L2TP VPN client on Linux Debian

l2tpclient.sh

# Requirements
# debian/ubuntu

apt-get -y update && apt-get -y upgrade
apt-get -y install strongswan xl2tpd libstrongswan-standard-plugins libstrongswan-extra-plugins

VPN_SERVER_IP=''
VPN_IPSEC_PSK='y'
VPN_USER=''
VPN_PASSWORD=''

cat > /etc/ipsec.conf <<EOF
config setup
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret

conn VPN1
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac VPN1]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client

service strongswan restart
service xl2tpd restart

cat > /usr/local/bin/start-vpn <<EOF
#!/bin/bash

(service strongswan start ;
sleep 2 ;
service xl2tpd start) && (

ipsec up VPN1
echo "c VPN1" > /var/run/xl2tpd/l2tp-control
sleep 5
#ip route add 10.0.0.0/24 dev ppp0
)
EOF
chmod +x /usr/local/bin/start-vpn

cat > /usr/local/bin/stop-vpn <<EOF
#!/bin/bash

(echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn) && (
service xl2tpd stop ;
service strongswan stop)
EOF
chmod +x /usr/local/bin/stop-vpn

echo "To start VPN type: start-vpn"
echo "To stop VPN type: stop-vpn"

There is a type in the stop-vpn command, it says stringswan (pun intended?) but should of course be strongswan

Thank for you sharing, but when running your script, I getting an error "strongswan: unrecognized service". Can you help me resolve it?

Thanks for the script!
For me it almost worked, I was just missing the IPSec proposal because my VPN server required it and I guess defaults didn't suit it. The error I was getting on the VPN server when I tried to connect was

no suitable proposal found

In order to fix it I have added the proposal as 2 options in ipsec.conf:

/etc/ipsec.conf

ike=aes128-sha1-modp2048
esp=aes128-sha1

and the problem was gone!

NB! And yes, as @amfasis said, there is a typo in instructions

service stringswan stop

which must be fixed.

Thanks @dimir. I fixed the typo.

Thanks!

ipsec down myvpn -- No
ipsec down VPN1 -- Yes

Hi, Greetings thanks, I was searching for a clean simple tool but I can't find it, this helps me a lot:

I need to add the following to lines (after line 20) to make it work with Mikrotik:

ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!

I find this on this page:

https://dev-qa.com/153425/how-to-connect-l2tp-ipsec-client-on-linux-to-mikrotik

I'v a https://...:4433 server how can i config this to work?

This script works great, and the microtik fixes were good but now you have to replace service strongswan start with service strongswap-starter start and the same for service strongswan-starter stop.

Thanks for the script!

After adding the fixes for Mikrotik suggested by agenovez and updated the start and stop script to use systemctl it works great!

New start script:

#!/bin/bash
(
  systemctl start strongswan-starter.service
  sleep 2
  systemctl start xl2tpd.service
) && (
  ipsec up VPN1
  echo "c VPN1" > /var/run/xl2tpd/l2tp-control
  sleep 5
  #ip route add 10.0.0.0/24 dev ppp0
)

New stop script:

#!/bin/bash
(
  echo "d VPN1" > /var/run/xl2tpd/l2tp-control
  ipsec down VPN1
) && (
  systemctl stop xl2tpd.service
  systemctl stop strongswan-starter.service
)

Thank you a ton for this gist.

I had to tweak it a bit to get it to work with my setup (Ubuntu client & Ubiquiti UDM server)
I've posted the gist here:
https://gist.github.com/btc100k/8a075e2855298aa359d14b1688aa2f04

The big diffs (IIRC) were in the pppoptfile, and in creating/removing the route when starting/stopping vpn.