EdgeRouter - L2TP IPsec VPN Server

Overview


Readers will learn how to configure the EdgeRouter as an L2TP (Layer 2 Tunneling Protocol) server using either LOCAL or RADIUS authentication. This example is based on pre-shared-secret authentication and does not cover certificate-based authentication.

Notes & Requirements:

Applicable to EdgeOS 1.9.1+ firmware in all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Find a basic article on the subject in the Related Articles below.

Table of Contents


  1. Introduction
  2. Network Diagram
  3. Steps - L2TP Server 
  4. Steps - Firewall Rules 
  5. Steps - Windows Client
  6. Steps - Testing and Verification
  7. Related Articles

Introduction



This article describes the steps needed to set up an L2TP server and create the corresponding firewall rules on an EdgeRouter. The L2TP VPN client setup is also shown for Windows 10 devices.

Equipment used in this article:

  1. EdgeRouter-X (ER-X)
  2. Windows 10 client using the built-in VPN client (configuration shown in this article)

Network Diagram



The network topology is shown below. The following interfaces are in use on the ER:

  1. Ethernet 0 (eth0) WAN 203.0.113.1
  2. Ethernet 1-4 (switch0) LAN 192.168.1.1/24

The IP addresses and interfaces used by the VPN client are not relevant in this example. The RADIUS server has been statically configured with the IP address 192.168.1.10/24. You do not need to deploy this server when using LOCAL authentication.


Steps - L2TP Server



In this example the ER has been pre-configured using the Basic Setup wizard. For the purpose of this article we assume that the masquerade rules are in place so that hosts on the LAN can communicate with hosts on the Internet.

The ports and protocols relevant to L2TP/IPsec are:

  1. UDP 1701 (L2TP)
  2. UDP 500 (IKE)
  3. ESP (Protocol 50)
  4. UDP 4500 (NAT-T) 

Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.


1. Enter configuration mode.

configure

2. Configure the server authentication settings (replace <secret> with your desired passphrase).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

3. Create the IP address information to be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
Note: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP server or used by other devices on your network.

4. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface gets an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address (replace value with your external address).

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface gets an address through PPPoE, or you are using Dual WAN Load-Balancing.

set vpn l2tp remote-access outside-address 0.0.0.0
Note: Use option C when multiple uplinks are used (Dual WAN Load-Balancing). If you use either option A or B, your L2TP server will only be reachable on a single WAN address.

5. Configure the LOCAL authentication (replace <password> with your desired user passwords).

If you want to use a RADIUS server for authentication, skip the commands below and continue on to step 6.

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <password>
set vpn l2tp remote-access authentication local-users username user2 password <password>

6. (Optional) Configure the RADIUS authentication (replace <key> with your desired passphrase).

set vpn l2tp remote-access authentication mode radius 
set vpn l2tp remote-access authentication radius-server 192.168.1.10 key <key>

7. (Optional) Lower the MTU for L2TP traffic (values lower than 1492 can also be used if necessary).

set vpn l2tp remote-access mtu 1492

8. Commit the changes.

commit

9. Save the configuration.

save

10. Exit to operational mode.

exit
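The following is an added example, not Ubiquiti code: a small checker that reads the "set vpn l2tp remote-access ..." commands from the steps above (plus a constructed "set service dhcp-server ..." range) and flags the mistakes the notes warn about: a placeholder pre-shared secret, both or neither of outside-address/dhcp-interface, a mode with no matching credentials, and a client pool that overlaps a DHCP range. The DHCP lines and the overlap are constructed so the check fires.

```python
"""Added example (not Ubiquiti code): sanity-check the L2TP commands from the
steps above against the notes they carry, using a constructed DHCP range."""
import ipaddress

L2TP = ("vpn", "l2tp", "remote-access")
# Constructed input: the article's commands (placeholders left in) plus a DHCP pool that overlaps the client pool.
SAMPLE_CONFIG = """
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access outside-address 203.0.113.1
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <password>
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 start 192.168.100.100
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 stop 192.168.100.245
"""

def parse_set_lines(text):
    """Map each 'set' line to {path tuple without the final word: final word}."""
    cfg = {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:1] == ["set"]:
            cfg[tuple(w[1:-1])] = w[-1]
    return cfg

def check_l2tp_config(text):
    """Return a list of human-readable problems; an empty list means the config looks sane."""
    cfg, problems = parse_set_lines(text), []
    if cfg.get(L2TP + ("ipsec-settings", "authentication", "pre-shared-secret"), "<secret>") == "<secret>":
        problems.append("pre-shared-secret missing or still the <secret> placeholder")
    if sum(len(k) > 3 and k[:3] == L2TP and k[3] in ("outside-address", "dhcp-interface") for k in cfg) != 1:
        problems.append("set exactly one of outside-address or dhcp-interface")
    mode = cfg.get(L2TP + ("authentication", "mode"))
    have = {k[4] for k in cfg if len(k) > 4 and k[:4] == L2TP + ("authentication",)}
    if mode == "local" and "local-users" not in have:
        problems.append("mode local but no local-users defined")
    if mode == "radius" and "radius-server" not in have:
        problems.append("mode radius but no radius-server defined")
    ends = [cfg.get(L2TP + ("client-ip-pool", e)) for e in ("start", "stop")]
    if None in ends:
        return problems + ["client-ip-pool start/stop not set"]
    start, stop = map(ipaddress.ip_address, ends)
    # Overlapping pools hand one address to two hosts (the note under step 3).
    for k, v in cfg.items():
        if k[:2] == ("service", "dhcp-server") and k[-1] == "start":
            dstart, dstop = map(ipaddress.ip_address, (v, cfg[k[:-1] + ("stop",)]))
            if start <= dstop and dstart <= stop:
                problems.append(f"client pool {start}-{stop} overlaps DHCP range {dstart}-{dstop} on {k[5]}")
    return problems
```

Feed it the output of "show configuration commands" from the router to check a live configuration.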

Steps - Firewall Rules



The WAN_LOCAL firewall ruleset created by the Basic Setup wizard does not allow any incoming connections by default. Firewall rules for IKE, L2TP, ESP and NAT-T need to be created in order to accept L2TP/IPsec traffic.

1. Enter configuration mode.

configure

2. Add additional firewall rules for L2TP, IKE, NAT-T and ESP for the WAN interface(s).

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description L2TP
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description ESP
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol esp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description NAT-T
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp

3. Commit the changes.

commit

4. Save the configuration.

save

5. Exit to operational mode.

exit
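As an added example (not EdgeOS code), the script below replays the WAN_LOCAL rules in ascending rule-number order, first match wins, for the four flows this article opens, and reports which rule decides each one. The sample input is constructed: a wizard-style rule 10 (accept established/related) plus the article's rules 30 to 60 with the description and log lines omitted; it assumes the chain's default-action is drop.

```python
"""Added example (not EdgeOS code): replay WAN_LOCAL rules, lowest number first, for the four flows this article opens."""
# Constructed input: a wizard-style rule 10 plus the article's rules 30-60 (description/log lines omitted).
SAMPLE_RULES = """
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 protocol esp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination port 4500
set firewall name WAN_LOCAL rule 60 protocol udp
"""
REQUIRED_FLOWS = [("udp", 500, "IKE"), ("udp", 1701, "L2TP"),
                  ("udp", 4500, "NAT-T"), ("esp", None, "ESP")]  # ESP has no port
def parse_rules(text, chain="WAN_LOCAL"):
    """Collect action, protocol, destination port and enabled states per rule number."""
    rules = {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:5] != ["set", "firewall", "name", chain, "rule"]:
            continue
        r = rules.setdefault(int(w[5]), {"states": set()})
        if w[6] == "state" and w[8] == "enable":
            r["states"].add(w[7])
        elif w[6:8] == ["destination", "port"]:
            r["dport"] = int(w[8])
        elif w[6] in ("action", "protocol"):
            r[w[6]] = w[7]
    return rules

def first_match(rules, proto, dport):
    """Simplified first-match walk for a NEW inbound packet addressed to the router.
    Assumes the chain's default-action is drop, as the Basic Setup wizard leaves it."""
    for num in sorted(rules):
        r = rules[num]
        if r["states"] and "new" not in r["states"]:
            continue  # established/related/invalid-only rules never match a new flow
        if r.get("protocol", "all") in ("all", proto) and r.get("dport", dport) == dport:
            return num, r.get("action", "drop")
    return None, "drop"

def check_wan_local(text):
    rules = parse_rules(text)
    return {name: first_match(rules, proto, port) for proto, port, name in REQUIRED_FLOWS}
```

A lower-numbered catch-all drop rule (for example one added later with a number below 30) would silently win for every flow; the verdict table shows that immediately.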



Steps - Windows Client



There are many ways to connect to an L2TP server, using a multitude of applications and operating systems. In this article we focus on just one, the built-in Windows 10 VPN client.

1. Navigate to the Windows 10 Settings (WIN+I) > Network & Internet > Add a VPN connection

  1. VPN Provider: Windows (built-in)
  2. Connection name: ER-L2TP
  3. Server name: Your ER external WAN IP-address
  4. VPN Type: L2TP/IPsec with pre-shared key or certificate

2. Navigate to the Windows 10 Network Connections (WIN+X) > ER-L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Steps - Testing & Verification



The last step is to test and verify the arrival of the L2TP traffic on the external interface. After initiating the VPN connection from the client, verify the connection using the following commands:

1. The IPsec Security Associations (SAs):

show vpn ipsec sa
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 8 ago
in cd49a319, 0 bytes, 0 packets
out 47a8a786, 0 bytes, 0 packets
local 76.237.8.193/32[udp/l2f]
remote 192.0.2.1/32[udp/l2f]

2. The remote access users and interfaces:

show vpn remote-access 
Active remote access VPN sessions:

User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
-------------------------------------------------------
ubnt 00h01m22s L2TP l2tp0 192.168.100.240 4 58 92 8.1K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
l2tp0 10.255.255.0 u/u User: ubnt (192.168.100.240)

3. The L2TP VPN logs:

show vpn log tail
[IKE] <14> 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] <remote-access|14> IKE_SA remote-access[14] established ...
[IKE] <remote-access|14> CHILD_SA remote-access{4} established with SPIs ...
[KNL] 10.255.255.0 appeared on ppp0

sudo swanctl --log
04[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
04[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
12[IKE] remote host is behind NAT
09[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.0.50]
09[CFG] selected peer config "remote-access"
09[IKE] IKE_SA remote-access[15] established between ...
04[IKE] CHILD_SA remote-access{5} established with SPIs ...
05[KNL] 10.255.255.0 appeared on ppp0

4. The arrival of L2TP traffic on the external WAN interface:

sudo tcpdump -i eth0 -n udp dst port 500 or port 1701 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:51:19.400846 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
07:51:19.405109 IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
07:51:19.658508 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
07:51:19.715406 IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
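The parser below is an added example, not EdgeOS code. It turns the "show vpn remote-access" session table and the "show vpn ipsec sa" summary quoted above into records, checks that every session's Remote IP lies within the client-ip-pool configured earlier (192.168.100.240 to 192.168.100.249), and confirms an ESTABLISHED IKE_SA is present. The sample text is constructed from the outputs in this article.

```python
"""Added example (not EdgeOS code): parse the 'show vpn remote-access' table and the
'show vpn ipsec sa' summary shown above into records a monitoring check can act on."""
import ipaddress
import re

# Constructed from the outputs quoted in this article.
SESSIONS = """\
Active remote access VPN sessions:

User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
-------------------------------------------------------
ubnt 00h01m22s L2TP l2tp0 192.168.100.240 4 58 92 8.1K
"""
IPSEC_SA = """\
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
"""
# The client-ip-pool configured in the L2TP server steps.
POOL = (ipaddress.ip_address("192.168.100.240"), ipaddress.ip_address("192.168.100.249"))

def parse_sessions(text):
    """Return one dict per data row; rows follow the dashed separator line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line.strip():
            f = line.split()  # 9 columns: TX and RX each split into pkt and byte
            rows.append({"user": f[0], "time": f[1], "proto": f[2], "iface": f[3],
                         "remote_ip": ipaddress.ip_address(f[4]),
                         "tx": (int(f[5]), f[6]), "rx": (int(f[7]), f[8])})
    return rows

def parse_sas(text):
    """Return [(SA number, state, kind)] for every 'name: #N, STATE, KIND, ...' line."""
    return [(int(n), state, kind) for n, state, kind in
            re.findall(r"^\S+: #(\d+), (\w+), ([\w-]+)", text, re.M)]

def check_sessions(sessions_text, sa_text, pool=POOL):
    """Flag sessions with an address outside the pool and a missing ESTABLISHED IKE_SA."""
    problems = [f"{s['user']} got {s['remote_ip']} outside the client pool"
                for s in parse_sessions(sessions_text) if not pool[0] <= s["remote_ip"] <= pool[1]]
    if "ESTABLISHED" not in {state for _, state, _ in parse_sas(sa_text)}:
        problems.append("no ESTABLISHED IKE_SA")
    return problems
```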


Related Articles


