Changes

Line 34: Line 34:  
* Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:
 
* Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:
   −
[[File:Networking rutxxx configuration examples ipsec server configuration v1.jpg|border|class=tlt-border]]
+
[[File:Networking rutxxx configuration examples ipsec server configuration v2.png|border|class=tlt-border]]
   −
* '''Enable''' - if checked, enables the IPsec instance
+
# '''Enable''' - if checked, enables the IPsec instance
* '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration
+
# '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. '''Leave empty''' for the server configuration
* '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
+
# '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
* '''Local identifier''' - 192.168.0.1
+
# '''Local identifier''' - 192.168.0.1
* '''Remote identifier''' - 192.168.0.20
+
# '''Remote identifier''' - 192.168.0.20
* '''Type''' - the type of the connection. '''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
+
# '''Type''' - the type of the connection.  
* '''IKE liftime''' - 8h, make sure you've inserted the same liftime in '''Phase 1''' and '''Phase 2'''
+
#'''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
 +
# '''IKE lifetime''' - 8h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''
    
====Client (RUT2)====
 
====Client (RUT2)====
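Review bot: the new numbered list splits the Type field across two items: "# '''Type''' - the type of the connection." is followed by a separate "#'''Transport''' encrypts only the payload..." item, so Transport now renders as its own numbered setting instead of the value selected for Type. Suggest merging them back into one item ("# '''Type''' - the type of the connection. '''Transport''' encrypts only the payload...") and adding the space after "#" so the item matches the others. The unchanged context line above still reads "after which you will redirected"; "after which you will be redirected" could be fixed in the same edit.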
Line 48: Line 49:  
* Create another instance on the second router the same way you created the server (login, add new instance, click "Edit"). Adhere to the configurations presented in the figure below:
 
* Create another instance on the second router the same way you created the server (login, add new instance, click "Edit"). Adhere to the configurations presented in the figure below:
   −
[[File:Networking rutxxx configuration examples ipsec client configuration v1.jpg|border|class=tlt-border]]
+
[[File:Networking rutxxx configuration examples ipsec client configuration v2.png|border|class=tlt-border]]
   −
* '''Enable''' - if checked, enables the IPsec instance
+
# '''Enable''' - if checked, enables the IPsec instance
* '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. Enter the '''IPsec server's Public IP address''' in the client's configuration
+
# '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. Enter the '''IPsec server's Public IP address''' in the client's configuration
* '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
+
# ''' Pre-shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
* '''Local identifier''' - 192.168.0.20
+
# '''Local identifier''' - 192.168.0.20
* '''Remote identifier''' - 192.168.0.1
+
# '''Remote identifier''' - 192.168.0.1
* '''Type''' - the type of the connection. '''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
+
# '''Type''' - the type of the connection.  
* '''IKE liftime''' - 8h, make sure you've inserted the same liftime in '''Phase 1''' and '''Phase 2'''
+
#'''Transport''' encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]]) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode
 +
# '''IKE lifetime''' - 8h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''
    
====Testing the connection====
 
====Testing the connection====
Line 62: Line 64:  
When you're done with the configuration, you should test whether it works before you move on. The simplest way to test an IPsec connection is using the '''ipsec status''' command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to '''Services → CLI'''. Login to CLI with the user name '''root''' and the router's admin password. Then simply the ''ipsec status'' and press the "Enter" key:
 
When you're done with the configuration, you should test whether it works before you move on. The simplest way to test an IPsec connection is using the '''ipsec status''' command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to '''Services → CLI'''. Login to CLI with the user name '''root''' and the router's admin password. Then simply the ''ipsec status'' and press the "Enter" key:
   −
[[File:Networking rutxxx configuration examples ipsec status v1.jpg|border|class=tlt-border]]
+
[[File:Networking rutxxx configuration examples ipsec status v3.png|border|class=tlt-border]]
    
As you can see, executing ''ipsec status'' displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a '''1 up''' indication next to Security Associations.
 
As you can see, executing ''ipsec status'' displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a '''1 up''' indication next to Security Associations.
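Review bot: the screenshot bump to v3 leaves two typos in the surrounding context untouched: "Then simply the ''ipsec status''" is missing the verb ("Then simply type ''ipsec status''"), and "you should a '''1 up''' indication" is missing "see". Since ''ipsec status'' reports Security Associations, the sentence could also spell out that "1 up" means one established security association, which is the check that the two peers authenticated with the pre-shared key configured above.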
Line 75: Line 77:  
----
 
----
 
* '''Server configuration''':
 
* '''Server configuration''':
 +
[[File:Networking rutxxx configuration examples l2tp server configuration v2.png|border|class=tlt-border|1100px]]
   −
[[File:Networking rutxxx configuration examples l2tp server configuration.jpg|border|class=tlt-border|1100px]]
+
# '''Enable''' - when checked, enables the instance
 
+
# '''Local IP''' - the server's virtual IP address
* '''Enable''' - when checked, enables the instance
+
# '''Remote IP range''' parameters - the range of virtual IP addresses that will be assigned to connecting clients
* '''Local IP''' - the server's virtual IP address
+
# '''User name''' and '''Password''' - authentication information used to authenticate connecting clients
* '''Remote IP range''' parameters - the range of virtual IP addresses that will be assigned to connecting clients
  −
* '''User name''' and '''Password''' - authentication information used to authenticate connecting clients
   
----
 
----
 
* '''Client configuration''':
 
* '''Client configuration''':
   −
[[File:Networking rutxxx configuration l2tp client configuration v1.jpg|border|class=tlt-border|1100px]]
+
[[File:Networking rutxxx configuration l2tp client configuration v2.png|border|class=tlt-border|1100px]]
   −
* '''Enable''' - when checked, enables the instance
+
# '''Enable''' - when checked, enables the instance
* '''Server''' - L2TP server's Public IP address
+
# '''Server''' - L2TP server's Public IP address
* '''User name''' and '''Password''' - authentication information. Used the values specified in the Server's configuration  
+
# '''User name''' and '''Password''' - authentication information. Used the values specified in the Server's configuration
    
==Testing the setup==
 
==Testing the setup==
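Review bot: the client item "# '''User name''' and '''Password''' - authentication information. Used the values specified in the Server's configuration" carries the "Used" typo over from the removed line; it should read "Use the values specified in the server's configuration". Worth fixing while the list is being converted, since this is the only place the page tells the reader where the client credentials come from.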
Line 95: Line 96:  
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. We already tested the IPsec connection in the '''[[L2TP_over_IPsec#Testing_the_connection|3.1.3]]''' section of this article. To test an L2TP connection, login to one of the routers' WebUIs and go to '''Services → CLI'''. Login with user name: '''root''' and the router's admin password. You should then be able to '''ping''' the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type '''ping <ip_address>''' and press the "Enter" key on your keyboard:
 
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. We already tested the IPsec connection in the '''[[L2TP_over_IPsec#Testing_the_connection|3.1.3]]''' section of this article. To test an L2TP connection, login to one of the routers' WebUIs and go to '''Services → CLI'''. Login with user name: '''root''' and the router's admin password. You should then be able to '''ping''' the opposite instance, i.e., if you logged in to the server's CLI, you should be able to ping the client's virtual IP address, and vice versa. To use a ping command, type '''ping <ip_address>''' and press the "Enter" key on your keyboard:
   −
[[File:Networking rutxxx configuration examples l2tp over ipsec ping v1.jpg|border|class=tlt-border]]
+
[[File:Networking rutxxx configuration examples l2tp over ipsec ping v2.png|border|class=tlt-border|600px]]
    
If the ping requests are successful, congratulations, your setup works! If not, we suggest that you review all steps once more.
 
If the ping requests are successful, congratulations, your setup works! If not, we suggest that you review all steps once more.
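Review bot: a successful ping only shows that the two L2TP endpoints can reach each other's virtual IP; it does not by itself show that the L2TP tunnel is carried inside IPsec. Suggest telling the reader to re-run ''ipsec status'' (the check from section 3.1.3 referenced above) on the same router and confirm that Security Associations still reports "1 up" while the ping is running. Minor: "Login with user name: '''root'''" uses a colon that the IPsec section's wording ("Login to CLI with the user name '''root'''") does not; align the two.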
