My L2TP VPN Setup

Hi, this is a summary of my L2TP VPN configuration, posted here for reference, and in the hope that it will be useful. The client is CL, and the server is Windows Server 2019.

Install the following bundles:
networkmanager-extras
cryptography

To prevent pluto from crashing, remove --leak-detective from the pluto options (the ExecStart line) in:
/usr/lib/systemd/system/ipsec.service

Note: There has been a regression in release 33550 which causes pluto to crash due to an NSS ABI incompatibility, so for the moment 33540 is the latest release that works. However, a fix will be available soon (see https://github.com/clearlinux/distribution/issues/2087).
Update: This has now been fixed!

Create an empty /etc/ipsec.conf file and an empty /etc/ipsec.d directory.

Create /etc/ipsec.secrets (mode 600) with the content:
# Libreswan ipsec secrets file

include ipsec.d/ipsec.nm-l2tp.secrets

touch /etc/ppp/resolv.conf

Use nm-connection-editor to create the VPN connection; the resulting keyfile /etc/NetworkManager/system-connections/MyVPN (owned by root, mode 600, since it holds the IPsec PSK in clear and NetworkManager ignores keyfiles with looser permissions) should have the contents:

[connection]
id=MyVPN
uuid=***
type=vpn
autoconnect=false
permissions=

[vpn]
domain=***redacted***
gateway=***redacted***
ipsec-enabled=yes
ipsec-esp=aes256-sha1
ipsec-ike=aes256-sha1;dh20
ipsec-psk=***redacted***
ipsec-remote-id=***redacted***
ipsec-pfs=no
mru=1400
mtu=1400
password-flags=1
require-mppe=yes
user=***redacted***
service-type=org.freedesktop.NetworkManager.l2tp

[ipv4]
dns-search=
method=auto
never-default=true
route1=192.168.0.0/21

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

It is preferable to let NetworkManager manage DNS itself, particularly with never-default=true (which keeps the VPN from becoming the default route, so only traffic for the route1 prefix goes through the tunnel). In that case NetworkManager does not ask systemd-resolved to add the VPN's DNS servers, but we want them to be used.

To achieve this, disable systemd-resolved with systemctl, remove the /etc/resolv.conf symlink and create an empty /etc/resolv.conf in its place.

We also need to stop the /etc/resolv.conf symlink from being recreated by systemd-tmpfiles on reboot:
sudo vim /usr/lib/tmpfiles.d/etc.conf
and comment out the last line, which is the one that creates the /etc/resolv.conf symlink.
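The steps above as one script, added here as an example and not part of the original post. It takes a root prefix $ROOT so the file edits can be rehearsed in a scratch directory before running on the real system; the ExecStart line format and the tmpfiles.d rule it edits are assumed to look like upstream's, so check them on your own system first.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts the file-level steps of
# the setup (pluto service fix, ipsec files, taking /etc/resolv.conf away from
# systemd-resolved) against a root prefix $ROOT. The ExecStart format and the
# tmpfiles.d rule are assumptions; verify them on the real system.
set -eu

ROOT="${ROOT:-}"   # path prefix for every file touched; empty = live filesystem

# Drop --leak-detective from pluto's ExecStart line, keeping the rest intact.
strip_leak_detective() {
    svc="$ROOT/usr/lib/systemd/system/ipsec.service"
    sed -i 's/ --leak-detective//g' "$svc"
    ! grep -q -- '--leak-detective' "$svc"
}

# Empty ipsec.conf and ipsec.d, an ipsec.secrets (mode 600) that only includes
# the secrets file nm-l2tp writes, and an empty /etc/ppp/resolv.conf.
create_ipsec_files() {
    mkdir -p "$ROOT/etc/ipsec.d" "$ROOT/etc/ppp"
    : > "$ROOT/etc/ipsec.conf"
    ( umask 077
      printf '%s\n\n%s\n' '# Libreswan ipsec secrets file' \
          'include ipsec.d/ipsec.nm-l2tp.secrets' > "$ROOT/etc/ipsec.secrets" )
    chmod 600 "$ROOT/etc/ipsec.secrets"
    : > "$ROOT/etc/ppp/resolv.conf"
}

# Hand /etc/resolv.conf to NetworkManager: stop systemd-resolved (live system
# only), replace the symlink with an empty file, and comment out the
# tmpfiles.d rule that would recreate the symlink on the next boot.
take_over_resolv_conf() {
    if [ -z "$ROOT" ]; then
        systemctl disable --now systemd-resolved
    fi
    rm -f "$ROOT/etc/resolv.conf"
    : > "$ROOT/etc/resolv.conf"
    sed -i 's|^\([^#].*/etc/resolv\.conf.*\)$|#\1|' "$ROOT/usr/lib/tmpfiles.d/etc.conf"
}

# Post-check: returns 0 only if every step left the expected state.
verify_setup() {
    [ "$(stat -c %a "$ROOT/etc/ipsec.secrets")" = 600 ] \
        || { echo "ipsec.secrets is not mode 600"; return 1; }
    [ -f "$ROOT/etc/resolv.conf" ] && [ ! -L "$ROOT/etc/resolv.conf" ] \
        || { echo "/etc/resolv.conf is still a symlink or missing"; return 1; }
    ! grep -q -- '--leak-detective' "$ROOT/usr/lib/systemd/system/ipsec.service" \
        || { echo "--leak-detective still present in ipsec.service"; return 1; }
    ! grep -q '^[^#].*/etc/resolv\.conf' "$ROOT/usr/lib/tmpfiles.d/etc.conf" \
        || { echo "tmpfiles.d would still recreate the resolv.conf symlink"; return 1; }
}

# Usage: sudo ./l2tp-setup.sh apply   (or ROOT=/tmp/scratch ./l2tp-setup.sh apply)
if [ "${1:-}" = "apply" ]; then
    strip_leak_detective
    create_ipsec_files
    take_over_resolv_conf
    verify_setup && echo "done; now create the connection with nm-connection-editor"
fi
```

Run it with ROOT pointing at a scratch copy of the three system files first; verify_setup is the same check you would run by hand after a reboot.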

Further notes:
The ipsec-ike (Phase 1) and ipsec-esp (Phase 2) settings shown here work with a default Windows Server VPN. One can use ike-scan to find out which transforms the server accepts, or else the IT staff should be able to advise on the best choice for these settings. Please DO NOT use 3DES, even though the default Windows configuration offers it.

ipsec-remote-id must match the ID the VPN server presents, which (due to NAT, as detected by NAT-D) might not be the same as the IP of the VPN server. Libreswan (used by CL) will refuse to connect if these don’t match, but helpfully reports the mismatch in the journalctl output.

I was unable to get PFS to work with Windows Server, so it is disabled in the above config. It’s still quite secure (AES256). It seems more testing is needed for PFS. I’m not even sure if it actually works properly in Windows, even though it is “supported”. By default Windows clients do not use PFS; one has to configure a group policy setting.
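A small audit for the keyfile, covering the cipher note (no 3DES), the PFS note and the file permissions the PSK depends on. This is an added example, not code from the original post or from NetworkManager; the sample keyfiles in the usage are constructed, and the only input is the path of the keyfile.

```shell
#!/bin/sh
# Added example, not part of the original post: audits an nm-l2tp keyfile for
# 3DES in the IKE/ESP proposals, disabled PFS, and permissions loose enough to
# expose ipsec-psk. Input: path of the keyfile.
set -eu

# Value of key=... in the keyfile (first match), empty if absent.
kv() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Prints FAIL/WARN findings; returns 1 on any FAIL, 0 otherwise.
audit_l2tp_keyfile() {
    f="$1"; rc=0
    for key in ipsec-ike ipsec-esp; do
        v="$(kv "$f" "$key")"
        case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
            '')     echo "WARN $key unset: no explicit proposal, defaults apply" ;;
            *3des*) echo "FAIL $key proposes 3DES: $v"; rc=1 ;;
        esac
    done
    # With PFS off there is no fresh DH exchange for Phase 2; the post disables
    # it only because it would not negotiate with Windows Server.
    if [ "$(kv "$f" ipsec-pfs)" = "no" ]; then
        echo "WARN ipsec-pfs=no: Phase 2 does no fresh DH exchange"
    fi
    # The keyfile carries ipsec-psk in clear, and NetworkManager itself ignores
    # keyfiles that other users can read, so group/other bits must be zero.
    mode="$(stat -c %a "$f")"
    case "$mode" in
        *00) ;;
        *)   echo "FAIL $f is mode $mode, must be 600"; rc=1 ;;
    esac
    return $rc
}

# Usage: sudo ./audit-l2tp.sh /etc/NetworkManager/system-connections/MyVPN
if [ -n "${1:-}" ]; then
    audit_l2tp_keyfile "$1"
fi
```

Against the keyfile shown above the audit passes with a single WARN for ipsec-pfs=no; a proposal containing 3des or a file readable by other users makes it return 1.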

require-mppe might be unnecessary.
