Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.


Remote Access VPN Configuration

This section provides configuration examples for three of the RA VPN scenarios supported: L2TP/IPsec with pre-shared key, and L2TP/IPsec with X.509 certificates.

RA VPN configuration overview

Each configuration example uses the diagram shown below as the deployment scenario:

Figure 1. Remote access VPN example

L2TP/IPsec with pre-shared key

The first step in configuring a basic remote access VPN setup using L2TP/IPsec with pre-shared key between R1 and a Windows XP client is to configure R1 as an L2TP/IPsec-based VPN server.

Table 1. Remote access VPN - L2TP/IPsec example

Each step is followed by the command that performs it.

Enable NAT traversal. This is mandatory.

vyatta@R1# set security vpn ipsec nat-traversal enable

Set the allowed subnet.

vyatta@R1# set security vpn ipsec nat-networks allowed-network 192.168.100.0/24

Commit the change.

vyatta@R1# commit

Show the ipsec configuration.

vyatta@R1# show security vpn ipsec
 ipsec {
        nat-networks {
                allowed-network 192.168.100.0/24
        }
        nat-traversal enable
 }

Bind the L2TP server to the external address.

vyatta@R1# set security vpn l2tp remote-access outside-address 12.34.56.78

Set the nexthop address.

vyatta@R1# set security vpn l2tp remote-access outside-nexthop 12.34.56.254

Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN.

vyatta@R1# set security vpn l2tp remote-access client-ip-pool start 192.168.100.101
vyatta@R1# set security vpn l2tp remote-access client-ip-pool stop 192.168.100.110

(Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server side addresses available (from .1 - .10) on subnet 10.22.0.0/24. Note that we do not use the subnet on the LAN.

vyatta@R1# set security vpn l2tp remote-access server-ip-pool start 10.22.0.1

vyatta@R1# set security vpn l2tp remote-access server-ip-pool stop 10.22.0.10

Set the IPsec authentication mode to pre-shared secret.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

Set the pre-shared secret.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret !secrettext!

Set the L2TP remote access authentication mode to local.

vyatta@R1# set security vpn l2tp remote-access authentication mode local

Set the L2TP remote access username and password.

vyatta@R1# set security vpn l2tp remote-access authentication local-users username testuser password testpassword

Commit the change.

vyatta@R1# commit

Show the l2tp remote access configuration.

vyatta@R1# show security vpn l2tp remote-access
remote-access {
       authentication {
               local-users {
                       username testuser {
                               password "********"
                       }
               }
               mode local
       }
       client-ip-pool {
               start 192.168.100.101
               stop 192.168.100.110
       }
       ipsec-settings {
               authentication {
                       mode pre-shared-secret
                       pre-shared-secret "********"
               }
       }
       outside-address 12.34.56.78
       outside-nexthop 12.34.56.254
       server-ip-pool {
               start 10.22.0.1
               stop 10.22.0.10
       }
}

Configuring the L2TP/IPsec VPN client on a Windows XP SP2 system

The next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). You can use the Windows New Connection Wizard as follows.

  1. Select Start > Control Panel > Network Connections.
  2. Click Create a new connection. The New Connection Wizard launches. Click Next.
  3. Select Connect to the network at my workplace. Click Next.
  4. Select Virtual Private Network connection. Click Next.
  5. Enter a name for the connection; for example vRouter-L2TP. Click Next.
  6. Select Do not dial the initial connection. Click Next.
  7. Type the VPN server address (12.34.56.78 in the example). Click Next.
  8. If asked, select Do not use my smart card. Click Next.
  9. Click Finish.

By default, after the VPN configuration is created, a pre-shared key is not configured and must be added.

  1. Go to Network Connections in the Control Panel.
  2. Right-click the vRouter-L2TP (or whatever name you specified) icon. Select Properties.
  3. Click the Security tab. Click IPsec Settings....
  4. Check the Use pre-shared key for authentication checkbox.
  5. Type the pre-shared key (!secrettext! in our example) in the Key field.
  6. Click OK. Click OK.

To connect to the VPN server, double-click the vRouter-L2TP icon, type the user name (testuser in our example) and password (testpassword in our example), and then click Connect. The show interfaces and show vpn remote-access operational commands will display the connected user on an interface named l2tpX where X is an integer.

Note: You need to make sure that, between the remote client and the VPN server, nothing is blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway, DSL modem, ISP, and so on.)

L2TP/IPsec with X.509 certificates

The first step in configuring a basic remote access VPN setup using L2TP/IPsec with X.509 certificates between R1 and a Windows XP client is to obtain the files necessary for authentication using X.509 certificates. In general, the procedure for doing this is as follows:

  1. Generate the private key and a certificate signing request (CSR) (based on the public key). This can be accomplished using generate vpn x509 key-pair name (for example, generate vpn x509 key-pair R1, where R1.key is the private key and R1.csr is the certificate signing request file - both created in /config/auth).
  2. Send the CSR file (for example, R1.csr) to the certificate authority (CA) and receive back a server certificate (for example, R1.crt), the CA certificate (for example, ca.crt), and potentially, a certificate revocation list (CRL) file. This procedure varies according to the CA being used.
  3. The same procedure should be followed to obtain equivalent files for the Windows client machine (for example, windows.crt and windows.key). The same CA certificate (ca.crt) can be used on the Windows machine.
    Note: If the CA can combine the windows.crt and windows.key files and export a PKCS #12 file (for example, windows.p12), it will save a step later on.

Once the X.509-related files have been generated or acquired, the next step is to configure R1 as an L2TP/IPsec-based VPN server.

Table 2. Remote access VPN - L2TP/IPsec example

Each step is followed by the command that performs it.

Define the interface used for IPsec; in this case, dp0p1p1.

vyatta@R1# set security vpn ipsec ipsec-interfaces interface dp0p1p1

Enable NAT traversal. This is mandatory.

vyatta@R1# set security vpn ipsec nat-traversal enable

Set the allowed subnet.

vyatta@R1# set security vpn ipsec nat-networks allowed-network 192.168.100.0/24

Commit the change.

vyatta@R1# commit

Show the ipsec configuration.

vyatta@R1# show vpn ipsec
ipsec-interfaces {
    interface dp0p1p1
}
nat-networks {
    allowed-network 192.168.100.0/24 {
    }
}
nat-traversal enable

Bind the L2TP server to the external address.

vyatta@R1# set security vpn l2tp remote-access outside-address 12.34.56.78

Set the nexthop address.

vyatta@R1# set security vpn l2tp remote-access outside-nexthop 12.34.56.254

Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN.

vyatta@R1# set security vpn l2tp remote-access client-ip-pool start 192.168.100.101
vyatta@R1# set security vpn l2tp remote-access client-ip-pool stop 192.168.100.110

(Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server side addresses available (from .1 - .10) on subnet 10.22.0.0/24. Note that we do not use the subnet on the LAN.

vyatta@R1# set security vpn l2tp remote-access server-ip-pool start 10.22.0.1

vyatta@R1# set security vpn l2tp remote-access server-ip-pool stop 10.22.0.10

Set the IPsec authentication mode to x509.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication mode x509

Specify the location of the CA certificate.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file /config/auth/ca.crt

Specify the location of the server certificate.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file /config/auth/R1.crt

Specify the location of the server key file.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file /config/auth/R1.key

Specify the password for the server key file.

vyatta@R1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password testpwd-R1

Set the L2TP remote access authentication mode to local.

vyatta@R1# set security vpn l2tp remote-access authentication mode local

Set the L2TP remote access username and password.

vyatta@R1# set security vpn l2tp remote-access authentication local-users username testuser password testpassword

Commit the change.

vyatta@R1# commit

Show the l2tp remote access configuration.

vyatta@R1# show security vpn l2tp remote-access
authentication {
    local-users {
        username testuser {
            password testpassword
        }
    }
    mode local
}
client-ip-pool {
    start 192.168.100.101
    stop 192.168.100.110
}
server-ip-pool {
    start 10.22.0.1
    stop 10.22.0.10
}
ipsec-settings {
    authentication {
        mode x509
        x509 {
            ca-cert-file /config/auth/ca.crt
            server-cert-file /config/auth/R1.crt
            server-key-file /config/auth/R1.key
            server-key-password testpwd-R1
        }
    }
}
outside-address 12.34.56.78
outside-nexthop 12.34.56.254

Once R1 is configured, the next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). The first part of this is to import the key and certificate files created by the CA onto the Windows machine. Windows expects the key and server certificates to be wrapped into a single file in a PKCS #12 format (a .p12 file).

Note: If the CA does not provide this, then you will need to use a tool (e.g. openssl) to combine the key file and the certificate file for the Windows machine into a .p12 file.

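The following shell script is an added example and is not part of the Vyatta documentation or of Vyatta NOS itself. It shows the openssl commands the note above refers to: wrapping the Windows client's key (windows.key), its certificate (windows.crt) and the CA certificate (ca.crt) into the single windows.p12 file that the Certificate Import Wizard expects, then checking that the bundle opens with the import password and actually carries the private key belonging to windows.crt. It also mirrors steps 1 and 2 of the X.509 procedure above (CSR, then a certificate signed by the CA) so that it can run offline; the CA it constructs for that purpose is a throwaway test CA, not a substitute for the real one. The file names, the import password and the friendly name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Vyatta code: build and check the PKCS #12 bundle that
# Windows expects. File names follow the page (windows.key, windows.crt,
# ca.crt, windows.p12); the CA created below is constructed for the example.
set -eu

# make_test_material DIR: constructed CA plus a client key/cert signed by it.
make_test_material() {
    dir="$1"
    # Throwaway CA (constructed so the script runs offline; use the real CA in practice)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Client private key and CSR for the Windows machine (page step 1)
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=windows-client" \
        -keyout "$dir/windows.key" -out "$dir/windows.csr" 2>/dev/null
    # CA signs the CSR and returns windows.crt (page step 2)
    openssl x509 -req -days 2 -in "$dir/windows.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/windows.crt" 2>/dev/null
}

# make_p12 KEY CERT CACERT OUT PASSWORD: wrap key + cert (+ CA chain) into a .p12.
# PASSWORD is what the Certificate Import Wizard asks for when importing.
make_p12() {
    openssl pkcs12 -export \
        -inkey "$1" -in "$2" -certfile "$3" \
        -name "vRouter-X509 client" \
        -out "$4" -passout "pass:$5"
}

# verify_p12 FILE PASSWORD: succeeds only if the bundle opens with PASSWORD
# and contains exactly one private key (what a client identity needs).
verify_p12() {
    keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true)
    [ "$keys" -eq 1 ]
}

# check_p12_matches_cert FILE PASSWORD CERT: the key inside the bundle must be
# the key for CERT; compares the public key derived from each.
check_p12_matches_cert() {
    in_bundle=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null || true)
    in_cert=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null || true)
    [ -n "$in_bundle" ] && [ "$in_bundle" = "$in_cert" ]
}

# demo: run the whole flow in a temporary directory and print its path.
demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    make_p12 "$work/windows.key" "$work/windows.crt" "$work/ca.crt" \
        "$work/windows.p12" "import-password"
    verify_p12 "$work/windows.p12" "import-password"
    check_p12_matches_cert "$work/windows.p12" "import-password" "$work/windows.crt"
    echo "$work"
}
```

Run `demo` to exercise the flow end to end; in practice call `make_p12` on the files the real CA returned and copy only windows.p12 and ca.crt to the client, as the procedure below describes. OpenSSL 3 encrypts the bundle with AES-256 and PBKDF2 by default, which Windows XP era importers cannot open; for such clients export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` (or OpenSSL 3's `-legacy` option). The .p12 file together with its password is the client's identity, so it should be transferred and stored with the same care as the private key itself.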
  1. Copy the ca.crt and windows.p12 files to the Windows machine.
  2. On the Windows machine: Select Start > Run.... The Run dialog opens.
  3. Enter mmc at the Open: prompt. Click OK. The Console1 MMC console opens.
  4. Select File > Add/Remove Snap-in.... The Add/Remove Snap-in dialog opens.
  5. Click Add.... The Add Standalone Snap-in dialog opens.
  6. Select Certificates in the list of Available standalone snap-ins. Click Add. The Certificates snap-in dialog opens.
  7. Select Computer account. Click Next. The Select Computer dialog appears.
  8. Select Local computer (the computer this console is running on). Click Finish. Click Close. Click OK.

Certificates (Local Computer) appears beneath Console Root in the Console1 MMC console. Now you can import the certificate, as follows.

  1. Expand Certificates (Local Computer).
  2. Right click Personal and select All Tasks > Import.... The Certificate Import Wizard opens.
  3. Click Next. Specify the location of the windows.p12 file. Click Next.
  4. Enter the password for the private key. Click Next. Click Finish.
  5. Right click Trusted Root Certification Authorities and select All Tasks > Import.... The Certificate Import Wizard opens.
  6. Click Next. Specify the location of the ca.crt file. Click Next.
  7. Click Finish. Close the Console1 MMC console.

At this point, the necessary key and certificate files have been imported to the Windows machine. The next part of configuring the L2TP/IPsec VPN client on the Windows XP SP2 system is to specify the VPN connection. You can use the Windows New Connection Wizard as follows.

  1. Select Start > Control Panel > Network Connections.
  2. Click Create a new connection. The New Connection Wizard launches. Click Next.
  3. Select Connect to the network at my workplace. Click Next.
  4. Select Virtual Private Network connection. Click Next.
  5. Enter a name for the connection; for example vRouter-X509. Click Next.
  6. Select Do not dial the initial connection. Click Next.
  7. Type the VPN server address (12.34.56.78 in the example). Click Next.
  8. If asked, select Do not use my smart card. Click Next.
  9. Click Finish.

At this point, the configuration on the Windows machine is complete.

To connect to the VPN server, double-click the vRouter-X509 icon. Enter the User name and Password, then click Connect to establish the connection.

The show interfaces and show vpn remote-access operational commands will display the connected user on an interface named l2tpX where X is an integer.

Note: You need to make sure that, between the remote client and the VPN server, nothing is blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway, DSL modem, ISP, and so on.)

Split tunneling on a Windows client

On a Windows client, by default, after the VPN configuration is created, the client is configured for Full Tunneling (all traffic flows across the VPN). If you want to configure the client for Split Tunneling (where Internet traffic does not flow across the VPN), you can modify the client VPN configuration as follows:

  1. Select Start > Control Panel > Network Connections.
  2. Right-click the icon for the VPN connection. Click Properties.
  3. Click the Networking tab. Select Internet Protocol (TCP/IP), then click Properties.
  4. Click Advanced. Uncheck the Use default gateway on remote network checkbox.
  5. Click OK three times.