L2TP Remote Access

From VyOS Wiki
Note: the information on this page is being migrated to Readthedocs: https://vyos.readthedocs.io/en/latest/vpn/l2tp_ipsec.html


Introduction

On VyOS, remote access sets up an L2TP/IPSec server to which you can connect with a variety of default OS clients. This includes Windows, iOS, OSX, Windows Mobile, etc.

For the purpose of this document, we will assume 1.2.0.0/16 to be "the internet", where 1.2.0.1 is our VyOS server.

VyOS Configuration (Server)

First, configure the L2TP/IPSec server:

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
edit vpn l2tp
set remote-access outside-address 1.2.0.1
set remote-access authentication mode local
set remote-access authentication local-users username bob password '1tsm3'
set remote-access authentication local-users username tim password 'n0itsm3'
set remote-access client-ip-pool start 192.168.214.1
set remote-access client-ip-pool stop 192.168.214.255
set remote-access description RoadWarriors
set remote-access dns-servers server-1 8.8.8.8
set remote-access ipsec-settings authentication mode pre-shared-secret
set remote-access ipsec-settings authentication pre-shared-secret s0m3s3cr3t
set remote-access ipsec-settings ike-lifetime 3600
top

Then configure source NAT (masquerading) for the client address pool:

set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.214.0/24
set nat source rule 100 translation address masquerade
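As an added example (not part of this wiki page or of VyOS itself), a small Python checker that parses the set commands above and verifies that the client pool lies inside the NAT source rule, that the NAT outbound interface matches the IPsec interface, and that the pre-shared secret meets a minimum length. The 20-character threshold and the rule number 100 are assumptions taken from this page's example, not VyOS requirements.

```python
import ipaddress
import shlex

# Constructed excerpt of the server commands from this page, as typed in
# configure mode ("edit vpn l2tp" / "top" are resolved by the parser).
VYOS_CONFIG = """
set vpn ipsec ipsec-interfaces interface eth0
edit vpn l2tp
set remote-access authentication local-users username bob password '1tsm3'
set remote-access client-ip-pool start 192.168.214.1
set remote-access client-ip-pool stop 192.168.214.255
set remote-access ipsec-settings authentication pre-shared-secret s0m3s3cr3t
top
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.214.0/24
set nat source rule 100 translation address masquerade
"""
MIN_PSK_LENGTH = 20  # assumed local policy threshold, not a VyOS requirement

def parse_set_commands(text):
    """Map each full config path (a tuple) to its value, honouring edit/top."""
    prefix, tree = [], {}
    for line in text.splitlines():
        words = shlex.split(line)  # strips the quotes around 'password' values
        if not words:
            continue
        if words[0] == "edit":
            prefix = words[1:]
        elif words[0] == "top":
            prefix = []
        elif words[0] == "set":
            path = prefix + words[1:]
            tree[tuple(path[:-1])] = path[-1]
    return tree

def check_l2tp_config(text):
    """Return findings: pool outside the NAT rule, interface mismatch, short PSK."""
    cfg = parse_set_commands(text)
    ra, nat = ("vpn", "l2tp", "remote-access"), ("nat", "source", "rule", "100")
    findings = []
    pool = [ipaddress.ip_address(cfg[ra + ("client-ip-pool", k)]) for k in ("start", "stop")]
    nat_net = ipaddress.ip_network(cfg[nat + ("source", "address")])
    if not all(ip in nat_net for ip in pool):
        findings.append("client-ip-pool is not covered by NAT source rule 100")
    if cfg[nat + ("outbound-interface",)] != cfg[("vpn", "ipsec", "ipsec-interfaces", "interface")]:
        findings.append("NAT outbound-interface differs from the IPsec interface")
    psk = cfg[ra + ("ipsec-settings", "authentication", "pre-shared-secret")]
    if len(psk) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared-secret is {len(psk)} chars, below the assumed minimum of {MIN_PSK_LENGTH}")
    return findings
```

Run against the page's own commands, the only finding is the short example pre-shared secret; changing the NAT source address to a different /24 also reports the uncovered client pool.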

Established sessions can be viewed using the show vpn remote-access operational command.

vyos@vyos:~$ show vpn remote-access
Active remote access VPN sessions:
User            Proto Iface     Tunnel IP       TX byte RX byte  Time 
----            ----- -----     ---------       ------- -------  ---- 
bob             L2TP  l2tp0     192.168.214.1      3.2K    8.0K  00h06m13s

VyOS Configuration (Client)

TODO.

Windows 7/8

  1. Click on the Start Menu and type VPN into the search box
  2. Click on the Set up a virtual private network (VPN) connection.
  3. Click on the Start Menu, type the word Network into the search box, and click on Network and Sharing Center

On Windows 7, the default client can connect to VyOS L2TP

  1. At the bottom right, right click the network icon
  2. Click Open Network and Sharing Center
  3. Click Set up a new connection or network
  4. Click Connect to a workplace and click Next
  5. Click Use my Internet connection (VPN)
  6. In the Internet address field, enter 1.2.0.1
  7. In the Destination name field, enter a descriptive name for this connection (for example VyOS Remote Access)
  8. Windows 7 Only
    1. Make sure that the checkbox labelled Don’t connect now; just set it up so I can connect later is checked
    2. Click Next
    3. In the User name field, enter one of your configured users (in our example, bob)
    4. In the Password field, enter the user's password (in our example 1tsm3)
    5. Click Create
    6. Click Close
  9. Windows 8
    1. Click Create
  10. At the bottom right, right click the network icon
  11. Click Open Network and Sharing Center
  12. Click on Change adapter settings
  13. Right click on the VyOS Remote Access adapter, and select Properties
  14. Select the Security tab
  15. Select Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec) from the Type of VPN dropdown
  16. Click Advanced settings
  17. Select Use preshared key for authentication and enter it in the field (s0m3s3cr3t in our example)
  18. Click OK
  19. Under Authentication select Allow these protocols and check Microsoft CHAP Version 2 (MS-CHAP V2)
  20. Click OK

Now when you want to connect to your VPN, do the following:

  • Windows 7
    1. At the bottom right, click the network icon
    2. Under the section Dial-up and VPN you will see the connection you just set up
    3. Click your VPN name (VyOS Remote Access in our example) and click the Connect button
    4. You are now connected.
  • Windows 8
    1. At the bottom right, click the network icon
    2. On the right side, under Connections you will see the connection you just set up
    3. Click your VPN name (VyOS Remote Access in our example) and click the Connect button
    4. Enter your username and password
    5. You are now connected.

OSX

On OSX, the default client can connect to VyOS L2TP

  1. go to System Preferences
  2. go to Network
  3. Click + to add a new interface
  4. Select VPN from the Interface dropdown
  5. Select L2TP over IPSec from the VPN Type dropdown
  6. Fill out a name (for example VyOS Remote Access) in the Service Name field
  7. Click Create
  8. In the Server Address field, enter 1.2.0.1
  9. In the Account Name field, enter one of your configured users (in our example, bob)
  10. Click Authentication Settings
  11. Under User Authentication in the Password field, enter your user's password (in our example 1tsm3)
  12. Under Machine Authentication in the Shared Secret field, enter your configured pre-shared secret (in our example s0m3s3cr3t)
  13. Click OK
  14. Click Advanced
  15. Under Session Options select Send all traffic over VPN connection
  16. Click OK
  17. Click Connect

If all went well, you now have an L2TP/IPSec tunnel to your VyOS server.

Apple iOS

On iOS, the default client can connect to VyOS L2TP

  1. Go to Settings
  2. Select VPN
  3. Select Add VPN Configuration
  4. Select the L2TP tab
  5. In the Description field, enter a description (for example VyOS Remote Access)
  6. In the Server field, enter our remote IP (1.2.0.1 in our example)
  7. In the Account field, enter your username (bob in our example)
  8. In the Password field, enter your password (1tsm3 in our example)
  9. In the Secret field, enter your pre-shared secret (s0m3s3cr3t in our example)
  10. Put the Send All Traffic slider to on
  11. Select Save
  12. Put the Not Connected slider to on
  13. You are now connected


Android

  1. Go to Settings.
  2. Select More below the available connectivity options.
  3. Select VPN.
  4. Select "Add VPN Network"
  5. Enter a desired name.
  6. Change type to "L2TP/IPSec PSK"
  7. Scroll down and fill "IPSec preshared key"
  8. Save the connection
  9. Tap on the created connection
  10. Enter user and password
  11. Tap connect