Remote Access VPN Configuration
This section provides configuration examples for three of the RA VPN scenarios supported: L2TP/IPsec with pre-shared key, and L2TP/IPsec with X.509 certificates.
RA VPN configuration overview
Each configuration example uses the diagram shown below as the deployment scenario:
L2TP/IPsec with pre-shared key
The first step in configuring a basic remote access VPN setup using L2TP/IPsec with pre-shared key between R1 and a Windows XP client is to configure R1 as an L2TP/IPsec-based VPN server.
Step | Command
---|---
Enable NAT traversal. This is mandatory. |
Set the allowed subnet. |
Commit the change. |
Show the ipsec configuration. |
Bind the L2TP server to the external address. |
Set the nexthop address. |
Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN. |
(Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server-side addresses available (from .1 to .10) on subnet 10.22.0.0/24. Note that we do not use the subnet on the LAN. |
Set the IPsec authentication mode to pre-shared secret. |
Set the pre-shared secret. |
Set the L2TP remote access authentication mode to local. |
Set the L2TP remote access username and password. |
Commit the change. |
Show the l2tp remote access configuration. |
The next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). You can use the Windows New Connection Wizard as follows.
- Select .
- Click Create a new connection. The New Connection Wizard launches. Click Next.
- Select Connect to the network at my workplace. Click Next.
- Select Virtual Private Network connection. Click Next.
- Enter a name for the connection; for example vRouter-L2TP. Click Next.
- Select Do not dial the initial connection. Click Next.
- Type the VPN server address (12.34.56.78 in the example). Click Next.
- If asked, select Do not use my smart card. Click Next.
- Click Finish.
By default, after the VPN configuration is created, a pre-shared key is not configured and must be added.
- Go to Network Connections in the Control Panel.
- Right-click the vRouter-L2TP (or whatever name you specified) icon. Select Properties.
- Click the Security tab. Click IPsec Settings....
- Check the Use pre-shared key for authentication checkbox.
- Type the pre-shared key (!secrettext! in our example) in the Key field.
- Click OK. Click OK.
To connect to the VPN server, double-click the vRouter-L2TP icon, type the user name (testuser in our example) and password (testpassword in our example), and then click Connect. The show interfaces and show vpn remote-access operational commands will display the connected user on an interface named l2tpX where X is an integer.
L2TP/IPsec with X.509 certificates
The first step in configuring a basic remote access VPN setup using L2TP/IPsec with X.509 certificates between R1 and a Windows XP client is to obtain the files necessary for authentication using X.509 certificates. In general, the procedure for doing this is as follows:
- Generate the private key and a certificate signing request (CSR) (based on the public key). This can be accomplished using generate vpn x509 key-pair name (for example, generate vpn x509 key-pair R1, where R1.key is the private key and R1.csr is the certificate signing request file - both created in /config/auth).
- Send the CSR file (for example, R1.csr) to the certificate authority (CA) and receive back a server certificate (for example, R1.crt), the CA certificate (for example, ca.crt), and potentially, a certificate revocation list (CRL) file. This procedure varies according to the CA being used.
- The same procedure should be followed to obtain equivalent files for the Windows client machine (for example, windows.crt and windows.key). The same CA certificate (ca.crt) can be used on the Windows machine. Note: If the CA can combine the windows.crt and windows.key files and export a PKCS #12 file (for example, windows.p12), it will save a step later on.
Once the X.509-related files have been generated or acquired, the next step is to configure R1 as an L2TP/IPsec-based VPN server.
Step | Command
---|---
Define the interface used for IPsec; in this case, dp0p1p1. |
Enable NAT traversal. This is mandatory. |
Set the allowed subnet. |
Commit the change. |
Show the ipsec configuration. |
Bind the L2TP server to the external address. |
Set the nexthop address. |
Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN. |
(Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server-side addresses available (from .1 to .10) on subnet 10.22.0.0/24. Note that we do not use the subnet on the LAN. |
Set the IPsec authentication mode to x509. |
Specify the location of the CA certificate. |
Specify the location of the server certificate. |
Specify the location of the server key file. |
Specify the password for the server key file. |
Set the L2TP remote access authentication mode to local. |
Set the L2TP remote access username and password. |
Commit the change. |
Show the l2tp remote access configuration. |
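Both server tables stress that the client and server address pools must sit on subnets that are not in use on the LAN, and that the two pools must not collide with each other. The following script is an added example, not part of the original documentation or the vRouter product, that checks a proposed pool layout against those rules before it is committed. The pool values are the ones from the page's example; the LAN subnet (192.168.1.0/24) is an assumed value, since the page does not state it.

```python
import ipaddress

# Pool layout taken from the page's example. The LAN subnet is not given on
# the page, so 192.168.1.0/24 below is an assumed value used only for the check.
LAN_SUBNET = "192.168.1.0/24"                                             # assumed
CLIENT_POOL = ("192.168.100.0/24", "192.168.100.101", "192.168.100.110")  # from the page
SERVER_POOL = ("10.22.0.0/24", "10.22.0.1", "10.22.0.10")                  # from the page


def pool_addresses(start, stop):
    """Expand an inclusive start/stop pair into the addresses the pool hands out."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if last < first:
        raise ValueError(f"pool start {first} is after stop {last}")
    return [first + i for i in range(int(last) - int(first) + 1)]


def check_pool(name, pool, lan, expected_size):
    """Check one (subnet, start, stop) pool; return (problems, addresses)."""
    subnet_str, start, stop = pool
    subnet = ipaddress.ip_network(subnet_str)
    addrs = pool_addresses(start, stop)
    problems = []
    if len(addrs) != expected_size:
        problems.append(f"{name} pool has {len(addrs)} addresses, expected {expected_size}")
    outside = [str(a) for a in addrs if a not in subnet]
    if outside:
        problems.append(f"{name} pool leaves its subnet {subnet}: {outside}")
    reserved = [str(a) for a in addrs
                if a in (subnet.network_address, subnet.broadcast_address)]
    if reserved:
        problems.append(f"{name} pool includes a network/broadcast address of {subnet}: {reserved}")
    # The page's rule: the pool subnet must not be the one used on the LAN.
    if subnet.overlaps(lan):
        problems.append(f"{name} pool subnet {subnet} reuses the LAN subnet {lan}")
    return problems, addrs


def check_pools(lan_subnet, client_pool, server_pool, expected_size=10):
    """Return a list of problems; an empty list means the layout follows the page's rules."""
    lan = ipaddress.ip_network(lan_subnet)
    problems, client = check_pool("client", client_pool, lan, expected_size)
    more, server = check_pool("server", server_pool, lan, expected_size)
    problems += more
    shared = sorted(str(a) for a in set(client) & set(server))
    if shared:
        problems.append(f"client and server pools overlap: {shared}")
    return problems


if __name__ == "__main__":
    for line in check_pools(LAN_SUBNET, CLIENT_POOL, SERVER_POOL) or ["pool layout OK"]:
        print(line)
```

Run it with the pool values you intend to configure; any reported problem means a commit would hand out addresses that clash with the LAN, fall outside the intended /24, or include the network or broadcast address.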
Once R1 is configured, the next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). The first part of this is to import the key and certificate files created by the CA onto the Windows machine. Windows expects the key and server certificates to be wrapped into a single file in a PKCS #12 format (a .p12 file).
- Copy the ca.crt and windows.p12 files to the Windows machine.
- On the Windows machine: Select . The Run dialog opens.
- Enter mmc at the Open: prompt. Click OK. The Console1 MMC console opens.
- Select . The Add/Remove Snap-in dialog opens.
- Click Add.... The Add Standalone Snap-in dialog opens.
- Select Certificates in the list of Available standalone snap-ins. Click Add. The Certificates snap-in dialog opens.
- Select Computer account. Click Next. The Select Computer dialog appears.
- Select Local computer (the computer this console is running on). Click Finish. Click Close. Click OK.
Certificates (Local Computer) appears beneath Console Root in the Console1 MMC console. Now you can import the certificate, as follows.
- Expand Certificates (Local Computer).
- Right click Personal and select . The Certificate Import Wizard opens.
- Click Next. Specify the location of the windows.p12 file. Click Next.
- Enter the password for the private key. Click Next. Click Finish.
- Right click Trusted Root Certification Authorities and select . The Certificate Import Wizard opens.
- Click Next. Specify the location of the ca.crt file. Click Next.
- Click Finish. Close the Console1 MMC console.
At this point, the necessary key and certificate files have been imported to the Windows machine. The next part of configuring the L2TP/IPsec VPN client on the Windows XP SP2 system is to specify the VPN connection. You can use the Windows New Connection Wizard as follows.
- Select .
- Click Create a new connection. The New Connection Wizard launches. Click Next.
- Select Connect to the network at my workplace. Click Next.
- Select Virtual Private Network connection. Click Next.
- Enter a name for the connection; for example vRouter-X509. Click Next.
- Select Do not dial the initial connection. Click Next.
- Type the VPN server address (12.34.56.78 in the example). Click Next.
- If asked, select Do not use my smart card. Click Next.
- Click Finish.
At this point, the configuration on the Windows machine is complete.
To connect to the VPN server, double-click the vRouter-X509 icon. Enter the User name and Password, then click Connect to establish the connection.
The show interfaces and show vpn remote-access operational commands will display the connected user on an interface named l2tpX where X is an integer.
Split tunneling on a Windows client
On a Windows client, by default, after the VPN configuration is created, the client is configured for Full Tunneling (all traffic flows across the VPN). If you want to configure the client for Split Tunneling (where Internet traffic does not flow across the VPN), you can modify the client VPN configuration as follows: