AWS L2TP/IPSec
Created by Yuriy Andamasov, Modified on Tue, 11 Apr, 2023 at 4:29 PM by Yuriy Andamasov
All instances on AWS are located behind 1-to-1 NAT and this affectly IPSec negatively.
In this case we can use a simple solution with a dummy interface and DNAT rules on VyOS routers.
Set public IP addresses on the dummy interface:
set interfaces dummy dum0 address 'x.x.x.x/32'Create DNAT rules:
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 translation address 'x.x.x.x'Configure L2TP and IPSec:
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn l2tp remote-access outside-address 'x.x.x.x'
set vpn l2tp remote-access client-ip-pool start 192.168.255.1
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access dns-servers server-1 '1.1.1.1'
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username password Optional: Create NAT rules for L2TP customers:
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.255.0/24'
set nat source rule 10 translation address 'masquerade'
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article