Setting up an L2TP IPsec VPN on openSUSE 13.2

  1. Install strongSwan and xl2tpd from the official openSUSE repositories.
    opensuse-13.2:~ # zypper install strongswan xl2tpd
  2. In /usr/lib/systemd/system/strongswan.service, add network-online.target to the After= dependency list.
    opensuse-13.2:~ # cat /usr/lib/systemd/system/strongswan.service
    [Unit]
    Description=strongSwan IPsec
    After=syslog.target network-online.target
    
    [Service]
    ExecStart=/usr/sbin/ipsec start --nofork
    StandardOutput=syslog
    
    [Install]
    WantedBy=multi-user.target
    Alias=ipsec.service
    
    opensuse-13.2:~ #
  3. Enable the strongswan and xl2tpd services so they start at boot.
    opensuse-13.2:~ # systemctl enable strongswan
    opensuse-13.2:~ # 
    opensuse-13.2:~ # systemctl enable xl2tpd
  4. Reboot the operating system.
    opensuse-13.2:~ # reboot
  5. Check the state of the strongswan and xl2tpd services.
    opensuse-13.2:~ # systemctl status strongswan
    strongswan.service - strongSwan IPsec
       Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled)
       Active: active (running) since Sun 2015-05-24 17:13:45 EEST; 7s ago
     Main PID: 426 (starter)
       CGroup: /system.slice/strongswan.service
               ├─426 /usr/lib/ipsec/starter --daemon charon --nofork
               └─468 /usr/lib/ipsec/charon
    
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[TNC] loading IMCs from '/etc/tnc_config'
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[CFG] coupling file path unspecified
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha...ket-def
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[LIB] unable to load 15 plugin features (12 due to unmet dependencies)
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[LIB] dropped capabilities, running as uid 0, gid 0
    May 24 17:13:45 opensuse-13.2 charon[468]: 00[JOB] spawning 16 worker threads
    May 24 17:13:45 opensuse-13.2 ipsec_starter[426]: charon (468) started after 2780 ms
    May 24 17:13:45 opensuse-13.2 ipsec[426]: charon (468) started after 2780 ms
    May 24 17:13:45 opensuse-13.2 charon[468]: 08[KNL] 10.0.2.15 appeared on enp0s3
    Hint: Some lines were ellipsized, use -l to show in full.
    opensuse-13.2:~ # 
    opensuse-13.2:~ # systemctl status xl2tpd
    xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
       Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled)
       Active: active (running) since Sun 2015-05-24 17:26:34 EEST; 16s ago
     Main PID: 1529 (xl2tpd)
       CGroup: /system.slice/xl2tpd.service
               └─1529 /usr/sbin/xl2tpd -D
    
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: setsockopt recvref[22]: Protocol not available
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Using l2tp kernel support.
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: xl2tpd version xl2tpd-1.3.0 started on opensuse-13.2 PID:1529
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Forked by Scott Balmos and David Stipp, (C) 2001
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Inherited by Jeff McAdams, (C) 2002
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    May 24 17:26:34 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Listening on IP address 0.0.0.0, port 1701
    opensuse-13.2:~ #
    Both services must be in the state active (running).
  6. Check whether the unity plugin appears in the list of plugins loaded by the charon daemon.
    opensuse-13.2:~ # ipsec listplugins | grep unity
    unity:
        CUSTOM:unity
    opensuse-13.2:~ #
    If it is listed, replace "load = yes" with "load = no" in /etc/strongswan.d/charon/unity.conf and restart charon.
    opensuse-13.2:~ # cat /etc/strongswan.d/charon/unity.conf
    unity {
    
        # Whether to load the plugin. Can also be an integer to increase the
        # priority of this plugin.
        load = no
    
    }
    
    opensuse-13.2:~ #
    opensuse-13.2:~ # ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.1.3 IPsec [starter]...
    opensuse-13.2:~ #
    Repeat the check.
    opensuse-13.2:~ # ipsec listplugins | grep unity
    opensuse-13.2:~ #
  7. Open two additional terminal windows. The first is for following the system journal.
    opensuse-13.2:~ # journalctl -f
    The second is for watching the traffic between the local host and the server vpn.uz.gov.ua (195.149.70.70).
    opensuse-13.2:~ # tcpdump -n host 195.149.70.70
  8. Add the pre-shared key for the server 195.149.70.70 (vpn.uz.gov.ua) to /etc/ipsec.secrets.
    opensuse-13.2:~ # cat /etc/ipsec.secrets
    #
    # ipsec.secrets
    #
    # This file holds the RSA private keys or the PSK preshared secrets for
    # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
    #
    
    195.149.70.70 : PSK "preshared key"
    
    opensuse-13.2:~ #
    Re-read /etc/ipsec.secrets with the command ipsec rereadsecrets.
    opensuse-13.2:~ # ipsec rereadsecrets
    journalctl output:
    May 24 17:20:11 opensuse-13.2 charon[1419]: 12[CFG] rereading secrets
    May 24 17:20:11 opensuse-13.2 charon[1419]: 12[CFG] loading secrets from '/etc/ipsec.secrets'
    May 24 17:20:11 opensuse-13.2 charon[1419]: 12[CFG]   loaded IKE secret for 195.149.70.70
  9. Leave /etc/strongswan.conf unchanged.
    opensuse-13.2:~ # cat /etc/strongswan.conf
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files
    
    charon {
    	load_modular = yes
    	plugins {
    		include strongswan.d/charon/*.conf
    	}
    }
    
    include strongswan.d/*.conf
    
    opensuse-13.2:~ #
  10. Add a connection named vpn-uz to /etc/ipsec.conf and reload the configuration.
    opensuse-13.2:~ # cat /etc/ipsec.conf
    # ipsec.conf - strongSwan IPsec configuration file
    
    # basic configuration
    
    config setup
    	# strictcrlpolicy=yes
    	# uniqueids = no
    
    # Add connections here.
    
    # Sample VPN connections
    
    #conn sample-self-signed
    #      leftsubnet=10.1.0.0/16
    #      leftcert=selfCert.der
    #      leftsendcert=never
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightcert=peerCert.der
    #      auto=start
    
    #conn sample-with-ca-cert
    #      leftsubnet=10.1.0.0/16
    #      leftcert=myCert.pem
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightid="C=CH, O=Linux strongSwan CN=peer name"
    #      auto=start
    
    conn vpn-uz
    	keyexchange=ikev1
    	type=transport
    	authby=secret
    	ike=aes128-sha1-modp1024
    	esp=aes128-sha1
    	left=%defaultroute
    	leftsubnet=%dynamic[udp]
    	right=195.149.70.70
    	rightsubnet=195.149.70.70[udp/1701]
    	auto=route
    
    opensuse-13.2:~ #
    opensuse-13.2:~ # ipsec reload
    Reloading strongSwan IPsec configuration...
    opensuse-13.2:~ #
    journalctl output:
    May 24 17:21:47 opensuse-13.2 charon[1419]: 05[CFG] received stroke: add connection 'vpn-uz'
    May 24 17:21:47 opensuse-13.2 charon[1419]: 05[CFG] left nor right host is our side, assuming left=local
    May 24 17:21:48 opensuse-13.2 charon[1419]: 05[CFG] added configuration 'vpn-uz'
  11. Check that charon has read the configuration of the vpn-uz connection.
    opensuse-13.2:~ # ipsec statusall
    Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.6-2-default, x86_64):
      uptime: 3 minutes, since May 24 17:18:29 2015
      malloc: sbrk 1757184, mmap 0, used 618816, free 1138368
      worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubke
    y pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-net
    link resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-
    simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pa
    m tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock
    Listening IP addresses:
      10.0.2.15
    Connections:
          vpn-uz:  %any...195.149.70.70  IKEv1
          vpn-uz:   local:  uses pre-shared key authentication
          vpn-uz:   remote: [195.149.70.70] uses pre-shared key authentication
          vpn-uz:   child:  dynamic[udp] === 195.149.70.70/32[udp/l2f] TRANSPORT
    Security Associations (0 up, 0 connecting):
      none
    opensuse-13.2:~ #
  12. Bring up the vpn-uz connection.
    opensuse-13.2:~ # ipsec up vpn-uz
    initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (188 bytes)
    received packet: from 195.149.70.70[500] to 10.0.2.15[500] (124 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (244 bytes)
    received packet: from 195.149.70.70[500] to 10.0.2.15[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: f1:a4:6a:a2:d7:7e:26:9f:8f:f5:71:7f:1a:d6:3a:6f
    received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH ]
    sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (68 bytes)
    received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (84 bytes)
    parsed ID_PROT response 0 [ ID HASH V ]
    received DPD vendor ID
    IKE_SA vpn-uz[1] established between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    scheduling reauthentication in 10098s
    maximum IKE_SA lifetime 10638s
    generating QUICK_MODE request 3886818537 [ HASH SA No ID ID NAT-OA NAT-OA ]
    sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (220 bytes)
    received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (164 bytes)
    parsed QUICK_MODE response 3886818537 [ HASH SA No ID ID NAT-OA ]
    connection 'vpn-uz' established successfully
    opensuse-13.2:~ #
    journalctl output:
    May 24 17:22:40 opensuse-13.2 charon[1419]: 11[CFG] received stroke: initiate 'vpn-uz'
    May 24 17:22:40 opensuse-13.2 charon[1419]: 09[IKE] initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
    May 24 17:22:40 opensuse-13.2 charon[1419]: 09[IKE] initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
    May 24 17:22:40 opensuse-13.2 charon[1419]: 09[ENC] generating ID_PROT request 0 [ SA V V V V ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 09[NET] sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (188 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[NET] received packet: from 195.149.70.70[500] to 10.0.2.15[500] (124 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[ENC] parsed ID_PROT response 0 [ SA V V ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[IKE] received FRAGMENTATION vendor ID
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 13[NET] sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (244 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[NET] received packet: from 195.149.70.70[500] to 10.0.2.15[500] (304 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[IKE] received Cisco Unity vendor ID
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[IKE] received XAuth vendor ID
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[ENC] received unknown vendor ID: f1:a4:6a:a2:d7:7e:26:9f:8f:f5:71:7f:1a:d6:3a:6f
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[IKE] local host is behind NAT, sending keep alives
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[ENC] generating ID_PROT request 0 [ ID HASH ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 12[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (68 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (84 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[ENC] parsed ID_PROT response 0 [ ID HASH V ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[IKE] received DPD vendor ID
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[IKE] IKE_SA vpn-uz[1] established between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[IKE] IKE_SA vpn-uz[1] established between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[IKE] scheduling reauthentication in 10098s
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[IKE] maximum IKE_SA lifetime 10638s
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[ENC] generating QUICK_MODE request 3886818537 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 04[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (220 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (164 bytes)
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[ENC] parsed QUICK_MODE response 3886818537 [ HASH SA No ID ID NAT-OA ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[IKE] CHILD_SA vpn-uz{1} established with SPIs cc9dd895_i 9e989b3f_o and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[IKE] CHILD_SA vpn-uz{1} established with SPIs cc9dd895_i 9e989b3f_o and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[ENC] generating QUICK_MODE request 3886818537 [ HASH ]
    May 24 17:22:40 opensuse-13.2 charon[1419]: 05[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (60 bytes)
    tcpdump output:
    17:22:40.549406 IP 10.0.2.15.500 > 195.149.70.70.500: isakmp: phase 1 I ident
    17:22:40.552716 IP 195.149.70.70.500 > 10.0.2.15.500: isakmp: phase 1 R ident
    17:22:40.555822 IP 10.0.2.15.500 > 195.149.70.70.500: isakmp: phase 1 I ident
    17:22:40.559157 IP 195.149.70.70.500 > 10.0.2.15.500: isakmp: phase 1 R ident
    17:22:40.563762 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    17:22:40.566679 IP 195.149.70.70.4500 > 10.0.2.15.4500: NONESP-encap: isakmp: phase 1 R ident[E]
    17:22:40.573315 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    17:22:40.577417 IP 195.149.70.70.4500 > 10.0.2.15.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
    17:22:40.657175 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
  13. Check that the vpn-uz connection is in the ESTABLISHED state.
    opensuse-13.2:~ # ipsec status vpn-uz
    Security Associations (1 up, 0 connecting):
          vpn-uz[1]: ESTABLISHED 78 seconds ago, 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
          vpn-uz{1}:  INSTALLED, TRANSPORT, ESP in UDP SPIs: cc9dd895_i 9e989b3f_o
          vpn-uz{1}:   10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f] 
    opensuse-13.2:~ #
  14. Tear the connection down and move on to configuring xl2tpd.
    opensuse-13.2:~ # ipsec down vpn-uz
    closing CHILD_SA vpn-uz{1} with SPIs cc9dd895_i (0 bytes) 9e989b3f_o (0 bytes) and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f] 
    sending DELETE for ESP CHILD_SA with SPI cc9dd895
    generating INFORMATIONAL_V1 request 1846513024 [ HASH D ]
    sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (76 bytes)
    IKE_SA [1] closed successfully
    opensuse-13.2:~ #
    journalctl output:
    May 24 17:25:00 opensuse-13.2 charon[1419]: 12[CFG] received stroke: terminate 'vpn-uz'
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] closing CHILD_SA vpn-uz{1} with SPIs cc9dd895_i (0 bytes) 9e989b3f_o (0 bytes) and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] closing CHILD_SA vpn-uz{1} with SPIs cc9dd895_i (0 bytes) 9e989b3f_o (0 bytes) and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] sending DELETE for ESP CHILD_SA with SPI cc9dd895
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[ENC] generating INFORMATIONAL_V1 request 1846513024 [ HASH D ]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (76 bytes)
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] deleting IKE_SA vpn-uz[1] between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] deleting IKE_SA vpn-uz[1] between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[IKE] sending DELETE for IKE_SA vpn-uz[1]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[ENC] generating INFORMATIONAL_V1 request 3135315359 [ HASH D ]
    May 24 17:25:00 opensuse-13.2 charon[1419]: 04[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (84 bytes)
  15. Add the vpn-uz connection to /etc/xl2tpd/xl2tpd.conf.
    opensuse-13.2:~ # cat /etc/xl2tpd/xl2tpd.conf
    ;
    ; This is a minimal sample xl2tpd configuration file for use
    ; with L2TP over IPsec.
    ;
    ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
    ; clients connect. In this example, the internal (protected) network 
    ; is 192.168.1.0/24.  A special IP range within this network is reserved
    ; for the remote clients: 192.168.1.128/25
    ; (i.e. 192.168.1.128 ... 192.168.1.254)
    ;
    ; The listen-addr parameter can be used if you want to bind the L2TP daemon
    ; to a specific IP address instead of to all interfaces. For instance,
    ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
    ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
    ; will be used by xl2tpd as its address on pppX interfaces.
    
    [global]
    ; listen-addr = 192.168.1.98
    ;
    ; requires openswan-2.5.18 or higher - Also does not yet work in combination
    ; with kernel mode l2tp as present in linux 2.6.23+
    ; ipsec saref = yes
    ; forceuserspace = yes
    ;
    ; debug tunnel = yes
    
    [lns default]
    ip range = 192.168.1.128-192.168.1.254
    local ip = 192.168.1.99
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = LinuxVPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    
    [lac vpn-uz]
    lns = 195.149.70.70
    redial = yes
    require chap = yes
    require pap = no
    require authentication = no
    ppp debug = yes
    pppoptfile = /etc/ppp/options.vpn-uz
    autodial = no
    
    opensuse-13.2:~ #
  16. Add the PPP options for the vpn-uz connection to /etc/ppp/options.vpn-uz (the file named by pppoptfile in the [lac vpn-uz] section).
    opensuse-13.2:~ # cat /etc/ppp/options.vpn-uz
    :10.0.0.1
    ipcp-accept-local
    noccp
    noauth
    crtscts
    idle 1800
    mtu 1410
    mru 1410
    nodefaultroute
    debug
    lock
    noproxyarp
    usepeerdns
    user username
    
    opensuse-13.2:~ #
    The user option is required if the password for this user is to be stored in /etc/ppp/chap-secrets.
  17. Add the password for the user name given in /etc/ppp/options.vpn-uz to /etc/ppp/chap-secrets.
    opensuse-13.2:~ # cat /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client        server          secret          IP addresses
    
    username        *               password        *
    
    opensuse-13.2:~ #
    Note: the user name and password do not have to be stored in files; they can be given directly when connecting.
  18. Restart the xl2tpd service and check its state. If xl2tpd.conf contains errors, the service will not start!
    opensuse-13.2:~ # systemctl restart xl2tpd
    opensuse-13.2:~ #
    opensuse-13.2:~ # systemctl status xl2tpd
    xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
       Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled)
       Active: active (running) since Sun 2015-05-24 17:28:57 EEST; 5s ago
     Main PID: 1529 (xl2tpd)
       CGroup: /system.slice/xl2tpd.service
               └─1529 /usr/sbin/xl2tpd -D
    
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: setsockopt recvref[22]: Protocol not available
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Using l2tp kernel support.
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: xl2tpd version xl2tpd-1.3.0 started on opensuse-13.2 PID:1529
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Forked by Scott Balmos and David Stipp, (C) 2001
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Inherited by Jeff McAdams, (C) 2002
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    May 24 17:28:57 opensuse-13.2 xl2tpd[1529]: xl2tpd[1529]: Listening on IP address 0.0.0.0, port 1701
    opensuse-13.2:~ #
  19. Try to establish the L2TP connection.
    opensuse-13.2:~ # echo "c vpn-uz" > /run/xl2tpd/l2tp-control
    journalctl output:
    May 24 17:30:21 opensuse-13.2 xl2tpd[1548]: xl2tpd[1548]: Connecting to host 195.149.70.70, port 1701
    May 24 17:30:26 opensuse-13.2 xl2tpd[1548]: xl2tpd[1548]: Maximum retries exceeded for tunnel 59957.  Closing.
    May 24 17:30:26 opensuse-13.2 xl2tpd[1548]: xl2tpd[1548]: Connection 0 closed to 195.149.70.70, port 1701 (Timeout)
    May 24 17:30:31 opensuse-13.2 xl2tpd[1548]: xl2tpd[1548]: Unable to deliver closing message for tunnel 59957. Destroying anyway.
    May 24 17:30:31 opensuse-13.2 xl2tpd[1548]: xl2tpd[1548]: Will redial in 30 seconds
    tcpdump output:
    17:30:21.700778 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(opensuse-13.2) ... 
    17:30:22.702276 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(opensuse-13.2) ...
    17:30:23.703769 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(opensuse-13.2) ...
    17:30:24.705320 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(opensuse-13.2) ...
    17:30:25.706888 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(opensuse-13.2) ...
    17:30:26.709495 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59957) *RESULT_CODE(1/0 Timeout)
    17:30:27.711114 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59957) *RESULT_CODE(1/0 Timeout)
    17:30:28.712753 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59957) *RESULT_CODE(1/0 Timeout)
    17:30:29.714371 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59957) *RESULT_CODE(1/0 Timeout)
    17:30:30.716024 IP 10.0.2.15.1701 > 195.149.70.70.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59957) *RESULT_CODE(1/0 Timeout)
  20. Having confirmed that L2TP traffic is being sent, stop xl2tpd from making further connection attempts.
    opensuse-13.2:~ # echo "d vpn-uz" > /run/xl2tpd/l2tp-control
  21. Install in the kernel a policy that requires L2TP traffic between the local host and the server vpn.uz.gov.ua (195.149.70.70) to be encrypted. This means that as soon as such traffic appears, the charon daemon will automatically establish the IPsec connection.
    opensuse-13.2:~ # ipsec route vpn-uz
    'vpn-uz' routed
    opensuse-13.2:~ #
    opensuse-13.2:~ # ipsec status vpn-uz
    Routed Connections:
          vpn-uz{2}:  ROUTED, TRANSPORT
          vpn-uz{2}:   10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f] 
    Security Associations (0 up, 0 connecting):
      no match
    opensuse-13.2:~ #
  22. Establish the VPN connection.
    opensuse-13.2:~ # echo "c vpn-uz" > /run/xl2tpd/l2tp-control
    or, if the user name and password are NOT stored in /etc/ppp/options.vpn-uz and /etc/ppp/chap-secrets:
    opensuse-13.2:~ # echo "c vpn-uz username password" > /run/xl2tpd/l2tp-control
    journalctl output:
    May 24 17:55:06 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Connecting to host 195.149.70.70, port 1701
    May 24 17:55:06 opensuse-13.2 charon[1419]: 01[KNL] creating acquire job for policy 10.0.2.15/32[udp/l2f] === 195.149.70.70/32[udp/l2f] with reqid {2}
    May 24 17:55:06 opensuse-13.2 charon[1419]: 01[IKE] initiating Main Mode IKE_SA vpn-uz[3] to 195.149.70.70
    May 24 17:55:06 opensuse-13.2 charon[1419]: 01[IKE] initiating Main Mode IKE_SA vpn-uz[3] to 195.149.70.70
    May 24 17:55:06 opensuse-13.2 charon[1419]: 01[ENC] generating ID_PROT request 0 [ SA V V V V ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 01[NET] sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (188 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[NET] received packet: from 195.149.70.70[500] to 10.0.2.15[500] (124 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[ENC] parsed ID_PROT response 0 [ SA V V ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[IKE] received FRAGMENTATION vendor ID
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 11[NET] sending packet: from 10.0.2.15[500] to 195.149.70.70[500] (244 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[NET] received packet: from 195.149.70.70[500] to 10.0.2.15[500] (304 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[IKE] received Cisco Unity vendor ID
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[IKE] received XAuth vendor ID
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[ENC] received unknown vendor ID: a2:4e:f1:44:d2:18:1c:91:5c:07:c8:72:0f:8f:63:8a
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[IKE] local host is behind NAT, sending keep alives
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 09[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (68 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (84 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[ENC] parsed ID_PROT response 0 [ ID HASH V ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[IKE] received DPD vendor ID
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[IKE] IKE_SA vpn-uz[3] established between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[IKE] IKE_SA vpn-uz[3] established between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[IKE] scheduling reauthentication in 9977s
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[IKE] maximum IKE_SA lifetime 10517s
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[ENC] generating QUICK_MODE request 2535444454 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 12[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (220 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (164 bytes)
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[ENC] parsed QUICK_MODE response 2535444454 [ HASH SA No ID ID NAT-OA ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[IKE] CHILD_SA vpn-uz{2} established with SPIs cfe53b98_i d8f5c263_o and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[IKE] CHILD_SA vpn-uz{2} established with SPIs cfe53b98_i d8f5c263_o and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[ENC] generating QUICK_MODE request 2535444454 [ HASH ]
    May 24 17:55:06 opensuse-13.2 charon[1419]: 05[NET] sending packet: from 10.0.2.15[4500] to 195.149.70.70[4500] (60 bytes)
    May 24 17:55:07 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Connection established to 195.149.70.70, 1701.  Local: 51442, Remote: 12967 (ref=0/0).
    May 24 17:55:07 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Calling on tunnel 51442
    May 24 17:55:07 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Call established with 195.149.70.70, Local: 17683, Remote: 9930, Serial: 1 (ref=0/0)
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Plugin passwordfd.so loaded.
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Plugin pppol2tp.so loaded.
    May 24 17:55:07 opensuse-13.2 pppd[1769]: pppd 2.4.7 started by root, uid 0
    May 24 17:55:07 opensuse-13.2 pppd[1769]: using channel 2
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Using interface ppp0
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Connect: ppp0 <-->
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Overriding mtu 1500 to 1410
    May 24 17:55:07 opensuse-13.2 pppd[1769]: PPPoL2TP options: debugmask 0
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Overriding mru 1500 to mtu value 1410
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0xe854bd43>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x1ddc51d9>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x1ddc51d9>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [LCP ConfRej id=0x1 <mru 1410> <asyncmap 0x0>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [LCP ConfReq id=0x2 <magic 0xe854bd43>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [LCP ConfAck id=0x2 <magic 0xe854bd43>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Overriding mtu 1500 to 1410
    May 24 17:55:07 opensuse-13.2 pppd[1769]: PPPoL2TP options: debugmask 0
    May 24 17:55:07 opensuse-13.2 pppd[1769]: Overriding mru 1500 to mtu value 1410
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [LCP EchoReq id=0x0 magic=0xe854bd43]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [CHAP Challenge id=0x1 <9ec7dd40159e34d84d48a49ffced2ca7>, name = ""]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: added response cache entry 0
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [CHAP Response id=0x1 <f90cc3a643ac6818e2d2b49f089b2d34...06aa601f2633cd25a31a9b94a27a504d00>, name = "username"]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [LCP EchoRep id=0x0 magic=0x1ddc51d9]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [CHAP Success id=0x1 "S=8315ABD09A62012AFB94E57884CC8CA1831CB7C3"]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: response found in cache (entry 0)
    May 24 17:55:07 opensuse-13.2 pppd[1769]: CHAP authentication succeeded
    May 24 17:55:07 opensuse-13.2 pppd[1769]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
    May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [IPCP TermAck id=0x1]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x1 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x1 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfNak id=0x1 <addr 10.10.10.128> <ms-dns1 10.1.100.4> <ms-dns2 10.1.100.5>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfReq id=0x2 <addr 10.10.10.128> <ms-dns1 10.1.100.4> <ms-dns2 10.1.100.5>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x2 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x2 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfAck id=0x2 <addr 10.10.10.128> <ms-dns1 10.1.100.4> <ms-dns2 10.1.100.5>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x3 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x3 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x4 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x4 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x5 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x5 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x6 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x6 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x7 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x7 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x8 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x8 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x9 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x9 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xa <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xa <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xb <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xb <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xc <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xc <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xd <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xd <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xe <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xe <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0xf <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0xf <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x10 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x10 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x11 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x11 <addr 10.0.0.1>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x12 <addr 195.149.70.70>]
    May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x12 <addr 10.0.0.1>]
    
                             ----- 162 lines skipped -----
    
    May 24 17:55:11 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x64 <addr 195.149.70.70>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x64 <addr 10.0.0.1>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x65 <addr 195.149.70.70>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfRej id=0x65 <addr 195.149.70.70>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x66 <addrs 195.149.70.70 10.10.10.128>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfRej id=0x66 <addrs 195.149.70.70 10.10.10.128>]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x67]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfAck id=0x67]
    May 24 17:55:11 opensuse-13.2 pppd[1769]: local  IP address 10.10.10.128
    May 24 17:55:11 opensuse-13.2 pppd[1769]: remote IP address 10.0.0.1
    May 24 17:55:11 opensuse-13.2 pppd[1769]: primary   DNS address 10.1.100.4
    May 24 17:55:11 opensuse-13.2 pppd[1769]: secondary DNS address 10.1.100.5
    May 24 17:55:11 opensuse-13.2 charon[1419]: 11[KNL] 10.10.10.128 appeared on ppp0
    May 24 17:55:11 opensuse-13.2 charon[1419]: 12[KNL] 10.10.10.128 disappeared from ppp0
    May 24 17:55:11 opensuse-13.2 charon[1419]: 04[KNL] 10.10.10.128 appeared on ppp0
    May 24 17:55:11 opensuse-13.2 charon[1419]: 08[KNL] interface ppp0 activated
    tcpdump output (IKE phase 1 in main mode on UDP/500, then the switch to UDP/4500 for NAT traversal; the L2TP session itself shows up only as UDP-encapsulated ESP, with the same SPIs cfe53b98/d8f5c263 that charon reported for the CHILD_SA, so nothing leaves in the clear on UDP/1701):
    17:55:06.897044 IP 10.0.2.15.500 > 195.149.70.70.500: isakmp: phase 1 I ident
    17:55:06.900767 IP 195.149.70.70.500 > 10.0.2.15.500: isakmp: phase 1 R ident
    17:55:06.905607 IP 10.0.2.15.500 > 195.149.70.70.500: isakmp: phase 1 I ident
    17:55:06.908594 IP 195.149.70.70.500 > 10.0.2.15.500: isakmp: phase 1 R ident
    17:55:06.911737 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    17:55:06.914702 IP 195.149.70.70.4500 > 10.0.2.15.4500: NONESP-encap: isakmp: phase 1 R ident[E]
    17:55:06.921936 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    17:55:06.927791 IP 195.149.70.70.4500 > 10.0.2.15.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
    17:55:06.931110 IP 10.0.2.15.4500 > 195.149.70.70.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    17:55:07.900035 IP 10.0.2.15.4500 > 195.149.70.70.4500: UDP-encap: ESP(spi=0xd8f5c263,seq=0x1), length 164
    17:55:07.902141 IP 195.149.70.70.4500 > 10.0.2.15.4500: UDP-encap: ESP(spi=0xcfe53b98,seq=0x1), length 164
    17:55:07.902517 IP 10.0.2.15.4500 > 195.149.70.70.4500: UDP-encap: ESP(spi=0xd8f5c263,seq=0x2), length 68
    17:55:07.902989 IP 10.0.2.15.4500 > 195.149.70.70.4500: UDP-encap: ESP(spi=0xd8f5c263,seq=0x3), length 100
    17:55:07.904304 IP 195.149.70.70.4500 > 10.0.2.15.4500: UDP-encap: ESP(spi=0xcfe53b98,seq=0x2), length 68
    17:55:07.904699 IP 195.149.70.70.4500 > 10.0.2.15.4500: UDP-encap: ESP(spi=0xcfe53b98,seq=0x3), length 84
    17:55:07.904958 IP 10.0.2.15.4500 > 195.149.70.70.4500: UDP-encap: ESP(spi=0xd8f5c263,seq=0x4), length 100
    17:55:07.907671 IP 195.149.70.70.4500 > 10.0.2.15.4500: UDP-encap: ESP(spi=0xcfe53b98,seq=0x4), length 68
    17:55:07.907736 IP 195.149.70.70.4500 > 10.0.2.15.4500: UDP-encap: ESP(spi=0xcfe53b98,seq=0x5), length 84
    17:55:07.907962 IP 10.0.2.15.4500 > 195.149.70.70.4500: UDP-encap: ESP(spi=0xd8f5c263,seq=0x5), length 68
    ...
  23. Check that the ppp0 network interface has appeared and that it has an IP address assigned (here 10.10.10.128).
    opensuse-13.2:~ # ip address
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:33:83:72 brd ff:ff:ff:ff:ff:ff
        inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
           valid_lft forever preferred_lft forever
        inet6 fe80::a00:27ff:fe33:8372/64 scope link 
           valid_lft forever preferred_lft forever
    3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN group default qlen 3
        link/ppp 
        inet 10.10.10.128 peer 10.0.0.1/32 scope global ppp0
           valid_lft forever preferred_lft forever
    opensuse-13.2:~ #
  24. If necessary, add routes to the required subnets and IP addresses in the УЗ network. These are host routes and the default route stays on enp0s3, so only traffic to the listed addresses goes through the tunnel; everything else, DNS queries included unless the resolver is pointed at 10.1.100.4 and 10.1.100.5, still leaves through the normal uplink.
    opensuse-13.2:~ # ip route add 10.1.100.4 dev ppp0
    opensuse-13.2:~ # ip route add 10.1.100.5 dev ppp0
    opensuse-13.2:~ # ip route add 10.1.100.58 dev ppp0
    opensuse-13.2:~ # ip route add 10.1.180.37 dev ppp0
    opensuse-13.2:~ # 
    opensuse-13.2:~ # ip route
    default via 10.0.2.2 dev enp0s3  proto dhcp 
    10.0.0.1 dev ppp0  proto kernel  scope link  src 10.10.10.128 
    10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.15 
    10.1.100.4 dev ppp0  scope link 
    10.1.100.5 dev ppp0  scope link 
    10.1.100.58 dev ppp0  scope link 
    10.1.180.37 dev ppp0  scope link 
    opensuse-13.2:~ #
  25. Tear down the VPN connection. Closing the L2TP session is enough here: as the journal shows, the peer then sends DELETE for the ESP CHILD_SA and the IKE_SA, and charon removes them.
    opensuse-13.2:~ # echo "d vpn-uz" > /run/xl2tpd/l2tp-control
    journalctl output:
    May 24 18:02:26 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Disconnecting from 195.149.70.70, Local: 51442, Remote: 12967
    May 24 18:02:26 opensuse-13.2 xl2tpd[1767]: xl2tpd[1767]: Connection 12967 closed to 195.149.70.70, port 1701 (Goodbye!)
    May 24 18:02:26 opensuse-13.2 charon[1419]: 03[KNL] interface ppp0 deactivated
    May 24 18:02:26 opensuse-13.2 charon[1419]: 01[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (68 bytes)
    May 24 18:02:26 opensuse-13.2 charon[1419]: 01[ENC] parsed INFORMATIONAL_V1 request 2674151236 [ HASH D ]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 01[IKE] received DELETE for ESP CHILD_SA with SPI d8f5c263
    May 24 18:02:26 opensuse-13.2 charon[1419]: 01[IKE] closing CHILD_SA vpn-uz{2} with SPIs cfe53b98_i (5188 bytes) d8f5c263_o (4733 bytes) and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 01[IKE] closing CHILD_SA vpn-uz{2} with SPIs cfe53b98_i (5188 bytes) d8f5c263_o (4733 bytes) and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 13[NET] received packet: from 195.149.70.70[4500] to 10.0.2.15[4500] (84 bytes)
    May 24 18:02:26 opensuse-13.2 charon[1419]: 13[ENC] parsed INFORMATIONAL_V1 request 406132984 [ HASH D ]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 13[IKE] received DELETE for IKE_SA vpn-uz[3]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 13[IKE] deleting IKE_SA vpn-uz[3] between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 13[IKE] deleting IKE_SA vpn-uz[3] between 10.0.2.15[10.0.2.15]...195.149.70.70[195.149.70.70]
    May 24 18:02:26 opensuse-13.2 charon[1419]: 11[KNL] 10.10.10.128 disappeared from ppp0
    May 24 18:02:26 opensuse-13.2 charon[1419]: 05[KNL] interface ppp0 deleted
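A triage script for the journalctl output of step 22, added here as an example for this page (it is not code from the article, strongSwan or xl2tpd) and assuming the syslog-style line format shown above. It pulls out what is worth checking after every connect: the ESP SPIs (they must match the UDP-encap ESP packets in the tcpdump output, which is the proof that the L2TP session runs inside the tunnel), the PPP authentication the server demanded (here chap MS-v2, which is weak on its own and relies on the IPsec layer for protection) and whether it succeeded, how many IPCP ConfNak rounds the address negotiation took (pppd switches to ConfRej only after ipcp-max-failure NAKs, default 10, so the 100 rounds above show a peer insisting on an address the client refuses), and the addresses and DNS servers finally assigned. The embedded sample is a constructed, trimmed copy of the log above.

```shell
#!/bin/sh
# Added example, not from the original article: triage of the step 22
# journalctl output as key=value pairs. Assumes the syslog-style line format
# shown on the page; the 10-NAK threshold mirrors pppd's default
# ipcp-max-failure.

# Summarise VPN log lines read from stdin.
vpn_triage() {
    awk '
    /CHILD_SA .* established with SPIs/ {
        # strongSwan prints "<spi>_i <spi>_o": inbound and outbound ESP SPIs
        for (i = 1; i <= NF; i++) {
            if ($i ~ /_i$/) spi_in  = substr($i, 1, length($i) - 2)
            if ($i ~ /_o$/) spi_out = substr($i, 1, length($i) - 2)
        }
    }
    /rcvd \[LCP ConfReq.*<auth / {
        # authentication protocol the server asked for, e.g. "chap MS-v2"
        match($0, /<auth [^>]*>/); auth = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /CHAP authentication succeeded/ { auth_ok = 1 }
    /sent \[IPCP ConfNak/ { naks++ }
    /sent \[IPCP ConfRej/ { rejs++ }
    /local +IP address/     { local_ip  = $NF }
    /remote +IP address/    { remote_ip = $NF }
    /primary +DNS address/  { dns1 = $NF }
    /secondary +DNS address/ { dns2 = $NF }
    END {
        printf "esp_spi_in=%s\nesp_spi_out=%s\n", spi_in, spi_out
        printf "ppp_auth=%s\nppp_auth_ok=%d\n", auth, auth_ok + 0
        printf "ipcp_naks_sent=%d\nipcp_rejs_sent=%d\n", naks + 0, rejs + 0
        printf "local_ip=%s\nremote_ip=%s\ndns=%s,%s\n", local_ip, remote_ip, dns1, dns2
        # pppd only switches from ConfNak to ConfRej after ipcp-max-failure
        # NAKs (default 10); a run this long means the peer kept proposing an
        # address the client is configured to refuse.
        if (naks + 0 >= 10) print "warn=ipcp_nak_loop"
        if (auth_ok + 0 == 0) print "warn=no_chap_success"
    }'
}

# Constructed sample: lines copied from the step 22 journal above, with the
# 100 identical ConfReq/ConfNak exchanges regenerated in a loop.
sample_log() {
    cat <<'EOF'
May 24 17:55:06 opensuse-13.2 charon[1419]: 05[IKE] CHILD_SA vpn-uz{2} established with SPIs cfe53b98_i d8f5c263_o and TS 10.0.2.15/32[udp] === 195.149.70.70/32[udp/l2f]
May 24 17:55:07 opensuse-13.2 pppd[1769]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x1ddc51d9>]
May 24 17:55:07 opensuse-13.2 pppd[1769]: CHAP authentication succeeded
EOF
    i=1
    while [ "$i" -le 100 ]; do
        printf 'May 24 17:55:10 opensuse-13.2 pppd[1769]: rcvd [IPCP ConfReq id=0x%x <addr 195.149.70.70>]\n' "$i"
        printf 'May 24 17:55:10 opensuse-13.2 pppd[1769]: sent [IPCP ConfNak id=0x%x <addr 10.0.0.1>]\n' "$i"
        i=$((i + 1))
    done
    cat <<'EOF'
May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfRej id=0x65 <addr 195.149.70.70>]
May 24 17:55:11 opensuse-13.2 pppd[1769]: sent [IPCP ConfRej id=0x66 <addrs 195.149.70.70 10.10.10.128>]
May 24 17:55:11 opensuse-13.2 pppd[1769]: local  IP address 10.10.10.128
May 24 17:55:11 opensuse-13.2 pppd[1769]: remote IP address 10.0.0.1
May 24 17:55:11 opensuse-13.2 pppd[1769]: primary   DNS address 10.1.100.4
May 24 17:55:11 opensuse-13.2 pppd[1769]: secondary DNS address 10.1.100.5
EOF
}

# Usage: journalctl -u strongswan -u xl2tpd | sh vpn-triage.sh -
#        sh vpn-triage.sh --sample     (runs on the embedded sample)
case "${1:-}" in
    -)        vpn_triage ;;
    --sample) sample_log | vpn_triage ;;
esac
```

On the log above it reports esp_spi_in=cfe53b98, esp_spi_out=d8f5c263, ppp_auth=chap MS-v2 with ppp_auth_ok=1, 100 NAKs (hence warn=ipcp_nak_loop) and the 10.10.10.128 / 10.0.0.1 / 10.1.100.4,10.1.100.5 addresses; the two SPIs are exactly the values to look for in the UDP-encap ESP lines of the tcpdump output.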
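Steps 23 to 25 as a small script, added as an example for this page (not code from the article or from the strongSwan/xl2tpd projects): it checks the ppp0 address the way step 23 does, adds only the host routes that are not yet present so step 24 can be repeated without "RTNETLINK answers: File exists" errors, and tears the session down as in step 25. Interface ppp0, connection name vpn-uz and the control file /run/xl2tpd/l2tp-control are the ones used on this page; the host list, the `ipsec status` call and the `ipsec down` fallback are this example's own assumptions, and the embedded samples are trimmed, constructed copies of the outputs in steps 23 and 24.

```shell
#!/bin/sh
# Added example, not part of the original article: steps 23-25 as reusable
# functions. Names come from this page (interface ppp0, connection vpn-uz,
# control file /run/xl2tpd/l2tp-control); the host list, `ipsec status` and
# the `ipsec down` fallback are this example's own assumptions.

# Print the IPv4 address of interface $1 from `ip address` output on stdin
# (empty output if the interface or address is missing).
if_addr() {
    awk -v dev="$1" '
        $1 ~ /^[0-9]+:$/ { cur = $2; sub(/:$/, "", cur) }
        cur == dev && $1 == "inet" { split($2, a, "/"); print a[1]; exit }'
}

# Print every host in $2.. that has no "<host> dev $1" entry in the
# `ip route` output on stdin, so step 24 can be re-run safely.
missing_routes() {
    dev=$1; shift
    awk -v dev="$dev" -v want="$*" '
        $2 == "dev" && $3 == dev { have[$1] = 1 }
        END {
            n = split(want, h, " ")
            for (i = 1; i <= n; i++) if (!(h[i] in have)) print h[i]
        }'
}

# Step 23: fail unless ppp0 is up with an address, then show the SAs behind it.
vpn_check() {
    addr=$(ip address | if_addr ppp0)
    if [ -z "$addr" ]; then
        echo "ppp0 has no IPv4 address: tunnel is not up" >&2
        return 1
    fi
    echo "ppp0 up, local address $addr"
    ipsec status vpn-uz
}

# Step 24, idempotent: add only the host routes that are not there yet.
add_missing_routes() {
    dev=$1; shift
    for h in $(ip route | missing_routes "$dev" "$@"); do
        ip route add "$h" dev "$dev"
    done
}

# Step 25: close the L2TP session. In the journal above the peer then deletes
# the IPsec SAs itself; `ipsec down` is a fallback for a peer that does not,
# and its failure is tolerated when the SA is already gone.
vpn_down() {
    echo "d vpn-uz" > /run/xl2tpd/l2tp-control
    ipsec down vpn-uz || true
}

# Constructed samples (trimmed copies of the outputs in steps 23 and 24)
# used to exercise the parsers offline.
sample_ip_address() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 scope host lo
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 10.10.10.128 peer 10.0.0.1/32 scope global ppp0
EOF
}

sample_ip_route() {
    cat <<'EOF'
default via 10.0.2.2 dev enp0s3  proto dhcp
10.0.0.1 dev ppp0  proto kernel  scope link  src 10.10.10.128
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.15
10.1.100.4 dev ppp0  scope link
EOF
}

# Usage: sh vpn-ctl.sh check | routes <host>... | down
case "${1:-}" in
    check)  vpn_check ;;
    routes) shift; add_missing_routes ppp0 "$@" ;;
    down)   vpn_down ;;
esac
```

With the sample route table (10.1.100.4 already routed), `missing_routes ppp0 10.1.100.4 10.1.100.5` prints only 10.1.100.5; `sh vpn-ctl.sh routes 10.1.100.4 10.1.100.5 10.1.100.58 10.1.180.37` therefore reproduces step 24 and can be run again after a reconnect without errors.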