Gist `meraki-client-vpn-linux.md`, created by @clivetyphon on Jun 15, 2017.
# Configuring Meraki Client VPN in Linux

You can try the official [Meraki Configuring Client VPN in Linux](https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Client_VPN_in_Linux) article for a GUI-based setup.
For a terminal-based configuration (strongSwan for the IPsec transport, xl2tpd/pppd for the L2TP session on top of it), see below.

## Install packages

Install the following packages:
* strongswan
* xl2tpd

For Arch Linux:
```
$ sudo pacman -S xl2tpd
```
Install [strongswan from the AUR](https://aur.archlinux.org/packages/strongswan/).

## Configure

Four configuration files need to be set up:
1. `/etc/ipsec.conf`: the basic information needed to establish the IPsec tunnel to the VPN server (IKEv1 main mode with a pre-shared key, transport mode protecting L2TP on UDP port 1701).
2. `/etc/ipsec.secrets`: the pre-shared key (PSK).
3. `/etc/xl2tpd/xl2tpd.conf`: configures `xl2tpd` with the connection name and the server IP address.
4. `/etc/ppp/options.l2tpd.client`: configures `pppd`, including the client VPN username and password.

Two of these files hold secrets in the clear (`ipsec.secrets` and `options.l2tpd.client`); keep them root-owned with mode 0600.

### ipsec.conf

Use the following config, replacing `yyy.yyy.yyy.yyy` with the Meraki node outside address and `my-unique-vpn-conn-name` with a connection name of your choice. strongSwan's `ipsec.conf` parser only treats indented lines as parameters of the preceding `conn` section, so keep the indentation shown.

```
$ sudo vim /etc/ipsec.conf
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn my-unique-vpn-conn-name
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the outside IP address of your Meraki VPN node
    right=yyy.yyy.yyy.yyy
```

The trailing `!` makes the `ike` and `esp` lists strict, so only these suites are proposed. 3DES and `modp1024` (DH group 2) are weak by current standards; they are listed because that is what the Meraki client VPN offered when this was written. If `ipsec up` fails with `NO_PROPOSAL_CHOSEN`, compare the proposals in the strongSwan log with what your MX is configured for and keep only the strongest suite it accepts.

### ipsec.secrets

Put the pre-shared key from the Meraki dashboard here. An empty selector before the `:` means the key applies to any peer, and the double quotes around the key are part of the syntax, not part of the secret:

```
$ sudo vim /etc/ipsec.secrets
: PSK "your-meraki-shared-secret"
```

The file contains the shared secret in the clear, so it must be readable by root only (mode 0600).

### xl2tpd.conf

Use the following config, replacing `yyy.yyy.yyy.yyy` with the Meraki node outside address and `my-unique-vpn-conn-name` with a connection name of your choice.

```
$ sudo vim /etc/xl2tpd/xl2tpd.conf
[lac my-unique-vpn-conn-name]
# set this to the outside IP address of your Meraki VPN node
lns = yyy.yyy.yyy.yyy
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
```

### options.l2tpd.client

Use the following config, replacing `meraki-username` and `meraki-password` with your client VPN username and password. The credentials are stored in the clear, so make the file root-only (mode 0600). `require-pap` is what the Meraki client VPN expects; the password only travels inside the IPsec tunnel established above. Note that `defaultroute` will not replace a default route that already exists (pppd logs that it is not replacing the existing default route and leaves it alone), which is why the inside network is routed explicitly in the Add routes step.

```
$ sudo vim /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name meraki-username
password meraki-password
```

## Restart services

```
$ sudo systemctl restart strongswan
$ sudo systemctl restart xl2tpd
```

## Connect

Start the IPsec connection:

```
$ sudo ipsec up my-unique-vpn-conn-name
initiating Main Mode IKE_SA my-unique-vpn-conn-name[1] to yyy.yyy.yyy.yyy
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (212 bytes)
received packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (156 bytes)
...
connection 'my-unique-vpn-conn-name' established successfully
```

Then start the L2TP connection through the `xl2tpd` control pipe. The pipe is root-only and the redirection has to happen as root, which is why `sudo echo ... > ...` does not work here:
```
$ su
# echo "c my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
```

## Add routes

Check that the tunnel has come up as an interface (pppd creates `ppp0` once IPCP completes):
```
$ ip link
...
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3 link/ppp
```

Add a route to the VPN inside network through the ppp tunnel, replacing `zzz.zzz.zzz.zzz/zzz` with the inside subnet in CIDR form (this needs root):
```
$ sudo ip route add zzz.zzz.zzz.zzz/zzz dev ppp0
```

You should now have access to the Meraki node inside LAN. Only the subnets routed this way go through the tunnel; all other traffic keeps using the normal default route.

## Disconnect
```
$ su
# echo "d my-unique-vpn-conn-name" > /var/run/xl2tpd/l2tp-control
# exit
$ sudo ipsec down my-unique-vpn-conn-name
closing CHILD_SA my-unique-vpn-conn-name...
...
IKE_SA [...] closed successfully
```
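The Configure, Connect, Add routes and Disconnect steps above, put together as one script. This is an added example and not part of the original gist: `render_configs` writes the four files with the indentation strongSwan needs and with mode 0600 on all of them, `connect_vpn` brings up IPsec then L2TP and waits for `ppp0` before adding the inside route, and `disconnect_vpn` reverses it. The connection name, MX address, PSK, username, password and inside subnet are all placeholders you pass in; the `ROOT` argument exists so the rendering can be staged in a scratch directory instead of the real `/etc`.

```shell
#!/bin/sh
# Added example, not the gist author's code. Renders the four config files
# from parameters (with strongSwan's required indentation and 0600 modes),
# then wraps the connect/disconnect sequence. All values are placeholders.

# render_configs ROOT CONN MX_IP PSK USER PASS
# Writes ROOT/etc/ipsec.conf, ROOT/etc/ipsec.secrets,
# ROOT/etc/xl2tpd/xl2tpd.conf and ROOT/etc/ppp/options.l2tpd.client.
# ROOT="" targets the real /etc (run as root); any other ROOT is a staging dir.
render_configs() {
    root=$1 conn=$2 mx=$3 psk=$4 user=$5 pass=$6
    mkdir -p "$root/etc/xl2tpd" "$root/etc/ppp"
    old_umask=$(umask)
    umask 077   # every file created below is 0600; two of them hold secrets

    # ipsec.conf: parameter lines under a conn MUST be indented, otherwise
    # strongSwan does not attach them to that section.
    cat > "$root/etc/ipsec.conf" <<EOF
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn $conn
    left=%defaultroute
    right=$mx
    auto=add
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
EOF

    # ipsec.secrets: empty selector before ':' = any peer; quotes are required
    # (a PSK containing '"' or '\' would need escaping, not handled here).
    printf ': PSK "%s"\n' "$psk" > "$root/etc/ipsec.secrets"

    cat > "$root/etc/xl2tpd/xl2tpd.conf" <<EOF
[lac $conn]
lns = $mx
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

    # options.l2tpd.client: PAP inside the IPsec tunnel. defaultroute is kept as
    # on the page, but pppd will not replace an existing default route, so the
    # inside subnet is routed explicitly by connect_vpn instead.
    cat > "$root/etc/ppp/options.l2tpd.client" <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name $user
password $pass
EOF
    umask "$old_umask"
}

# connect_vpn CONN INSIDE_CIDR: IPsec SA first, then L2TP, then wait for ppp0.
connect_vpn() {
    conn=$1 inside=$2
    ipsec up "$conn" || return 1
    echo "c $conn" > /var/run/xl2tpd/l2tp-control
    tries=0
    while ! ip link show ppp0 >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            echo "ppp0 did not come up; check the pppd/xl2tpd log output" >&2
            return 1
        fi
        sleep 1
    done
    ip route add "$inside" dev ppp0
}

# disconnect_vpn CONN INSIDE_CIDR: reverse order of connect_vpn.
disconnect_vpn() {
    conn=$1 inside=$2
    ip route del "$inside" dev ppp0 2>/dev/null
    echo "d $conn" > /var/run/xl2tpd/l2tp-control
    ipsec down "$conn"
}
```

Source the script as root and run, for example, `render_configs "" my-unique-vpn-conn-name yyy.yyy.yyy.yyy 'the-psk' meraki-username 'meraki-password'`, restart `strongswan` and `xl2tpd` as in Restart services, then `connect_vpn my-unique-vpn-conn-name zzz.zzz.zzz.zzz/zzz`. Passing a staging directory as the first argument lets you inspect the rendered files before touching `/etc`.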

## References

* [meraki_strongswan_notes](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c) by @psanford.
* [Openswan L2TP/IPsec VPN client setup](https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup) on the Arch Linux Wiki.