L2TP over IPsec RutOS: Difference between revisions

Revision as of 14:21, 30 December 2025

Main Page > General Information > Configuration Examples > VPN > L2TP over IPsec RutOS

Introduction

Because of the lack of confidentiality inherent in the Layer 2 Networking Protocol (L2TP) protocol, Internet Protocol Security (IPsec) is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP over IPsec (or simply L2TP/IPsec).

This article provides a guide on how to configure L2TP/IPsec on RUTxxx routers. It should also be noted that this guide is aimed at more advanced users and, therefore, skips some of the more self-explanatory steps in order to preserve the overall coherence of the article. For example, instead of showing how to add new instances step by step, it is only mentioned in a short sentence. If you feel this lack of information impedes your ability to configure the setup, we suggest you check out our separate configuration guides on IPsec and L2TP for reference.

Configuration overview and prerequisites

Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

Two RUTxxx routers of any type
At least one router with a Public Static or Public Dynamic IP addresses
At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers

Configuration scheme:

The figure above depicts the L2TP/IPsec scheme. It is fairly similar to the L2TP and IPsec configuration schemes - the router with the Public IP address (RUT1) acts as the L2TP/IPsec server and the other router (RUT2) acts a client. L2TP connects the networks of RUT1 and RUT2 and IPsec provides the encryption for the L2TP tunnel.

When the scheme is realized, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, the original source and destination IP address is encrypted within the packet.

RUT1 Configuration(Server)

As mentioned in the prerequisites section, the router that acts as the server must have a Public Static or Public Dynamic IP address (more information on the subject can be found here). If that is in order, we should start configuring the server.

L2TP

Login to the router's WebUI and navigate to the Services → VPN → L2TP page and do the following:

Select Role: Server.
Enter a custom configuration name.
Click the Add button. You will be prompted to the configuration window


Enable the L2TP instance. Select L2TP role - Server Enter the name of the instance Click on the Add button to add a new user Enter a User name and Password for authentication for the client. Optionally, set a fixed IP for this client (if left empty, the client will receive the first free IP from the IP range). Don't forget to Save the changes.

IPsec

Go to the Services → VPN → IPsec page and do the following:

Enter a custom name for the IPsec instance.
Click the Add button. You will be prompted to the configuration window

In the IPsec Configuration page, do the following (and leave the rest as defaults, unless your specific configuration requires otherwise):

Enable the instance.
Enter your Pre-shared key.


3. Select Type: Transport. 4. Select Bind to: L2TP interface Do not forget to Save changes.

Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Make the following changes:


Encryption - AES256; Authentication - SHA512; DH group - MODP4096; IKE lifetime - 86400s.


Encryption - AES256; Authentication - SHA512; PFS group - MODP4096; Lifetime – 86400s;

RUT2 Configuration(client)

Now let's configure the L2TP/IPsec Client.

L2TP

Login to the router's WebUI and navigate to the Services → VPN → L2TP page and do the following:

Click on "Add" button to create a new L2TP instance


Enable the L2TP instance. Select Role - Client Enter your preferred instance name Enter the Public IP of RUT1 Enter the Username that we created on RUT1 Enter the Password that we created on RUT1 Don't forget to Save the changes.

IPsec

Go to the Services → VPN → IPsec page and do the following:

Enter a custom name for the IPsec instance.
Click the Add button. You will be prompted to the configuration window

In the IPsec Configuration page, do the following (and leave the rest as defaults, unless your specific configuration requires otherwise):

Enable the instance.
Enter the Public IP of RUT1
Enter your Pre-shared key.


4. Select Type: Transport. 5. Select Bind to: L2TP interface. Do not forget to Save changes.

Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Make the following changes:


Encryption - AES256; Authentication - SHA512; DH group - MODP4096; IKE lifetime - 86400s.


Encryption - AES256; Authentication - SHA512; PFS group - MODP4096; Lifetime – 86400s;

Testing the setup

If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.

To test an L2TP connection, login to one of the routers' WebUIs and go to Services → CLI. Login with user name: root and the router's admin password. You should then be able to ping the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type ping <ip_address> and press the "Enter" key on your keyboard:

Use the swanctl -l command to retrieve IPsec status output. With this commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a RUT device:

If the ping requests are successful and ipsec status shows information, congratulations, your setup works! If not, we suggest that you review all steps once more.

@@ Line 30: / Line 30: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:RutOS_L2TP_IPsec_VPN_7,8_add_L2TP_Server.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:Create.png|right|790x790px]]</th>
      </tr>
      <tr>
@@ Line 49: / Line 49: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:L2TP instance create.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:L2tpseverconfiguration.png|right|803x803px]]</th>
      </tr>
      <tr>
@@ Line 55: / Line 55: @@
 <ol>
      <li>'''Enable''' the L2TP instance.</li>
+    <li>Select L2TP role - '''Server'''</li>
+    <li>Enter the name of the instance</li>
      <li>Click on the '''Add''' button to add a new user</li>
      <li>Enter a '''User name''' and '''Password''' for authentication for the client.</li>
@@ Line 88: / Line 90: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instnace222.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:Ipsecserverconfiguration.png|right|770x770px]]</th>
     </tr>
      <tr>
@@ Line 103: / Line 105: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instance_connection.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:Ipsecserverconnectionconfiguration.png|right|770x770px]]</th>
     </tr>
      <tr>
          <td style="border-bottom: 1px solid white>
 <ol>
-'''3.''' Select '''Type: Transport'''.
+'''3.'''
+Select '''Type: Transport'''.
 <br>
+'''4.'''
+Select '''Bind to''': '''L2TP interface'''
 Do not forget to '''Save''' changes.
 </ol>
@@ Line 157: / Line 163: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:RutOS_L2TP_IPsec_VPN_7,8_1.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:Create.png|right|770x770px]]</th>
      </tr>
      <tr>
@@ Line 163: / Line 169: @@
 Login to the router's WebUI and navigate to the '''Services → VPN → L2TP''' page and do the following:
 <ol>
-    <li>Select '''Role: Client'''.</li>
+     <li>Click on "Add" button to create a new L2TP instance</li></ol>
-    <li>Enter a '''custom configuration name'''.</li>
-     <li>Click the '''Add''' button. You will be prompted to the configuration window</li>
-</ol>
          </td>
      </tr>
@@ Line 176: / Line 179: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:L2TP client instance.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:L2tpclienconfiguratoinv2.png|right|770x770px]]</th>
      </tr>
      <tr>
@@ Line 182: / Line 185: @@
 <ol>
      <li>'''Enable''' the L2TP instance.</li>
+    <li>Select '''Role''' - '''Client'''</li>
+    <li>Enter your preferred instance name</li>
      <li>Enter the '''Public IP''' of RUT1</li>
      <li>Enter the '''Username''' that we created on RUT1</li>
@@ Line 215: / Line 220: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_3.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:2025-12-30 13h19 16.png|right|770x770px]]</th>
     </tr>
      <tr>
@@ Line 231: / Line 236: @@
      <tr>
          <th width=355; style="border-bottom: 1px solid white;></th>
-         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instance_connection.png|770px|right]]</th>
+         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:Ipsecclientconnectionconfigurationv2.png|right|770x770px]]</th>
     </tr>
      <tr>
          <td style="border-bottom: 1px solid white>
 <ol>
-'''4.''' Select '''Type: Transport'''.
+'''4.'''
+Select '''Type: Transport'''.
 <br>
+'''5.'''
+Select '''Bind to: L2TP''' interface.
+<br>
 Do not forget to '''Save''' changes.
 </ol>
@@ Line 284: / Line 297: @@
 To test an L2TP connection, login to one of the routers' WebUIs and go to '''Services → CLI'''. Login with user name: '''root''' and the router's admin password. You should then be able to '''ping''' the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type '''ping <ip_address>''' and press the "Enter" key on your keyboard:
-[[File:RutOS_L2TP_IPsec_VPN_7,8_5.png|border|class=tlt-border|500px]]
+[[File:2025-12-30 14h19 18.png|border|500x500px]]
 ----
-Using the <code><span class="highlight">'''ipsec status'''</span></code> or we can use <code><span class="highlight">'''ipsec statusall'''</span></code> command for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device:
+Use the <code><span class="highlight">'''swanctl -l'''</span></code>  command to retrieve IPsec status output. With this commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device:
-[[File:RutOS_L2TP_IPsec_VPN_7,8_4.png|border|class=tlt-border]]
+[[File:2025-12-30 14h18 04.png|border]]
 If the ping requests are successful and ipsec status shows information, congratulations, your setup works! If not, we suggest that you review all steps once more.

Revision as of 14:21, 30 December 2025

Introduction

Configuration overview and prerequisites

RUT1 Configuration(Server)

L2TP

IPsec

RUT2 Configuration(client)

L2TP

IPsec

Testing the setup

See also