I have almost given up trying to get my VyOS system to act as an L2TP/IPsec VPN server for remote access.
If anyone has actually got this running, could you tell me how you did it?
I have tried the configurations from all the different docs with no success, so I must be doing something wrong.
Any help would really be appreciated.
Howard
Hi,
Can you post your use case and configs?
As @hammerstud mentioned, please post your config and use case.
The wiki or documentation should be sufficient. This config definitely works.
I would basically like to have secure IPsec VPN access for 4–5 Windows 10 machines using the Microsoft built-in VPN client.
Any assistance would be appreciated.
Here is my configuration (pruned for posting):
----------------
Show Tech-Support
----------------
----------------
CONFIGURATION
----------------
Version: VyOS 1.2.0
Built by: Sentrium S.L.
Built on: Sun 27 Jan 2019 19:08 UTC
Build ID: 795d6338-c1ce-4ebb-992f-d064f5af9309
Architecture: x86_64
Boot via: installed image
System type: VMware guest
Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: Unknown
Hardware UUID: Unknown
Copyright: VyOS maintainers and contributors
Package versions:
----------------
Configuration File
----------------
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Transit traffic arriving on eth0 (attached as eth0 "in"): nothing is let
       in unless it belongs to a session that was opened from the inside. */
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* Traffic from the Internet addressed to the router itself (attached as
       eth0 "local"). Anything not matched by a rule below is dropped. */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Answer echo requests from anywhere. */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
:
                new enable
            }
        }
        /* SSH rate limit: a source that has opened 4 or more new connections
           within 60 s is dropped here, before the accept in rule 31. The drop
           must keep a lower rule number than the accept or it never fires. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* L2TP/IPsec remote access from any source: ESP (rule 40), IKE on
           udp/500 (rule 41) and NAT-T on udp/4500 (rule 42). */
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        /* L2TP itself (udp/1701) is accepted only when the packet was delivered
           through an IPsec SA (match-ipsec); plaintext L2TP from the Internet
           still falls through to the default drop. */
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    /* NOTE(review): the router still emits ICMP redirects, including on the
       Internet-facing eth0. Hardening baselines normally turn this off
       (send-redirects disable); confirm nothing on the LAN depends on it. */
    send-redirects enable
    /* NOTE(review): reverse-path (source) validation is off, so packets with
       spoofed LAN source addresses arriving on eth0 are not rejected by the
       kernel; OUTSIDE-IN's default drop still stops them as transit traffic.
       On a single-homed box "strict" would add that check for free -- verify. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
:
interfaces {
    /* Internet-facing interface. IKE/ESP terminate here (see vpn ipsec
       ipsec-interfaces and the l2tp outside-address, both referencing this
       address). Transit traffic is filtered by OUTSIDE-IN, traffic addressed
       to the router by OUTSIDE-LOCAL. */
    ethernet eth0 {
        address xxx.xxx.235.151/23
        description Outside
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id XX:XX:XX:85:58:cd
        smp-affinity auto
        speed auto
    }
    /* LAN interface. No rule sets are attached, so the LAN is fully trusted.
       The L2TP client pool (xxx.xxx.62.231-239 under vpn l2tp) is carved out
       of this /22. */
    ethernet eth1 {
        address xxx.xxx.62.230/22
        description Inside
        duplex auto
        hw-id XX:XX:XX:85:b2:bd
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        /* Masquerade the LAN /22 behind eth0's address. The range also covers
           the L2TP client pool (xxx.xxx.62.231-239), so full-tunnel VPN clients
           reach the Internet through this rule as well. */
        rule 100 {
            outbound-interface eth0
            source {
                address xxx.xxx.60.0/22
            }
            translation {
                address masquerade
            }
        }
        /* NOTE(review): after redaction rule 110 is identical to rule 100. If
           the un-redacted prefixes are the same too, this rule is redundant and
           can be deleted; if it was meant for a second subnet, its source
           address is wrong -- verify against the real config. */
        rule 110 {
            outbound-interface eth0
            source {
                address xxx.xxx.60.0/22
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* Default route (0.0.0.0/0, prefix shown redacted) via the upstream
           gateway inside eth0's /23. */
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.235.254 {
                distance 1
            }
        }
    }
}
service {
    /* Recursive DNS for the LAN only: the forwarder listens on eth1's address,
       so it is not exposed as an open resolver on eth0. Caching is disabled.
       L2TP clients are handed different resolvers (vpn l2tp dns-servers), not
       this forwarder. */
    dns {
        forwarding {
:
            cache-size 0
            listen-address xxx.xxx.62.230
            name-server xxx.xxx.0.255
            name-server xxx.xxx.12.1
        }
    }
    /* SSH is reachable from the Internet (OUTSIDE-LOCAL rules 30/31,
       rate-limited). NOTE(review): for an Internet-exposed admin port, consider
       key-only logins (disable-password-authentication) once keys are deployed. */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    login {
        /* Single admin-level account. NOTE(review): VyOS normally blanks
           plaintext-password on commit and keeps only encrypted-password. If
           the saved config still carries a value here (it is redacted above),
           the password is stored in clear in config.boot -- verify with
           "show configuration commands | match plaintext". */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
            level admin
        }
    }
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* Everything logged at info; the "protocols" facility at debug, which is
       useful while troubleshooting the VPN but verbose -- drop it back to info
       once the tunnel works. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        /* IKE/ESP are terminated on the outside interface, matching the l2tp
           outside-address below. */
        ipsec-interfaces {
            interface eth0
        }
        /* Accept clients sitting behind NAT from any address (0.0.0.0/0, shown
           redacted). NAT-T runs over udp/4500, which OUTSIDE-LOCAL rule 42
           admits. */
        nat-networks {
            allowed-network xxx.xxx.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
:
        /* NOTE(review): decapsulated client traffic arrives on the dynamic
           l2tpN PPP interfaces, which carry no firewall in this config, so a
           connected client reaches the LAN and the router's services
           unfiltered. Acceptable for 4-5 trusted laptops, but worth an explicit
           policy if access should be narrower. */
        remote-access {
            /* Users are checked against the local database; one (redacted)
               account. Nothing restricts the PPP authentication protocol, so
               the release default applies. Windows' built-in client typically
               offers MS-CHAP v2; if IPsec comes up but the L2TP phase fails,
               compare the negotiated protocol with what this side accepts
               (authentication require ...) -- verify. */
            authentication {
                local-users {
                    username xxxxxx {
                        password xxxxxx
                    }
                }
                mode local
            }
            /* Nine client addresses carved out of the eth1 LAN subnet (eth1 is
               xxx.xxx.62.230/22). NOTE(review): make sure no LAN host or DHCP
               scope overlaps this range, and that LAN hosts can actually reach
               the clients -- a pool taken from the LAN subnet usually needs
               proxy-ARP on eth1, otherwise use a dedicated pool subnet -- verify. */
            client-ip-pool {
                start xxx.xxx.62.231
                stop xxx.xxx.62.239
            }
            /* Resolvers pushed to clients; these are not the router's own
               forwarder (service dns forwarding listens on eth1 only). */
            dns-servers {
                server-1 xxx.xxx.0.1
                server-2 xxx.xxx.0.255
            }
            /* Tear the session down after 30 minutes without traffic. */
            idle 1800
            /* IPsec is authenticated with one pre-shared key shared by every
               client; IKE and IPsec SAs are rekeyed hourly. No ike-group /
               esp-group is referenced, so the proposal set is the release
               default. NOTE(review): with a group PSK every laptop that holds
               it can impersonate the gateway to the others, and the only
               per-user secret is the L2TP password -- make both long and
               random. Windows clients behind NAT also commonly need the
               AssumeUDPEncapsulationContextOnSendRule registry value (=2)
               under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, or the
               IPsec phase never completes -- check the clients before
               touching the server config further. */
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                ike-lifetime 3600
                lifetime 3600
            }
            /* Must be the address clients dial and the one configured on the
               ipsec-interface (eth0 is xxx.xxx.235.151/23). */
            outside-address xxx.xxx.235.151
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@3:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.0 */