L2TP over IPsec PC: Difference between revisions

no edit summary
==Router configuration==
If you have familiarized yourself with the configuration scheme and have all of the devices in order, we can start configuring the router using instructions provided in this section. To summarize, we'll be configuring an L2TP server and an IPsec Transport instance (server) on ''RUT''; an L2TP/IPsec client on ''PC''.
As mentioned in the prerequisites section, the router that acts as the server must have a Public Static or Public Dynamic IP address (more information on the subject can be found here). If that is in order, we should start configuring the server.
===L2TP===
For more in-depth explanations about these parameters, you can visit the following wiki pages: '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;"></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2> [[File:RutOS_L2TP_IPsec_VPN_7,8_add_L2TP_Server.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;">
Log in to the router's WebUI, navigate to the '''Services → VPN → L2TP''' page and do the following:
<ol>
    <li>Select '''Role: Server'''.</li>
    <li>Enter a '''custom configuration name'''.</li>
    <li>Click the '''Add''' button. You will be taken to the configuration window.</li>
</ol>
        </td>
    </tr>
</table>


----
It is recommended to start with the L2TP tunnel configuration, and this subsection explains how to do that. In the screenshots, the relevant parameters are enclosed <span style="color:red">'''in red rectangles'''</span>, and each parameter is explained under the example it belongs to. For more information, you can visit the following wiki page: '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.


New L2TP instances are created from the '''Services → VPN → L2TP''' section of the router's WebUI. Select the '''Server''' role, enter any name that makes the instance easy to identify, and press the "Add" button; the configuration window then opens automatically.
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;"></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_L2TP_Server_config.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;">
<ol>
    <li>'''Enable''' the L2TP instance.</li>
    <li>Click on the '''Add''' button to add a new user.</li>
    <li>Enter a '''User name''' and '''Password''' used to authenticate the client.</li>
    <li>Optionally, set a fixed IP for this client (if left empty, the client will receive the first free IP from the IP range).</li>
    <li>Don't forget to '''Save''' the changes.</li>
</ol>
        </td>
    </tr>
</table>
*'''Server configuration''':
[[File:L2tpoveripsecl2tpserverconfiguration_newf.png|border|class=tlt-border|1100px]]
*'''Enable''' - when checked, enables the instance
*'''Local IP''' - the server's virtual IP address
*'''Remote IP range''' parameters - the range of virtual IP addresses that will be assigned to connecting clients
*'''User name''' and '''Password''' - authentication information used to authenticate connecting clients
*'''L2TP Client's IP''' - optionally, set a fixed IP for this client (if left empty, the client will receive the first free IP from the IP range)

===IPsec===
----
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;"></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;">
Go to the '''Services → VPN → IPsec''' page and do the following:
<ol>
      <li>Enter a custom name for the IPsec instance.</li>
      <li>Click the '''Add''' button. You will be taken to the configuration window.</li>
</ol>
        </td>
    </tr>
</table>


----
Next, you must configure a working IPsec transport connection, and this subsection explains how. In the screenshots, the relevant parameters are enclosed <span style="color:red">'''in red rectangles'''</span>, and each parameter is explained under the example it belongs to. All other parameters are left at their defaults; they are explained in the '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.


Log in to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button next to the newly created instance; you will be redirected to that instance's configuration window. Follow the configuration shown in the figures below:
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;"></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_VPN_7,8_add_Ipsec_Server_config_instnace222.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;">
In the '''IPsec Configuration''' page, do the following (and leave the rest as defaults, unless your specific configuration requires otherwise):
<ol>
      <li>'''Enable''' the instance.</li>
      <li>Enter your '''Pre-shared key'''.</li>
</ol>
        </td>
    </tr>
</table>
<table class="nd-othertables_2">
    <tr>
        <th width=355; style="border-bottom: 1px solid white;"></th>
        <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_L2TP_IPsec_PC_7.8_1.png|770px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;">
<ol start="3">
      <li>Select '''Type: Transport'''.</li>
      <li>Select '''Bind to: Test(L2TP)''' (the L2TP instance created earlier; ''Test'' is the instance name used in this example).</li>
</ol>
        </td>
    </tr>
</table>
[[File:L2tpoveripsecserver1f.png|left|L2tpoveripsecserver1|border|class=tlt-border|1100px]]
[[File:L2tpoveripsecserver2f.png|left|L2tpoveripsecserver2|border|class=tlt-border|1100px]]
<br>
[[File:Custom options configuration v1.png|center|L2tpoveripsecserverIKE|border|class=tlt-border]]
[[File:Custom options configuration v3.png|center|L2tpoveripsecserverCustom|border|class=tlt-border]]
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''


Make the following changes:
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;"></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# DH group - '''''MODP4096;'''''
# IKE lifetime - '''''86400s.'''''
        </td>
    </tr>
</table>


<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;"></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# PFS group - '''''MODP4096;'''''
# Lifetime - '''''86400s.'''''
        </td>
    </tr>
</table>
----
*'''Remote VPN endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration.
*'''Enable''' - if checked, enables the IPsec instance.
*'''Authentication method''' - the method the peers use to authenticate each other. For this configuration, select '''Pre-shared key'''.
*'''Pre-shared key''' - a shared password used for authentication between the peers. The value of this field must match on the other instance.
*'''Type''' - the type of the connection. '''Transport''' encrypts only the payload and the Encapsulating Security Payload (ESP) trailer, so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]] or [[VPN#L2TP|L2TP]]) first encapsulates the IP data packet, and IPsec is then used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.
*'''Bind to''' - the interface that the IPsec configuration is bound to. The L2TP interface must be selected.
*'''Custom option''' - rekey=0
*'''Encryption algorithm''' - AES 256
*'''Authentication''' - SHA1
*'''Force crypto proposal''' - Enabled
*'''DH group''' - MODP2048
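The note above recommends against older encryption and hashing algorithms. As an added example (not code from the wiki page or from RutOS), here is a small Python checker that takes the phase 1 / phase 2 values as they are entered in the form, renders them in the compact enc-integ-dh notation that strongSwan uses, and flags legacy choices; which algorithms count as legacy is this example's own assumption, not a list taken from the page.

```python
from dataclasses import dataclass

# Algorithms treated as legacy here: this example's own conservative choice
# (an assumption), not a list taken from the page or from RutOS.
LEGACY_ENCRYPTION = {"DES", "3DES", "BLOWFISH", "CAST5"}
LEGACY_INTEGRITY = {"MD5", "SHA1"}
LEGACY_DH_GROUPS = {"MODP768", "MODP1024", "MODP1536"}
MAX_LIFETIME_S = 86400  # the IKE/ESP lifetime used in the tables above


@dataclass
class Proposal:
    encryption: str      # e.g. "AES256"
    authentication: str  # integrity/PRF hash, e.g. "SHA512"
    dh_group: str        # DH group (phase 1) or PFS group (phase 2); "" = none
    lifetime_s: int


def norm(name: str) -> str:
    """Canonicalise form values so 'AES 256', 'aes-256' and 'AES256' compare equal."""
    return name.upper().replace(" ", "").replace("-", "").replace("_", "")


def check_proposal(phase: str, p: Proposal) -> list[str]:
    """Return findings for one proposal; an empty list means it passes."""
    findings = []
    enc, auth, dh = norm(p.encryption), norm(p.authentication), norm(p.dh_group)
    if enc in LEGACY_ENCRYPTION:
        findings.append(f"{phase}: legacy encryption algorithm {enc}")
    if auth in LEGACY_INTEGRITY:
        findings.append(f"{phase}: legacy hash algorithm {auth}")
    if dh in LEGACY_DH_GROUPS:
        findings.append(f"{phase}: weak DH/PFS group {dh}")
    elif dh in ("", "NONE"):
        findings.append(f"{phase}: no DH/PFS group, so no forward secrecy")
    if p.lifetime_s > MAX_LIFETIME_S:
        findings.append(f"{phase}: lifetime {p.lifetime_s}s exceeds {MAX_LIFETIME_S}s")
    return findings


def proposal_string(p: Proposal) -> str:
    """Render in the enc-integ-dh notation strongSwan uses, e.g. aes256-sha512-modp4096."""
    parts = [norm(p.encryption), norm(p.authentication), norm(p.dh_group)]
    return "-".join(x.lower() for x in parts if x not in ("", "NONE"))

# Constructed samples: the values from the phase 1 / phase 2 tables above, and
# an older-style proposal of the kind the note warns about.
PAGE_PHASE1 = Proposal("AES256", "SHA512", "MODP4096", 86400)
PAGE_PHASE2 = Proposal("AES256", "SHA512", "MODP4096", 86400)
OLD_STYLE = Proposal("AES 256", "SHA1", "MODP2048", 86400)
```

Running `check_proposal("IKE", OLD_STYLE)` reports the SHA1 hash, while both page proposals pass with no findings.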


===PC Client===
**[[IPsec RUTOS configuration example|IPsec configuration examples]]
**[[GRE Tunnel configuration examples RutOS|GRE Tunnel configuration examples]]
**[[OpenVPN configuration examples RUT R 00.07|OpenVPN configuration examples]]
**[[OpenVPN configuration examples|OpenVPN configuration examples]]
**[[PPTP configuration examples RutOS|PPTP configuration examples]]
[[Category:VPN]]