L2TP over IPsec PC: Difference between revisions

===L2TP===

New L2TP instances can be created from the '''Services → VPN → L2TP''' section of the router's WebUI. Select role as '''Server''', enter any name for easy management. Then the configuration window will open up automatically when you press the "Add" button.

* '''L2tp Client's IP''' - Optionaly, set a fixed IP for this client (if left empty, client will receive first free IP from the IP range).

Next, you must configure a working IPsec transport connection. This subsection contains instructions on how to do just that. The relevant parameters will be encapsulated <span style="color:red">'''in red rectangles'''</span>. Explanations about these parameters will be provided under each example. Other used parameters will be defaults; you can find explanations for those parameters in the '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.

Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:

[[File:L2tpoveripsecserver1f.png|left|L2tpoveripsecserver1|border|class=tlt-border|1100px]]

[[File:L2tpoveripsecserver2f.png|left|L2tpoveripsecserver2|border|class=tlt-border|1100px]]

*'''Remote VPN endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration

*'''Enable''' - if checked, enables the IPsec instance

*'''Authentication method''' - different authentication methods between the peers. For this configuration we select '''Pre-shared key'''

*'''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance

*'''Type''' - the type of the connection. '''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.

If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. The simplest way to test an IPsec connection is using the ipsec status command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to the routers' WebUI and navigate to ''' Services'''  → ''' CLI''' . Login to CLI with the user name root and the router's admin password. Then simply the ipsec status and press the "Enter" key:

[[File:Ipseccorrectlyfinal2.png|left|Ipseccorrectlyfinal2|border|class=tlt-border|1100px]]

As you can see, executing ipsec status displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a 1 up indication next to Security Associations.

[[File:L2tpcorrectlyfinal.png|left|L2tpcorrectly|border|class=tlt-border|1100px]]

**[[OpenVPN configuration examples RUT R 00.07|OpenVPN configuration examples]]