Chapter 4: Remote Access VPN Remote Access VPN Configuration 261
NOTE You must make sure that, between the remote client and the VPN server, nothing is
blocking packets with protocol GRE or TCP port 1723. (Check firewall settings, home gateway,
DSL modem, ISP, and so on.)
L2TP/IPsec with Pre‐Shared Key VPN Example
The first step in configuring a basic remote access VPN setup using L2TP/IPsec with
pre-shared key between R1 and a Windows XP client is to configure R1 as an
L2TP/IPsec–based VPN server.
Example 4-2 Remote Access VPN - L2TP/IPsec example

Step: Define the interface used for IPsec; in this case, wan1.
Command: vyatta@R1# set vpn ipsec ipsec-interfaces interface wan1

Step: Enable NAT traversal. This is mandatory.
Command: vyatta@R1# set vpn ipsec nat-traversal enable

Step: Set the allowed subnet.
Command: vyatta@R1# set vpn ipsec nat-networks allowed-network 192.168.100.0/24

Step: Commit the change.
Command: vyatta@R1# commit

Step: Show the IPsec configuration.
Command: vyatta@R1# show vpn ipsec
  ipsec-interfaces {
    interface wan1
  }
  nat-networks {
    allowed-network 192.168.100.0/24 {
    }
  }
  nat-traversal enable

Step: Bind the L2TP server to the external address.
Command: vyatta@R1# set vpn l2tp remote-access outside-address 12.34.56.78

Step: Set the nexthop address.
Command: vyatta@R1# set vpn l2tp remote-access outside-nexthop 12.34.56.254

Step: Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN.
Command: vyatta@R1# set vpn l2tp remote-access client-ip-pool start 192.168.100.101
Command: vyatta@R1# set vpn l2tp remote-access client-ip-pool stop 192.168.100.110
VPN 6.5R1 v01 Vyatta
Step: Set the IPsec authentication mode to pre-shared secret.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

Step: Set the pre-shared secret.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret !secrettext!

Step: Set the L2TP remote access authentication mode to local.
Command: vyatta@R1# set vpn l2tp remote-access authentication mode local

Step: Set the L2TP remote access username and password.
Command: vyatta@R1# set vpn l2tp remote-access authentication local-users username testuser password testpassword

Step: Commit the change.
Command: vyatta@R1# commit

Step: Show the L2TP remote access configuration.
Command: vyatta@R1# show vpn l2tp remote-access
  authentication {
    local-users {
      username testuser {
        password testpassword
      }
    }
    mode local
  }
  client-ip-pool {
    start 192.168.100.101
    stop 192.168.100.110
  }
  ipsec-settings {
    authentication {
      mode pre-shared-secret
      pre-shared-secret !secrettext!
    }
  }
  outside-address 12.34.56.78
  outside-nexthop 12.34.56.254
The next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2
system (the remote user in the example). You can use the Windows “New
Connection Wizard” as follows.
1 Select Start > Control Panel > Network Connections.
2 Click “Create a new connection”. The New Connection Wizard launches. Click
Next.
3 Select “Connect to the network at my workplace”. Click Next.
4 Select “Virtual Private Network connection”. Click Next.
5 Enter a name for the connection; for example “Vyatta-L2TP.” Click Next.
6 Select “Do not dial the initial connection”. Click Next.
7 Type the VPN server address (12.34.56.78 in the example). Click Next.
8 If asked, select “Do not use my smart card”. Click Next.
9 Click Finish.
By default, after the VPN configuration is created, a pre-shared key is not configured and
must be added.
1 Go to “Network Connections” in the “Control Panel”.
2 Right-click the “Vyatta-L2TP” (or whatever name you specified) icon. Select
“Properties”.
3 Click the “Security” tab. Click “IPsec Settings...”.
4 Check the “Use pre-shared key for authentication” checkbox.
5 Type the pre-shared key (!secrettext! in our example) in the “Key” field.
6 Click “OK”. Click “OK”.
To connect to the VPN server, double-click the “Vyatta-L2TP” icon, type the user name
(“testuser” in our example) and password (“testpassword” in our example), and then
click “Connect”. The “show interfaces” and “show vpn remote-access” operational
commands will display the connected user on an interface named “l2tpX” where “X” is
an integer.
NOTE You need to make sure that, between the remote client and the VPN server, nothing is
blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway,
DSL modem, ISP, etc.)
L2TP/IPsec with X.509 Certificates VPN Example
The first step in configuring a basic remote access VPN setup using L2TP/IPsec with
X.509 certificates between R1 and a Windows XP client is to obtain the files necessary
for authentication using X.509 certificates. In general, the procedure for doing this is as
follows:
1 Generate the private key and a certificate signing request (CSR) (based on the public
key). This can be accomplished using generate vpn x509 key-pair <name> (for
example, generate vpn x509 key-pair R1, where R1.key is the private key and
R1.csr is the certificate signing request file - both created in /config/auth).
2 Send the CSR file (for example, R1.csr) to the certificate authority (CA) and
receive back a server certificate (for example, R1.crt), the CA certificate (for
example, ca.crt), and potentially, a certificate revocation list (CRL) file. This
procedure varies according to the CA being used.
3 The same procedure should be followed to obtain equivalent files for the
Windows client machine (for example, windows.crt and windows.key). The
same CA certificate (ca.crt) can be used on the Windows machine.
NOTE If the CA can combine the windows.crt and windows.key files and export a PKCS #12 file
(for example, windows.p12), it will save a step later on.
Once the X.509-related files have been generated or acquired, the next step is to
configure R1 as an L2TP/IPsec–based VPN server.
Example 4-3 Remote Access VPN - L2TP/IPsec example

Step: Define the interface used for IPsec; in this case, wan1.
Command: vyatta@R1# set vpn ipsec ipsec-interfaces interface wan1

Step: Enable NAT traversal. This is mandatory.
Command: vyatta@R1# set vpn ipsec nat-traversal enable

Step: Set the allowed subnet.
Command: vyatta@R1# set vpn ipsec nat-networks allowed-network 192.168.100.0/24

Step: Commit the change.
Command: vyatta@R1# commit

Step: Show the IPsec configuration.
Command: vyatta@R1# show vpn ipsec
  ipsec-interfaces {
    interface wan1
  }
  nat-networks {
    allowed-network 192.168.100.0/24 {
    }
  }
  nat-traversal enable

Step: Bind the L2TP server to the external address.
Command: vyatta@R1# set vpn l2tp remote-access outside-address 12.34.56.78

Step: Set the nexthop address.
Command: vyatta@R1# set vpn l2tp remote-access outside-nexthop 12.34.56.254

Step: Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. Note that we do not use the subnet on the LAN.
Command: vyatta@R1# set vpn l2tp remote-access client-ip-pool start 192.168.100.101
Command: vyatta@R1# set vpn l2tp remote-access client-ip-pool stop 192.168.100.110

Step: Set the IPsec authentication mode to x509.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication mode x509

Step: Specify the location of the CA certificate.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file /config/auth/ca.crt
Step: Specify the location of the server certificate.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file /config/auth/R1.crt

Step: Specify the location of the server key file.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication x509 server-key-file /config/auth/R1.key

Step: Specify the password for the server key file.
Command: vyatta@R1# set vpn l2tp remote-access ipsec-settings authentication x509 server-key-password testpwd-R1

Step: Set the L2TP remote access authentication mode to local.
Command: vyatta@R1# set vpn l2tp remote-access authentication mode local

Step: Set the L2TP remote access username and password.
Command: vyatta@R1# set vpn l2tp remote-access authentication local-users username testuser password testpassword

Step: Commit the change.
Command: vyatta@R1# commit

Step: Show the L2TP remote access configuration.
Command: vyatta@R1# show vpn l2tp remote-access
  authentication {
    local-users {
      username testuser {
        password testpassword
      }
    }
    mode local
  }
  client-ip-pool {
    start 192.168.100.101
    stop 192.168.100.110
  }
  ipsec-settings {
    authentication {
      mode x509
      x509 {
        ca-cert-file /config/auth/ca.crt
        server-cert-file /config/auth/R1.crt
        server-key-file /config/auth/R1.key
        server-key-password testpwd-R1
      }
    }
  }
  outside-address 12.34.56.78
  outside-nexthop 12.34.56.254
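As an added example (not part of the Vyatta guide), the following Python checker reads the brace-style `show vpn l2tp remote-access` output shown in Examples 4-2 and 4-3 and flags a client-ip-pool that falls outside the nat-networks allowed-network, a pre-shared secret below an assumed minimum length, or an x509 mode that lacks one of the three file settings. The sample text is constructed from the Example 4-2 output (trimmed), and the minimum secret length is an assumed local policy, not a Vyatta setting.

```python
import ipaddress

# Constructed sample, trimmed from the Example 4-2 show output (local-users block omitted).
SAMPLE = """client-ip-pool {
    start 192.168.100.101
    stop 192.168.100.110
}
ipsec-settings {
    authentication {
        mode pre-shared-secret
        pre-shared-secret !secrettext!
    }
}
outside-address 12.34.56.78
"""

def parse_config(text):
    """Parse Vyatta brace-style config into nested dicts (leaf values are strings)."""
    root, stack = {}, []
    cur = root
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":                 # close the current block
            cur = stack.pop()
        elif line.endswith("{"):        # open a nested block, e.g. "client-ip-pool {"
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:                           # "key value" leaf
            key, _, value = line.partition(" ")
            cur[key] = value
    return root

def pool_size(cfg):
    """Number of client addresses from client-ip-pool start to stop, inclusive."""
    pool = cfg["client-ip-pool"]
    return int(ipaddress.ip_address(pool["stop"])) - int(ipaddress.ip_address(pool["start"])) + 1

def check_l2tp(cfg, allowed_network, min_psk_len=20):
    """Findings a config review would raise; min_psk_len is an assumed local policy, not a Vyatta setting."""
    findings, net, pool = [], ipaddress.ip_network(allowed_network), cfg["client-ip-pool"]
    if any(ipaddress.ip_address(pool[k]) not in net for k in ("start", "stop")):
        findings.append("client-ip-pool lies outside the nat-networks allowed-network")
    auth = cfg["ipsec-settings"]["authentication"]
    if auth.get("mode") == "pre-shared-secret" and len(auth.get("pre-shared-secret", "")) < min_psk_len:
        findings.append("pre-shared-secret is shorter than the assumed minimum length")
    if auth.get("mode") == "x509":
        for f in ("ca-cert-file", "server-cert-file", "server-key-file"):
            if f not in auth.get("x509", {}):
                findings.append(f"x509 mode is missing {f}")
    return findings
```

Run it against the output of `show vpn l2tp remote-access` on R1 and the allowed-network value from `show vpn ipsec`; an empty list means none of the three checks fired.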