Changes

817 bytes added ,  14:56, 2 August 2023
no edit summary
Line 16: Line 16:  
----
 
----
 
'''Configuration scheme''':
 
'''Configuration scheme''':
 +
[[File:Finaltopology.jpg|left|Finaltopology]]
    
The figure above shows the L2TP/IPsec scheme. It is quite similar to the [[L2TP_configuration_examples#Configuration_overview_and_prerequisites|L2TP]] and [[IPsec_configuration_examples#Configuration_overview_and_prerequisites|IPsec]] configuration schemes - the router with the public IP address (''RUT'') acts as the L2TP/IPsec server and a ''PC'' acts as the client. L2TP connects the RUT and PC networks and IPsec provides the encryption for the L2TP tunnel.
 
The figure above shows the L2TP/IPsec scheme. It is quite similar to the [[L2TP_configuration_examples#Configuration_overview_and_prerequisites|L2TP]] and [[IPsec_configuration_examples#Configuration_overview_and_prerequisites|IPsec]] configuration schemes - the router with the public IP address (''RUT'') acts as the L2TP/IPsec server and a ''PC'' acts as the client. L2TP connects the RUT and PC networks and IPsec provides the encryption for the L2TP tunnel.
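Review bot: the newly added topology figure is inconsistent with the other screenshots this edit introduces: every other new `[[File:...]]` line gains `border|class=tlt-border|1100px`, but `[[File:Finaltopology.jpg|left|Finaltopology]]` does not, so it will render without the border and at a different width. Suggest `[[File:Finaltopology.jpg|left|Finaltopology|border|class=tlt-border|1100px]]` for a uniform layout.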
Line 31: Line 32:  
----
 
----
 
*'''Server configuration''':
 
*'''Server configuration''':
[[File:L2tpoveripsecl2tpserverconfiguration new.png|left]]
+
[[File:L2tpoveripsecl2tpserverconfiguration_newf.png|border|class=tlt-border|1100px]]
 
*'''Enable''' - when checked, enables the instance
 
*'''Enable''' - when checked, enables the instance
 
*'''Local IP''' - the server's virtual IP address
 
*'''Local IP''' - the server's virtual IP address
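Review bot: the replacement screenshot line drops the `left` alignment that the old `L2tpoveripsecl2tpserverconfiguration new.png` line had, while all the other replaced screenshots in this edit keep `left`. Either alignment works, but pick one for the whole page.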
Line 45: Line 46:  
Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:
 
Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:
   −
[[File:L2tpoveripsecserver1.png|left|L2tpoveripsecserver1]]
+
[[File:L2tpoveripsecserver1f.png|left|L2tpoveripsecserver1|border|class=tlt-border|1100px]]
[[File:L2tpoveripsecserver2.png|left|L2tpoveripsecserver2]]
+
[[File:L2tpoveripsecserver2f.png|left|L2tpoveripsecserver2|border|class=tlt-border|1100px]]
 +
[[File:Custom options configuration v1.png|center|L2tpoveripsecserverIKE|border|class=tlt-border]]
 +
[[File:Custom options configuration v3.png|center|L2tpoveripsecserverCustom|border|class=tlt-border]]
 +
 
 +
 
 
*'''Remote VPN endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration
 
*'''Remote VPN endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration
 
*'''Enable''' - if checked, enables the IPsec instance
 
*'''Enable''' - if checked, enables the IPsec instance
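Review bot: the three empty `+` lines added after the custom-options screenshots serve no purpose and only push the bullet list away from the figures it describes; drop them. Since this hunk already touches the block, also fix the context sentence "after which you will redirected to that instance's configuration window", which is missing "be", and "Login to the router's WebUI", where the verb should be "Log in to".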
Line 53: Line 58:  
*'''Type''' - the type of the connection. '''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.
 
*'''Type''' - the type of the connection. '''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.
 
*'''Bind to''' - which interface is going to be bind to the IPsec configuration. The L2TP interface must be selected.
 
*'''Bind to''' - which interface is going to be bind to the IPsec configuration. The L2TP interface must be selected.
 +
*'''Custom option''' - rekey=0
 +
*'''Encryption algorithm''' - AES 256
 +
*'''Authentication''' - SHA1
 +
*'''Force crypto proposal''' - Enabled
 +
*'''DH group''' - MODP2048
    
===PC Client===
 
===PC Client===
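Review bot: the five new bullets (`Custom option - rekey=0` through `DH group - MODP2048`) give only a value, whereas the surrounding bullets explain what each field does and why it is set. The one that most needs a sentence is `rekey=0`: state what it changes (that it disables rekeying on the router side) and why the setup needs it, so a reader understands the trade-off of running a long-lived tunnel without rekeying. `Authentication - SHA1` should also say that this is the integrity (hash) algorithm for the IPsec proposal, not how the peer is authenticated, to avoid confusion with the authentication settings shown in the screenshots. Minor: the context bullet "which interface is going to be bind to the IPsec configuration" should read "bound to".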
Line 60: Line 70:  
To configure a windows PC as a client, you can use the already developed VPN function. To do this, select the search bar and type "Add a VPN connection". Then select the "Add VPN" option.
 
To configure a windows PC as a client, you can use the already developed VPN function. To do this, select the search bar and type "Add a VPN connection". Then select the "Add VPN" option.
 
*'''Client configuration''':
 
*'''Client configuration''':
[[File:WindowsVPNconfig.png|left|WindowsVPNconfig]]
+
[[File:WindowsVPNconfigf.png|left|WindowsVPNconfig|border|class=tlt-border|1100px]]
 
*'''VPN provider''' - VPN provider to be configured. In our case we select the "Windows (build-in)" option.
 
*'''VPN provider''' - VPN provider to be configured. In our case we select the "Windows (build-in)" option.
 
*'''Connection name''' -  enter a custom name.
 
*'''Connection name''' -  enter a custom name.
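Review bot: "Windows (build-in)" in the VPN provider bullet should be "Windows (built-in)", which is the actual label in the Windows "Add a VPN connection" dialog; readers searching for the string will not find "build-in". Also capitalise "windows PC" in the context paragraph.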
Line 74: Line 84:  
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. The simplest way to test an IPsec connection is using the ipsec status command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to the routers' WebUI and navigate to ''' Services'''  → ''' CLI''' . Login to CLI with the user name root and the router's admin password. Then simply the ipsec status and press the "Enter" key:
 
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. The simplest way to test an IPsec connection is using the ipsec status command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to the routers' WebUI and navigate to ''' Services'''  → ''' CLI''' . Login to CLI with the user name root and the router's admin password. Then simply the ipsec status and press the "Enter" key:
   −
[[File:Ipseccorrectly.png|left|Ipseccorrectly]]
+
[[File:Ipseccorrectlyfinal2.png|left|Ipseccorrectlyfinal2|border|class=tlt-border|1100px]]
    
As you can see, executing ipsec status displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a 1 up indication next to Security Associations.
 
As you can see, executing ipsec status displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a 1 up indication next to Security Associations.
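Review bot: two words are missing in the context paragraph around the replaced screenshot: "Then simply the ipsec status and press the Enter key" needs "type" (Then simply type ipsec status ...), and "you should a 1 up indication next to Security Associations" needs "see". Also "the routers' WebUI" should be "the router's WebUI", and `ipsec status` should get the same bold formatting that `ping <ip_address>` gets in the next section, so the command stands out as something to type.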
Line 80: Line 90:  
To test an L2TP connection. You should then be able to ping the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type ''' ping <ip_address>'''  and press the ''' Enter'''  key on your keyboard:
 
To test an L2TP connection. You should then be able to ping the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type ''' ping <ip_address>'''  and press the ''' Enter'''  key on your keyboard:
   −
[[File:L2tpcorrectly.png|left|L2tpcorrectly]]
+
[[File:L2tpcorrectlyfinal.png|left|L2tpcorrectly|border|class=tlt-border|1100px]]
    
If the ping requests are successful, congratulations, your setup works! If not, we suggest that you review all steps once more.
 
If the ping requests are successful, congratulations, your setup works! If not, we suggest that you review all steps once more.
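Review bot: "To test an L2TP connection." is a sentence fragment; join it with the next sentence, e.g. "To test the L2TP connection, log in to either instance's CLI; you should then be able to ping the opposite instance ...". It would also help to remind the reader that a successful ping only proves the L2TP tunnel is up, and that the `ipsec status` check from the previous section is what confirms the Security Association encrypting that tunnel is established.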
Line 87: Line 97:     
*Other types of VPNs suported by RUTxxx devices:
 
*Other types of VPNs suported by RUTxxx devices:
**[[L2TP configuration examples]]
+
**[[L2TP configuration examples RutOS|L2TP configuration examples]]
**[[IPsec configuration examples]]
+
**[[IPsec RUTOS configuration example|IPsec configuration examples]]
**[[GRE Tunnel configuration examples]]
+
**[[GRE Tunnel configuration examples RutOS|GRE Tunnel configuration examples]]
**[[OpenVPN configuration examples]]
+
**[[OpenVPN configuration examples RUT R 00.07|OpenVPN configuration examples]]
**[[PPTP configuration examples]]
+
**[[PPTP configuration examples RutOS|PPTP configuration examples]]
 +
[[Category:VPN]]
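Review bot: "suported" in the context line should be "supported". The updated link targets mix three naming styles for the same product line, `RutOS` (L2TP, GRE, PPTP), `RUTOS` (IPsec) and `RUT R 00.07` (OpenVPN); MediaWiki page titles are case-sensitive after the first character, so please confirm each target page exists under exactly that title, otherwise the link will render red.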
