EdgeRouter - L2TP IPsec VPN Server

Overview

Readers will learn how to configure the EdgeRouter as a L2TP (Layer 2 Tunneling Protocol) server using either LOCAL or RADIUS authentication. This example is based on Pre-shared-Secret authentication and does not focus on Certificate-Based authentication.

Notes & Requirements:

Applicable to EdgeOS 1.9.1+ firmware in all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Find a basic article on the subject in the Related Articles below.


Equipment used in this article:

- EdgeRouter-X (ER-X)

Table of Contents

  1. Network Diagram
  2. Steps - L2TP Server 
  3. Steps - Firewall Rules 
  4. Steps - Windows Client
  5. Steps - Testing and Verification
  6. Related Articles

Network Diagram


The network topology is shown below. The following interfaces are in use on the ER:

  1. Ethernet 0 (Eth0) WAN 203.0.113.1
  2. Ethernet 1-4 (Switch0) LAN 192.168.1.1/24

The IP addresses and interfaces used by the VPN Client are not relevant in this example. The RADIUS server has been statically configured with the IP address 192.168.1.10/24. You do not need to deploy this server when using LOCAL authentication.


Steps - L2TP Server


In this example the ER has been pre-configured using the Basic Setup wizard. For the purpose of this article we assume that the masquerade rules are in place so that the hosts on the LAN can communicate with hosts on the Internet.

The ports and protocols relevant to L2TP/IPsec are:

  1. UDP 1701 (L2TP)
  2. UDP 500 (IKE)
  3. ESP (Protocol 50)
  4. UDP 4500 (NAT-T) 


Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Configure the server authentication settings (replace <secret> with your desired passphrase).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
Note: If you define a pre-shared-secret using 'quotation marks', make sure that the secret on the client side does not include these same quotes. For example, set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'sup3rSecure' must be entered as sup3rSecure on the client.

3. Create the IP address information to be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
Note: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with the IP addresses issued by your DHCP server or used by other devices on your network. Defining addresses in the same range as the local subnet can lead to issues with applications that rely on multicast.

4. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

You can also set the DNS server to be the internal IP of the router itself. In this case you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.

set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0

5. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address (replace value with your external address).

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE, or you are using Dual WAN Load-Balancing.

set vpn l2tp remote-access outside-address 0.0.0.0
Note: Use option C when multiple uplinks are used (Dual WAN Load-Balancing). If you use either option A or B, your L2TP server will only be reachable on a single WAN address.

6. Configure the LOCAL authentication (replace <password> with your desired user passwords).

If you want to use a RADIUS server for authentication, skip the commands below and continue on to step 7.

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <password>
set vpn l2tp remote-access authentication local-users username user2 password <password>

7. (Optional) Configure the RADIUS authentication (replace <key> with your desired passphrase).

set vpn l2tp remote-access authentication mode radius 
set vpn l2tp remote-access authentication radius-server 192.168.1.10 key <key>

8. (Optional) Define the IPsec interfaces to be used for L2TP.

This step depends on the firmware version in use. Officially, the use of this command has been deprecated since v1.8.5. More information is available under the 'Enhancements and bug fixes' section here.

set vpn ipsec ipsec-interfaces interface eth0

9. (Optional) Lower the MTU for L2TP traffic.

Experiment with lowering the MTU value if the performance of the L2TP tunnel is poor. A typical case is when the external WAN interface uses PPPoE (1492-byte MTU).

set vpn l2tp remote-access mtu <mtu-value>

10. (Optional) Specify the next-hop IP address for reaching the VPN clients.

This statement can be used to force the VPN traffic towards a single gateway (when several are present in a load-balancing scenario).

set vpn l2tp remote-access outside-nexthop 203.0.113.2

11. (Optional) Require the VPN clients to use a specific authentication protocol when connecting.

set vpn l2tp remote-access authentication require [ pap | chap | mschap | mschap-v2 ]
  • PAP - Require Password Authentication Protocol 
  • CHAP - Require Challenge Handshake Authentication Protocol 
  • MS-CHAP - Require Microsoft Challenge Handshake Authentication Protocol
  • MS-CHAP-V2 - Require Microsoft Challenge Handshake Authentication Protocol Version 2

12. Commit the changes.

commit

13. Save the configuration.

save
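As an added check for the steps above (example code, not part of the article or of EdgeOS), the following Python linter parses `set vpn l2tp remote-access` lines in the syntax used here and flags the mistakes the steps warn about: a missing pre-shared-secret, both a dhcp-interface and an outside-address, a client pool that is reversed or falls inside the LAN, an authentication mode with no matching users or server, and no DNS server. The configuration and LAN subnet are constructed from the article's values; the user password is a placeholder.

```python
import ipaddress
import shlex

# Constructed config in the article's `set` syntax (the LOCAL-authentication path, steps 2-6).
CONFIG = """
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'sup3rSecure'
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password hunter2
"""

def parse_set_lines(text):
    """Flatten `set vpn l2tp remote-access <path> <value>` lines into {path: value}.
    shlex strips the 'quotes' around a pre-shared-secret, leaving what the client must type."""
    cfg = {}
    for line in text.strip().splitlines():
        words = shlex.split(line)
        if words[:4] == ["set", "vpn", "l2tp", "remote-access"] and len(words) > 5:
            cfg[" ".join(words[4:-1])] = words[-1]
    return cfg

def lint(cfg, lan="192.168.1.0/24"):
    """Check the constraints the steps above impose; returns a list of problems (empty = OK)."""
    problems = []
    if "ipsec-settings authentication pre-shared-secret" not in cfg:
        problems.append("no pre-shared-secret configured")
    uplinks = [k for k in ("dhcp-interface", "outside-address") if k in cfg]
    if len(uplinks) != 1:
        problems.append(f"exactly one of dhcp-interface/outside-address is required, found {uplinks}")
    try:
        start = ipaddress.ip_address(cfg["client-ip-pool start"])
        stop = ipaddress.ip_address(cfg["client-ip-pool stop"])
        if stop < start:
            problems.append("client-ip-pool stop precedes start")
        elif start in ipaddress.ip_network(lan) or stop in ipaddress.ip_network(lan):
            problems.append(f"client-ip-pool lies in LAN {lan}: keep it clear of DHCP leases and static hosts")
    except (KeyError, ValueError):
        problems.append("client-ip-pool start/stop missing or not an IP address")
    mode = cfg.get("authentication mode")
    if mode not in ("local", "radius"):
        problems.append("authentication mode must be local or radius")
    elif not any(k.startswith(f"authentication {mode}") for k in cfg):
        problems.append(f"authentication mode {mode} but no {mode} users/server defined")
    if "dns-servers server-1" not in cfg:
        problems.append("clients get no DNS server")
    return problems
```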

Steps - Firewall Rules


The WAN_LOCAL rule created by the Basic Setup wizard does not allow any incoming connections by default. Firewall rules for L2TP, ESP and IKE need to be created in order to accept L2TP traffic.

1. Enter configuration mode.

configure

2. Add additional firewall rules for L2TP, IKE, NAT-T and ESP for the WAN interface(s).

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description L2TP
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description ESP
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol esp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description NAT-T
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp

3. Commit the changes.

commit 

4. Save the configuration.

save 

Steps - Windows Client


There are different ways to connect to an L2TP server using a multitude of applications and operating systems. In this article we are focusing on just one, the built-in Windows 10 VPN client. The reason for choosing this method is that it is commonly used and it also has a major caveat that is worth discussing.

1. Navigate to the Windows 10 Settings (WIN+I) > Network & Internet > Add a VPN connection

  1. VPN Provider: Windows (built-in)
  2. Connection name: ER-L2TP
  3. Server name: Your ER external WAN IP-address
  4. VPN Type: L2TP/IPsec with pre-shared key or certificate

2. Navigate to the Windows 10 Network Connections (WIN+X) > ER-L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
Note: If your EdgeRouter is behind NAT and you cannot connect to your L2TP server, the cause may be the way the Windows operating system handles IPsec traffic to servers/routers that are located behind a NAT device. In this case apply the hotfix in step 3.

3. (Hotfix) Navigate to the Windows 10 registry (WIN+R) > regedit

Locate the following registry subtree:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a new DWORD (32-bit) value in this subtree:

AssumeUDPEncapsulationContextOnSendRule

Set the newly created DWORD value to 2 (the default is 0) and restart your computer.


Steps - Testing & Verification


The last step is to test and verify the arrival of the L2TP traffic on the external interface. After initiating the VPN connection from the client, verify the connection using the following:

1. The IPsec Security Associations (SAs):

show vpn ipsec sa
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 8 ago
in cd49a319, 0 bytes, 0 packets
out 47a8a786, 0 bytes, 0 packets
local 76.237.8.193/32[udp/l2f]
remote 192.0.2.1/32[udp/l2f]

2. The remote access users and interfaces:

show vpn remote-access 
Active remote access VPN sessions:

User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
ubnt 00h01m22s L2TP l2tp0 192.168.100.240 4 58 86 7.4K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
l2tp0 10.255.255.0 u/u User: ubnt (192.168.100.240)

3. The L2TP VPN logs:

show vpn log tail
[IKE] <14> 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] <remote-access|14> IKE_SA remote-access[14] established ...
[IKE] <remote-access|14> CHILD_SA remote-access{4} established with SPIs ...
[KNL] 10.255.255.0 appeared on ppp0

sudo swanctl --log
04[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
04[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
12[IKE] remote host is behind NAT
09[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.0.50]
09[CFG] selected peer config "remote-access"
09[IKE] IKE_SA remote-access[15] established between ...
04[IKE] CHILD_SA remote-access{5} established with SPIs ...
05[KNL] 10.255.255.0 appeared on ppp0

4. The arrival of L2TP traffic on the external WAN interface:

sudo tcpdump -i eth0 -n udp dst port 500 or port 1701 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:51:19.400846 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
07:51:19.405109 IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
07:51:19.658508 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
07:51:19.715406 IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
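An added example (not from the article or EdgeOS) that parses the `show vpn ipsec sa` listing from step 1 and turns it into findings an operator would act on: whether the client sits behind NAT (so the NAT-T rule for UDP 4500 is in play), whether a weak algorithm was negotiated, and whether the child SA is carrying any traffic yet. The sample output is constructed to match the article's listing, and the regular expressions assume the strongSwan output layout shown there.

```python
import re

# Constructed sample shaped like the `show vpn ipsec sa` listing in step 1 (same addresses and SPIs).
SAMPLE = """remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
  local '203.0.113.1' @ 203.0.113.1
  remote '172.16.0.50' @ 192.0.2.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 351s ago
  remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    in  cd49a319, 0 bytes, 0 packets
    out 47a8a786, 0 bytes, 0 packets
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), (IKEv\d), ")
CHILD_RE = re.compile(r"^\S+: #(\d+), (\w+), ([\w-]+), ESP:(\S+)")
PEER_RE = re.compile(r"^remote '([^']+)' @ (\S+)")
PROP_RE = re.compile(r"^[A-Z][\w-]*(?:/[A-Z][\w-]*)+$")   # the IKE proposal line
BYTES_RE = re.compile(r"^(in|out)\s+\w+,\s+(\d+) bytes,\s+(\d+) packets")
WEAK = ("3DES", "MD5", "MODP_768", "MODP_1024")  # primitives that should not be negotiated

def parse_ipsec_sa(text):
    """Parse IKE SAs and their child SAs out of `show vpn ipsec sa` output."""
    sas = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CHILD_RE.match(line):
            sas[-1]["children"].append({"id": int(m[1]), "state": m[2], "mode": m[3], "esp": m[4], "bytes": {}})
        elif m := IKE_RE.match(line):
            sas.append({"name": m[1], "id": int(m[2]), "state": m[3], "version": m[4], "children": []})
        elif m := PEER_RE.match(line):
            sas[-1]["peer_id"], sas[-1]["peer_addr"] = m[1], m[2]
        elif PROP_RE.match(line):
            sas[-1]["proposal"] = line
        elif m := BYTES_RE.match(line):
            sas[-1]["children"][-1]["bytes"][m[1]] = int(m[2])
    return sas

def assess(sas):
    """Turn parsed SAs into findings an operator should act on."""
    findings = []
    for sa in sas:
        tag = f"{sa['name']}#{sa['id']}"
        if sa.get("peer_id") != sa.get("peer_addr"):
            findings.append(f"{tag}: peer {sa['peer_id']} is behind NAT (seen from {sa['peer_addr']}), so the NAT-T rule for UDP 4500 is required")
        algs = " ".join([sa.get("proposal", "")] + [c["esp"] for c in sa["children"]])
        findings += [f"{tag}: negotiated weak primitive {w}" for w in WEAK if w in algs]
        for c in sa["children"]:
            if c["state"] == "INSTALLED" and not any(c["bytes"].values()):
                findings.append(f"{tag}: child SA #{c['id']} ({c['mode']}) carries no traffic yet, so L2TP on UDP 1701 is not flowing inside ESP")
    return findings
```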

Related Articles