You can try the official Meraki Configuring Client VPN in Linux article for GUI based setup. For terminal based configuration, see below.
Install the following packages:
- strongswan
- xl2tpd
For Arch Linux:
$ sudo pacman -S xl2tpd
Install strongswan from the AUR.
4 configuration files need to be set up:
/etc/ipsec.conf
: This file contains the basic information to establish a secure IPsec tunnel to the VPN server./etc/ipsec.secrets
: This file contains the PSK secret./etc/xl2tpd/xl2tpd.conf
: This file configuresxl2tpd
with the connection name, server IP address./etc/ppp/options.l2tpd.client
: This file configurespppd
.
Use the following config, replacing yyy.yyy.yyy.yyy
with the Meraki node outside address and my-unique-vpn-conn-name
with a connection name of your choice.
$ sudo vim /etc/ipsec.conf
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn my-unique-vpn-conn-name
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
# set this to the outside IP address of your Meraki VPN node
right=yyy.yyy.yyy.yyy
$ sudo vim /etc/ipsec.secrets
: PSK "IPsec PSK secret goes here including quotation marks."
Use the following config, replacing yyy.yyy.yyy.yyy
with the Meraki node outside address and my-unique-vpn-conn-name
with a connection name of your choice.
$ sudo vim /etc/xl2tpd/xl2tpd.conf
[lac my-unique-vpn-conn-name]
# set this to the outside IP address of your Meraki VPN node
lns = yyy.yyy.yyy.yyy
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
Use the following config, replacing meraki-username
and meraki-password
with your client VPN username and password.
$ sudo vim /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name meraki-username
password meraki-password
$ sudo systemctl restart strongswan
$ sudo systemctl restart xl2tpd
Start the IPsec connection:
$ sudo ipsec up my-unique-vpn-conn-name
initiating Main Mode IKE_SA my-unique-vpn-conn-name[1] to yyy.yyy.yyyy.yyy
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyyy.yyy[500] (212 bytes)
received packet: from yyy.yyy.yyyy.yyy[500] to xxx.xxx.xxx.xxx[500] (156 bytes)
...
connection 'my-unique-vpn-conn-name' established successfully
Start the L2TP connection:
$ su
# echo "c my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
Check the tunnel has been created as an interface:
$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp
Add a route to the VPN inside network through the ppp tunnel.
$ ip route add zzz.zzz.zzz.zzz/zzz dev ppp0
You should now have access to the Meraki node inside LAN.
$ su
# echo "d my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
# exit
$ sudo ipsec down my-unique-vpn-conn-name
closing CHILD_SA my-unique-vpn-conn-name...
...
IKE_SA [...] closed successfully
- meraki_strongswan_notes by @psanford.
- Openswan L2TP/IPsec VPN client setup on the Arch Linux Wiki.
Instead of having to
su
to connect you can use:echo "c my-unique-vpn-conn-name" | sudo tee /var/run/xl2tpd/l2tp-control
This will run the second part as sudo and remove one step
credit: hwdsl2/setup-ipsec-vpn#48