As an alternative to PPTP, L2TP/IPsec provides more security for making a VPN connection to the CUHK network. There is already a guide on the ITSC webpage showing how to set up the connection on Windows XP. This page describes my configuration for setting up the connection on a Gentoo box.
First, you need to enable the following kernel options.
Next, you need two packages, ipsec-tools and l2tpd, installed on your system. On Gentoo both are already in Portage, so it is easy to install them with the 'emerge' command.
The following are my configuration files for IPsec and L2TP.
# cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    generate_policy on;
    proposal_check obey;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
sainfo anonymous {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
# cat /etc/racoon/psk.txt
10.0.255.248 ipsec-vpn
10.0.255.249 ipsec-vpn
10.0.255.250 ipsec-vpn
10.0.255.251 ipsec-vpn
10.0.255.252 ipsec-vpn
10.0.255.253 ipsec-vpn
10.0.255.254 ipsec-vpn
# cat /etc/ipsec.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.219.121/18[1701] 0.0.0.0/0[0] any -P out ipsec esp/transport//require;
# cat /etc/l2tpd/l2tpd.conf
[global]
port = 1701
auth file = /etc/l2tpd/l2tp-secrets
[lac connect]
lns = ipsec-vpn.resnet.cuhk.edu.hk
redial = yes
require pap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tp
Replace the asterisks in the last line with your username.
# cat /etc/ppp/options.l2tp
lock
debug
mtu 1000
nobsdcomp
nodeflate
noaccomp
nopcomp
novj
defaultroute
name *******
Fill in your username and password in the following two files. In the 'them' column, enter the remote address, i.e. ipsec-vpn.resnet.cuhk.edu.hk for CUHK ResNet.
# cat /etc/l2tpd/l2tp-secrets
# Secrets for authenticating l2tp tunnels
# us them secret

# cat /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client server secret
Now you can fire up the processes to make the connection.
/etc/init.d/racoon start
/etc/init.d/l2tpd start
echo "c connect" > /var/run/l2tp-control
At this stage, you should have the connection up. You can modify the init script for l2tpd to include the last 'echo' line and add the two services to the default run level. This way, the connection comes up automatically after a reboot.
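The racoon.conf above negotiates DES and 3DES, HMAC-MD5 and DH group 1, which are weak by current standards. The following shell script is an added example, not the page's own code: it audits a racoon.conf for such settings (its list of weak algorithms and suggested replacements is the script's own assumption) and, run against the proposal sections of the page's configuration, reports four findings.

```shell
# Audit a racoon.conf for IKE/IPsec algorithms that are weak by current
# standards. Added example, not the page's code; the weak list is an assumption.

# Print one "directive value: advice" line per weak setting in file $1.
racoon_weak_settings() {
    # Drop comments and put each directive on its own line, so that in awk
    # $1 is the directive name and $2 its value.
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' | awk '
        $1 == "encryption_algorithm" && ($2 == "des" || $2 == "3des") {
            print $1 " " $2 ": DES/3DES is deprecated, use aes" }
        $1 == "hash_algorithm" && $2 == "md5" {
            print $1 " " $2 ": MD5 is broken, use sha256" }
        $1 == "authentication_algorithm" && $2 == "hmac_md5" {
            print $1 " " $2 ": HMAC-MD5 is deprecated, use hmac_sha256" }
        $1 == "dh_group" && ($2 == "1" || $2 == "2" || $2 == "modp768" || $2 == "modp1024") {
            print $1 " " $2 ": group too small, use 14 (modp2048) or larger" }
    '
}

# Number of weak settings found; 0 means the file passed the audit.
count_racoon_weak_settings() {
    racoon_weak_settings "$1" | wc -l | tr -d ' '
}

# Write the proposal parts of the racoon.conf shown above to $1, so the audit
# can run offline against the page's own configuration.
write_page_racoon_conf() {
    cat > "$1" <<'EOF'
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
EOF
}

sample=$(mktemp)
write_page_racoon_conf "$sample"
racoon_weak_settings "$sample"
rm -f "$sample"
```

Run it against the real /etc/racoon/racoon.conf instead of the sample to audit a live configuration; a non-zero count means at least one proposal should be replaced before trusting the tunnel.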
Many thanks to Yin Chaoyi, who helped me a lot while setting up the connection.
Update: As stated on the ITSC webpage, PPTP was phased out on 1 Aug 2006. Therefore you now have to use L2TP/IPsec to connect to the CUHK network.
Last updated Nov 30, 2006