
EdgeRouter - Forward L2TP-Traffic to an Internal Server Using NAT-T

Overview


Readers will learn how to forward L2TP/IPsec VPN traffic that uses NAT-Traversal (NAT-T) to an internal L2TP server, using either Port Forwarding or Destination NAT (DNAT). Note that Destination NAT is the preferred method when multiple WAN interfaces are used in a Dual WAN Load-Balancing scenario.

NAT-T is needed when the EdgeRouter (ER) is not the L2TP server itself but forwards the traffic to an internal L2TP/IPsec server that sits behind NAT. The ESP (Encapsulating Security Payload) traffic that carries the L2TP session has no port numbers, so it cannot be port-forwarded or translated in the regular manner. NAT-T solves this: when the IKE peers detect a NAT between them, they encapsulate the ESP packets in UDP on port 4500, and the ER can then forward that traffic like any other UDP flow.
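To see why raw ESP defeats ordinary port forwarding while NAT-T traffic does not, the following Python script (an added example, not part of the original article) builds constructed sample packets and parses them the way a NAT device would. A raw ESP packet (IP protocol 50) offers only an SPI, which the NAT cannot rewrite, whereas the same ESP header inside UDP 4500 exposes a port pair that can be translated. The UDP/4500 payload is classified per RFC 3948: a single 0xFF byte is a NAT keepalive, four zero bytes (the Non-ESP Marker) precede IKE, and anything else is ESP with its SPI first. The SPI reuses the value from the capture later on this page; the addresses, payloads and function names are this example's own.

```python
import struct

ESP_PROTO = 50        # IP protocol number of ESP; there is no port field, so nothing for a NAT to key on
UDP_PROTO = 17
NAT_T_PORT = 4500     # UDP port for NAT-T (RFC 3948); IKE moves here from 500 once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes in front of IKE carried over UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the NAT mapping open


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header (20 bytes, no options); checksum left at zero for the sample."""
    def ip_bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip_bytes(src), ip_bytes(dst))
    return header + payload


def build_udp(sport, dport, payload):
    """Constructed UDP header; checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_nat_t_payload(data):
    """Classify a UDP/4500 payload per RFC 3948: keepalive, IKE behind a Non-ESP Marker, or ESP."""
    if data == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(data) < 8:
        raise ValueError("truncated NAT-T payload")
    if data[:4] == NON_ESP_MARKER:
        return {"kind": "isakmp", "ike_length": len(data) - 4}    # tcpdump: NONESP-encap: isakmp
    spi, seq = struct.unpack("!II", data[:8])                     # ESP header: SPI (never zero), sequence
    return {"kind": "esp", "spi": spi, "seq": seq}                # tcpdump: UDP-encap: ESP(spi=...,seq=...)


def classify_datagram(pkt):
    """Return what a NAT sees: addresses, the port pair it could translate (or None), and the contents."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        spi, seq = struct.unpack("!II", body[:8])
        # Raw ESP: the flow is identified only by the SPI, which the peers chose and bound to the SA.
        # The NAT cannot rewrite it and has no port to map, so regular port forwarding cannot apply.
        return {"src": src, "dst": dst, "proto": "esp", "ports": None,
                "nat_translatable": False, "kind": "esp", "spi": spi, "seq": seq}
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", body[:4])
        inner = classify_nat_t_payload(body[8:]) if dport == NAT_T_PORT else {"kind": "udp"}
        return {"src": src, "dst": dst, "proto": "udp", "ports": (sport, dport),
                "nat_translatable": True, **inner}
    return {"src": src, "dst": dst, "proto": proto, "ports": None, "nat_translatable": False}


# Constructed sample packets from the VPN client towards the ER's WAN address.
CLIENT, ER_WAN = "192.0.2.1", "203.0.113.1"
SPI = 0xC645986C                                          # SPI value taken from the capture on this page
ESP_HEADER = struct.pack("!II", SPI, 1) + b"\x00" * 56    # SPI, seq=1, then opaque ciphertext (dummy)
IKE_ON_4500 = NON_ESP_MARKER + b"\x11" * 28               # marker, then an opaque IKE message (dummy)

RAW_ESP_PKT = build_ipv4(ESP_PROTO, CLIENT, ER_WAN, ESP_HEADER)
NAT_T_ESP_PKT = build_ipv4(UDP_PROTO, CLIENT, ER_WAN, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_HEADER))
NAT_T_IKE_PKT = build_ipv4(UDP_PROTO, CLIENT, ER_WAN, build_udp(NAT_T_PORT, NAT_T_PORT, IKE_ON_4500))
KEEPALIVE_PKT = build_ipv4(UDP_PROTO, CLIENT, ER_WAN, build_udp(NAT_T_PORT, NAT_T_PORT, NAT_KEEPALIVE))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP_PKT), ("NAT-T ESP", NAT_T_ESP_PKT),
                      ("NAT-T IKE", NAT_T_IKE_PKT), ("keepalive", KEEPALIVE_PKT)]:
        print(f"{name:10} {classify_datagram(pkt)}")
```

Running the script prints one line per packet; only the raw ESP packet comes back with `ports: None` and `nat_translatable: False`, which is exactly the case the Port Forwarding and DNAT rules below cannot handle and the reason they match UDP 500 and 4500 instead of protocol 50.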

Notes & Requirements:

Applicable to EdgeOS 1.9.1+ firmware in all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Find a basic article on the subject in the Related Articles below.

 

Equipment used in this article:

- EdgeRouter-X (ER-X)

Table of Contents


  1. Network Diagram
  2. Steps - Port Forwarding L2TP-traffic
  3. Steps - (Optional) Forward L2TP-traffic using DNAT
  4. Steps - Windows Client
  5. Steps - Testing and Verification
  6. Related Articles

Network Diagram



The network topology is shown below. The following interfaces are in use on the EdgeRouter: 

  1. Ethernet 0 (Eth0) WAN 203.0.113.1
  2. Ethernet 1-4 (Switch0) LAN 192.168.1.1/24 

The L2TP server has been statically configured with the IP address 192.168.1.10/24. The IP addresses and interfaces used by the VPN Client are not relevant in this example.


Steps - Port Forwarding L2TP-Traffic



In this example the ER has been pre-configured using the Basic Setup wizard. For the purpose of this article we will assume that the masquerade rules are in place so that the L2TP server on the LAN can communicate with hosts on the Internet.

Note: If your ER has multiple uplinks to the Internet, we recommend that you skip the Port-Forwarding configuration and implement NAT-T using Destination NAT instead. See the DNAT section below for more information.

The ports and protocols relevant to L2TP/IPsec are:

  1. UDP 1701 (L2TP)
  2. UDP 4500 (NAT-T)
  3. UDP 500 (IKE)
  4. ESP (Protocol 50)

 

Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the Port Forwarding rules for IKE and NAT-T for the eth0 WAN interface.

In this example the auto-firewall feature is used that will automatically open up the relevant ports in the WAN_IN firewall policy. See the DNAT section below if you prefer to create your own firewall rules.

set auto-firewall enable
set hairpin-nat enable
set lan-interface switch0
set wan-interface eth0

set port-forward rule 1 description IKE
set port-forward rule 1 forward-to address 192.168.1.10
set port-forward rule 1 forward-to port 500
set port-forward rule 1 original-port 500
set port-forward rule 1 protocol udp

set port-forward rule 2 description ESP
set port-forward rule 2 forward-to address 192.168.1.10
set port-forward rule 2 forward-to port 4500
set port-forward rule 2 original-port 4500
set port-forward rule 2 protocol udp

Note: Even though L2TP itself uses UDP port 1701, that port does not need to be forwarded or translated: the L2TP packets travel inside the ESP payload, which in turn is encapsulated in UDP 4500. Port 1701 is only seen by the VPN client and the server after the traffic has been decrypted, and it should never appear in the clear on the WAN side. For this reason UDP port 1701 is not included in the rules.

3. Commit the changes.

commit

4. Save the configuration.

save

Steps - (Optional) Forward L2TP-Traffic Using DNAT



We recommend using DNAT over Port Forwarding when multiple uplinks are used (load balancing), because the current implementation of Port Forwarding only applies to the primary IP address of a single WAN interface. In the example below the ER has been pre-configured using the Dual WAN Load-Balancing wizard. For the purpose of this article we will assume that the masquerade rules are in place so that the L2TP server on the LAN can communicate with hosts on the Internet.

1. Enter configuration mode.

configure

2. Create the Destination NAT rules for IKE and NAT-T for the Eth0 WAN interface.

set service nat rule 10 description IKE
set service nat rule 10 destination port 500
set service nat rule 10 inbound-interface eth0
set service nat rule 10 inside-address address 192.168.1.10
set service nat rule 10 inside-address port 500
set service nat rule 10 log disable
set service nat rule 10 protocol udp
set service nat rule 10 type destination

set service nat rule 11 description ESP
set service nat rule 11 destination port 4500
set service nat rule 11 inbound-interface eth0
set service nat rule 11 inside-address address 192.168.1.10
set service nat rule 11 inside-address port 4500
set service nat rule 11 log disable
set service nat rule 11 protocol udp
set service nat rule 11 type destination 

3. Create the Destination NAT rules for IKE and NAT-T for the Eth1 WAN interface.

set service nat rule 12 description IKE
set service nat rule 12 destination port 500
set service nat rule 12 inbound-interface eth1
set service nat rule 12 inside-address address 192.168.1.10
set service nat rule 12 inside-address port 500
set service nat rule 12 log disable
set service nat rule 12 protocol udp
set service nat rule 12 type destination

set service nat rule 13 description ESP
set service nat rule 13 destination port 4500
set service nat rule 13 inbound-interface eth1
set service nat rule 13 inside-address address 192.168.1.10
set service nat rule 13 inside-address port 4500
set service nat rule 13 log disable
set service nat rule 13 protocol udp
set service nat rule 13 type destination

4. Add the firewall rules for IKE and NAT-T to the WAN_IN policy. The Dual WAN wizard applies WAN_IN to both eth0 and eth1 (inbound), so one set of rules covers both uplinks. Unlike the auto-firewall feature used in the Port Forwarding section, these rules are not created for you.

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description IKE
set firewall name WAN_IN rule 30 destination port 500
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol udp

set firewall name WAN_IN rule 40 action accept
set firewall name WAN_IN rule 40 description ESP
set firewall name WAN_IN rule 40 destination port 4500
set firewall name WAN_IN rule 40 log disable
set firewall name WAN_IN rule 40 protocol udp 

5. Commit the changes.

commit 

6. Save the configuration.

save 

Steps - Windows Client



There are different ways to connect to an L2TP server using a multitude of applications and operating systems. In this article we are focusing on just one, the built-in Windows 10 VPN client. The reason for choosing this method is that it is commonly used and it also has a major caveat that is worth discussing.

1. Navigate to the Windows 10 Settings (WIN+I) > Network & Internet > Add a VPN connection

  1. VPN Provider: Windows (built-in)
  2. Connection name: ER-L2TP
  3. Server name: Your ER external WAN IP-address
  4. VPN Type: L2TP/IPsec with pre-shared key or certificate

2. Navigate to the Windows 10 Network Connections (WIN+X) > ER-L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Note: If you cannot connect to your L2TP server, it might be due to the way Windows handles IPsec traffic to servers that are located behind a NAT device: by default it refuses to establish the security association. In this case apply the hotfix in step 3.

3. (Hotfix) Navigate to the Windows 10 registry (WIN+R) > regedit

Locate the following registry subtree:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a new DWORD (32-bit) value in this subtree:

AssumeUDPEncapsulationContextOnSendRule

Modify the newly created DWORD value and give it a value of 2 (the default is 0), then restart your computer. A value of 1 lets Windows establish IPsec security associations with a server behind NAT; a value of 2 also covers the case where the client itself is behind NAT, which is the usual situation for a roaming client.


Steps - Testing & Verification



The last step is to test and verify the forwarding/translation of the L2TP traffic. It is assumed that the internal L2TP server has been set up with the correct configuration. After initiating the VPN connection from the client, verify the connection attempts using the following commands:

1. The translation in the NAT table:

show nat translations destination
Pre-NAT              Post-NAT           Type  Prot  Timeout
203.0.113.1          192.168.1.10       dnat   udp  147    
203.0.113.1          192.168.1.10       dnat   udp  152 

2. The counters on the WAN_IN firewall rules (if created):

show firewall name WAN_IN rule 30
IPv4 Firewall "WAN_IN":
Active on (eth0,IN) (eth1,IN)
rule  action   proto     packets  bytes                                  
----  ------   -----     -------  -----                                  
30    accept   udp       4        1744                                    
condition - udp dpt:isakmp                                                   

show firewall name WAN_IN rule 40
IPv4 Firewall "WAN_IN":
Active on (eth0,IN) (eth1,IN)
rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                  
40    accept   udp       4        432                                    
condition - udp dpt:4500           

3. The arrival of L2TP traffic on the external WAN interface:

sudo tcpdump -i eth0 -n 'udp and (port 500 or port 4500 or port 1701)'
00:58:35.508580 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
00:58:35.803213 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
00:58:36.041596 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 1 I ident[E]
00:58:36.047270 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 1 R ident[E]
00:58:36.286845 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
00:58:36.292050 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
00:58:36.529811 IP 192.0.2.1.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0xc645986c,seq=0x1), length 164
00:58:37.523640 IP 192.0.2.1.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0xc645986c,seq=0x2), length 164  

Note: This is a live capture. If there is no output, the traffic is either not being generated on the client or is being blocked upstream. If there is output and the connection still does not establish, verify the NAT/Port-Forwarding translations and the firewall rule counters above.

The most important part of the output above is the 4500: UDP-encap: ESP lines: they show that the ESP traffic has been encapsulated in UDP 4500. If you do not see them, the ESP traffic is NOT being encapsulated in UDP 4500 and NAT-T is not functioning properly. Also note the absence of UDP port 1701 in the output, which is expected.
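The troubleshooting rules in the two notes above can be applied mechanically to a capture. The following Python script is an added example, not part of the original article: it parses tcpdump lines of the form shown above (the embedded sample is a constructed copy of that output), records how far the exchange got (IKE on 500, IKE moved to 4500, UDP-encapsulated ESP) and returns a diagnosis. The stage names and the `diagnose` logic are this example's own.

```python
import re

# Constructed sample: a copy of the tcpdump lines shown above (captured on the ER's WAN interface).
SAMPLE_CAPTURE = """\
00:58:35.508580 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
00:58:35.803213 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
00:58:36.041596 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 1 I ident[E]
00:58:36.047270 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 1 R ident[E]
00:58:36.286845 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
00:58:36.292050 IP 192.0.2.1.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
00:58:36.529811 IP 192.0.2.1.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0xc645986c,seq=0x1), length 164
00:58:37.523640 IP 192.0.2.1.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0xc645986c,seq=0x2), length 164
"""

# One tcpdump line: timestamp, "IP", src.sport > dst.dport: <decoded payload>
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


def classify(rest):
    """Map tcpdump's decode of the payload onto the three stages that matter for NAT-T."""
    if rest.startswith("UDP-encap: ESP"):
        return "esp-in-udp"          # ESP encapsulated in UDP 4500: NAT-T is working
    if rest.startswith("NONESP-encap: isakmp"):
        return "isakmp-4500"         # IKE moved to 4500 after detecting a NAT (Non-ESP Marker)
    if rest.startswith("isakmp"):
        return "isakmp-500"          # initial IKE exchange on UDP 500
    return "other"


def parse_capture(text):
    """Turn tcpdump text into a list of events; lines that do not match the IP a.b.c.d.port form are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                 "dport": int(m["dport"]), "kind": classify(m["rest"])}
        esp = ESP_RE.search(m["rest"])
        if esp:
            event["spi"], event["seq"] = int(esp[1], 16), int(esp[2], 16)
        events.append(event)
    return events


def diagnose(events):
    """Apply the troubleshooting rules from the notes above and name the stage the exchange reached."""
    if not events:
        return "no-traffic"               # nothing arrives: client not sending, or blocked upstream
    kinds = {e["kind"] for e in events}
    if any(1701 in (e["sport"], e["dport"]) for e in events):
        return "l2tp-in-clear"            # L2TP arriving without IPsec; the rules above do not forward it
    if "esp-in-udp" in kinds:
        return "nat-t-ok"                 # UDP-encap: ESP seen: NAT-T negotiated and ESP is flowing
    if "isakmp-4500" in kinds:
        return "ike-on-4500-no-esp"       # NAT detected, but IKE never completed: check the server's PSK/proposals
    if "isakmp-500" in kinds:
        return "ike-on-500-only"          # peers never switched to 4500: NAT-T not negotiated or 4500 blocked
    return "unknown"


def esp_sequence(events):
    """(spi, seq) for every UDP-encapsulated ESP packet, in capture order; seq should rise by one each time."""
    return [(e["spi"], e["seq"]) for e in events if e["kind"] == "esp-in-udp"]


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    print(diagnose(evs), esp_sequence(evs))
```

To use it on a live router, pipe the output of the tcpdump command above into the script (for example by reading `sys.stdin` instead of `SAMPLE_CAPTURE`); on the sample it reports `nat-t-ok` with SPI 0xc645986c and sequence numbers 1 and 2.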

 


Related Articles

