Skip to content

Instantly share code, notes, and snippets.

@clivetyphon
Created June 15, 2017 09:09
Show Gist options
  • Save clivetyphon/f112145ca9908e5a24df7e01630cbfe6 to your computer and use it in GitHub Desktop.
Save clivetyphon/f112145ca9908e5a24df7e01630cbfe6 to your computer and use it in GitHub Desktop.
Configuring Meraki Client VPN in Linux

Configuring Meraki Client VPN in Linux

You can try the official Meraki Configuring Client VPN in Linux article for GUI based setup. For terminal based configuration, see below.

Install packages

Install the following packages:

  • strongswan
  • xl2tpd

For Arch Linux:

$ sudo pacman -S xl2tpd

Install strongswan from the AUR.

Configure

4 configuration files need to be set up:

  1. /etc/ipsec.conf: This file contains the basic information to establish a secure IPsec tunnel to the VPN server.
  2. /etc/ipsec.secrets: This file contains the PSK secret.
  3. /etc/xl2tpd/xl2tpd.conf: This file configures xl2tpd with the connection name, server IP address.
  4. /etc/ppp/options.l2tpd.client: This file configures pppd.

ipsec.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address and my-unique-vpn-conn-name with a connection name of your choice.

$ sudo vim /etc/ipsec.conf

conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       keyexchange=ikev1
       authby=secret
       ike=aes128-sha1-modp1024,3des-sha1-modp1024!
       esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn my-unique-vpn-conn-name
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the outside IP address of your Meraki VPN node
    right=yyy.yyy.yyy.yyy

ipsec.secrets

 $ sudo vim /etc/ipsec.secrets

: PSK "IPsec PSK secret goes here including quotation marks."

xl2tpd.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address and my-unique-vpn-conn-name with a connection name of your choice.

$ sudo vim /etc/xl2tpd/xl2tpd.conf

[lac my-unique-vpn-conn-name]
# set this to the outside IP address of your Meraki VPN node
lns = yyy.yyy.yyy.yyy
ppp debug = yes 
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

Use the following config, replacing meraki-username and meraki-password with your client VPN username and password.

$ sudo vim /etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name meraki-username
password meraki-password

Restart services

$ sudo systemctl restart strongswan
$ sudo systemctl restart xl2tpd

Connect

Start the IPsec connection:

$ sudo ipsec up my-unique-vpn-conn-name
initiating Main Mode IKE_SA my-unique-vpn-conn-name[1] to yyy.yyy.yyyy.yyy
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyyy.yyy[500] (212 bytes)
received packet: from yyy.yyy.yyyy.yyy[500] to xxx.xxx.xxx.xxx[500] (156 bytes)
...
connection 'my-unique-vpn-conn-name' established successfully

Start the L2TP connection:

$ su
# echo "c my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control

Add routes

Check the tunnel has been created as an interface:

$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp

Add a route to the VPN inside network through the ppp tunnel.

$ ip route add zzz.zzz.zzz.zzz/zzz dev ppp0

You should now have access to the Meraki node inside LAN.

Disconnect

$ su
# echo "d my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
# exit
$ sudo ipsec down my-unique-vpn-conn-name
closing CHILD_SA my-unique-vpn-conn-name...
...
IKE_SA [...] closed successfully

References

@PatricioToledoCDS
Copy link

This doesn't return any output, What can I do?
$ sudo ipsec up my-unique-vpn-conn-name

@acro5piano
Copy link

Don't forget to run the following commands after you modify your configuration (along with service restarts):

sudo ipsec update
sudo ipsec reload 
sudo ipsec restart

@acro5piano
Copy link

For my case I should use the following protocol:

$ sudo vim /etc/ipsec.conf

# ...

  ike=3des-sha1-modp1024!
  esp=3des-sha1!

@acro5piano
Copy link

acro5piano commented Feb 4, 2023

If you use strongSwan version 5.9.8 or above, edit /etc/strongswan.d/charon.conf and specify them in the config file, by commenting out:

charon {
  # ...
  port = 0
  port_nat_t = 0
  # ...
}

I don’t know why but the random port enables Strongswan to connect to the VPN server.

Ref: strongswan/strongswan#1390 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment