
L2TPv3 over IPsec configuration example: Difference between revisions

 
Line 1: Line 1:
==Introduction==


<span style="color: red;">The information on this page is updated in accordance with firmware version <span style="color: #0054A6;"><b>00.07.02.7</b></span>.</span>
<span style="color: red;">The information on this page is updated in accordance with firmware version <span style="color: #0054A6;"><b>00.07.10</b></span>.</span>


Because of the lack of confidentiality inherent in the '''Layer 2 Networking Protocol''' ('''L2TP''') protocol, '''Internet Protocol Security''' ('''IPsec''') is often used to secure L2TP packets by providing confidentiality, authentication, and integrity. The combination of these two protocols is generally known as '''L2TP over IPsec''' (or simply '''L2TP/IPsec''').  
Line 26: Line 26:
[[File:Networking rutxxx configuration examples l2tpv3 over ipsec topology v1.png|border|class=tlt-border|1100px]]


==IPsec configuration==
If you have familiarized yourself with the configuration schemes and have all of the devices in order, we can start configuring the routers using instructions provided in this section.
We will start our configuration with RUT1.


First, you must configure a working IPsec Transport connection. This subsection contains instructions on how to do just that. The relevant parameters will be highlighted <span style="color:red">'''in red rectangles'''</span>, and explanations of these parameters are provided under each example. All other parameters are left at their defaults; you can find explanations for those parameters in the '''[[VPN#IPsec|VPN manual page, IPsec section]]'''.
===IPsec RUT1 Config===
----
* Login to the router's WebUI and go to '''Services → VPN → IPsec'''
* Add a new instance with your desired name, in my case, I will be using '''RUT1'''
 
[[File:RutOS_IPsec_tunnel_with_certificates_7.8_add_ipsec.png|border|center|class=tlt-border|1102px]]
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
====Instance configuration====
----
Make the following changes:
# '''''Enable''''' instance;
# Remote endpoint - '''''RUT2 public WAN IP;'''''
# Authentication method - '''''Pre-shared key;'''''
# Pre shared key - '''''Your chosen password (must match for both RUT1 & RUT2)'''''
# Local identifier – '''''RUT1 LAN IP, which is 192.168.3.1 in this case;'''''
# Remote identifier – '''''RUT2 LAN IP, which is 192.168.14.1 in this case;'''''
[[File:RutOS_IPsec_config_ex_7.8_rut1.png|border|class=tlt-border|center]]
====Connection general section configuration====
----
Make the following changes:
# Mode - '''''Start;'''''
# Type - '''''Tunnel;'''''
# Local subnet – '''''192.168.3.0/24;'''''
# Remote subnet – '''''192.168.14.0/24;'''''
# Key exchange - '''''IKEv2;'''''
 
[[File:RutOS_IPsec_tunnel_with_certificates_7.8_add_ipsec_config_connection.png|border|class=tlt-border|center]]
 
====Proposal configuration====
'''Important:''' Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
 
Make the following changes:
<table class="nd-othertables_2">
    <tr>
        <th width="330" style="border-bottom: 1px solid white;"></th>
        <th width="800" style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# DH group - '''''MODP4096;'''''
# IKE lifetime - '''86400s'''.
        </td>
    </tr>
</table>
 
----
<table class="nd-othertables_2">
    <tr>
        <th width="330" style="border-bottom: 1px solid white;"></th>
        <th width="800" style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# PFS group - '''''MODP4096;'''''
# Lifetime – '''''86400s;'''''
        </td>
    </tr>
</table>


===RUT1===
Login to the router's WebUI and navigate to '''Services → VPN → IPsec'''. Enter a custom name for your IPsec instance and click the "Add" button. Then click the "Edit" button located next to the newly created instance after which you will be redirected to that instance's configuration window. Adhere to the configurations presented in the figure below:


[[File:Networking rutxxx configuration examples ipsec rut1 configuration v2.jpg|border|class=tlt-border|1100px]]


* '''Enable''' - if checked, enables the IPsec instance
* '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. Provide '''RUT2''' device's '''WAN IP''' here.
* '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
* '''Local identifier''' - 10.1.0.1
* '''Remote identifier''' - 10.2.0.2
* '''Local subnet''' - 10.1.0.0/24
* '''Remote subnet''' - 10.2.0.0/24
* '''IKE lifetime''' - 3h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''


===IPsec RUT2 Config===
----
* Login to the router's WebUI and go to '''Services → VPN → IPsec'''
* Add a new instance with your desired name, in my case I will be using '''RUT2'''

[[File:RutOS_IPsec_tunnel_with_certificates_7.8_add_ipsec.png|border|center|class=tlt-border|1102px]]

'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
====Instance configuration====
----
Make the following changes:
# '''''Enable''''' instance;
# Authentication method - '''''Pre-shared key;'''''
# Pre shared key - '''''Your chosen password (must match for both RUT1 & RUT2)'''''
# Local identifier – '''''RUT2 LAN IP, which is 192.168.14.1 in this case;'''''
# Remote identifier – '''''RUT1 LAN IP, which is 192.168.3.1 in this case;'''''
[[File:RutOS_IPsec_config_ex_7.8_rut2222.png|border|class=tlt-border|center]]
====Connection general section configuration====
----
Make the following changes:
# Mode - '''''Start;'''''
# Type - '''''Tunnel;'''''
# Local subnet – '''''192.168.14.0/24;'''''
# Remote subnet – '''''192.168.3.0/24;'''''
# Key exchange - '''''IKEv2;'''''

[[File:RutOS_IPsec_tunnel_with_certificates_7.8_add_ipsec_config_connection_rut2_general.png|border|class=tlt-border|center]]
====Proposal configuration====
'''Important:''' Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''

Make the following changes:
<table class="nd-othertables_2">
    <tr>
        <th width="330" style="border-bottom: 1px solid white;"></th>
        <th width="800" style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# DH group - '''''MODP4096;'''''
# IKE lifetime - '''86400s'''.
        </td>
    </tr>
</table>

----
<table class="nd-othertables_2">
    <tr>
        <th width="330" style="border-bottom: 1px solid white;"></th>
        <th width="800" style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white;">
# Encryption - '''''AES256;'''''
# Authentication - '''''SHA512;'''''
# PFS group - '''''MODP4096;'''''
# Lifetime – '''''86400s;'''''
        </td>
    </tr>
</table>

===RUT2===
Create another instance on the second router the same way you created the server (login, add new instance, click '''"Edit"'''). Adhere to the configurations presented in the figure below:

[[File:Networking rutxxx configuration examples ipsec rut2 configuration v1.jpg|border|class=tlt-border|1100px]]

* '''Enable''' - if checked, enables the IPsec instance
* '''Remote endpoint''' - IP address or hostname of the remote IPsec instance. Provide '''RUT1''' device's '''WAN IP''' here.
* '''Pre shared key''' - a shared password used for authentication between the peers. The value of this field must match the other instance
* '''Local identifier''' - 10.2.0.2
* '''Remote identifier''' - 10.1.0.1
* '''Local subnet''' - 10.2.0.0/24
* '''Remote subnet''' - 10.1.0.0/24
* '''IKE lifetime''' - 3h, make sure you've inserted the same lifetime in '''Phase 1''' and '''Phase 2'''
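The RUT1 and RUT2 sections above only work when the two instances mirror each other (local/remote identifiers and subnets swapped, the pre-shared key identical, and both proposals the same). The script below is an added illustration, not RutOS code: it types the page's values into two dicts and checks that mirror relationship mechanically; the PSK is a constructed placeholder and `LEGACY_ALGS` is an assumed list standing in for the page's note about older algorithms.

```python
"""Peer-consistency check for the RUT1/RUT2 IPsec settings on this page.
Added illustration, not RutOS code: the dicts hold the values the WebUI steps
ask for; the PSK is a constructed placeholder and LEGACY_ALGS is an assumed
list standing in for the page's warning about older algorithms."""

LEGACY_ALGS = {"DES", "3DES", "MD5", "SHA1", "MODP768", "MODP1024", "MODP1536"}

# Proposal tuple: (encryption, authentication, DH/PFS group, lifetime in seconds)
PROPOSAL = ("AES256", "SHA512", "MODP4096", 86400)

RUT1 = {
    "name": "RUT1", "psk": "constructed-placeholder-psk", "key_exchange": "IKEv2",
    "local_id": "192.168.3.1", "remote_id": "192.168.14.1",
    "local_subnet": "192.168.3.0/24", "remote_subnet": "192.168.14.0/24",
    "phase1": PROPOSAL, "phase2": PROPOSAL,
}
RUT2 = {
    "name": "RUT2", "psk": "constructed-placeholder-psk", "key_exchange": "IKEv2",
    "local_id": "192.168.14.1", "remote_id": "192.168.3.1",
    "local_subnet": "192.168.14.0/24", "remote_subnet": "192.168.3.0/24",
    "phase1": PROPOSAL, "phase2": PROPOSAL,
}


def check_peers(a, b):
    """Return a list of problems found between two peers; [] means consistent."""
    problems = []
    # Values that must be identical on both ends.
    for key in ("psk", "key_exchange"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between {a['name']} and {b['name']}")
    # Values that must mirror: my local is your remote, and vice versa.
    for local, remote in (("local_id", "remote_id"), ("local_subnet", "remote_subnet")):
        if a[local] != b[remote]:
            problems.append(f"{a['name']} {local}={a[local]} but {b['name']} {remote}={b[remote]}")
        if a[remote] != b[local]:
            problems.append(f"{a['name']} {remote}={a[remote]} but {b['name']} {local}={b[local]}")
    # Phase 1 and phase 2 proposals must match exactly, and neither side
    # should rely on the legacy algorithms the page advises against.
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposals differ: {a[phase]} vs {b[phase]}")
        for peer in (a, b):
            for alg in peer[phase][:3]:
                if alg.upper() in LEGACY_ALGS:
                    problems.append(f"{peer['name']} {phase} uses legacy algorithm {alg}")
    return problems
```

Running `check_peers(RUT1, RUT2)` on the page's values returns an empty list; changing one side's authentication to SHA1 or mistyping the PSK produces a named problem for that field.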


===Testing IPsec connection===