L2TPv3 over IPsec configuration example

From Teltonika Networks Wiki
Main Page > General Information > Configuration Examples > Use cases > L2TPv3 over IPsec configuration example

Introduction

The information on this page is updated in accordance with firmware version 00.07.02.7.

Because of the lack of confidentiality inherent in the Layer 2 Networking Protocol (L2TP) protocol, Internet Protocol Security (IPsec) is often used to secure L2TP packets by providing confidentiality, authentication, and integrity. The combination of these two protocols is generally known as L2TP over IPsec (or simply L2TP/IPsec).

This article provides a guide on how to configure L2TPv3/IPsec on RUTxxx routers. It should also be noted that this guide is aimed at more advanced users and, therefore, skips some of the more self-explanatory steps in order to preserve the overall coherence of the article. For example, instead of showing how to add new instances step by step, it is only mentioned in a short sentence. If you feel this lack of information impedes your ability to configure the setup, we suggest you check out our separate configuration guides on IPsec and L2TP for reference.

Configuration overview and prerequisites

Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

  • Two RUTxxx routers
  • At least one router with a Public Static or Public Dynamic IP addresses
  • At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers
  • Two VLANs configurated on both devices

Preparation

As mentioned in Prerequisites, you will need to configure two VLANs on both RUT devices, detailed instructions on how to configure them can be found on this page: VLAN Set Up Everything else we will configure along the way.

Topology

Networking rutxxx configuration examples l2tpv3 over ipsec topology v1.png

IPsec configuration

First, you must configure a working IPsec Transport connection. This subsection contains instructions on how to do just that. The relevant parameters will be encapsulated in red rectangles. Explanations about these parameters will be provided under each example. Other used parameters will be defaults; you can find explanations for those parameters in the VPN manual page, IPsec section.

RUT1

Login to the router's WebUI and navigate to Services → VPN → IPsec. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will be redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:

Networking rutxxx configuration examples ipsec rut1 configuration v2.jpg

  • Enable - if checked, enables the IPsec instance
  • Remote endpoint - IP address or hostname of the remote IPsec instance. Provide RUT2 device's WAN IP here.
  • Pre shared key - a shared password used for authentication between the peers. The value of this field must match the other instance
  • Local identifier - 10.1.0.1
  • Remote identifier - 10.2.0.2
  • Local subnet - 10.1.0.0/24
  • Remote subnet - 10.2.0.0/24
  • IKE liftime - 3h, make sure you've inserted the same liftime in Phase 1 and Phase 2

RUT2

Create another instance on the second router the same way you created the server (login, add new instance, click "Edit"). Adhere to the configurations presented in the figure below:

Networking rutxxx configuration examples ipsec rut2 configuration v1.jpg

  • Enable - if checked, enables the IPsec instance
  • Remote endpoint - IP address or hostname of the remote IPsec instance. Provide RUT1 device's WAN IP here.
  • Pre shared key - a shared password used for authentication between the peers. The value of this field must match the other instance
  • Local identifier - 10.2.0.2
  • Remote identifier - 10.1.0.1
  • Local subnet - 10.2.0.0/24
  • Remote subnet - 10.1.0.0/24
  • IKE liftime - 3h, make sure you've inserted the same liftime in Phase 1and Phase 2

Testing IPsec connection

When you're done with the configuration, you should test whether it works before you move on. The simplest way to test an IPsec connection is using the ipsec status command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to Services → CLI. Log in to CLI with the user name root and the router's admin password. Then simply the ipsec status and press the "Enter" key:

Networking rutxxx configuration examples ipsec status v2.jpg

As you can see, executing ipsec status displays the number of active/inactive IPsec connections. If the connection you just configured is the only IPsec connection that you're using, you should a 1 up indication next to Security Associations.

L2TPv3

Next, you must configure a working L2TPv3 connection. This subsection contains instructions on how to do just that. The relevant parameters will be encapsulated in red rectangles. Explanations about these parameters will be provided under each example. For more detailed informaton refer to VPN, L2TPv3.

New L2TPv3 instances can be created from the Services → VPN → L2TP → L2TPv3 section of the router's WebUI. Enter a custom name and click the "Add" button to create a new instance. Then click the "Edit" button located next to the newly created instance to enter its configuration page.

RUT1

Networking rutxxx configuration examples l2tpv3 rut1 v1.jpg

  • Enable - if checked, enables the L2TPv3 instance
  • Local address - IP address of the local instance. Provide RUT1 device's LAN IP here.
  • Tunnel ID - Uniquely identifies the tunnel. The value used must match the peer tunnel ID value being used at the peer. For this example 3000.
  • Session ID - The value used must match the tunnel ID value being used at the peer. For this example 1000.
  • Peer address - IP address of the remote instance. Provide RUT2 device's LAN IP here.
  • Peer Tunnel ID - RUT2 Tunnel ID: 4000
  • Peer Session ID - RUT2 Session ID: 2000
  • Bridge to - you can select an instance that you want to bridge to. In this case select None.
  • IPv4 address - Provide your RUT1 first VLAN IP adress here. In this example 10.10.10.1
  • Netmask - netmask for provided IPv4 address above. In this example 255.255.255.0
  • MTU - 1488
  • Encapsulation - UDP
  • UDP source port - RUT1 UDP port. In this example 5000
  • UDP destination port - RUT2 UDP port. In this example 6000


RUT2

Networking rutxxx configuration examples l2tpv3 rut2 v1.jpg

  • Enable - if checked, enables the L2TPv3 instance
  • Local address - IP address of the local instance. Provide RUT2 device's LAN IP here.
  • Tunnel ID - Uniquely identifies the tunnel. The value used must match the peer tunnel ID value being used at the peer. For this example 4000.
  • Session ID - The value used must match the tunnel ID value being used at the peer. For this example 2000.
  • Peer address - IP address of the remote instance. Provide RUT1 device's LAN IP here.
  • Peer Tunnel ID - RUT1 Tunnel ID: 3000
  • Peer Session ID - RUT1 Session ID: 1000
  • Bridge to - you can select an instance that you want to bridge to. In this case select None.
  • IPv4 address - Provide your RUT2 first VLAN IP adress here. In this example 10.10.10.2
  • Netmask - netmask for provided IPv4 address above. In this example 255.255.255.0
  • MTU - 1488
  • Encapsulation - UDP
  • UDP source port - RUT2 UDP port. In this example 6000
  • UDP destination port - RUT1 UDP port. In this example 5000

Firewall rules

Before testing L2TPv3 over IPsec configuration we will need to change L2TPv3 Firewall rules on both RUT1 and RUT2. To do that Open your device's Firewall by navigating to Network → Firewall → Traffic Rules. Now on both RUT1 and RUT2, you will need to find two rules called Allow-your_instance_name-L2TPv3-traffic

Networking rutxxx configuration examples l2tpv3 firewall v1.jpg

Now Edit both of these rules and search for Destination address field. In this field, there should be written 0.0.0.0 you need to delete this address and Save the configuration. Repeat this process on both rules and on both RUT1 and RUT2.

Networking rutxxx configuration examples l2tpv3 firewall edit v1.jpg

Testing L2TPv3 configuration

The simplest way to test an L2TPv3 connection is using the ip l2tp show tunnel command. You can execute this command via a command line interface (CLI). A CLI is present in all RUTxxx routers' WebUIs. To access it, login to one of the routers' WebUI (doesn't matter which one) and navigate to Services → CLI. Log in to CLI with the user name root and the router's admin password. Then simply the ip l2tp show tunnel and press the "Enter" key. IF everything was configurated correctly you should see two L2TPv3 tunnels (example was taken from RUT1):

Networking rutxxx configuration examples l2tpv3 tunnel status v1.jpg.jpg

Testing full configuration

TCP Dump

The first way of testing our setup would be to check if the traffic between RUT1 and RUT2 devices is encrypted. To do this we will require to utilize TCP Dump, TCP Dump will let us capture traffic that goes through RUT2. In this example, we will install TCP Dump on RUT2 and we will proceed on capturing the data that is going through the device.

Installing TCP Dump on RUT2

Firstly, you will need to connect to the RUT2 device's CLI/SSH. You can connect the RUT2 device CLI via WebUI by navigating to Services → CLI. Log in to CLI with the user name root and the router's admin password.

Now execute these commands one at a time:


opkg update

opkg install tcpdump


To test if TCP Dump has been installed on your device execute the command tcpdump

Installing Wireshark

To see captured data via TCP Dumb we will be using Wireshark, although the data can be seen directly from CLI/SSH, Wireshark will let you see more information about captured data and it is simpler to understand TCP Dump output. The Wireshark can be downloaded here.

Capturing TCP Dump

Now you will need to login on to both RUT1 and RUT2 devices CLI/SSH. Once you have logged on both devices CLI/SSH, on RUT1 execute command ping 10.2.0.0

Leave this command running, the output should be similar:

Networking rutxxx configuration examples l2tpv3 ping rut2 lan v1.jpg

Now on RUT2 execute the command tcpdump -i wwan0 -n -w test.pcap this command will capture all wwan0 interface (mobile) traffic and write it into test.pcap file. Leave this command running for a minute and after that press Ctrl + C to stop this command.

Networking rutxxx configuration examples l2tpv3 tcpdump rut2 v1.jpg

Now in your device (at the directory in that you have executed the TCP Dump command(in this example /root/) you will be able to find test.pcap file, extract it to your computer(you can find instructions on how to do that here:Upload & Download Files from RutOS and open this file with Wireshark. You should see similar output:

Networking rutxxx configuration examples l2tpv3 wireshark rut2 v1.jpg

Here you will need to look if your devices communicate with ESP(Encapsulating Security Payload) protocol, if so then your configuration is working.

Ping VLANs

Another simple method to check if the configuration is working is to test if RUT1 VLAN can reach RUT2 VLAN and vice versa. In this example we will execute ping command of VLAN1 interface of RUT1 to VLAN1 of RUT2.

Once again login to RUT1 CLI/SSH and execute the command ping -I 10.10.10.1 10.10.10.2 this will execute a ping from VLAN1 of RUT1 to VLAN1 of RUT2. If the configuration is working you should see a similar output of this command:

Networking rutxxx configuration examples l2tpv3 ping VLANS v1.jpg

See also

Other types of VPNs supported by RUTxxx devices:

Retrieved from "https://wiki.teltonika-networks.com/index.php?title=L2TPv3_over_IPsec_configuration_example&oldid=109693"