L2TPv3 over IPsec configuration example: Difference between revisions

The information on this page is updated in accordance with firmware version 00.07.11.3.

Introduction

Due to the inherent lack of confidentiality in the Layer 2 Tunneling Protocol (L2TP), it is commonly secured by pairing it with Internet Protocol Security (IPsec). IPsec provides essential features such as confidentiality, authentication, and integrity for L2TP packets. This combination is widely referred to as L2TP over IPsec (or simply L2TP/IPsec) and is a standard approach for secure VPN implementations.

This article provides instructions on configuring L2TPv3 over IPsec on Teltonika routers and gateway devices. Please note that the guide is designed for advanced users and skips some of the more straightforward steps to maintain overall clarity. For instance, adding new instances is only briefly mentioned rather than described in detail. If this level of information feels insufficient for your setup, consider referring to our dedicated configuration guides IPsec and L2TP for reference.

Prerequisites

• Two routers with configured VLANs, will refer to these as RUT1 and RUT2
• At least one router with a Public IP addresses (for L2TPv3/IPsec over mobile)
• Two PC devices for testing

L2TPv3/IPsec Over Wired WAN network

As mentioned in Prerequisites, two VLANs must be configured on both RUT devices. Detailed instructions for this process can be found on this page: VLAN Set Up. The remaining configuration steps are provided in this configuration example.

Topology

IPsec configuration

IPsec will be set up to ensure encrypted communication between two routers. The steps provided will guide through configuring the necessary parameters, such as authentication methods, encryption algorithms, and connection endpoints, starting with RUT1.

IPsec RUT1 Config

1. Access the router's WebUI, go to Services > VPN > IPsec, and input the desired name for the new instance.
2. Click the button

Instance configuration

Enable instance; Remote endpoint - RUT2 wired WAN IP Authentication method - Pre-shared key Pre shared key - Your chosen password (must match for both RUT1 & RUT2) Local identifier – RUT1 LAN IP, which is 192.168.1.1 in this case Remote identifier – RUT2 LAN IP, which is 192.168.2.1 in this case

Connection general section configuration

Mode - Start; Type - Tunnel; Default route - off Route based IPsec - off Local subnet – 192.168.1.0/24 Remote subnet – 192.168.2.0/24 Key exchange - IKEv2;

Proposal configuration

Important: Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.

Phase 1:

Encryption - AES256 Authentication - SHA512 DH group - MODP4096 IKE lifetime - 86400s

Phase 2:

Encryption - AES256 Authentication - SHA512; PFS group - MODP4096; Lifetime – 86400s

Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

IPsec RUT2 Config

1. Access the router's WebUI, go to Services > VPN > IPsec, and input the desired name for the new instance.
2. Click the button

Instance configuration

Enable instance; Remote endpoint - RUT1 wired WAN IP; Authentication method - Pre-shared key; Pre shared key - Your chosen password (must match for both RUT1 & RUT2) Local identifier – RUT1 LAN IP, which is 192.168.2.1 in this case; Remote identifier – RUT2 LAN IP, which is 192.168.1.1 in this case;

Connection general section configuration

Mode - Start; Type - Tunnel; Default route - off Route based IPsec - off Local subnet – 192.168.2.0/24 Remote subnet – 192.168.1.0/24 Key exchange - IKEv2;

Proposal configuration

Important: Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.

Phase 1:

Encryption - AES256; Authentication - SHA512; DH group - MODP4096; IKE lifetime - 24h

Phase 2:

Encryption - AES256; Authentication - SHA512; PFS group - MODP4096; Lifetime – 24h;

Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Testing IPsec connection

After completing the configuration, it is essential to test its functionality before proceeding further. The simplest method to test an IPsec connection is by using the swanctl -l command. This command can be executed via the command line interface (CLI)and to access the CLI, log in to the WebUI of any router (either one can be used), navigate to Services → CLI, log in to the CLI using the username root and the router's admin password. More details on accessing the CLI can be found here.

Enter the command swanctl -l and press the "Enter" key:

If "established" appears in the output along with other connection details, it indicates that the IPsec connection was successful.

L2TPv3 configuration

L2TPv3 is an enhanced version of L2TP, providing support for Layer 3 (IP) and Layer 2 (Ethernet) tunneling. It is typically used in scenarios where the need for secure data transmission across an untrusted network exists, such as remote access or site-to-site VPNs.

New L2TPv3 instances can be created from the Services > VPN > L2TPv3 section of the router's WebUI. Enter a custom name and click the "Add" button to create a new instance. Then click the "Edit" button located next to the newly created instance to enter its configuration page.

L2TPv3 RUT1 Config

1. Access the router's WebUI, go to Services > VPN > L2TPv3, and input the desired name for the new instance.
2. Click the button

Instance Settings

Enable - if checked, enables the L2TPv3 instance Local address - IP address of the local instance. Provide RUT1 device's LAN IP here. Tunnel ID - Uniquely identifies the tunnel. The value used must match the peer tunnel ID value being used at the peer. For this example 3000. Session ID - The value used must match the tunnel ID value being used at the peer. For this example 1000 Cookie - The value used must match the RUT2 peer cookie value in L2TPv3 instance peer settings. Peer address - IP address of the remote instance. Provide RUT2 device's LAN IP here. Peer Tunnel ID - RUT2 Tunnel ID: 4000 Peer Session ID - RUT2 Session ID: 2000 Peer Cookie - The value used must match the RUT2 cookie value in L2TPv3 instance settings. Bridge to - you can select an instance that you want to bridge to. In this case select lan1, which is bridged lan interface for VLAN3. MTU - 1488 Encapsulation - UDP UDP source port - RUT1 UDP port. In this example 5000 UDP destination port - RUT2 UDP port. In this example 6000 Layer 2 specific header type - Linux default

L2TPv3 RUT2 Config

1. Access the router's WebUI, go to Services > VPN > L2TPv3, and input the desired name for the new instance.
2. Click the button

Instance Settings

Enable - if checked, enables the L2TPv3 instance Local address - IP address of the local instance. Provide RUT2 device's LAN IP here. Tunnel ID - Uniquely identifies the tunnel. The value used must match the peer tunnel ID value being used at the peer. For this example 4000. Session ID - The value used must match the tunnel ID value being used at the peer. For this example 2000 Cookie - The value used must match the RUT1 peer cookie value in L2TPv3 instance peer settings. Peer address - IP address of the remote instance. Provide RUT1 device's LAN IP here. Peer Tunnel ID - RUT1 Tunnel ID: 4000 Peer Session ID - RUT1 Session ID: 2000 Peer Cookie - The value used must match the RUT2 cookie value in L2TPv3 instance settings. Bridge to - you can select an instance that you want to bridge to. In this case select lan1, which is bridged lan interface for VLAN3. MTU - 1488 Encapsulation - UDP UDP source port - RUT2 UDP port. In this example 5000 UDP destination port - RUT1 UDP port. In this example 6000 Layer 2 specific header type - Linux default

Testing L2TPv3 configuration

The simplest way to test an L2TPv3 connection is using the ip l2tp show tunnel command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to Services → CLI. Log in to CLI with the user name root and the router's admin password. Then simply the ip l2tp show tunnel and press the "Enter" key. If everything was configurated correctly you should see L2TPv3 tunnel information:

RUT1:

RUT2:

L2TPv3/IPsec Over Mobile Network

The configuration will be nearly identical to the L2TPv3/IPsec over Wired WAN setup, with only a few slight adjustments to the IPsec settings.

The steps for the L2TPv3 configuration will be identical to those outlined in the wired WAN configuration.

Topology

IPsec configuration

Set up IPsec following the same steps as in the wired WAN configuration, but in the RUT1 settings, leave the Remote endpoint field empty, and in the RUT2 settings, specify the RUT1 Public IP address in the Remote endpoint field.

RUT1:

RUT2:

Testing full configuration

To begin testing the setup, the first step is to verify if the traffic between RUT1 and RUT2 devices is encrypted. This can be achieved by using tcpdump, a tool that allows capturing traffic. In this example, tcpdump will be installed on RUT2, and then data passing through the device will be captured for analysis.

Installing TCP Dump

Firstly, you will need to connect to the RUT2 device's CLI/SSH. You can connect the RUT2 device CLI via WebUI by navigating to Services → CLI. Log in to CLI with the user name root and the router's admin password.

Now execute these commands one at a time:

opkg update

opkg install tcpdump

To test if TCP Dump has been installed on your device execute the command tcpdump

Installing Wireshark

To analyze the captured data from tcpdump, Wireshark will be used. While the data can be viewed directly through CLI/SSH, Wireshark provides a more detailed view and makes it easier to interpret the tcpdump output. You can download Wireshark: here.

Capturing TCP Dump

Log in to the RUT2 CLI/SSH and execute the following command:

tcpdump -i eth0.2 -vv -w test.pcap

This command captures all traffic on the wired wan interface and saves it to the test.pcap file. Leave this command running throughout the test.

Initiate a ping from PC1, connected to the RUT1 VLAN1 network, to PC2, connected to the RUT2 VLAN1 network.

Stop tcpdump command by pressing Ctrl + C.

On the RUT2 device (in the directory where the tcpdump command was executed, such as /root/ in this example), locate the test.pcap file. Extract the file to your computer. For instructions, refer to Upload & Download Files from RutOS and open this file with Wireshark. You should see similar output:

If ESP (Encapsulating Security Payload) packets are present, the configuration is functioning correctly.

If traffic is captured directly on PC2 using Wireshark, the same data will be visible, but in a decrypted format:

To summarize:

• Traffic between the IPSec routers (RUT1 and RUT2) will be encrypted while it is passing through the IPSec tunnel.
• Once the traffic reaches RUT2 (the destination router), it will be decrypted before being sent to the VLAN1 network, which includes PC2.

See also

Other types of VPNs supported by RUTxxx devices:

• L2TP configuration examples
• L2TP over IPsec
• IPsec configuration examples
• GRE Tunnel configuration examples
• OpenVPN configuration examples
• PPTP configuration examples