Wednesday, July 28, 2021

L2TP over IPsec VPN on VyOS / Vyatta


VPN Topology (Client to Site VPN)


L2TP Client <--> Firewall <--> Internet <--> Firewall <--> VyOS-L2TP-Server



VyOS Settings


vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '10.1.1.254/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0d:30:bb:72:57'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback lo
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.1.0/24'
set nat source rule 110 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.1.1.1
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password ''
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system ntp server clock.hinet.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'
set vpn ipsec esp-group l2tp compression 'disable'
set vpn ipsec esp-group l2tp lifetime '3600'
set vpn ipsec esp-group l2tp mode 'tunnel'
set vpn ipsec esp-group l2tp pfs 'dh-group2'
set vpn ipsec esp-group l2tp proposal 1 encryption 'aes128'
set vpn ipsec esp-group l2tp proposal 1 hash 'sha1'
set vpn ipsec ike-group l2tp close-action 'none'
set vpn ipsec ike-group l2tp ikev2-reauth 'no'
set vpn ipsec ike-group l2tp key-exchange 'ikev2'
set vpn ipsec ike-group l2tp lifetime '3600'
set vpn ipsec ike-group l2tp proposal 1 dh-group '2'
set vpn ipsec ike-group l2tp proposal 1 encryption 'aes128'
set vpn ipsec ike-group l2tp proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username VPNUser1 password 'User1Password'
set vpn l2tp remote-access authentication local-users username VPNUser2 password 'User2Password'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.1.50'
set vpn l2tp remote-access client-ip-pool stop '192.168.1.100'
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'L2TP-PASSWORD'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access mtu '1492'
set vpn l2tp remote-access outside-address '0.0.0.0'
vyos@vyos:~$


=================================================


vyos@vyos:~$ show vpn debug
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.195-amd64-vyos, x86_64):
  uptime: 25 minutes, since Jul 29 01:13:44 2021
  malloc: sbrk 2973696, mmap 0, used 813120, free 2160576
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  10.1.1.254
Connections:
remote-access:  0.0.0.0...%any  IKEv1, dpddelay=15s
remote-access:   local:  [10.1.1.254] uses pre-shared key authentication
remote-access:   remote: uses pre-shared key authentication
remote-access:   child:  dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[1]: ESTABLISHED 11 minutes ago, 10.1.1.254[10.1.1.254]...114.35.xxx.xxx[192.168.1.51]
remote-access[1]: IKEv1 SPIs: 6e74c683a4e351d3_i 0cc2f51574ea4e80_r*, rekeying disabled
remote-access[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cc8f0e29_i ce27b6dd_o
remote-access{1}:  3DES_CBC/HMAC_SHA1_96, 438878 bytes_i, 420717 bytes_o (1724 pkts, 14s ago), rekeying disabled
remote-access{1}:   10.1.1.254/32[udp/l2f] === 114.35.xxx.xxx/32[udp/l2f]
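The output above is worth reading closely: the established SA negotiated 3DES_CBC with MODP_1024 over IKEv1 and ESP-in-UDP (NAT-T), not the aes128/IKEv2 parameters of the ike-group and esp-group named l2tp in the configuration. Checking what was actually negotiated, rather than what was configured, is easy to automate. The following Python script is an added example, not part of the original post or of VyOS; it parses the "show vpn debug" output (embedded below as a constructed sample copied from the post, with the client address masked as the post masks it) and flags weak algorithms. The WEAK_ALGORITHMS set is this example's own policy choice, not anything VyOS or strongSwan enforces.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "show vpn debug" output shown in this post,
# with the client's public address masked exactly as the post masks it.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.195-amd64-vyos, x86_64):
  uptime: 25 minutes, since Jul 29 01:13:44 2021
Listening IP addresses:
  10.1.1.254
Connections:
remote-access:  0.0.0.0...%any  IKEv1, dpddelay=15s
remote-access:   child:  dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[1]: ESTABLISHED 11 minutes ago, 10.1.1.254[10.1.1.254]...114.35.xxx.xxx[192.168.1.51]
remote-access[1]: IKEv1 SPIs: 6e74c683a4e351d3_i 0cc2f51574ea4e80_r*, rekeying disabled
remote-access[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cc8f0e29_i ce27b6dd_o
remote-access{1}:  3DES_CBC/HMAC_SHA1_96, 438878 bytes_i, 420717 bytes_o (1724 pkts, 14s ago), rekeying disabled
remote-access{1}:   10.1.1.254/32[udp/l2f] === 114.35.xxx.xxx/32[udp/l2f]
"""

# Algorithms this example treats as weak (assumption: the example's own policy,
# not something VyOS or strongSwan enforces).
WEAK_ALGORITHMS = {"DES_CBC", "3DES_CBC", "MD5", "HMAC_MD5_96", "MODP_768", "MODP_1024"}


@dataclass
class IkeSa:
    """One IKE SA plus the child (ESP) SAs that charon lists beneath it."""
    name: str
    state: str
    remote: str
    version: str = ""
    proposal: str = ""
    rekeying_disabled: bool = False
    esp_in_udp: bool = False          # True when NAT-T (UDP encapsulation) is in use
    child_algorithms: list = field(default_factory=list)


# Line shapes taken from the strongSwan "statusall"-style output above.
IKE_SA_LINE = re.compile(r"^(?P<name>\S+)\[\d+\]: (?P<state>[A-Z]+) .*?\.\.\.(?P<remote>\S+)\[")
IKE_VERSION_LINE = re.compile(r"^\S+\[\d+\]: (?P<version>IKEv[12]) SPIs:")
IKE_PROPOSAL_LINE = re.compile(r"^\S+\[\d+\]: IKE proposal: (?P<proposal>\S+)")
CHILD_INSTALLED_LINE = re.compile(r"^\S+\{\d+\}:\s+INSTALLED, \w+, reqid \d+, (?P<esp>ESP(?: in UDP)?) SPIs")
CHILD_ALGORITHM_LINE = re.compile(r"^\S+\{\d+\}:\s+(?P<algs>[A-Z0-9_]+(?:/[A-Z0-9_]+)*), \d+ bytes_i")


def parse_status(text):
    """Parse the Security Associations block of charon's status output into IkeSa objects."""
    sas = []
    current = None
    for line in text.splitlines():
        m = IKE_SA_LINE.match(line)
        if m:
            current = IkeSa(m["name"], m["state"], m["remote"])
            sas.append(current)
            continue
        if current is None:
            continue  # still in the daemon header or the Connections block
        if m := IKE_VERSION_LINE.match(line):
            current.version = m["version"]
            current.rekeying_disabled = "rekeying disabled" in line
        elif m := IKE_PROPOSAL_LINE.match(line):
            current.proposal = m["proposal"]
        elif m := CHILD_INSTALLED_LINE.match(line):
            current.esp_in_udp = current.esp_in_udp or m["esp"] == "ESP in UDP"
        elif m := CHILD_ALGORITHM_LINE.match(line):
            current.child_algorithms.append(m["algs"])
    return sas


def weak_algorithms(sa):
    """Return, sorted, the weak algorithms negotiated on the IKE SA or any of its child SAs."""
    negotiated = sa.proposal.split("/") if sa.proposal else []
    for algs in sa.child_algorithms:
        negotiated.extend(algs.split("/"))
    return sorted(set(negotiated) & WEAK_ALGORITHMS)


def audit(text):
    """Produce one human-readable finding line per IKE SA in the status output."""
    report = []
    for sa in parse_status(text):
        weak = weak_algorithms(sa)
        nat_t = "NAT-T" if sa.esp_in_udp else "no NAT-T"
        verdict = "WEAK: " + ", ".join(weak) if weak else "ok"
        report.append(f"{sa.name} {sa.version} {sa.state} from {sa.remote} ({nat_t}): {verdict}")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS):
        print(finding)
```

Run it against live output by piping "show vpn debug" into the script in place of SAMPLE_STATUS; the per-SA line tells you the peer, the IKE version, whether NAT-T is in play and which negotiated algorithms fall below the policy you encode in WEAK_ALGORITHMS.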


=================================================

Reference

https://docs.vyos.io/en/latest/configuration/vpn/l2tp.html

https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2

https://brezular.com/2019/06/01/l2tp-ipsec-remote-access-vpn-on-vyos/


===========================================


Firewall Policy Rules (https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2)

The firewall in front of the VyOS server must allow the following inbound traffic:

UDP port 500 (IKE)
IP protocol number 50 (ESP)
UDP port 1701 (L2TP, carried inside IPsec)

As well as the below to allow NAT-traversal (when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):

UDP port 4500 (NAT-T)



=============================================

Debug CLI

vyos@vyos:~$ show vpn ipsec state
vyos@vyos:~$ show vpn ipsec status
vyos@vyos:~$ show vpn debug
vyos@vyos:~$ show log vpn all
vyos@vyos:~$ show vpn remote-access


======================================

Other

How to configure an L2TP/IPsec server behind a NAT-T device (Windows)

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device


Set AssumeUDPEncapsulationContextOnSendRule registry key


To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.

2. Select Start > All Programs > Accessories > Run, type regedit, and then select OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, select Continue.

3. Locate and then select the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent


=======================================================


Note

You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do so, locate and then select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec registry subkey.


======================================================


4. On the Edit menu, point to New, and then select DWORD (32-bit) Value.

5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.

6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then select Modify.

7. In the Value Data box, type one of the following values:

   0 - The default value. When it's set to 0, Windows can't establish security associations with servers located behind NAT devices.

   1 - When it's set to 1, Windows can establish security associations with servers that are located behind NAT devices.

   2 - When it's set to 2, Windows can establish security associations when both the server and the VPN client computer (Windows Vista or Windows Server 2008-based) are behind NAT devices.

8. Select OK, and then exit Registry Editor.

9. Restart the computer.

========================================


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]

"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002