L3ECH's cable internet connection guide for Israeli Linux users
Part 2: L2TP VPN


Reverse Colors

Mission: Connect a Linux box to the internet via an L2TP VPN dialer!

There won't be any bullshit on this page. It is aimed at the VERY ADVANCED user.
This part of the manual deals with L2TP VPN dialers and is mostly based on the 1st part of the manual (PPTP VPN dialer).

Even though it really should work on most systems, there are NO GUARANTIES whatsoever that this will work with any other configuration (and even with a similar one)!

What I got it working with:
  • Debian GNU/Linux (unstable)
  • Aruzey Zahav cables
  • Barak 013 Internet Service Provider (L2TP)


    What you need is a cable modem, that is correctly set up and is able to get an ip address from dhcp (If your modem is connected to USB, you might find some useful info in Jess Portnoy's "Connecting a cable modem using USB interface under Linux" guide.),

    the following software packages*:
  • ifupdown
  • netbase
  • net-tools
  • netkit-ping
  • ppp (version 2.4.1 or better)
  • dhcp-client
  • gcc
  • binutils
  • libc6-dev
    (*package names on a Debian GNU/Linux system. If you're running another system... that's too bad :))

    And the rp-l2tp software package, which is a user-space L2TP implementation for Linux/Unix. Download it at http://sourceforge.net/projects/rp-l2tp/.

    rp-l2tp client installation:
    1. Download, unzip, untar and whatever.
    2. ./configure && make && make install
    3. Your kernel must have the following modules loaded or compiled in for the program to work:
           ppp_generic (kernel config --> Network device support --> PPP (point-to-point protocol) support)
           ppp_synctty (kernel config --> Network device support --> PPP support for sync tty ports)
           slhc (kernel config --> Network device support --> SLIP (serial line) support --> CSLIP compressed headers)
           n_hdlc (kernel config --> Character devices --> Non-standard serial port support --> HDLC line discipline support)


    Files needed to be edited/created:
  • /usr/bin/fixroute - little script to fix default route (needs to be created and made executable!)
  • /etc/l2tp/l2tp.conf - l2tp client configuration file
  • /etc/init.d/rp-l2tpd - l2tp client startup/shutdown file (needs to be created and made executable!)
  • /usr/bin/check_vpn - checks if connection is alive and reconnects if not (needs to be created and made executable!)
  • /etc/ppp/pap-secrets - file containing username and password for your ISP
  • /etc/cron.d/vpn - cron job file that checks if connection is alive (needs to be created)

    Note 1: Be root.
    Note 2: Make sure you read each file, and adjust things that need to be adjusted (like usernames, passwords and isp vpn addresses).

    /usr/bin/fixroute 
    #! /bin/sh
#
#    If our default route goes to some crappy 172.x.x.x
#    address, remove default gateway and enter a route
#    to our L2TP server over the same gateway address.
#    Replace "62.90.5.150" with your L2TP VPN address.
#    List of VPNs of all Israely ISPs is available at
#        http://www.cables.org.il/cable-vpn/vpn.html
#

L2TPGW=62.90.5.150

SEDEXPR='^0\.0\.0\.0 \+\(172\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*'
gw=`/sbin/route -n | sed -ne "s/$SEDEXPR$interface"'.*$/\1/p'`
if [ "$gw" != "" ]
then
        echo "Replacing shitty route..."
        route del default gw $gw
        route add -host $L2TPGW gw $gw
fi

    /etc/l2tp/l2tp.conf 
    # Global section
global

# Load handlers
load-handler "sync-pppd.so"
load-handler "cmd.so"

# Bind address
listen-port 1701

# Configure the sync-pppd handler. This actually sets the ppp options for your dialer.
# Replace YOURUSERNAME with your actual username that you use to connect to your ISP.
# YOURUSERNAME might need an ISP suffix. If you're not sure you need one - call your tech support.
# You can add more options in "lac-pppd-opts", but everything should work just fine with just these.
section sync-pppd
lac-pppd-opts "user YOURUSERNAME  noipdefault  usepeerdns  noauth  lcp-echo-interval 20  lcp-echo-failure 10"

# Peer section
#    Replace "62.90.5.150" with your L2TP VPN address.
#    List of VPNs of all Israely ISPs is available at
#        http://www.cables.org.il/cable-vpn/vpn.html
section peer
peer 62.90.5.150
port 1701
lac-handler sync-pppd
hide-avps no

# Configure the cmd handler.  You MUST have a "section cmd" line
# even if you don't set any options.
section cmd

    /etc/init.d/rp-l2tpd 
    #! /bin/sh
#    Init file. MAKE SURE you don't forget to replace all occurances
#    of "62.90.5.150" in this file with your L2TP VPN address.
#    List of VPNs of all Israely ISPs is available at
#        http://www.cables.org.il/cable-vpn/vpn.html

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/l2tpd
NAME=l2tpd
DESC="RP l2tpd"
CONTROL=/usr/local/sbin/l2tp-control

test -x $DAEMON || exit 0

set -e

case "$1" in
  start)
        echo -n "Starting $DESC: $NAME "
		touch /var/run/vpn_run
        fixroute
        start-stop-daemon --start --quiet --exec $DAEMON
        sleep 1
        $CONTROL "start-session 62.90.5.150"
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME "
		rm /var/run/vpn_run
        $CONTROL exit
        echo "."
        ;;
  restart|force-reload)
        echo -n "Restarting $DESC: $NAME"
        $CONTROL exit
        sleep 1
        fixroute
        start-stop-daemon --start --quiet --exec $DAEMON
        sleep 1
        $CONTROL "start-session 62.90.5.150"
        echo "."
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

    /usr/bin/check_vpn 
    #!/bin/bash

# check if we're supposed to run, if not - exit
[ -e /var/run/vpn_run ] || exit 1

check=`cat /proc/net/dev | grep ppp | wc -l | awk '{ print $1 }'`
if [ "$check" == "0" ]
then
	echo "VPN is dead! Trying to reconnect..."

	# Try to terminate l2tpd, the easy way first:
	/etc/init.d/rp-l2tpd stop
	# To make sure they're dead, kill them.
	killall -9 pppd
	killall -9 l2tpd
	# Make sure we don't have any stale pids of pppd lying around
	rm /var/run/ppp?.pid

	# Wait 3 seconds
	sleep 3

	# Restart network adapter in order to make sure we have current dhcp settings on our eth
	# replace eth1 here with the eth adapter you have your cable modem connected to
	/sbin/ifdown eth1
	sleep 1
	/sbin/ifup eth1
	sleep 2

	# Start the connection again
	/etc/init.d/rp-l2tpd start
fi

    /etc/ppp/pap-secrets 
    # Syntax: username[@Suffix] * password
# Suffixes may vary with different ISPs. For some ISPs (Like Barak 013) - no Suffix is needed.
# If you're not sure, call your tech support for info about that.

username * password

    /etc/cron.d/vpn 
    # Executes the internet connection check every minute
# If you want it to be executed every 5 minutes for example, change the first "*" to "*/5"

* * * * * (/usr/bin/check_vpn)

    If you don't want your main syslog messages to be full of crontab calls for the check script and pppd LCP EchoReq/EchoRep messages, edit your syslog config file (usually /etc/syslog.conf)
    Modify the line of the main log (the one that starts with "*.*" and ends with "/var/log/syslog") to be something like:
    *.*;cron,local2,auth,authpriv.none     /var/log/syslog
    Then add the following lines below, to redirect the annoying messages to where they belong:
    cron.*      /var/log/cron.log
    local2.*    /var/log/daemon.log

    Make sure you use TABs and NOT spaces in the syslog config file! (apparently, it doesn't like spaces)

    Now you probably need to restart your cron daemon: killall -HUP crontab
    And your syslog daemon: killall -HUP syslogd

    That's pretty much it. Last thing you probably want to do is make your connection start automatically when you boot up your computer. Do that by running:
    update-rc.d rp-l2tpd defaults

    If you want to disconnect, run /etc/init.d/rp-l2tpd stop
    This guide is inspired by "Cable Modem Mini-Howto for Israeli Linux Users" by Amit Margalit.
    And here's a very detailed faithfull follower, Eyal Rozenberg's guide.
    Some parts in this manual were ripped from "Wanadoo EuroDocsis Cable en Debian HOWTO".


    For comments, suggestions, corrections, hate-mail, etc. - feel free to email me.

    See also:
        My cable internet connection guide for Israeli Linux users (Part 1: PPTP VPN)
        My Routing Guide
    Hits on this page: 0

    (C) L3ECH, 2004