EdgeRouter - L2TP IPsec VPN Server

Overview


Readers will learn how to configure the EdgeRouter as an L2TP (Layer 2 Tunneling Protocol) server using local authentication. Please see the L2TP IPsec VPN Server using RADIUS article for information on how to setup RADIUS authentication with L2TP. 

warning_25x25white.png ATTENTION: The EdgeRouter L2TP server uses MS-CHAP v2 authentication by default. Make sure that this protocol is enabled in the L2TP adapter security settings on the clients. Some clients (macOS) have MS-CHAP v2 authentication enabled by default, whereas others (Windows) do not.

 

book_25x25white.png

NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.

 

Equipment used in this article:

EdgeRouter-4 (ER-4)

- Test clients

Table of Contents


  1. Network Diagram
  2. Steps: L2TP IPsec VPN Server
  3. Steps: Windows / macOS Client
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram


Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24


Steps: L2TP IPsec VPN Server


Back to Top

For the purpose of this article, it is assumed that the routing and interface configuration are already in place and that reachability has been tested.

The ports and protocol that are relevant to L2TP are:

  • UDP 1701 (L2TP)
  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T) 

 

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the L2TP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description L2TP
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
info_i_25x25white.png

NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

3. Configure the server authentication settings (replace <secret> with your desired passphrases).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <secret>
set vpn l2tp remote-access authentication local-users username user2 password <secret>
info_i_25x25white.png

NOTE: If you define a pre-shared-secret using 'quotation marks', make sure that the secret on the client side does not include these same quotes. For example, set vpn l2tp ... username user1 password 'sup3rSecure' must be entered as sup3rSecure on the client. 

4. Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
info_i_25x25white.png

NOTE You can also issue IP addresses the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network. 

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.

set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

6. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address.

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE.

set vpn l2tp remote-access outside-address 0.0.0.0

7. Define the interface which will receive L2TP client requests.

set vpn ipsec ipsec-interfaces interface eth0

8. (Optional) Assign a specific IP address to an L2TP client.

set vpn l2tp remote-access authentication local-users username user1 static-ip 192.168.100.250

9. (Optional) Lower the MTU for L2TP traffic.

Experiment with lowering the MTU value if the performance of the L2TP tunnel is poor. Example use cases when this can happen is when the external WAN interface uses PPPoE (1492 byte MTU).

set vpn l2tp remote-access mtu <mtu-value>

10. (Optional) Require the VPN clients to use a specific authentication protocol when connecting.

set vpn l2tp remote-access authentication require [ pap | chap | mschap | mschap-v2 ]
  • PAP - Require Password Authentication Protocol 
  • CHAP - Require Challenge Handshake Authentication Protocol 
  • MS-CHAP - Require Microsoft Challenge Handshake Authentication Protocol
  • MS-CHAP-V2 - Require Microsoft Challenge Handshake Authentication Protocol Version 2 (default)

11. Commit the changes and save the configuration.

commit ; save

Steps - Windows / macOS Client


Back to Top

There are different ways to connect to an L2TP server using a multitude of applications and operating systems. In this article, we are focusing on two, the built-in Windows 10 and the macOS VPN clients.  

Windows_logo_-_2012.svg.png

1. Navigate to the Windows 10 VPN settings and add a new connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <secret>
Type of sign-in info: User name and password
User name: user1
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
warning_25x25white.png ATTENTION: Newer versions of Windows prevent clients from connecting to an L2TP server behind NAT. If your EdgeRouter is located behind NAT, then apply the hotfix in step 3.

3. Open the Windows registry.

Run > regedit

Locate the registry subtree below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a new DWORD (32-bit) value in this subtree.

AssumeUDPEncapsulationContextOnSendRule

Modify the newly created DWORD and give it a value of 2 (default is 0) and restart your computer.

apple-logo-transparent.png

1. Navigate to the macOS network settings and add a new service (+).

System Preferences > Network > + 

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: L2TP

2. Add the IP address information and credentials to the L2TP adapter.

System Preferences > Network > L2TP

Configuration: Default
Server Address: 203.0.113.1
Account name: user1

System Preferences > Network > L2TP > Authentication Settings

User Authentication: Password <secret>
Machine Authentication: Shared Secret <secret>

3. (Optional) Route all traffic over the VPN.

System Preferences > Network > L2TP > Advanced

Send all traffic over VPN connection

Steps - Testing & Verification


Back to Top

1. Verify that the traffic is increasing the counters on the L2TP firewall rules.

show firewall name WAN_LOCAL statistics 
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    164         23837       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    1           436         ACCEPT  IKE
40    2           368         ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    1           131         ACCEPT  L2TP
10000 0           0           DROP    DEFAULT ACTION

2. Capture the L2TP traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x1), length 164
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x2), length 164
IP 203.0.113.1 > 192.0.2.1: ESP(spi=0x216ec4ce,seq=0x1), length 148
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x3), length 68
info_i_25x25white.png

NOTE This is a live capture. If there is no output that means that the traffic is either not being generated by the client, or there is something blocking the traffic upstream. If there is output here and the connection is not establishing, verify the firewall rules above.

3. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log
[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] remote host is behind NAT
[ENC] parsed ID_PROT request 0 [ ID HASH ]
[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.1.10]
[IKE] IKE_SA remote-access[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[172.16.1.10]
[IKE] CHILD_SA remote-access{1} established with SPIs and TS 203.0.113.1/32[udp/l2f] === 192.0.2.1/32[udp/l2f]
[KNL] 10.255.255.0 appeared on ppp0
[KNL] 10.255.255.0 disappeared from ppp0
[KNL] 10.255.255.0 appeared on ppp0
[KNL] interface l2tp0 activated
info_i_25x25white.png

NOTE: This is also live capture. If there is no output that means that the traffic is either not being allowed through the firewall. Alternatively, you can use the show vpn log | no-more command to view the entire IPsec log history.

4. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
remote-access: #2, ESTABLISHED, IKEv1, 6c5e6bc5f68ca8c1:6529f3d96c5f8264
  local  '203.0.113.1' @ 203.0.113.1
  remote '10.0.1.10' @ 198.51.100.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 56s ago
  remote-access: #2, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 56 ago
    in  cf5622bf,  15763 bytes,   158 packets,     1s ago
    out cd1b3e08,   3373 bytes,    49 packets,    53s ago
    local  203.0.113.1/32[udp/l2f]
    remote 198.51.100.1/32[udp/l2f]

remote-access: #1, ESTABLISHED, IKEv1, 42df1e888432f98f:9b553c0804da6f1d
  local  '203.0.113.1' @ 203.0.113.1
  remote '172.16.1.10' @ 192.0.2.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 113s ago
  remote-access: #1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 113 ago
    in  cb5471df,  16488 bytes,   188 packets,     0s ago
    out 1e7fabb4,   4833 bytes,    70 packets,    52s ago
    local  203.0.113.1/32[udp/l2f]
    remote 192.0.2.1/32[udp/l2f]

5. Verify the status of the remote access users and interfaces.

show vpn remote-access 
Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte 
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user2      00h02m11s L2TP  l2tp1   192.168.100.241    76   4.7K    403  56.2K
user1      00h04m17s L2TP  l2tp0   192.168.100.240    17    888    125  12.2K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                                            
l2tp0        10.255.255.0                      u/u  User: user1                
                                                    (192.168.100.240)          
l2tp1        10.255.255.0                      u/u  User: user2                
                                                    (192.168.100.241)  

6. Analyze the L2TP log messages.

show log | match 'xl2tpd|pppd'
ubnt xl2tpd[2267]: Connection established to 192.0.2.1, 1701.  Local: 7337, Remote: 9 (ref=0/0).  LNS session is 'default'
ubnt xl2tpd[2267]: Call established with 192.0.2.1, PID: 18921, Local: 8145, Remote: 1, Serial: 0

ubnt pppd[18921]: pppd 2.4.4 started by root, uid 0
ubnt pppd[18921]: Connect: ppp0 <-->
ubnt pppd[18921]: Overriding mtu 1500 to 1400
ubnt pppd[18921]: Overriding mru 1500 to mtu value 1400
ubnt pppd[18921]: local  IP address 10.255.255.0
ubnt pppd[18921]: remote IP address 192.168.100.240

7. (Advanced users) Verify the x2tpd configuration files.

sudo cat /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=203.0.113.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600
  keylife=3600
### Vyatta L2TP VPN End ###

sudo cat /etc/xl2tpd/xl2tpd.conf
;### Vyatta L2TP VPN Begin ###
[global]
listen-addr = 203.0.113.1

[lns default]
ip range = 192.168.100.240-192.168.100.249
local ip = 10.255.255.0
refuse pap = yes
require authentication = yes
name = VyattaL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### Vyatta L2TP VPN End ###

sudo cat /etc/ppp/options.xl2tpd
### Vyatta L2TP VPN Begin ###
name xl2tpd
linkname l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
idle 1800
### Vyatta L2TP VPN End ###

Related Articles


Back to Top