How to add IPSEC/L2TP support?

I need to try and connect my MT300A to an IPSEC/L2TP server so that I can access secure internet. I don’t have the option of using OpenVPN unfortunately (which would be nice and easy!).

I have had a look at existing tutorials for adding StrongSwan, but I can’t figure out how to configure it to work. Is anyone aware of an easy way to add IPSec/L2TP support?

You can do this in Luci. When you build a IPSec/L2TP connect, it will ask you to install the correct kernel modules. Then you could be able to set up.

Hi alzhao, I’m not sure where I can set this up in Luci - I had a look but couldn’t see anywhere in the GUI. Could you post a brief walkthough so I can try it out please?

Thank you for your help :).

First, go to Network->Interfaces, then create a new interface

After you click “Submit”, you will then be able to configure it. You can choose L2tp, you will be asked to switch protocol.

Now You have a switch protocol button, after you click, you will be asked to install xl2tpd package. Just click it and follow the guide to install it. You may met two problem, first, it will tell you this package is not found. You can just click “update list” and then research this package. Second, after install it may tell you that there are 255 errors, just omit it.

Now, type you server, username and password. Then click “Save & Apply”

 

 

Dear Alzhao,

thank you for the guide. I have exactly the same problem, but I need IPSEC Xauth PSK protocol to connect to a Fritzbox. Should that work as well or would I need openswan for that? And if, how should I ideally install the necessary openswan package?

Thanks in advance!

CV

for openswan, seems we didn’t compile this package in our repo. If you can compile by your own you can upload to the router and install it.

Ah, I see. So as far as I’ve learned, I’ll need strongswan-default (or -full), ip, djbdns-tools and maybe iptables-mod-nat-extra in case of overlapping IP subnets.

Could you give me some hint where to start with compilation of these for the MT300A? Will I have to build the whole system from scratch or can I somehow just build those 3-4 packages against your v2.20 as base. I’ve never set up an environment just to compile single packages later on, so I’m a bit lost on that…

 

Thanks,

 

CV

Oh, and btw strongswan should work as well what I’ve read, I only mentioned openswan before… My fault…

strongswan should already be available. Try install using opkg

Hi,

I just installed 2.23-5 on my brandnew AR300M. It seems, I can not install strongswan. It complains about a missing kernel requirement…

Collected errors: * satisfy_dependencies_for: Cannot satisfy the following dependencies for strongswan: * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * kernel (= 3.18.27-1-0097ffbd8ce60aa990fd5adb374c63e6) * * opkg_install_cmd: Cannot install package strongswan.

Dear Alzhao,

i just got a router and am so glad i have this. But there is just one issue, i am new in openwrt and i need IPSec/ssl tls, just like cisco any connect.

Is there any guide i can use, to configure my router to act as VPN client.

 

cheers

@nomad, 2.23-5 is not backed with full repo so you may not be able to install kernel modules. 2.23-6 is compiled with full software repo and you will do this

@Jyoti, I got some request to support IPSec, pptp, l2tp etc. I will install these protocols in the new firmware and hope to get a guide for you later. Thanks!

Great news, I will give it a try!

Thank you!

I also need support for L2TP with preshared key. Any help would be appreciated. I tried installing strongswan, but this didn’t present any new configuration options in the GUI, so perhaps this must be configured manually via CLI?

Echoing Tentious, I also need L2TP with ipsec. And pointers on how to enable this in the GUI?

 

Dear Alzaho,

I was wondering, is the support for Cisco anyconnect got inside new firmwares.

 

Currently my router is running 2.25. let me know if there are any noted down steps that can help me.

 

Cheers

Any update on L2TP with pre shared keys?

I am listening. Trying to add but still have some problems. Engineers is working on it.

Hi, just adding another voice for L2TP/IPsec with Pre Shared Key. No rush, but want you to know there is a need out there! :slight_smile:

Am I correct in assuming from the above that you cannot use a VPN that uses Pre Shared Keys with L2TP (IPsec) with the current firmware. Or, is it just difficult to configure?

Update: I’m not a networking guy, but I chatted with some VPN Providers. I am being told that the lack of a shared key option indicates that only L2TP (and not IPsec) is implemented in the router. Apparently, IPsec is the encryption protocol, without which L2TP is ineffective for a VPN, as everything in L2TP will be sent clear text. So, a little more understanding (in my head), but still the same questions: 1) Is my understanding as stated correct? 2) Is IPsec completely missing/unavailable, or just difficult for the end user (me) to implement?

@lstevens, in http://www.gl-inet.com/firmware/testing/ we have new firmware added UI for l2tp. As you said there is something related to iPsec and preshared keys so L2tp is not working now. Hope to solve it soon.