So I’ve tried to configure an L2TP-based VPN (remote-access) to work with my ISP, which uses PPPoE connections (with dynamically assigned IPs)…
It all goes smoothly by following the L2TP — VyOS 1.4.x (sagitta) documentation, except that you need to know the outside-address value beforehand… (Which obviously changes after a reboot / reconnect)…
Luckily there is the set vpn l2tp remote-access dhcp-interface option, which unfortunately does not work with PPPoE interfaces, and fails with: The specified interface is not configured for DHCP.
However, if one just edits /opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm, searches for that error message (which seems to appear in three places) and comments out the code like:
# return (undef, "The specified interface is not configured for DHCP")
# if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if},0));
then it all goes smoothly.
However, if your PPPoE connection disconnects and reconnects, the L2TP connection won’t work… Apparently not even a restart vpn will solve it; instead you’ll have to either force a configure (by changing the actual value of dhcp-interface and committing), or reboot… (Or just run sed over the /etc files…)
If anyone has any idea on how to fix this better, please let me know.
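The post above says the only things that reliably fix the L2TP server after a PPPoE reconnect are a commit that actually changes a value, or a reboot. One way to automate the first of those is a pppd ip-up hook that re-applies the documented outside-address setting with the address the reconnect just produced. The script below is an added example, not code from the original post or from the VyOS project; it assumes (none of this is stated on the page) that pppd passes the new local address as $4 and exports it as IPLOCAL, that the VyOS scripting helpers live in /opt/vyatta/etc/functions/script-template, and that the hook is installed under /etc/ppp/ip-up.d/ with permission to run configure and commit. The validation and command-building functions are pure shell and can be exercised without a VyOS box.

```shell
#!/bin/bash
# Added example (not from the original post or VyOS): pppd ip-up hook that
# re-points the L2TP remote-access server at the address PPPoE just received.
# Assumptions not stated on the page: pppd passes the local address as $4
# (and exports IPLOCAL); VyOS helpers are in /opt/vyatta/etc/functions/script-template;
# this file is installed in /etc/ppp/ip-up.d/ and may run configure/commit.

# Return 0 only for a dotted-quad IPv4 that is not the 0.0.0.0 placeholder,
# so that a half-configured link never ends up in the L2TP/IPsec config.
valid_outside_address() {
    local o
    case "$1" in
        0.0.0.0) return 1 ;;            # no address assigned yet
        ''|*[!0-9.]*) return 1 ;;       # empty or non-numeric junk
    esac
    local IFS=.
    set -- $1                           # split into octets on '.'
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the VyOS command that the documented L2TP how-to asks for, one per line.
build_commands() {
    printf 'set vpn l2tp remote-access outside-address %s\n' "$1"
}

# Apply the commands through the VyOS configuration session API (assumed path).
apply_outside_address() {
    local addr="$1" line
    if ! valid_outside_address "$addr"; then
        echo "ip-up: refusing to apply outside-address '$addr'" >&2
        return 1
    fi
    # shellcheck disable=SC1091
    source /opt/vyatta/etc/functions/script-template
    configure
    while read -r line; do
        $line                           # runs 'set ...' via the sourced helper
    done <<EOF
$(build_commands "$addr")
EOF
    commit
    exit                                # leave the configure session
}

# Only act when pppd is really calling us; sourcing the file for tests is a no-op.
if [ -n "${IPLOCAL:-}" ]; then
    apply_outside_address "${4:-$IPLOCAL}"
fi
```

Because the value written by commit changes every time the ISP hands out a new address, this produces exactly the "changed value plus commit" the post found necessary, without a reboot and without editing files under /etc by hand.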
Apparently the “hack” mentioned above doesn’t seem to work on VyOS 1.2, because the IPSec configuration is generated before the PPPoE interface is set up. (Perhaps the same happens in 1.1.8?)
I’ve also tried the following, which according to man ipsec.conf should work by setting left = %any (but which unfortunately doesn’t seem to work):
sub get_ra_conn {
my ($self, $name) = @_;
my $oaddr = $self->{_out_addr};
if (defined($self->{_dhcp_if})){
return (undef, "The specified interface is not configured for DHCP")
if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if},0));
my $dhcpif = $self->{_dhcp_if};
$oaddr = get_dhcp_addr($dhcpif);
}
+ if ($oaddr eq "0.0.0.0"){
+ $oaddr = "%any";
+ }
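Review bot: the %any fallback added at the end of the hunk only fires when $oaddr is exactly the string "0.0.0.0"; if get_dhcp_addr returns undef or an empty string for an interface that has no address yet, the eq test does not match (and warns under use warnings), so the empty value still reaches ipsec.conf. Widening the condition to `if (!defined($oaddr) || $oaddr eq '' || $oaddr eq "0.0.0.0")` covers both cases. Note also that the is_dhcp_enabled check is still present as context in this hunk, so on a PPPoE interface the patch only takes effect together with the earlier commenting-out of that check (or with outside-address 0.0.0.0, which bypasses the dhcp-interface branch entirely).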
Apparently, by applying the previous sub get_ra_conn patch, a manual restart of the VPN (i.e. restart vpn) after the system has booted should do the trick… (Also double-check that xl2tpd is actually running…)
(Why the manual restart solves anything is beyond me…)
Apparently on 1.2.0 (at least from April 2019), you can just use set vpn l2tp remote-access outside-address 0.0.0.0 and L2TP should work. (Without any additional patches as described in my previous post.)