L2TP/IPSec Remote Access VPN on VyOS

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself, so it is typically combined with IPSec, which encapsulates and protects the L2TP packets between the endpoints. Securing L2TP with IPsec is standardized in RFC 3193. This tutorial provides a remote-access L2TP/IPsec configuration for the VyOS network OS.

So far, I have tested the L2TP/IPSec configuration on VyOS 1.2.0 with an Android phone configured as the L2TP/IPSec client. However, I have not been successful; the attempt ended with the error message below. The same L2TP/IPSec configuration works on the legacy 64-bit Vyatta 6.6, which is therefore used in our lab instead of VyOS.

xl2tpd[1809]: Maximum retries exceeded for tunnel

We employ a Cisco vIOS-L3 router to simulate a SOHO router. The router is connected to the Wifi router Access_Point (172.17.100.1/26), which has an associated wireless client (an Android phone with IP 172.17.100.5/16). The L2TP/IPSec client runs on the phone and is configured to connect to the VPN gateway running on Vyatta (10.0.1.1/24) in order to reach the server LAN subnet (10.0.0.0/24) through the L2TP/IPSec VPN tunnel (Picture 1).

Picture 1 - Network Topology

The devices Vyatta, SOHO and Server-1 run inside the GNS3 topology; the devices Access_Point and the Android phone are hardware-based. A route to 10.0.1.0/24 with the next-hop address 172.17.100.50 must be configured on the Wifi router Access_Point.

The Bash script create_interfaces.sh creates the tap0 and bridge0 interfaces and attaches tap0 and the Ethernet interface enp4s0f2 to bridge0. The GNS3 cloud device is connected to tap0, so the nodes running inside the GNS3 topology can communicate with the hardware devices on the LAN (the router Access_Point and the Android phone).

1. Cisco SOHO Router

Router(config)# hostname SOHO

SOHO(config)# interface GigabitEthernet 0/0
SOHO(config-if)# ip address 10.0.1.2 255.255.255.0
SOHO(config-if)# no shutdown

SOHO(config-if)# interface GigabitEthernet 0/1
SOHO(config-if)# ip address 172.17.100.50 255.255.0.0
SOHO(config-if)# no shutdown

2. Vyatta

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# set interfaces ethernet eth1 address 10.0.0.254/24
vyatta@vyatta# set interfaces ethernet eth0 address 10.0.1.1/24

vyatta@vyatta# set vpn ipsec ipsec-interfaces interface eth0
vyatta@vyatta# set vpn ipsec nat-traversal enable
vyatta@vyatta# set vpn ipsec nat-networks allowed-network 0.0.0.0/0

vyatta@vyatta# set vpn l2tp remote-access outside-address 10.0.1.1
vyatta@vyatta# set vpn l2tp remote-access authentication mode local
vyatta@vyatta# set vpn l2tp remote-access authentication local-users username user1 password 'test1111'
vyatta@vyatta# set vpn l2tp remote-access authentication local-users username user2 password 'test2222'
vyatta@vyatta# set vpn l2tp remote-access client-ip-pool start 192.168.214.1
vyatta@vyatta# set vpn l2tp remote-access client-ip-pool stop 192.168.214.255
vyatta@vyatta# set vpn l2tp remote-access dns-servers server-1 8.8.8.8
vyatta@vyatta# set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
vyatta@vyatta# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testshared
vyatta@vyatta# set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

vyatta@vyatta# set protocols static route 0.0.0.0/0 next-hop '10.0.1.2'
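As an added example that is not part of the tutorial or of Vyatta/VyOS, the following Python script parses configuration lines in the set syntax shown above into a path-to-values map and flags a pre-shared secret or local-user password shorter than an assumed minimum. The sample input is built from the tutorial's own Vyatta commands with the prompts removed; the length thresholds are assumptions chosen for the example, not vendor requirements.

```python
"""Audit a Vyatta/VyOS set-style L2TP/IPsec remote-access configuration.
Added example for this tutorial, not Vyatta or VyOS code; the length
thresholds are assumptions chosen here, not vendor requirements."""
import shlex
from typing import Dict, List, Tuple

MIN_PSK_LEN = 20  # assumed policy: minimum pre-shared-secret length
MIN_PW_LEN = 12   # assumed policy: minimum local-user password length
L2TP = "vpn l2tp remote-access"

# Constructed from the tutorial's Vyatta session, prompts removed.
SAMPLE_CONFIG = """
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access outside-address 10.0.1.1
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password 'test1111'
set vpn l2tp remote-access authentication local-users username user2 password 'test2222'
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testshared
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
"""


def parse_set_lines(text: str) -> Dict[str, List[str]]:
    """Map each path (all tokens but the last) to its values; shlex unquotes."""
    tree: Dict[str, List[str]] = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        tree.setdefault(" ".join(tokens[1:-1]), []).append(tokens[-1])
    return tree


def audit(tree: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings on the shared and per-user secrets."""
    findings: List[Tuple[str, str]] = []
    for psk in tree.get(f"{L2TP} ipsec-settings authentication pre-shared-secret", []):
        if len(psk) < MIN_PSK_LEN:
            findings.append(("high", f"pre-shared-secret is {len(psk)} chars, below {MIN_PSK_LEN}"))
    prefix = f"{L2TP} authentication local-users username "
    for path, values in tree.items():
        if path.startswith(prefix) and path.endswith(" password"):
            user = path[len(prefix):-len(" password")]
            findings += [("medium", f"user {user}: password is {len(pw)} chars, below {MIN_PW_LEN}")
                         for pw in values if len(pw) < MIN_PW_LEN]
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_set_lines(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```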

3. Testing

We connect to the VPN and issue the ping command from the Android phone to the server Server-1 (10.0.0.1) using the Termux application. A screenshot of the traffic captured on the link between the Vyatta and SOHO routers is shown in Picture 2.

Picture 2 - Captured Encrypted Network Traffic

Established sessions can be checked with the show command (Picture 3).

vyatta@vyatta:~$ show vpn remote-access

Picture 3 - Established Remote Access VPN

There is also a command for checking the status of the IPSec VPN process (Picture 4).

vyatta@vyatta:~$ show vpn ipsec status

Picture 4 - IPSec VPN Tunnel State

To ensure that L2TP packets are encapsulated within the IPSec tunnel, check the kernel-in crypto state (Picture 5).

vyatta@vyatta:~$ show vpn ipsec state

Picture 5 - Kernel-in Crypto State

End.
