L2TP over IPsec VPN
Created by Yuriy Andamasov, Modified on Fri, 12 Jan 2024 at 05:18 PM by Srividya Anantapatnaikuni
| Article review date | 2024-01-08 |
| Validated for VyOS versions | 1.3.5 |
Introduction
Layer 2 Tunnel Protocol (L2TP) over IPsec is a very common way of configuring remote access via VPN. This article shows an example of the configuration process in VyOS.
Configuration
IPsec
Assuming an external interface of eth0:
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0L2TP
Assuming a public IP of 203.0.113.2 and an address pool for VPN clients of 192.168.255.2 - 192.168.255.254:
set vpn l2tp remote-access outside-address 203.0.113.2
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254Authentication may be configured either using a pre-shared-secret (a text password given to all clients) or by using X.509 certificates.
Client authentication for L2TP may be configured either using a username/password combination, or by using a RADIUS server. For simplicity, we will use a pre-shared-secret and basic username/password authentication; not-so-secret for the secret, alice for the user, and notsecure for the user's password:
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "not-so-secret"
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username alice password notsecureFirewall
Additional configuration may be needed if you have a firewall policy on the external interface.
The following ports will need to be open:
- UDP port 500 for IKE
- IP protocol number 50 (ESP)
- UDP port 1701 for IPsec
- UDP port 4500 for ESP NAT traversal
When NAT is detected by the client's VPN software, ESP is encapsulated in UDP for NAT traversal, hence UDP port 4500.
Allow clients to reach external hosts
If you want the VPN to be used for external access (that is, allow clients connected to reach external hosts from the VPN server), SNAT will need to be properly configured:
set nat source rule 110 outbound-interface eth0
set nat source rule 110 source address 192.168.255.0/24
set nat source rule 110 translation address masqueradeAdditionally, clients will need their DNS servers configured (this example uses Google's public DNS servers; replace with your organization's if desired):
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4Additional Configuration Options
A full list of configuration options for L2TP can be seen by hitting the tab key after typing set vpn l2tp remote-access:
vyos@vyos# set vpn l2tp remote-access
Possible completions:
> authentication
Authentication for remote access L2TP VPN
> client-ip-pool
Pool of IP address to be assigned to remote clients
description Description for L2TP remote-access settings
dhcp-interface
DHCP interface to listen on
> dns-servers Domain Name Service (DNS) server
> ipsec-settings
Internet Protocol Security (IPsec) for remote access L2TP VPN
mtu Maximum Transmission Unit (MTU)
outside-address
Outside IP address to which VPN clients will connect
outside-nexthop
Nexthop IP address for reaching the VPN clients
> wins-servers Windows Inernet Name Service (WINS) server settingsAnd for set vpn ipsec:
yos@vyos# set vpn ipsec
Possible completions:
auto-update Set auto-update interval for IPsec daemon.
disable-uniqreqids
Option to disable requirement for unique IDs in the Security Database
+> esp-group Name of Encapsulating Security Payload (ESP) group
+> ike-group Name of Internet Key Exchange (IKE) group
> ipsec-interfaces
Interface to use for VPN [REQUIRED]
> logging IPsec logging
> nat-networks Network Address Translation (NAT) networks
nat-traversal
Network Address Translation (NAT) traversal
+> profile VPN IPSec Profile
> site-to-site Site to site VPNTweak these options and their sub-options as needed/desired.
Viewing VPN Status
Currently connected clients may be viewed through the following operational mode command:
vyos@vyos:~$ show l2tp-server sessions
Active remote access VPN sessions:
User Proto Iface Tunnel IP TX byte RX byte Time
---- ----- ----- --------- ------- ------- ----
alice L2TP l2tp0 192.168.255.2 3.2K 8.0K 00h06m13sWas this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article