L3ECH's cable internet connection guide for Israeli Linux users
Part 2: L2TP VPN



Mission: Connect a Linux box to the internet via an L2TP VPN dialer!

There won't be any bullshit on this page. It is aimed at the VERY ADVANCED user.
This part of the manual deals with L2TP VPN dialers and is mostly based on the 1st part of the manual (PPTP VPN dialer).

Even though it really should work on most systems, there are NO GUARANTEES whatsoever that this will work with any other configuration (even a similar one)!

What I got it working with:
  • Debian GNU/Linux (unstable)
  • Aruzey Zahav cables
  • Barak 013 Internet Service Provider (L2TP)


    What you need is a cable modem that is correctly set up and able to get an IP address via DHCP (if your modem is connected over USB, you might find some useful info in Jess Portnoy's "Connecting a cable modem using USB interface under Linux" guide), and the following software packages*:
  • ifupdown
  • netbase
  • net-tools
  • netkit-ping
  • ppp (version 2.4.1 or better)
  • dhcp-client
  • gcc
  • binutils
  • libc6-dev
    (*package names on a Debian GNU/Linux system. If you're running another system... that's too bad :))

    And the rp-l2tp software package, which is a user-space L2TP implementation for Linux/Unix. Download it at http://sourceforge.net/projects/rp-l2tp/.

    rp-l2tp client installation:
    1. Download, unzip, untar and whatever.
    2. ./configure && make && make install
    3. Your kernel must have the following modules loaded or compiled in for the program to work:
           ppp_generic (kernel config --> Network device support --> PPP (point-to-point protocol) support)
           ppp_synctty (kernel config --> Network device support --> PPP support for sync tty ports)
           slhc (kernel config --> Network device support --> SLIP (serial line) support --> CSLIP compressed headers)
           n_hdlc (kernel config --> Character devices --> Non-standard serial port support --> HDLC line discipline support)


    Files needed to be edited/created:
  • /usr/bin/fixroute - little script to fix default route (needs to be created and made executable!)
  • /etc/l2tp/l2tp.conf - l2tp client configuration file
  • /etc/init.d/rp-l2tpd - l2tp client startup/shutdown file (needs to be created and made executable!)
  • /usr/bin/check_vpn - checks if connection is alive and reconnects if not (needs to be created and made executable!)
  • /etc/ppp/pap-secrets - file containing username and password for your ISP
  • /etc/cron.d/vpn - cron job file that checks if connection is alive (needs to be created)

    Note 1: Be root.
    Note 2: Make sure you read each file, and adjust things that need to be adjusted (like usernames, passwords and isp vpn addresses).


    /usr/bin/fixroute
    #! /bin/sh
    #
    #    If our default route goes to some crappy 172.x.x.x
    #    address, remove default gateway and enter a route
    #    to our L2TP server over the same gateway address.
    #    Replace "62.90.5.150" with your L2TP VPN address.
    #    List of VPNs of all Israeli ISPs is available at
    #        http://www.cables.org.il/cable-vpn/vpn.html
    #
    
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    L2TPGW=62.90.5.150
    
    # Match the "0.0.0.0  172.x.x.x ..." default-route line of "route -n"
    # and capture the 172.x gateway address.
    SEDEXPR='^0\.0\.0\.0 \+\(172\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*'
    gw=`route -n | sed -ne "s/$SEDEXPR"'$/\1/p'`
    if [ "$gw" != "" ]
    then
            echo "Replacing shitty route..."
            route del default gw $gw
            route add -host $L2TPGW gw $gw
    fi
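    The route surgery above is easy to get wrong on a live box, so here is an added dry-run version of the same logic (example code, not part of the original guide) that reads a snapshot of "route -n" output as text and prints the commands fixroute would run, including the case where no 172.x default route exists and nothing should be touched. The sample routing table and the eth1/172.16.5.1 addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: dry-run of the fixroute logic.
# Takes "route -n" output as text and prints the commands fixroute would run,
# so the parsing can be checked without touching the live routing table.
# Assumes the "route -n" column layout shown in the constructed sample below.

# Constructed sample: cable modem on eth1 handing out a 172.x gateway.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         172.16.5.1      0.0.0.0         UG    0      0        0 eth1'

# fixroute_plan ROUTE_TABLE_TEXT L2TP_SERVER
# Prints the commands needed to pin the L2TP server behind the 172.x modem
# gateway. Returns 1 and prints nothing when the default route is not via
# 172.x (e.g. once the VPN is already up), so nothing is torn down by mistake.
fixroute_plan() {
    table=$1
    server=$2
    # Gateway of the default route, only if it is a 172.x.x.x address.
    gw=$(printf '%s\n' "$table" |
         awk '$1 == "0.0.0.0" && $2 ~ /^172\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; exit }')
    [ -n "$gw" ] || return 1
    printf 'route del default gw %s\n' "$gw"
    # Skip the host route if an earlier run already added it.
    if ! printf '%s\n' "$table" | awk -v h="$server" '$1 == h { f = 1 } END { exit !f }'; then
        printf 'route add -host %s gw %s\n' "$server" "$gw"
    fi
}

# Show the plan for the sample table and the guide's example server address.
fixroute_plan "$SAMPLE_ROUTES" 62.90.5.150 || echo "default route is not via 172.x, nothing to do"
```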


    /etc/l2tp/l2tp.conf
    # Global section
    global
    
    # Load handlers
    load-handler "sync-pppd.so"
    load-handler "cmd.so"
    
    # Bind address
    listen-port 1701
    
    # Configure the sync-pppd handler. This actually sets the ppp options for your dialer.
    # Replace YOURUSERNAME with your actual username that you use to connect to your ISP.
    # YOURUSERNAME might need an ISP suffix. If you're not sure you need one - call your tech support.
    # You can add more options in "lac-pppd-opts", but everything should work just fine with just these.
    section sync-pppd
    lac-pppd-opts "user YOURUSERNAME  noipdefault  usepeerdns  noauth  lcp-echo-interval 20  lcp-echo-failure 10"
    
    # Peer section
    #    Replace "62.90.5.150" with your L2TP VPN address.
    #    List of VPNs of all Israeli ISPs is available at
    #        http://www.cables.org.il/cable-vpn/vpn.html
    section peer
    peer 62.90.5.150
    port 1701
    lac-handler sync-pppd
    hide-avps no
    
    # Configure the cmd handler.  You MUST have a "section cmd" line
    # even if you don't set any options.
    section cmd
    


    /etc/init.d/rp-l2tpd
    #! /bin/sh
    #    Init file. MAKE SURE you don't forget to replace all occurrences
    #    of "62.90.5.150" in this file with your L2TP VPN address.
    #    List of VPNs of all Israeli ISPs is available at
    #        http://www.cables.org.il/cable-vpn/vpn.html
    
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/local/sbin/l2tpd
    NAME=l2tpd
    DESC="RP l2tpd"
    CONTROL=/usr/local/sbin/l2tp-control
    
    test -x $DAEMON || exit 0
    
    set -e
    
    case "$1" in
      start)
            echo -n "Starting $DESC: $NAME "
            # Marker file: check_vpn only reconnects while this exists.
            touch /var/run/vpn_run
            fixroute
            start-stop-daemon --start --quiet --exec $DAEMON
            sleep 1
            $CONTROL "start-session 62.90.5.150"
            echo "."
            ;;
      stop)
            echo -n "Stopping $DESC: $NAME "
            # -f: with "set -e" a missing marker file would otherwise abort
            # the script before l2tpd is told to exit.
            rm -f /var/run/vpn_run
            $CONTROL exit
            echo "."
            ;;
      restart|force-reload)
            echo -n "Restarting $DESC: $NAME"
            $CONTROL exit
            sleep 1
            fixroute
            start-stop-daemon --start --quiet --exec $DAEMON
            sleep 1
            $CONTROL "start-session 62.90.5.150"
            echo "."
            ;;
      *)
            N=/etc/init.d/$NAME
            echo "Usage: $N {start|stop|restart|force-reload}" >&2
            exit 1
            ;;
    esac
    
    exit 0
    


    /usr/bin/check_vpn
    #!/bin/bash
    
    # check if we're supposed to run, if not - exit
    [ -e /var/run/vpn_run ] || exit 1
    
    # Count ppp interfaces known to the kernel; 0 means the VPN link is gone.
    check=$(grep -c ppp /proc/net/dev)
    if [ "$check" == "0" ]
    then
    	echo "VPN is dead! Trying to reconnect..."
    
    	# Try to terminate l2tpd, the easy way first:
    	/etc/init.d/rp-l2tpd stop
    	# To make sure they're dead, kill them.
    	killall -9 pppd
    	killall -9 l2tpd
    	# Make sure we don't have any stale pids of pppd lying around
    	rm -f /var/run/ppp?.pid
    
    	# Wait 3 seconds
    	sleep 3
    
    	# Restart network adapter in order to make sure we have current dhcp settings on our eth
    	# replace eth1 here with the eth adapter you have your cable modem connected to
    	/sbin/ifdown eth1
    	sleep 1
    	/sbin/ifup eth1
    	sleep 2
    
    	# Start the connection again
    	/etc/init.d/rp-l2tpd start
    fi


    /etc/ppp/pap-secrets
    # Syntax: username[@Suffix] * password
    # Suffixes may vary with different ISPs. For some ISPs (Like Barak 013) - no Suffix is needed.
    # If you're not sure, call your tech support for info about that.
    
    username * password


    /etc/cron.d/vpn
    # Executes the internet connection check every minute
    # If you want it to be executed every 5 minutes for example, change the first "*" to "*/5"
    
    * * * * * (/usr/bin/check_vpn)


    If you don't want your main syslog messages to be full of crontab calls for the check script and pppd LCP EchoReq/EchoRep messages, edit your syslog config file (usually /etc/syslog.conf).
    Modify the line of the main log (the one that starts with "*.*" and ends with "/var/log/syslog") to be something like:
    *.*;cron,local2,auth,authpriv.none     /var/log/syslog
    Then add the following lines below, to redirect the annoying messages to where they belong:
    cron.*      /var/log/cron.log
    local2.*    /var/log/daemon.log

    Make sure you use TABs and NOT spaces in the syslog config file! (apparently, it doesn't like spaces)

    Now you probably need to restart your cron daemon: killall -HUP cron
    And your syslog daemon: killall -HUP syslogd

    That's pretty much it. Last thing you probably want to do is make your connection start automatically when you boot up your computer. Do that by running:
    update-rc.d rp-l2tpd defaults

    If you want to disconnect, run /etc/init.d/rp-l2tpd stop
    This guide is inspired by "Cable Modem Mini-Howto for Israeli Linux Users" by Amit Margalit.
    A very detailed guide in the same spirit is Eyal Rozenberg's guide.
    Some parts in this manual were ripped from "Wanadoo EuroDocsis Cable en Debian HOWTO".


    For comments, suggestions, corrections, hate-mail, etc. - feel free to email me.

    See also:
        My cable internet connection guide for Israeli Linux users (Part 1: PPTP VPN)
        My Routing Guide

    (C) L3ECH, 2004