10.2.5.2. Remote Access VPN Using L2TP/IPsec

Operation Confirmed Version:
 Brocade 5600vRouter Version 4.2R1S1
This section describes the settings for remotely connecting a terminal such as a PC to the firewall using L2TP/IPsec.
An L2TP/IPsec VPN allows a client PC on the Internet to make a VPN connection into the site.

Setting for Remote Access Using L2TP/IPsec

This section describes a remote access server on the firewall that accepts connections from a client such as a Windows PC using the L2TP/IPsec VPN protocol.

Note

Presumed case for sample setting

  • To make VPN connections from an Internet-accessible PC to the firewall

  • To make VPN connections using L2TP/IPsec

  • To accept/reject connections of a client PC through authentication with a user name and password registered for firewall settings

Configuration diagram
(Figure: l2tp_ipsec_fig1)

Authentication information for connections

Local authentication user

test-user01

Local authentication password

testpass

Pre-shared key pass phrase

testkey

Setting flow in a presumed case

1. Allowing the network “192.168.3.0/28”, which is used by connected PCs, in the IPsec NAT settings so that connecting terminals are accepted
2. Enabling the NAT traversal function
3. Authenticating users that attempt L2TP/IPsec connections with the user name “test-user01” and password “testpass”
4. Setting “192.168.3.4” to “192.168.3.9” as the range of IP addresses assigned to connected PCs (etc.)
5. Setting “testkey” as the pre-shared key for L2TP/IPsec authentication
6. Setting “153.xx.xx.178” as the IP address to be used for the L2TP tunnel
7. Setting “153.xx.xx.190” as the next-hop IP address to be used for the L2TP tunnel

Command to be entered with CLI

set security vpn ipsec nat-networks allowed-network '192.168.3.0/28'
set security vpn ipsec nat-traversal 'enable'
set security vpn l2tp remote-access authentication local-users username test-user01 password 'testpass'
set security vpn l2tp remote-access authentication mode 'local'
set security vpn l2tp remote-access client-ip-pool start '192.168.3.4'
set security vpn l2tp remote-access client-ip-pool stop '192.168.3.9'
set security vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'testkey'
set security vpn l2tp remote-access outside-address '153.xx.xx.178'
set security vpn l2tp remote-access outside-nexthop '153.xx.xx.190'

Note

  • In the CLI commands above, the password and the pre-shared key are written in plain text to ease comprehension.

The configuration after completion of appropriate settings is as follows.
security {
        vpn {
                ipsec {
                        nat-networks {
                                allowed-network 192.168.3.0/28
                        }
                        nat-traversal enable
                }
                l2tp {
                        remote-access {
                                authentication {
                                        local-users {
                                                username test-user01 {
                                                        password "********"
                                                }
                                        }
                                        mode local
                                }
                                client-ip-pool {
                                        start 192.168.3.4
                                        stop 192.168.3.9
                                }
                                ipsec-settings {
                                        authentication {
                                                mode pre-shared-secret
                                                pre-shared-secret "********"
                                        }
                                }
                                outside-address 153.xx.xx.178
                                outside-nexthop 153.xx.xx.190
                        }
                }
        }
}

Note

  • When the configuration is viewed with CLI, the password and the pre-shared secret are shown as “********”.

  • In practice the global IP address is shown in full; in the example above part of it is masked as “153.xx.xx”.

Operation check result

It was confirmed that the firewall accepted the remote access connection from the client and that the connection was established.
The client's tunnel address appeared as a directly connected route and communication with it was possible, which confirms that the L2TP/IPsec settings worked properly.
# Connection check from Firewall -> OK

user-admin@raFW01:~$ date;show vpn remote-access
Sat Mar 18 10:37:15 UTC 2017
Active remote access VPN sessions:
User            Proto Iface  Tunnel IP       TX byte RX byte  Time
----            ----- -----  -----------     ------- -------  ----
test-user01     L2TP  ppp0   192.168.3.4         402   10.8K  00h05m28s


# Routing check from Firewall -> OK

user-admin@raFW01:~$ show ip route connect
IP Route Table for VRF "default"
C    *> 10.255.0.0/32 is directly connected, ppp0
C    *> xxx.xx.xx.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xxx.xxx.176/28 is directly connected, dp0s8
C    *> 192.168.3.0/28 is directly connected, dp0s7
C    *> 192.168.3.4/32 is directly connected, ppp0
C    *> 192.168.3.16/28 is directly connected, dp0s11
user-admin@raFW01:~$


# Ping check from Firewall -> OK

user-admin@raFW01:~$ ping 192.168.3.4
PING 192.168.3.4 (192.168.3.4) 56(84) bytes of data.
64 bytes from 192.168.3.4: icmp_seq=1 ttl=128 time=1.55 ms
64 bytes from 192.168.3.4: icmp_seq=2 ttl=128 time=0.933 ms
64 bytes from 192.168.3.4: icmp_seq=3 ttl=128 time=0.793 ms
64 bytes from 192.168.3.4: icmp_seq=4 ttl=128 time=0.786 ms
64 bytes from 192.168.3.4: icmp_seq=5 ttl=128 time=1.09 ms
^C
--- 192.168.3.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.786/1.031/1.554/0.287 ms
user-admin@raFW01:~$
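The following Python script is an added example and is not part of the vendor documentation or the vRouter itself. It ties the CLI commands above to the operation check: it parses the "set security vpn ..." lines into a path-to-value map, checks that the client IP pool sits inside the nat-networks allowed-network, that NAT traversal and local authentication are enabled, and that the pre-shared secret meets an assumed minimum length; it then parses the "show vpn remote-access" session table and confirms that each active session belongs to a configured user and received an address from the pool. The command lines and session table are constructed inline from this page; the masked global addresses (153.xx.xx.178 / .190) are replaced by TEST-NET-1 placeholders, and the 16-character secret length is an assumed local policy, not a vendor requirement.

```python
"""Consistency checks for an L2TP/IPsec remote-access configuration.

Added example (not vendor code): parses `set security vpn ...` commands,
validates the pool/NAT/auth settings, then cross-checks the session table
printed by `show vpn remote-access` against that configuration.
"""
import ipaddress
import shlex

# Constructed input: the CLI commands from this section. The masked global
# addresses are replaced by TEST-NET-1 placeholders (192.0.2.x).
SET_COMMANDS = """\
set security vpn ipsec nat-networks allowed-network '192.168.3.0/28'
set security vpn ipsec nat-traversal 'enable'
set security vpn l2tp remote-access authentication local-users username test-user01 password 'testpass'
set security vpn l2tp remote-access authentication mode 'local'
set security vpn l2tp remote-access client-ip-pool start '192.168.3.4'
set security vpn l2tp remote-access client-ip-pool stop '192.168.3.9'
set security vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'testkey'
set security vpn l2tp remote-access outside-address '192.0.2.178'
set security vpn l2tp remote-access outside-nexthop '192.0.2.190'
"""

# Constructed input: the session table from the operation check above.
SESSION_TABLE = """\
Active remote access VPN sessions:
User            Proto Iface  Tunnel IP       TX byte RX byte  Time
----            ----- -----  -----------     ------- -------  ----
test-user01     L2TP  ppp0   192.168.3.4         402   10.8K  00h05m28s
"""

IPSEC = ("security", "vpn", "ipsec")
RA = ("security", "vpn", "l2tp", "remote-access")
MIN_PSK_LEN = 16  # assumed local policy, not a vendor requirement


def parse_set_commands(text):
    """Map each `set <path...> <value>` line to {path_tuple: value}."""
    config = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours the quoted values
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        config[tuple(tokens[1:-1])] = tokens[-1]
    return config


def local_users(config):
    """Return the user names defined under authentication local-users."""
    prefix = RA + ("authentication", "local-users", "username")
    return {p[len(prefix)] for p in config
            if p[:len(prefix)] == prefix and p[-1] == "password"}


def client_pool(config):
    """Return (start, stop) of the client IP pool as address objects."""
    return (ipaddress.ip_address(config[RA + ("client-ip-pool", "start")]),
            ipaddress.ip_address(config[RA + ("client-ip-pool", "stop")]))


def check_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    allowed = ipaddress.ip_network(config[IPSEC + ("nat-networks", "allowed-network")])
    start, stop = client_pool(config)
    if start > stop:
        findings.append("client-ip-pool start is after stop")
    if start not in allowed or stop not in allowed:
        findings.append("client-ip-pool lies outside nat-networks allowed-network")
    if config.get(IPSEC + ("nat-traversal",)) != "enable":
        findings.append("nat-traversal is not enabled")
    if config.get(RA + ("authentication", "mode")) != "local":
        findings.append("authentication mode is not local")
    if not local_users(config):
        findings.append("no local users defined")
    psk = config.get(RA + ("ipsec-settings", "authentication", "pre-shared-secret"), "")
    if len(psk) < MIN_PSK_LEN:
        findings.append("pre-shared-secret is shorter than %d characters" % MIN_PSK_LEN)
    return findings


def parse_sessions(text):
    """Extract user/proto/iface/tunnel_ip rows from `show vpn remote-access`."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 7:
            continue  # title, header and separator lines have other widths
        try:
            tunnel_ip = ipaddress.ip_address(cols[3])
        except ValueError:
            continue
        sessions.append({"user": cols[0], "proto": cols[1],
                         "iface": cols[2], "tunnel_ip": tunnel_ip})
    return sessions


def check_sessions(sessions, config):
    """Flag sessions for unconfigured users or tunnel IPs outside the pool."""
    users, (start, stop), findings = local_users(config), client_pool(config), []
    for s in sessions:
        if s["user"] not in users:
            findings.append("session for unconfigured user %s" % s["user"])
        if not start <= s["tunnel_ip"] <= stop:
            findings.append("tunnel IP %s outside client-ip-pool" % s["tunnel_ip"])
    return findings


if __name__ == "__main__":
    cfg = parse_set_commands(SET_COMMANDS)
    for f in check_config(cfg) + check_sessions(parse_sessions(SESSION_TABLE), cfg):
        print("FINDING:", f)
```

Run against the page's own values, the only finding is the short pre-shared secret "testkey", which is exactly what a reviewer would expect from a documentation sample; the session for test-user01 at 192.168.3.4 passes because that address lies within the 192.168.3.4 to 192.168.3.9 pool, which in turn lies inside 192.168.3.0/28. Feeding the script the output of `show configuration commands` and `show vpn remote-access` from a real router is the intended use.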