Meraki VPN on Manjaro

These instructions are assuming Arch or Manjaro Linux.

First Attempt - GUI

My first attempt was using the GUI in Manjaro. Multiple options are listed in the network settings but not all options are actually installed. I have setup OpenVPN connections through the GUI with no issues in the past but networkmanager-l2tp was not installed or available in the default Manjaro/Arch repositories. Without this plugin the GUI would pretend to work and fail silently.

Plugins: https://wiki.archlinux.org/index.php/NetworkManager#VPN_support

I installed the networkmanager-l2tp plugin and roughly follow the official Meraki VPN instructions for Linux.

It was a no go. Although I believe my settings were correct, NetworkManager was unable to complete the connection.

Manual VPN setup from command line

Source: https://seba-smart-services.github.io/smartnet/linux-ipsec-client.html
Source: https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c
Source: https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup

First install xl2tpd and strongswan:
sudo pacman -S xl2tpd strongswan

Now 4 configuration files need to be set up:

  • /etc/ipsec.conf: This file contains the basic information to establish a secure IPsec tunnel to the VPN server.
  • /etc/ipsec.secrets: This file contains the PSK secret.
  • /etc/xl2tpd/xl2tpd.conf: This file configures xl2tpd with the connection name, server IP address.
  • /etc/ppp/options.l2tpd.client: This file configures pppd.

ipsec.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address.
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn meraki-vpn
     keyexchange=ikev1
     left=%defaultroute
     auto=add
     authby=secret
     type=transport
     leftprotoport=17/1701
     rightprotoport=17/1701
     # set this to the ip address of your meraki vpn  
     right=yyy.yyy.yyy.yyy

ipsec.secrets

This file had a number of configuration options by default in addition to the NetworkManager attempt at a Meraki VPN, I backed up the file and started with a new empty file.
: PSK "Your Secret Here"

xl2tpd.conf

Use the following config, replacing yyy.yyy.yyy.yyy with the Meraki node outside address.
[lac meraki-vpn]
lns = yyy.yyy.yyy.yyy
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

Use the following config, replacing and with your client VPN username and password.
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-pap
noccp
noauth
idle 84600
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <meraki-username>
password <meraki-password>

Restart services
sudo systemctl restart strongswan
sudo systemctl restart xl2tpd

Connect

Start the IPsec connection:
sudo ipsec up meraki-vpn

Start the L2TP connection:
su
echo "c meraki-vpn" > /var/run/xl2tpd/l2tp-control

Add routes

Check the tunnel has been created as an interface:
ip link
...
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp

Add a route to the VPN inside network through the ppp tunnel.
ip route add zzz.zzz.zzz.zzz/zzz dev ppp0

Make routes start automatically

Create /etc/ppp/ip-up.d/route.sh like the following with your appropriate routes:
#!/bin/sh -e
ip route add 10.199.30.0/24 dev ppp0
ip route add 67.220.127.0/24 dev ppp0

exit 0

Set proper permissions on route.sh
chmod ugo+x /etc/ppp/ip-up.d/route.sh

check your routes after starting the link:
ip route list

You should now have access to the Meraki node inside LAN.

Disconnect

su
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
exit
sudo ipsec down meraki-vpn

Once Everything Works, Script it!

vpnstart.sh script to start the VPN connection:
#!/bin/bash

echo "Starting StrongSwan..."
systemctl restart strongswan

#delay to ensure that IPsec is started before overlaying L2TP
sleep 2

echo "Starting xl2pd..."
systemctl restart xl2tpd

echo "Bring up connection..."
ipsec up meraki-vpn
echo "c meraki-vpn" > /var/run/xl2tpd/l2tp-control

#delay again to make that the PPP connection is up.
sleep 2

vpnstart.sh script to stop the VPN connection:
#!/bin/bash

echo "Stopping vpn connection..."
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
ipsec down meraki-vpn

echo "Stopping services..."
systemctl restart strongswan
systemctl restart xl2tpd
Topic revision: r2 - 09 Oct 2017, BobWicksall
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wickwiki? Send feedback