C2S - L2TP over IPSEC Linux VPN with R80.30 - working

The easiest way to configure L2TP over IPSEC in Linux is to use the Network Manager with the L2TP gnome Plugin as described here. Use at least Network Manager L2TP Plugin Version 1.7.2, otherwise you can't configure the IKE Lifetime (8h) and the SA Lifetime (1h), which are very important for a stable connection.

This guide shows, step by step, how L2TP over IPSEC works in Linux. There are three binaries involved: libreswan, xl2tpd and ppp. At the end you should be able to connect to your Check Point Firewall using the L2TP Pre-shared Key and Username + Password.


Check Point
Before you begin, please make sure you have a working Remote Access environment with Office Mode using one of the Check Point Endpoint Clients (Windows / macOS). For authentication use username and password.

In R80.x, when the L2TP Client is behind a NAT device, the connection won't work without the hotfix from sk145895. Without this hotfix the L2TP connection won't be established.

My Setup:
Standalone with Jumbo Take 76 and Hotfix: fw1_wrapper_HOTFIX_R80_30_T71_JHF_470_MAIN_GA_FULL.tgz 

Requirements Check Point:

- Global Properties - Remote Access - VPN - Authentication - Support Authentication - Support Legacy Authentication for SC
- Global Properties - Remote Access - VPN - Authentication - Support Authentication - Support L2TP with Pre-Shared Key
- Gateway Object - Properties - VPN Clients - Remote Access - Support L2TP



This guide is based on Linux Mint 19.2 which uses Libreswan 3.23 and xl2tpd 1.3.10. 

The L2TP over IPSEC connection depends on libreswan, xl2tpd and ppp, and on changing the routes manually.

1) libreswan
Is used to establish the IPSEC connection, the transport layer. Install the latest package by running:



# sudo apt install libreswan


2) xl2tpd 
Is used to handle the L2TP tunnel and hand the authentication over to PPP. Install the latest package by running:


# sudo apt install xl2tpd


3) ppp
Is used for User authentication (Username + Password). Install the latest package by running:


# sudo apt install ppp   # usually pre-installed


4) Routes
After the L2TP over IPSEC connection has been established, the routing has to be changed manually.


Libreswan Configuration

Libreswan uses files located in /etc/ipsec.d and the main configuration file /etc/ipsec.conf. 

1) edit the main configuration file /etc/ipsec.conf and add only the logging option. Leave the rest as it is.


config setup
	# Normally, pluto logs via syslog. If you want to log to a file,
	# specify below or to disable logging, eg for embedded systems, use
	# the file name /dev/null
	# Note: SElinux policies might prevent pluto writing to a log file at
	#       an unusual location.
	logfile=/var/log/pluto.log   # the libreswan log file referenced in the troubleshooting section

2) Create a new file called "ra.conf" and "ra.secrets" in /etc/ipsec.d/


# sudo touch /etc/ipsec.d/ra.conf
# sudo touch /etc/ipsec.d/ra.secrets


3) edit the /etc/ipsec.d/ra.conf file


# sudo vi /etc/ipsec.d/ra.conf
conn Company-IPSEC
  type=transport           # IPSEC transport mode (L2TP carries the user traffic)
  left=%defaultroute       # Client IP Address or use the Defaultroute Interface
  right=                   # put here your Gateway IP Address
  rightid=                 # Check Point responds with the Main IP Address from the FW Object
  rightprotoport=udp/l2tp  # Use L2TP
  pfs=no                   # no PFS in IKE Phase 2
  ike=aes256-sha1;modp1024 # IKE Phase 1; AES256, SHA1, DH Group2
  phase2alg=aes128-sha1    # IKE Phase 2; AES128, SHA1
  salifetime=1h            # SA Lifetime 1h for IKE Phase 2
  ikelifetime=8h           # IKE Lifetime 8h for IKE Phase 1
  ikev2=no                 # do not use IKEv2


In this example the libreswan connection name is: Company-IPSEC


4) edit the /etc/ipsec.d/ra.secrets file

Put in the Pre-Shared Secret from SmartConsole.  

Global Properties - Remote Access - VPN - Authentication - Support Authentication - Support L2TP with Pre-Shared Key


# sudo vi /etc/ipsec.d/ra.secrets
: PSK "L2TP-Pre-Shared Key"


XL2TPD Configuration

The xl2tpd configuration file is located in /etc/xl2tpd. 

1) edit the main configuration file /etc/xl2tpd/xl2tpd.conf


# sudo vi /etc/xl2tpd/xl2tpd.conf
[global]
access control = yes
port = 1701

[lac Company-L2TP]
lns =                            ; put here your Gateway IP Address
pppoptfile = /etc/ppp/options.l2tpd.client   ; File for User Authentication
autodial = yes
tunnel rws = 8
tx bps = 100000000
rx bps = 100000000


In this example the L2TP connection name is: "Company-L2TP".


PPP Configuration
The configuration files are stored under /etc/ppp/

1) create the file /etc/ppp/options.l2tpd.client


# sudo vi /etc/ppp/options.l2tpd.client
#show-password            # enable for debugging
#debug                    # enable for debugging
refuse-eap                # no EAP
refuse-chap               # no CHAP
refuse-mschap             # no MSCHAP
refuse-mschap-v2          # no MSCHAPv2
lcp-echo-failure 0
lcp-echo-interval 0
mru 1400
mtu 1400
user macbook              # Username - Check Point User
password PUTUSERPASSWORD  # Password - Check Point User


Check Point supports only PAP for PPP Authentication. I checked the iPhone L2TP debugs in vpnd.elg and also the Windows L2TP over IPSEC guide uses only PAP. 


Initiate the Connection

It is very important to start the L2TP over IPSEC connection with the commands below, in this order. First we start libreswan and xl2tpd, then we bring up the IPSEC connection and finally the L2TP tunnel.


# sudo systemctl start ipsec      # libreswan's service unit is called "ipsec"
# sudo systemctl start xl2tpd
# sudo ipsec auto --up Company-IPSEC
# sudo echo "c Company-L2TP" | sudo tee /var/run/xl2tpd/l2tp-control


If everything works well, the output of "ipsec auto --up" should look like this:



002 "Company-IPSEC" #1: initiating Main Mode
104 "Company-IPSEC" #1: STATE_MAIN_I1: initiate
106 "Company-IPSEC" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Company-IPSEC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "Company-IPSEC" #1: Peer ID is ID_IPV4_ADDR: ''
004 "Company-IPSEC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
002 "Company-IPSEC" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:4e756e62 proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=no-pfs}
117 "Company-IPSEC" #2: STATE_QUICK_I1: initiate
003 "Company-IPSEC" #2: our client peer returned protocol id does not match my proposal - us0 vs them: 17
003 "Company-IPSEC" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
004 "Company-IPSEC" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xb8685cf2 <0x3dcf0898 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none DPD=passive}
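As an added check (not part of the original post), the shell function below reads the output of "ipsec auto --up" and verifies that what was negotiated matches ra.conf: a Phase 1 SA authenticated with the PSK using AES256/SHA1/MODP1024 and a Phase 2 transport-mode SA using AES128/SHA1. It also points out the "questionable proposal" line and whether NAT-T is active. The sample log lines are constructed from the output above.

```shell
# Constructed sample: the successful "ipsec auto --up" output shown above.
SAMPLE_OK='004 "Company-IPSEC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
003 "Company-IPSEC" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
004 "Company-IPSEC" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xb8685cf2 <0x3dcf0898 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none DPD=passive}'

# Constructed sample of a failed attempt: Phase 1 is up, Phase 2 never completes.
SAMPLE_FAIL='004 "Company-IPSEC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
010 "Company-IPSEC" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response'

# check_ipsec_log CONN LOGTEXT
# Returns 0 only if LOGTEXT shows, for connection CONN, a Phase 1 SA
# authenticated with the PSK using AES256/SHA1/MODP1024 and a Phase 2
# transport-mode SA using AES128/SHA1, i.e. exactly what ra.conf asks for.
check_ipsec_log() {
    conn="$1"; log="$2"; rc=0
    if ! printf '%s\n' "$log" | grep -q "\"$conn\" #[0-9]*: STATE_MAIN_I4: ISAKMP SA established .*auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024"; then
        echo "Phase 1: no ISAKMP SA with PSK/AES256/SHA1/MODP1024 for $conn"; rc=1
    fi
    if ! printf '%s\n' "$log" | grep -q "\"$conn\" #[0-9]*: STATE_QUICK_I2: .*IPsec SA established transport mode .*xfrm=AES_CBC_128-HMAC_SHA1_96"; then
        echo "Phase 2: no transport-mode IPsec SA with AES128/SHA1 for $conn"; rc=1
    fi
    # Informational only: libreswan accepted the gateway's non-matching proposal.
    if printf '%s\n' "$log" | grep -q "\"$conn\" .*ALLOW_MICROSOFT_BAD_PROPOSAL"; then
        echo "note: questionable Phase 2 proposal accepted for $conn"
    fi
    # ESP/NAT=> means NAT traversal is in use: the client sits behind NAT, which needs sk145895 on R80.x.
    if printf '%s\n' "$log" | grep -q "\"$conn\" .*ESP/NAT=>"; then
        echo "note: NAT-T active for $conn (client behind NAT, see sk145895)"
    fi
    return $rc
}
```

On a real system run it as `check_ipsec_log Company-IPSEC "$(sudo ipsec auto --up Company-IPSEC 2>&1)"` before bringing up the L2TP tunnel.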




soren@mint-laptop:~/Desktop$ systemctl restart xl2tpd
soren@mint-laptop:~/Desktop$ sudo echo "c Comapny-L2TP" |sudo tee /var/run/xl2tpd/l2tp-control 
c Comapny-L2TP


Interface ppp0 was created:


        inet  netmask  destination
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 52 (52.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 64 (64.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Disconnect the Connection
The following commands are used to terminate the L2TP VPN connection.


# sudo echo "d Company-L2TP" | sudo tee /var/run/xl2tpd/l2tp-control
# sudo ipsec auto --down Company-IPSEC
# sudo systemctl stop ipsec
# sudo systemctl stop xl2tpd


*for troubleshooting use "restart" instead of "stop".

After the VPN connection is established, the traffic is not yet routed through the VPN Tunnel; the routes have to be added manually.

1) Example Route table using an iPhone Hotspot



soren@mint-laptop:~/Desktop$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 ens33
                                                U         0 0          0 ens33
                                                U         0 0          0 ens33
                                                UH        0 0          0 ppp0


2) Route Only the Encryption Domain

First try to route only your Encryption Domain through the VPN Tunnel. The next hop is the IP Address of the ppp0 Interface.


# sudo ip route add <encryption-domain> via <ppp0-address> dev ppp0


Routing Table:


soren@mint-laptop:~/Desktop$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 ens33
                                                U         0 0          0 ens33
                                                U         0 0          0 ens33
                                                UG        0 0          0 ppp0
                                                UH        0 0          0 ppp0


Try to reach any host in the Encryption Domain
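As an added example (not part of the original post), the shell functions below derive the default gateway, the LAN interface and the ppp0 address from the output of "ip route show" and print the route commands in the one order that keeps the tunnel alive: the firewall IP is pinned to the LAN gateway first, then the Encryption Domain (or a new default route for a full tunnel) goes via ppp0, and only then is the old default route removed. The routing table, the firewall IP 203.0.113.10 and the Encryption Domain 10.0.0.0/8 are constructed values.

```shell
# Constructed sample of "ip route show" after ppp0 came up, before any manual routes.
SAMPLE_ROUTES='default via 192.168.43.1 dev ens33 proto dhcp metric 100
192.168.43.0/24 dev ens33 proto kernel scope link src 192.168.43.57 metric 100
10.20.30.1 dev ppp0 proto kernel scope link src 10.20.30.57'

# default_gw ROUTES    -> gateway of the current default route
default_gw() { printf '%s\n' "$1" | awk '$1=="default"{print $3; exit}'; }
# default_iface ROUTES -> interface of the current default route (the LAN/Wifi side)
default_iface() { printf '%s\n' "$1" | awk '$1=="default"{print $5; exit}'; }
# ppp_addr ROUTES      -> local address of ppp0, taken from the "src" of its connected route
ppp_addr() { printf '%s\n' "$1" | awk '$3=="ppp0"{for(i=1;i<=NF;i++) if($i=="src"){print $(i+1); exit}}'; }

# plan_routes FW_IP ROUTES [DOMAIN]
# Prints the "ip route" commands for a split tunnel (DOMAIN given) or a full
# tunnel (DOMAIN omitted = default). Fails if there is no default route or
# ppp0 is not up, so nothing is changed on a half-established connection.
plan_routes() {
    fw="$1"; routes="$2"; domain="${3:-default}"
    gw=$(default_gw "$routes"); ifc=$(default_iface "$routes"); ppp=$(ppp_addr "$routes")
    if [ -z "$gw" ] || [ -z "$ifc" ]; then echo "no default route found" >&2; return 1; fi
    if [ -z "$ppp" ]; then echo "ppp0 is not up" >&2; return 1; fi
    # 1. keep the firewall reachable via the LAN, otherwise the tunnel routes itself into ppp0
    echo "ip route add $fw/32 via $gw dev $ifc"
    # 2. send the Encryption Domain (or everything) through the tunnel
    echo "ip route add $domain via $ppp dev ppp0"
    # 3. full tunnel only: drop the old default route last
    [ "$domain" = default ] && echo "ip route del default via $gw dev $ifc"
    return 0
}
```

Review the printed commands, then run them with sudo; `plan_routes <firewall-ip> "$(ip route show)"` gives the full-tunnel variant the script in the next section performs.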



For troubleshooting and after configuration changes, always restart both services!


# systemctl restart ipsec
# systemctl restart xl2tpd


Logfiles are in /var/log/pluto.log (libreswan) and /var/log/syslog (xl2tpd).



It is very useful to have a script that does all the steps mentioned above. The script below is from the Arch Wiki, adapted to the connection names used here. It starts libreswan and xl2tpd, brings up the connection and changes the routing so that all traffic goes through the tunnel.


#!/bin/bash
if [ $# != 1 ] ; then
	echo "Usage: (sudo) sh $0 {start|stop}"
	exit 1;
fi

VPN_ADDR=             # put here your Firewall IP
IFACE=ens33           # LAN / Wifi Interface

function getIP(){
	ip addr show $1 | grep "inet " | awk '{print $2}' | sed 's:/.*::'
}
function getGateWay(){
	route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $2}'
}
function getVPNGateWay(){
	route -n | grep -m 1 "$VPN_ADDR" | awk '{print $2}'
}

GW_ADDR=$(getGateWay)    # current default gateway, needed to pin the firewall route

function start(){
	systemctl restart ipsec
	sleep 1    # delay to ensure that IPsec is started before overlaying L2TP
	systemctl restart xl2tpd
	ipsec auto --up Company-IPSEC
	sleep 1
	echo "c Company-L2TP" | sudo tee /var/run/xl2tpd/l2tp-control
	sleep 4    # delay again to make sure that the PPP connection is up.

	route add $VPN_ADDR gw $GW_ADDR $IFACE    # keep the firewall reachable via the LAN
	route add default gw $(getIP ppp0)         # new default route through the tunnel
	route delete default gw $GW_ADDR
}

function stop(){
	ipsec auto --down Company-IPSEC
	echo "d Company-L2TP" | sudo tee /var/run/xl2tpd/l2tp-control
	VPN_GW=$(getVPNGateWay)    # gateway the firewall host route was added with
	route delete $VPN_ADDR gw $VPN_GW $IFACE
	route add default gw $VPN_GW
}

case "$1" in
	start) start ;;
	stop)  stop ;;
	*) echo "Usage: (sudo) sh $0 {start|stop}"; exit 1 ;;
esac
exit 0


Save the script under the name "vpn", make it executable and use it like this:


# chmod +x vpn
# sudo ./vpn start
# sudo ./vpn stop


If any error comes up running the script, run "# sudo ./vpn stop" to change the routing back to normal.  

3 Replies

Sounds nice, but where to get the fw1_wrapper_HOTFIX_R80_30_T71_JHF_470_MAIN_GA_FULL.tgz ?

0 Kudos

You have to open a chat or case with Check Point support. 

0 Kudos

Write that inside your post and all is fine 😎

0 Kudos

