Does anyone have a simple vyos 1.2.0 VPN using L2TP/IPSEC running


#1

I have almost given up trying to get my VyOS system to act as an L2TP/IPsec VPN server for remote access.
If anyone has actually got this running, could you tell me how you did it?

I have tried all the configurations in all the different docs with no success. I must be doing something wrong.

Any help would really be appreciated.

Howard


#2

Hi,

Can you post your use case and configs?


#3

As @hammerstud mentioned, please post your config and use case.

The wiki or documentation should be sufficient. This config definitely works.


#4

I basically would like to have secure IPsec VPN access for 4–5 Windows 10 clients using the Microsoft built-in VPN client.

Any assistance would be appreciated.

Here is my configuration (pruned for posting):

----------------
Show Tech-Support
----------------

----------------
CONFIGURATION
----------------

Version:          VyOS 1.2.0
Built by:         Sentrium S.L.
Built on:         Sun 27 Jan 2019 19:08 UTC
Build ID:         795d6338-c1ce-4ebb-992f-d064f5af9309

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors
Package versions:

----------------
Configuration File
----------------
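/* Filtering for the outside interface eth0: OUTSIDE-IN is attached as its "in" (transit) ruleset and OUTSIDE-LOCAL as its "local" ruleset under interfaces eth0. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Forwarded traffic entering eth0: only packets of established/related sessions pass; nothing may originate a session from the outside toward the LAN. */
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* Traffic addressed to the router itself on eth0; default drop, explicit accepts below. */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Echo requests are answered from any source. */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Rules 30/31: a source address opening more than 4 new SSH (TCP/22) connections within 60 s is dropped by rule 30; otherwise rule 31 accepts SSH from any source. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* Rules 40-43 expose the L2TP/IPsec service: ESP, IKE (UDP/500) and NAT-T (UDP/4500) from any source. */
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        /* L2TP (UDP/1701) is accepted only when the packet arrived inside IPsec (match-ipsec), so the plaintext L2TP port stays closed to the Internet. */
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}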
/* eth0 is the outside interface (the default route and the L2TP outside-address use it); eth1 is the inside LAN. */
interfaces {
    ethernet eth0 {
        /* Must stay in step with vpn l2tp remote-access outside-address, which uses the same address. */
        address xxx.xxx.235.151/23
        description Outside
        duplex auto
        /* OUTSIDE-IN filters traffic forwarded in through eth0; OUTSIDE-LOCAL filters traffic to the router itself. No "out" ruleset is attached. */
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id XX:XX:XX:85:58:cd
        smp-affinity auto
        speed auto
    }
    /* Inside interface; the DNS forwarder listens on this address. No firewall ruleset is attached here, so LAN-originated traffic is not filtered by the rulesets above. */
    ethernet eth1 {
        address xxx.xxx.62.230/22
        description Inside
        duplex auto
        hw-id XX:XX:XX:85:b2:bd
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
/* Masquerade the inside /22 out eth0. If the pruned octets line up, this prefix also contains the L2TP client pool (xxx.xxx.62.231-239), so VPN clients are masqueraded the same way. */
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address xxx.xxx.60.0/22
            }
            translation {
                address masquerade
            }
        }
        /* NOTE(review): as posted, rule 110 is identical to rule 100 (same interface, source and translation) and is redundant — possibly a pruning artifact; verify against the live config. */
        rule 110 {
            outbound-interface eth0
            source {
                address xxx.xxx.60.0/22
            }
            translation {
                address masquerade
            }
        }
    }
}
/* Default route (the 0.0.0.0/0 prefix is shown pruned) via the upstream gateway, presumably on eth0's /23. */
protocols {
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.235.254 {
                distance 1
            }
        }
    }
}
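service {
    dns {
        /* DNS forwarder bound only to the inside address (eth1); OUTSIDE-LOCAL has no rule for port 53, so it is not reachable from eth0 either. */
        forwarding {
            /* NOTE(review): cache-size 0 presumably disables the forwarder's cache — confirm that is intended. */
            cache-size 0
            listen-address xxx.xxx.62.230
            /* Upstream resolvers. */
            name-server xxx.xxx.0.255
            name-server xxx.xxx.12.1
        }
    }
    /* SSH on TCP/22 is reachable from the Internet via OUTSIDE-LOCAL rules 30/31 (rate-limited to 4 new connections per source per 60 s). */
    ssh {
        port 22
    }
}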
system {
    /* Keep the last 100 committed revisions for rollback. */
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    /* Single admin-level local user. NOTE(review): a plaintext-password is normally hashed into encrypted-password at commit and left empty in the saved config; the value is pruned here, so check the live config does not still carry a plaintext value before sharing a full show tech-support. */
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
            level admin
        }
    }
    /* Three NTP servers (names pruned). */
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* All facilities log at info; the protocols facility is raised to debug (noisy, but useful while troubleshooting). */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
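/* L2TP-over-IPsec remote-access service for the Windows built-in client (per the thread). */
vpn {
    ipsec {
        /* IKE/ESP are terminated on the outside interface only. */
        ipsec-interfaces {
            interface eth0
        }
        /* allowed-network 0.0.0.0/0 (shown pruned) admits NAT-T clients from any source network. */
        nat-networks {
            allowed-network xxx.xxx.0.0/0 {
            }
        }
        /* Required for clients behind NAT; pairs with UDP/4500 in OUTSIDE-LOCAL rule 42. */
        nat-traversal enable
    }
    l2tp {
        remote-access {
            /* PPP users are defined locally (mode local). NOTE(review): no "authentication require" node is visible, so the PPP authentication protocol offered to the Windows client is whatever the default is — confirm it matches a protocol the client is configured to allow. */
            authentication {
                local-users {
                    username xxxxxx {
                        password xxxxxx
                    }
                }
                mode local
            }
            /* Addresses handed to PPP clients. NOTE(review): this range sits inside eth1's xxx.xxx.60.0/22 subnet (if the pruned octets line up), so LAN hosts will ARP for VPN clients on eth1 and LAN-to-client reachability depends on the router answering those ARPs — confirm, or use a pool outside the LAN subnet. */
            client-ip-pool {
                start xxx.xxx.62.231
                stop xxx.xxx.62.239
            }
            /* Resolvers pushed to clients. */
            dns-servers {
                server-1 xxx.xxx.0.1
                server-2 xxx.xxx.0.255
            }
            /* Idle timeout in seconds. */
            idle 1800
            /* One pre-shared key is shared by all remote clients; IKE and IPsec SA lifetimes are both 3600 s. */
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                ike-lifetime 3600
                lifetime 3600
            }
            /* Must equal eth0's address (it does, as posted). */
            outside-address xxx.xxx.235.151
        }
    }
}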

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@3:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.0 */