VPN Topology (Client to Site VPN)
L2TP Client <--> Firewall<---> Internet<---->Firewall<--->VyOS-L2TP-Server
VyOS Setting
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '10.1.1.254/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0d:30:bb:72:57'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback lo
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.1.0/24'
set nat source rule 110 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.1.1.1
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password ''
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system ntp server clock.hinet.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'
set vpn ipsec esp-group l2tp compression 'disable'
set vpn ipsec esp-group l2tp lifetime '3600'
set vpn ipsec esp-group l2tp mode 'tunnel'
set vpn ipsec esp-group l2tp pfs 'dh-group2'
set vpn ipsec esp-group l2tp proposal 1 encryption 'aes128'
set vpn ipsec esp-group l2tp proposal 1 hash 'sha1'
set vpn ipsec ike-group l2tp close-action 'none'
set vpn ipsec ike-group l2tp ikev2-reauth 'no'
set vpn ipsec ike-group l2tp key-exchange 'ikev2'
set vpn ipsec ike-group l2tp lifetime '3600'
set vpn ipsec ike-group l2tp proposal 1 dh-group '2'
set vpn ipsec ike-group l2tp proposal 1 encryption 'aes128'
set vpn ipsec ike-group l2tp proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username VPNUser1 password 'User1Password'
set vpn l2tp remote-access authentication local-users username VPNUser2 password 'User2Password'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.1.50'
set vpn l2tp remote-access client-ip-pool stop '192.168.1.100'
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'L2TP-PASSWORD'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access mtu '1492'
set vpn l2tp remote-access outside-address '0.0.0.0'
vyos@vyos:~$
=================================================
vyos@vyos:~$ show vpn debug
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.195-amd64-vyos, x86_64):
uptime: 25 minutes, since Jul 29 01:13:44 2021
malloc: sbrk 2973696, mmap 0, used 813120, free 2160576
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1
rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac
hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici
updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire
led addrblock counters
Listening IP addresses:
10.1.1.254
Connections:
remote-access: 0.0.0.0...%any IKEv1, dpddelay=15s
remote-access: local: [10.1.1.254] uses pre-shared key authentication
remote-access: remote: uses pre-shared key authentication
remote-access: child: dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[1]: ESTABLISHED 11 minutes ago, 10.1.1.254[10.1.1.254]...114.35.xxx.xxx[192.168.1.51]
remote-access[1]: IKEv1 SPIs: 6e74c683a4e351d3_i 0cc2f51574ea4e80_r*, rekeying disabled
remote-access[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{1}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cc8f0e29_i ce27b6dd_o
remote-access{1}: 3DES_CBC/HMAC_SHA1_96, 438878 bytes_i, 420717 bytes_o (1724 pkts, 14s ago), rekeying disabled
remote-access{1}: 10.1.1.254/32[udp/l2f] === 114.35.xxx.xxx/32[udp/l2f]
=================================================
Reference
https://docs.vyos.io/en/latest/configuration/vpn/l2tp.html
https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2
https://brezular.com/2019/06/01/l2tp-ipsec-remote-access-vpn-on-vyos/
===========================================
Firewall Policy Rule (https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2)
UDP port 500 (IKE)
IP protocol number 50 (ESP)
UDP port 1701 for IPsec
As well as the below to allow NAT-traversal
(when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):
UDP port 4500 (NAT-T)
=============================================
Debug CLI
vyos@vyos:~$ show vpn ipsec state
vyos@vyos:~$ show vpn ipsec status
vyos@vyos:~$ show vpn debug
vyos@vyos:~$ show log vpn all
vyos@vyos:~$ show vpn remote-access
======================================
Other
configure-l2tp-ipsec-server-behind-nat-t-device (Windows)
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device
Set AssumeUDPEncapsulationContextOnSendRule registry key
To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
1.Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
2.Select Start > All Programs > Accessories > Run, type regedit, and then select OK. If the
User Account Control dialog box is displayed on the screen and prompts you to elevate your
administrator token, select Continue.
3. Locate and then select the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
=======================================================
Note
You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a
Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do so,
locate and then select the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec registry subkey.
======================================================
4. On the Edit menu, point to New, and then select DWORD (32-bit) Value.
5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then select Modify.
7. In the Value Data box, type one of the following values:
0.
It's the default value. When it's set to 0, Windows can't establish security
associations with servers located behind NAT devices.
1.
When it's set to 1, Windows can establish security associations with
servers that are located behind NAT devices.
2.
When it's set to 2, Windows can establish security associations when
both the server and VPN client computer
(Windows Vista or Windows Server 2008-based)
are behind NAT devices.
8. Select OK, and then exit Registry Editor.
9. Restart the computer.
========================================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002