
L2TP over IPsec RutOS: Difference between revisions

no edit summary
No edit summary
Line 10: Line 10:


'''Prerequisites''':
'''Prerequisites''':
* Two RUTxxx routers of any type (excluding [[RUT850]])
* Two RUTxxx routers of any type
* At least one router with a Public Static or Public Dynamic IP addresses
* At least one router with a Public Static or Public Dynamic IP addresses
* At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers
* At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers
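Review bot: the first prerequisite loses its "(excluding [[RUT850]])" qualifier, which changes what the page claims about supported hardware, and the revision has no edit summary explaining why. If the RUT850 still cannot run this L2TP/IPsec setup the exclusion should stay (or the line should link a supported-device list); if support was added, say so in the edit summary so the change is traceable.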
Line 18: Line 18:
[[File:Configuration examples l2tp over ipsec scheme.png]]
[[File:Configuration examples l2tp over ipsec scheme.png]]


The figure above depicts the L2TP/IPsec scheme. It is fairly similar to the [[L2TP configuration examples RutOS#Configuration overview and prerequisites|L2TP]] and [[IPsec RUTOS configuration example#Configuration overview and prerequisites|IPsec]] configuration schemes - the router with the Public IP address (''RUT1'') acts as the L2TP/IPsec server and the other router (''RUT'') acts a client.  L2TP connects the networks of ''RUT1'' and ''RUT2'' and IPsec provides the encryption for the L2TP tunnel.
The figure above depicts the L2TP/IPsec scheme. It is fairly similar to the [[L2TP configuration examples RutOS#Configuration overview and prerequisites|L2TP]] and [[IPsec RUTOS configuration example#Configuration overview and prerequisites|IPsec]] configuration schemes - the router with the Public IP address (''RUT1'') acts as the L2TP/IPsec server and the other router (''RUT2'') acts a client.  L2TP connects the networks of ''RUT1'' and ''RUT2'' and IPsec provides the encryption for the L2TP tunnel.


When the scheme is realized, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, the original source and destination IP address is encrypted within the packet.
When the scheme is realized, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, the original source and destination IP address is encrypted within the packet.


==Router configuration==
==RUT1 Configuration(Server)==


If you have familiarized yourself with the configuration scheme and have all of the devices in order, we can start configuring the routers using instructions provided in this section. To summarize, we'll be configuring an L2TP server and an IPsec Transport instance (server) on ''RUT1''; an L2TP client and an IPsec Transport instance (client) on ''RUT2''.
===L2TP===
 
 
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:RutOS_L2TP_IPsec_VPN_7,8_add_L2TP_Server.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Login to the router's WebUI and navigate to the '''Services → VPN → L2TP''' page and do the following:
<ol>
    <li>Select '''Role: Server'''.</li>
    <li>Enter a '''custom configuration name'''.</li>
    <li>Click the '''Add''' button. You will be prompted to the configuration window</li>
</ol>
        </td>
    </tr>
</table>
 
----
 
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_L2TP_Server_config.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
<ol>
    <li>'''Enable''' the L2TP instance.</li>
    <li>Click on the '''Add''' button to add a new user</li>
    <li>Enter a '''User name''' and '''Password''' for authentication for the client.</li>
    <li>Optionally, set a fixed IP for this client (if left empty, the client will receive the first free IP from the IP range).</li>
    <li>Don't forget to '''Save''' the changes.</li>
</ol>
        </td>
    </tr>
</table>


===IPsec===
===IPsec===
----
----
First, you must configure a working IPsec Transport connection. This subsection contains instructions on how to do just that. The relevant parameters will be encapsulated <span style="color:red">'''in red rectangles'''</span>. Explanations about these parameters will be provided under each example. Other used parameters will be defaults; you can find explanations for those parameters in the '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.


====Server (RUT1)====
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Go to the '''Services → VPN → IPsec''' page and do the following:
<ol>   
      <li>Enter a custom name for the IPsec instance.</li>
      <li>Click the '''Add''' button. You will be prompted to the configuration window</li>
</ol>
        </td>
    </tr>
</table>
 
----
----
* Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:


[[File:Networking rutxxx configuration examples ipsec server configuration v2.png|border|class=tlt-border]]
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instnace222.png|770px|right]]</th>
  </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
In the '''IPsec Configuration''' page, do the following (and leave the rest as defaults, unless your specific configuration requires otherwise):
<ol>   
      <li>'''Enable''' the instance.</li>
      <li>Enter your '''Pre-shared key'''.</li>
</ol>
        </td>
    </tr>
</table>
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instance_connection.png|770px|right]]</th>
  </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
<ol>   
'''3.''' Select '''Type: Transport'''.
<br>
Do not forget to '''Save''' changes.
</ol>
        </td>
    </tr>
</table>
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''


# '''Enable''' - if checked, enables the IPsec instance
Make the following changes:
# '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration
<table class="nd-othertables_2">
# '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
    <tr>
# '''Local identifier''' - 192.168.0.1
        <th width=330; style="border-bottom: 1px solid white;></th>
# '''Remote identifier''' - 192.168.0.20
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
# '''Type''' - the type of the connection.
    </tr>
#'''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
    <tr>
# '''IKE lifetime''' - 8h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''
        <td style="border-bottom: 4px solid white>
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# DH group - '''''MODP4096;'''''
# IKE lifetime - '''86400s'''.
        </td>
    </tr>
</table>


====Client (RUT2)====
----
----
* Create another instance on the second router the same way you created the server (login, add new instance, click "Edit"). Adhere to the configurations presented in the figure below:
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# PFS group - '''''MODP4096;'''''
# Lifetime – '''''86400s;'''''
        </td>
    </tr>
</table>
==RUT2 Configuration(client)==
===L2TP===


[[File:Networking rutxxx configuration examples ipsec client configuration v2.png|border|class=tlt-border]]


# '''Enable''' - if checked, enables the IPsec instance
<table class="nd-othertables_2">
# '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. Enter the '''IPsec server's Public IP address''' in the client's configuration
    <tr>
# ''' Pre-shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
        <th width=355; style="border-bottom: 1px solid white;></th>
# '''Local identifier''' - 192.168.0.20
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:RutOS_L2TP_IPsec_VPN_7,8_1.png|770px|right]]</th>
# '''Remote identifier''' - 192.168.0.1
    </tr>
# '''Type''' - the type of the connection.
    <tr>
#'''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
        <td style="border-bottom: 1px solid white;>
# '''IKE lifetime''' - 8h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''
Login to the router's WebUI and navigate to the '''Services → VPN → L2TP''' page and do the following:
<ol>
    <li>Select '''Role: Client'''.</li>
    <li>Enter a '''custom configuration name'''.</li>
    <li>Click the '''Add''' button. You will be prompted to the configuration window</li>
</ol>
        </td>
    </tr>
</table>


====Testing the connection====
----
----
When you're done with the configuration, you should test whether it works before you move on. The simplest way to test an IPsec connection is using the '''ipsec status''' command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to '''Services → CLI'''. Login to CLI with the user name '''root''' and the router's admin password. Then simply the ''ipsec status'' and press the "Enter" key:


[[File:Networking rutxxx configuration examples ipsec status v3.png|border|class=tlt-border]]
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_2.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
<ol>
    <li>'''Enable''' the L2TP instance.</li>
    <li>Enter the '''Public IP''' of RUT1</li>
    <li>Enter the '''Username''' that we created on RUT1</li>
    <li>Enter the '''Password''' that we created on RUT1</li>
    <li>Don't forget to '''Save''' the changes.</li>
</ol>
        </td>
    </tr>
</table>


As you can see, executing ''ipsec status'' displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a '''1 up''' indication next to Security Associations.
===IPsec===
 
===L2TP===
----
----
Next, you must configure a working L2TP connection. This subsection contains instructions on how to do just that. The relevant parameters will be encapsulated <span style="color:red">'''in red rectangles'''</span>. Explanations about these parameters will be provided under each example. For more '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.


New L2TP instances can be created from the '''Services → VPN → L2TP''' section of the router's WebUI. Select a role (Server or Client), enter a custom name and click the "Add" button to create a new instance. Then click the "Edit" button located next to the newly created instance to enter its configuration page.
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Go to the '''Services → VPN → IPsec''' page and do the following:
<ol>   
      <li>Enter a custom name for the IPsec instance.</li>
      <li>Click the '''Add''' button. You will be prompted to the configuration window</li>
</ol>
        </td>
    </tr>
</table>


Although technically it doesn't matter on which router you create the Server or the Client, we recommend that for the sake of clarity and easier management you create the L2TP Server on the same router where you created the IPsec Server and the L2TP Client on the same router where you created the IPsec Client.
----
----
* '''Server configuration''':
[[File:Networking rutxxx configuration examples l2tp server configuration v2.png|border|class=tlt-border|1100px]]


# '''Enable''' - when checked, enables the instance
<table class="nd-othertables_2">
# '''Local IP''' - the server's virtual IP address
    <tr>
# '''Remote IP range''' parameters - the range of virtual IP addresses that will be assigned to connecting clients
        <th width=355; style="border-bottom: 1px solid white;></th>
# '''User name''' and '''Password''' - authentication information used to authenticate connecting clients
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_3.png|770px|right]]</th>
  </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
In the '''IPsec Configuration''' page, do the following (and leave the rest as defaults, unless your specific configuration requires otherwise):
<ol>   
      <li>'''Enable''' the instance.</li>
      <li>Enter the '''Public IP''' of RUT1</li>
      <li>Enter your '''Pre-shared key'''.</li>
</ol>
        </td>
    </tr>
</table>
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instance_connection.png|770px|right]]</th>
  </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
<ol>   
'''4.''' Select '''Type: Transport'''.
<br>
Do not forget to '''Save''' changes.
</ol>
        </td>
    </tr>
</table>
----
----
* '''Client configuration''':
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
 
Make the following changes:
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# DH group - '''''MODP4096;'''''
# IKE lifetime - '''86400s'''.
        </td>
    </tr>
</table>


[[File:Networking rutxxx configuration l2tp client configuration v2.png|border|class=tlt-border|1100px]]
----
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# PFS group - '''''MODP4096;'''''
# Lifetime – '''''86400s;'''''
        </td>
    </tr>
</table>
==Testing the setup==


# '''Enable''' - when checked, enables the instance
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.
# '''Server''' - L2TP server's Public IP address
# '''User name''' and '''Password''' - authentication information. Used the values specified in the Server's configuration


==Testing the setup==
To test an L2TP connection, login to one of the routers' WebUIs and go to '''Services → CLI'''. Login with user name: '''root''' and the router's admin password. You should then be able to '''ping''' the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type '''ping <ip_address>''' and press the "Enter" key on your keyboard:


If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. We already tested the IPsec connection in the '''[[L2TP_over_IPsec#Testing_the_connection|3.1.3]]''' section of this article. To test an L2TP connection, login to one of the routers' WebUIs and go to '''Services → CLI'''. Login with user name: '''root''' and the router's admin password. You should then be able to '''ping''' the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type '''ping <ip_address>''' and press the "Enter" key on your keyboard:
[[File:RutOS_L2TP_IPsec_VPN_7,8_5.png|border|class=tlt-border|500px]]


[[File:Networking rutxxx configuration examples l2tp over ipsec ping v2.png|border|class=tlt-border|600px]]
----
Using the <code><span class="highlight">'''ipsec status'''</span></code> or we can use <code><span class="highlight">'''ipsec statusall'''</span></code> command for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device:


If the ping requests are successful, congratulations, your setup works! If not, we suggest that you review all steps once more.
[[File:RutOS_L2TP_IPsec_VPN_7,8_4.png|border|class=tlt-border]]


While you're connected to the Command Line Interface, you can also check the IPsec connection status again just to be safe. If you don't remember how to do that, refer to the '''[[L2TP_over_IPsec#Testing_the_connection|3.1.3]]''' section of this article.
If the ping requests are successful and ipsec status shows information, congratulations, your setup works! If not, we suggest that you review all steps once more.


==See also==
==See also==
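Review bot: the rewritten IPsec sections drop the explanation that accompanied the Transport setting in the removed parameter list, in particular "NAT traversal is not supported with the transport mode" and the Local/Remote identifier values (192.168.0.1 / 192.168.0.20), while the new tables only say "Select '''Type: Transport'''." and "Enter the '''Public IP''' of RUT1". Since RUT2 reaches RUT1 over its public address, a reader of the new text no longer learns that a NAT in the path breaks this mode; keep a one-line caveat under the Type: Transport step and state the identifiers if they are still required. Two smaller points in the same hunk: every first table cell uses "width=355;" and an unterminated style attribute ("style="border-bottom: 1px solid white;>"), which the MediaWiki attribute sanitizer may discard, so write them as style="width:355px; border-bottom:1px solid white;"; and the new testing sentence "Using the ipsec status or we can use ipsec statusall command for a more verbose output." has no main clause and should read "Use ipsec status, or ipsec statusall for more verbose output, to check that the tunnel is established". The typo "acts a client" survives in both revisions and should become "acts as a client".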
Line 108: Line 297:
** [[IPsec RUTOS configuration example|IPsec configuration examples]]
** [[IPsec RUTOS configuration example|IPsec configuration examples]]
** [[GRE Tunnel configuration examples RutOS|GRE Tunnel configuration examples]]
** [[GRE Tunnel configuration examples RutOS|GRE Tunnel configuration examples]]
** [[OpenVPN configuration examples RUT R 00.07|OpenVPN configuration examples]]
** [[OpenVPN_configuration_examples|OpenVPN configuration examples]]
** [[PPTP configuration examples RutOS|PPTP configuration examples]]
** [[PPTP configuration examples RutOS|PPTP configuration examples]]
[[Category:VPN]]
[[Category:VPN]]
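Review bot: the OpenVPN entry is retargeted from [[OpenVPN configuration examples RUT R 00.07|...]] to [[OpenVPN_configuration_examples|...]], while the neighbouring entries keep their RutOS-specific page names (IPsec RUTOS configuration example, GRE Tunnel configuration examples RutOS, PPTP configuration examples RutOS). Confirm that OpenVPN_configuration_examples is the RutOS page (or a redirect to it) rather than a legacy page, so the See also list stays consistent with the firmware this article covers.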