Meraki VPN on Manjaro
These instructions assume Arch or Manjaro Linux.
First Attempt - GUI
My first attempt was using the GUI in Manjaro. Multiple options are listed in the network settings but not all options are actually installed. I have set up OpenVPN connections through the GUI with no issues in the past but networkmanager-l2tp was not installed or available in the default Manjaro/Arch repositories. Without this plugin the GUI would pretend to work and fail silently.
Plugins:
https://wiki.archlinux.org/index.php/NetworkManager#VPN_support
I installed the networkmanager-l2tp plugin and roughly followed the official Meraki VPN instructions for Linux.
It was a no go. Although I believe my settings were correct, NetworkManager was unable to complete the connection.
Setup in GUI take 2
Initially I couldn't get the GUI to work and resorted to the manual configuration in the section below. That stopped working on or around 6/24/2019.
This now works:
You will need the following installed:
yaourt -S networkmanager-l2tp
Additionally, make sure xl2tpd is not running:
sudo systemctl stop xl2tpd
Also, the section Make routes start automatically below looks like it still works.
Manual VPN setup from command line
Sources:
https://seba-smart-services.github.io/smartnet/linux-ipsec-client.html
https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c
https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup
First install xl2tpd and strongswan:
sudo pacman -S xl2tpd strongswan
Now 4 configuration files need to be set up:
- /etc/ipsec.conf: This file contains the basic information to establish a secure IPsec tunnel to the VPN server.
- /etc/ipsec.secrets: This file contains the PSK secret.
- /etc/xl2tpd/xl2tpd.conf: This file configures xl2tpd with the connection name and server IP address.
- /etc/ppp/options.l2tpd.client: This file configures pppd.
ipsec.conf
Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address.
# ipsec.conf - strongSwan IPsec configuration file
# parameter lines must stay indented under their config/conn section

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn meraki-vpn
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the ip address of your meraki vpn
    right=yyy.yyy.yyy.yyy
ipsec.secrets
This file had a number of configuration options in it by default, in addition to the NetworkManager attempt at a Meraki VPN, so I backed up the file and started with a new empty file.
: PSK "Your Secret Here"
xl2tpd.conf
Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address.
[lac meraki-vpn]
lns = yyy.yyy.yyy.yyy
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
options.l2tpd.client
Use the following config, replacing <meraki-username> and <meraki-password> with your client VPN username and password.
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 84600
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <meraki-username>
password <meraki-password>
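Two of the four files above (ipsec.secrets and options.l2tpd.client) hold the PSK and the VPN password in plaintext, and ipsec.conf only works if its settings stay indented under their sections. The following pre-flight script checks those things before the services are restarted. It is an added example, not part of the original notes; the optional directory argument and the "check" subcommand are assumptions that exist only so the script can be run against a scratch copy of the files.

```shell
#!/bin/sh
# Pre-flight check for the four L2TP/IPsec config files. Added example, not
# part of the original notes. DIR defaults to /etc and exists only so the
# checks can be exercised against a scratch copy of the files.

# 0 if FILE is readable by its owner only (group and other bits all clear).
# ipsec.secrets holds the PSK and options.l2tpd.client holds the VPN
# password in plaintext, so both should be root-owned and mode 0600.
owner_only() {
    f="$1"
    [ -e "$f" ] || return 1
    # characters 5-10 of `ls -l` output are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if FILE still contains one of the placeholders used on this page.
has_placeholders() {
    grep -Eq 'yyy\.yyy\.yyy\.yyy|zzz\.zzz|<meraki-|Your Secret Here' "$1"
}

# 0 if every setting in an ipsec.conf sits indented under its section.
# strongSwan reads an unindented "key=value" line as the start of a new
# section, so a file that lost its indentation silently drops settings.
ipsec_conf_indented() {
    [ -e "$1" ] || return 1
    # anything left after removing indented, blank, comment and section-header lines is an error
    ! grep -Ev '^[[:space:]]|^#|^(conn|config|ca)[[:space:]]|^$' "$1" | grep -q .
}

# Run all checks against DIR (default /etc); print every problem, return 1 if any.
check_vpn_configs() {
    dir="${1:-/etc}"
    rc=0
    for f in "$dir/ipsec.conf" "$dir/ipsec.secrets" "$dir/xl2tpd/xl2tpd.conf" "$dir/ppp/options.l2tpd.client"; do
        if [ ! -e "$f" ]; then
            echo "FAIL: $f is missing"; rc=1; continue
        fi
        if has_placeholders "$f"; then
            echo "FAIL: $f still contains a placeholder"; rc=1
        fi
    done
    for f in "$dir/ipsec.secrets" "$dir/ppp/options.l2tpd.client"; do
        if [ -e "$f" ] && ! owner_only "$f"; then
            echo "FAIL: $f holds credentials but is readable by others (chmod 600 it)"; rc=1
        fi
    done
    if ! ipsec_conf_indented "$dir/ipsec.conf"; then
        echo "FAIL: $dir/ipsec.conf has settings that are not indented under a section"; rc=1
    fi
    return $rc
}

# usage: sudo sh vpncheck.sh check [DIR]
case "${1:-}" in
    check) check_vpn_configs "${2:-/etc}" && echo "OK: configs look sane" ;;
esac
```

Run it as root with `check` once the four files are in place; a non-zero exit with one or more FAIL lines means something still needs fixing before `systemctl restart strongswan`.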
Restart services
sudo systemctl restart strongswan
sudo systemctl restart xl2tpd
Connect
Start the IPsec connection:
sudo ipsec up meraki-vpn
Start the L2TP connection:
su
echo "c meraki-vpn" > /var/run/xl2tpd/l2tp-control
Add routes
Check the tunnel has been created as an interface:
ip link
...
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
link/ppp
Add a route to the VPN inside network through the ppp tunnel.
ip route add zzz.zzz.zzz.zzz/zzz dev ppp0
Make routes start automatically
Create /etc/ppp/ip-up.d/route.sh
like the following with your appropriate routes:
#!/bin/sh -e
ip route add 10.199.30.0/24 dev ppp0
ip route add 67.220.127.0/24 dev ppp0
exit 0
Set proper permissions on route.sh
chmod ugo+x /etc/ppp/ip-up.d/route.sh
Check your routes after starting the link:
ip route list
You should now have access to the Meraki node's inside LAN.
Disconnect
su
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
exit
sudo ipsec down meraki-vpn
Once Everything Works, Script it!
vpnstart.sh
script to start the VPN connection:
#!/bin/bash
# run as root: ipsec and the xl2tpd control file both require it
echo "Starting StrongSwan..."
systemctl restart strongswan
# delay to ensure that IPsec is started before overlaying L2TP
sleep 2
echo "Starting xl2tpd..."
systemctl restart xl2tpd
echo "Bring up connection..."
ipsec up meraki-vpn
echo "c meraki-vpn" > /var/run/xl2tpd/l2tp-control
# delay again to make sure that the PPP connection is up
sleep 2
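The two `sleep 2` delays in vpnstart.sh guess how long strongSwan and pppd need, and the script carries on even if `ipsec up` or the L2TP session failed. The following variant, added here as an example and not part of the original notes, polls for the IPsec SA and for the ppp interface instead, and stops at the first step that does not come up. The IPSEC_CMD and SYSFS_NET variables are hypothetical knobs that only exist so the two wait functions can be exercised without root; leave them unset on a real system. The "INSTALLED" pattern assumes strongSwan's `ipsec status` output format.

```shell
#!/bin/sh
# Alternative to vpnstart.sh that waits for each layer instead of sleeping.
# Added example, not part of the original notes. IPSEC_CMD and SYSFS_NET are
# hypothetical overrides used only for testing without root.

CONN=meraki-vpn
CONTROL=/var/run/xl2tpd/l2tp-control

# Poll `ipsec status CONN` until the ESP SA is reported as INSTALLED or
# TIMEOUT seconds (default 15) pass. Assumes strongSwan's status output.
wait_for_sa() {
    conn="$1"; timeout="${2:-15}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        "${IPSEC_CMD:-ipsec}" status "$conn" 2>/dev/null | grep -q 'INSTALLED' && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Poll until IFACE shows up under /sys/class/net (pppd creates it once the
# L2TP session is established) or TIMEOUT seconds (default 15) pass.
wait_for_iface() {
    iface="$1"; timeout="${2:-15}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -d "${SYSFS_NET:-/sys/class/net}/$iface" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Bring the VPN up layer by layer, failing fast instead of continuing on a dead tunnel.
vpn_start() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (needs ipsec and $CONTROL)" >&2; return 1; }
    systemctl restart strongswan
    systemctl restart xl2tpd
    ipsec up "$CONN" || return 1
    wait_for_sa "$CONN" 15 || { echo "IPsec SA for $CONN not established" >&2; return 1; }
    echo "c $CONN" > "$CONTROL"
    wait_for_iface ppp0 15 || { echo "ppp0 did not appear; check journalctl -u xl2tpd" >&2; return 1; }
    echo "VPN up; routes from /etc/ppp/ip-up.d should now be in 'ip route list'"
}

# usage: sudo sh vpnstart-polling.sh start
case "${1:-}" in
    start) vpn_start ;;
esac
```

Because `vpn_start` returns non-zero at the first failed layer, it can be chained (`sudo sh vpnstart-polling.sh start && ip route list`) without the follow-up commands running against a tunnel that never came up.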
vpnstop.sh
script to stop the VPN connection:
#!/bin/bash
echo "Stopping vpn connection..."
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
ipsec down meraki-vpn
echo "Stopping services..."
systemctl restart strongswan
systemctl restart xl2tpd