192.168.3.22 metric 3 dev L2TP
        fi
        # Masquerade LAN -> VPN so the remote side only sees the tunnel address
        if [ "$(/usr/sbin/iptables -t nat -L | /bin/grep MASQ | /bin/grep 192.168.3.0/24)" = "" ]; then
                echo "Adding masquerading for L2TP."
                /usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.3.0/24 -j MASQUERADE
        fi
fi

Any ideas about how to do those things the OpenWRT way? As far as I can see, the Metric parameter set in /etc/config/network or via LuCI is ignored for PPP interfaces, and the Masquerading checkbox doesn't seem to work for a firewall zone assigned to an interface with protocol type set to unmanaged.

(Last edited by nap on 22 Apr 2013, 08:42)
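An added example, not from the thread: the routes and masquerade rule that the script above installs by hand, written as OpenWrt UCI config for /etc/config/network and /etc/config/firewall. It assumes the L2TP interface is the unmanaged (proto 'none') interface the post describes and reuses the script's interface name, gateway 192.168.3.22 and subnets; whether netifd honours the metric and the zone masq on such an interface is exactly what the post reports as not working on that build, so verify with `route -n` and `iptables -t nat -L` after `/etc/init.d/network reload`.

```uci
# /etc/config/network  (added example; names and addresses taken from the script above)
config interface 'L2TP'
        option proto 'none'          # "unmanaged": the ppp device is created by xl2tpd/pppd (ifname L2TP)
        option ifname 'L2TP'         # 'option device' on current OpenWrt releases

# replaces: route add -net 192.168.3.0/24 L2TP
config route
        option interface 'L2TP'
        option target '192.168.3.0'
        option netmask '255.255.255.0'

# replaces: route add default gw 192.168.3.22 metric 3 L2TP
config route
        option interface 'L2TP'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.3.22'
        option metric '3'

# /etc/config/firewall
# replaces: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.3.0/24 -j MASQUERADE
# masq_src / masq_dest narrow the zone's masquerading to LAN -> VPN traffic only
config zone
        option name 'L2TP'
        option network 'L2TP'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list masq_src '192.168.1.0/24'
        list masq_dest '192.168.3.0/24'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'L2TP'
```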

Is it possible to configure this via LuCI nowadays? I have a hardware-accelerated L2TP/IPsec server and I would like the OpenWrt box to be a client (and share this connection over a WLAN access point).
