EdgeRouter - L2TP IPsec VPN Server using RADIUS


Overview


Readers will learn how to configure the EdgeRouter as an L2TP (Layer 2 Tunneling Protocol) server using RADIUS authentication. Please see the L2TP IPsec VPN Server article for information on how to setup local authentication with L2TP. 

ATTENTION: The EdgeRouter L2TP server uses MS-CHAP v2 authentication by default. Make sure that this protocol is enabled in the L2TP adapter security settings on the clients. Some clients (macOS) have MS-CHAP v2 authentication enabled by default, whereas others (Windows) do not.

 

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Steps: L2TP IPsec VPN Server
  3. Steps: Windows Server
  4. Steps: Windows / macOS / Android Client
  5. Steps: Testing & Verification
  6. Related Articles

Network Diagram


Back to Top

The network topology is shown below.

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24


Steps: L2TP IPsec VPN Server


Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to L2TP are:

  • UDP 1701 (L2TP)
  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T) 
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the L2TP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description L2TP
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
NOTE: Make sure that these rules do not override any existing firewall policies!

3. Configure the server authentication settings (replace <secret> with your desired passphrases).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication radius-server 192.168.1.10 key <secret>
set vpn l2tp remote-access authentication radius-server 192.168.1.10 port 1812
set vpn l2tp remote-access authentication mode radius
NOTE: The default port used for RADIUS authentication in EdgeOS is UDP 1812.

4. Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
NOTE: You can also issue IP addresses the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.

set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

6. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address.

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE.

set vpn l2tp remote-access outside-address 0.0.0.0

7. Define the IPsec interface which will receive L2TP requests from clients.

set vpn ipsec ipsec-interfaces interface eth0

8. (Optional) Assign a specific IP address to an L2TP client.

set vpn l2tp remote-access authentication local-users username user1 static-ip 192.168.100.250

9. (Optional) Lower the MTU for L2TP traffic.

Experiment with lowering the MTU value if the performance of the L2TP tunnel is poor. Example use cases when this can happen is when the external WAN interface uses PPPoE (1492 byte MTU).

set vpn l2tp remote-access mtu <mtu-value>

10. (Optional) Require the VPN clients to use a specific authentication protocol when connecting.

set vpn l2tp remote-access authentication require [ pap | chap | mschap | mschap-v2 ]
  • PAP - Require Password Authentication Protocol 
  • CHAP - Require Challenge Handshake Authentication Protocol 
  • MS-CHAP - Require Microsoft Challenge Handshake Authentication Protocol
  • MS-CHAP-V2 - Require Microsoft Challenge Handshake Authentication Protocol Version 2 (default)

11. Commit the changes and save the configuration.

commit ; save

Steps - Windows Server


Back to Top

The section below (briefly) focuses on configuring the Network Policy and Access Services (NPS) role on a Windows 2016 server. There are multiple guides available online that go into more detail than this article.

Windows_logo_-_2012.svg.png

1. Add the NPS role.

Server Manager > Add Roles and Features > Network Policy and Access Services

2. Add the EdgeRouter to the RADIUS clients (replace <secret> with your desired passphrase).

Network Policy Server Console (NPS) > Radius Clients and Servers > Radius Clients > New

Friendly Name: ER-4 (does not have to match device hostname)
Address (IP or DNS): 192.168.1.1 (the source address of the router)
Shared Secrets Template: None
Shared Secret: Manual
Shared Secret / Confirm: <secret>
NOTE: You can also create a ‘RADIUS Shared Secret Template’ and use the same passphrase for all RADIUS Clients.

3. Create a Network Policy for the RADIUS clients.

NPS > Policies > Network Policy > New

Policy Name: ER Radius Clients
Type of Network Access Server: Unspecified

Specify Conditions > Add

Client Friendly Name: ER-?
User Groups: UBNT\Network Engineers
NOTE: You can use Active Directory (AD) or local users (Windows Group) for authentication. In this example, the users allowed to authenticate to the ER are Network Engineers in the UBNT domain. You can use expressions when matching the Client Friendly Name. For example ER-? matches device names starting with 'ER-'.

Next > Specify Access Permission

Access Granted

Next > Configure Authentication Methods

Uncheck all methods and check ‘Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2)’

Next > Configure Constraints > Next > Configure Settings > Radius Attributes: Standard

Framed-Protocol: PPP
Service-Type: Framed


Steps - Windows / macOS / Android Client


Back to Top

There are different ways to connect to an L2TP server using a multitude of applications and operating systems. In this article, we are focusing on the built-in Windows 10, macOS and Android VPN clients.  

Windows_logo_-_2012.svg.png

1. Navigate to the Windows 10 VPN settings and add a new connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <secret>
Type of sign-in info: User name and password
User name: <username>
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
warning_25x25white.png ATTENTION: Newer versions of Windows prevent clients from connecting to an L2TP server behind NAT. If your EdgeRouter is located behind NAT, then apply the hotfix in step 3.

3. Open the Windows registry.

Run > regedit

Locate the registry subtree below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a new DWORD (32-bit) value in this subtree.

AssumeUDPEncapsulationContextOnSendRule

Modify the newly created DWORD and give it a value of 2 (default is 0) and restart your computer.

apple-logo-transparent.png

1. Navigate to the macOS network settings and add a new service (+).

System Preferences > Network > + 

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: L2TP

2. Add the IP address information and credentials to the L2TP adapter.

System Preferences > Network > L2TP

Configuration: Default
Server Address: 203.0.113.1
Account name: <username>

System Preferences > Network > L2TP > Authentication Settings

User Authentication: Password <secret>
Machine Authentication: Shared Secret <secret>

3. (Optional) Route all traffic over the VPN.

System Preferences > Network > L2TP > Advanced

Send all traffic over VPN connection

android-logo-icon-64976.png

1. Navigate to the Android VPN settings and add a new VPN (+).

Settings > ...More > VPN > + Add VPN 

Name: L2TP
Type: L2TP/IPsec PSK
Server address: 203.0.113.1
L2TP secret: (not used)
IPsec identifier: (not used)
IPsec pre-shared key: <secret>

2. Connect to the L2TP server and add the credentials.

Username: user1
Password: <secret>

Steps - Testing & Verification


Back to Top

1. Verify that the traffic is increasing the counters on the L2TP firewall rules.

show firewall name WAN_LOCAL statistics 
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    164         23837       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    1           436         ACCEPT  IKE
40    2           368         ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    1           131         ACCEPT  L2TP
10000 0           0           DROP    DEFAULT ACTION

2. Capture the L2TP traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x1), length 164
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x2), length 164
IP 203.0.113.1 > 192.0.2.1: ESP(spi=0x216ec4ce,seq=0x1), length 148
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x3), length 68
NOTE: This is a live capture. If there is no output the traffic is either not being generated or there is something blocking the traffic upstream.

3. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log
[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] remote host is behind NAT
[ENC] parsed ID_PROT request 0 [ ID HASH ]
[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.1.10]
[IKE] IKE_SA remote-access[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[172.16.1.10]
[IKE] CHILD_SA remote-access{1} established with SPIs and TS 203.0.113.1/32[udp/l2f] === 192.0.2.1/32[udp/l2f]
[KNL] 10.255.255.0 appeared on ppp0
[KNL] 10.255.255.0 disappeared from ppp0
[KNL] 10.255.255.0 appeared on ppp0
[KNL] interface l2tp0 activated
NOTE: This is also a live capture. Alternatively, you can use the show vpn log | no-more command to view the entire IPsec log history.

4. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
remote-access: #2, ESTABLISHED, IKEv1, 6c5e6bc5f68ca8c1:6529f3d96c5f8264
  local  '203.0.113.1' @ 203.0.113.1
  remote '10.0.1.10' @ 198.51.100.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 56s ago
  remote-access: #2, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 56 ago
    in  cf5622bf,  15763 bytes,   158 packets,     1s ago
    out cd1b3e08,   3373 bytes,    49 packets,    53s ago
    local  203.0.113.1/32[udp/l2f]
    remote 198.51.100.1/32[udp/l2f]

remote-access: #1, ESTABLISHED, IKEv1, 42df1e888432f98f:9b553c0804da6f1d
  local  '203.0.113.1' @ 203.0.113.1
  remote '172.16.1.10' @ 192.0.2.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 113s ago
  remote-access: #1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 113 ago
    in  cb5471df,  16488 bytes,   188 packets,     0s ago
    out 1e7fabb4,   4833 bytes,    70 packets,    52s ago
    local  203.0.113.1/32[udp/l2f]
    remote 192.0.2.1/32[udp/l2f]

5. Verify the status of the remote access users and interfaces.

show vpn remote-access 
Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte 
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user2      00h02m11s L2TP  l2tp1   192.168.100.241    76   4.7K    403  56.2K
user1      00h04m17s L2TP  l2tp0   192.168.100.240    17    888    125  12.2K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                                            
l2tp0        10.255.255.0                      u/u  User: user1                
                                                    (192.168.100.240)          
l2tp1        10.255.255.0                      u/u  User: user2                
                                                    (192.168.100.241)  

6. Analyze the L2TP log messages.

show log | match 'xl2tpd|pppd'
ubnt xl2tpd[2267]: Connection established to 192.0.2.1, 1701.  Local: 7337, Remote: 9 (ref=0/0).  LNS session is 'default'
ubnt xl2tpd[2267]: Call established with 192.0.2.1, PID: 18921, Local: 8145, Remote: 1, Serial: 0

ubnt pppd[18921]: pppd 2.4.4 started by root, uid 0
ubnt pppd[18921]: Connect: ppp0 <-->
ubnt pppd[18921]: Overriding mtu 1500 to 1400
ubnt pppd[18921]: Overriding mru 1500 to mtu value 1400
ubnt pppd[18921]: local  IP address 10.255.255.0
ubnt pppd[18921]: remote IP address 192.168.100.240

7. Capture the RADIUS authentication requests and responses on the internal interface.

sudo tcpdump -i eth1 -n -vv udp dst port 1812
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:15:08.874836 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 161)
192.168.1.1.37642 > 192.168.1.10.1812: [udp sum ok] RADIUS, length: 133
Access-Request (1), id: 0x91, Authenticator: 522ab5d069e26abc7782f7433119a087
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Framed-Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
User-Name Attribute (1), length: 7, Value: user1
0x0000: 7573 6572 31
Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
Vendor Attribute: 11, Length: 16, Value: X.wN......aDn4.o
0x0000: 0000 0137 0b12 58eb 774e 0690 81c9 b38a
0x0010: 6144 6e34 e66f
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 25, Length: 50, Value: ...TT........_..............A..+..4Y.....X.u.._...
0x0000: 0000 0137 1934 f300 0954 54e8 87a6 8cc1
0x0010: cbeb 865f 1006 00f2 0000 0000 0000 0000
0x0020: a7c2 41f4 cb2b 921a 3459 9eed 8792 d358
0x0030: 8d75 b188 5f99 1aa7
NAS-IP-Address Attribute (4), length: 6, Value: 127.0.1.1
0x0000: 7f00 0101
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000

8. Analyze the event logs on the RADIUS server.

Event Viewer > Custom Views > ServerRoles > Network Policy and Access Services

9. (Advanced users) Verify the x2tpd configuration files.

sudo cat /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=203.0.113.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600
  keylife=3600
### Vyatta L2TP VPN End ###

sudo cat /etc/xl2tpd/xl2tpd.conf
;### Vyatta L2TP VPN Begin ###
[global]
listen-addr = 203.0.113.1

[lns default]
ip range = 192.168.100.240-192.168.100.249
local ip = 10.255.255.0
refuse pap = yes
require authentication = yes
name = VyattaL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### Vyatta L2TP VPN End ###

sudo cat /etc/ppp/options.xl2tpd
### Vyatta L2TP VPN Begin ###
name xl2tpd
linkname l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
idle 1800
### Vyatta L2TP VPN End ###

Related Articles


Back to Top