L2TP over IPsec with Pre-shared key on clavister | Simet Bilişim Teknolojileri A.Ş.
Üye Ol | Şifremi Unuttum

L2TP over IPsec with Pre-shared key on clavister

SUBJECT

 L2TP over IPsec with Pre-shared key on clavister

RELATED DEVICES

100 Serisi (Netwall 110 and 140)

Document Date and Revision

4/25/2023

Software Version

14

Hardware Version

1

Description / Script / Topology

  L2TP over IPsec with Pre-shared key on clavister

Requirements  :

        before start the configuration we need to create some special things because we need this things on our main configuration part

        Frist of all you should create a IKE algoritm  and IP-sec algoritm base on( AE-SHA1)

        From this way > objects >VPN objects >IKE algorithms > Add > 

  • After that this page is open for you do the same configuration as pic
  • Give a custom name
  • Choose AES on Encryption algorithms
  • Choose SHA1 on  INTEGRITY algorithms  

  • After that should create ip-sec algorithms like IKE
  • From this way > objects >VPN objects >IP-SEC algorithms > Add

To be able to authenticate the IPsec tunnel that will be used for the L2TP tunnel, a pre-shared key needs to be defined. This is done under Objects -> Key Ring -> Pre-Shared Keys.

 

In this How-to a pre-shared key named L2TP_PSK will be used.

Preparing a new Local User Database

To be able to authenticate the users using the L2TP tunnel a local user database will be used, this can of course also be a RADIUS server. Create a new database under System -> Users -> Local User Databases

Setting up the IPsec Tunnel

Now it’s time to set up the IPsec tunnel, this is done in the IPsec Tunnels section located in the Network tab of the Security Gateway. The example screenshot above shows the Clavister Firewall (cOS Core).

Name

First of all, a name is needed for the VPN connection. This virtual interface will later be used in the L2TP section.
In this example, the name L2TP_IPsec is being used.

IKE Version

Select IKEv1 as version.

Encapsulation mode

As we’re setting up L2TP this should be set to Transport Mode.

Authentication

As authentication method, choose Pre-Shared Key. In the Pre-Shared Key drop-down list, select the Pre-Shared Key

Diffie-Hellman group

Here we select DH-Group 14(2048-bit) since that is the most secure proposal group sent by Windows 10.

NOTE: If you want to use an Android device you must select DH-Group 02(1024-bit) as well.

Algorithms

Here we select the IKE algorithm that we created earlier.
We leave the life-time to it’s default value.

Local Endpoint

In this scenario we’re assuming that our connection attempts are from the outside so we select our Wan_IP
Note: When the SGW is behind a NAT:ing device, Local Endpoint should be all-nets because of the incorrect local ID that will be sent due to the SGW being behind NAT.

All other settings can be left to it’s default value

Algorithms

Here we select the IKE algorithm that we created earlier.

Setup SA per:

Note: Make sure that you have selected Network in this section.

Static route is enabled by default on the IPsec tunnel. This should be disabled. This is because the L2TP Tunnel will do the routing.

Setting up the L2TP Tunnel

Now it’s time to setup the L2TP Server, this is done in the PPTP/L2TP Servers section located in the Network folder of the Security Gateway.

First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the policies and user authentication rules sections.
In this example, the name L2TP is being used.

Inner IP Address

This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be L2TP_ip (anything).

Tunnel Protocol

As we are setting up a L2TP server, L2TP is selected as Tunnel Protocol.

Outer Interface Filter

This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from Windows 10, the interface should be the IPsec tunnel, created earlier L2TP_IPsec.

Server IP

This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. Wan_ip.

Authentication

Should be enabled, and a rule needs to be configured, (as described further down “Setting up the User Authentication Rule”).

Microsoft Point-to-Point Encryption

Select the encryption strength the server should allow.

Note: The recommendation is to ONLY have None checked. Disable the 40/56/128 bit encryption.

.We already have IPsec encryption, there is no need to encrypt once more, and MPPE is not hardware accelerated, meaning that throughput and CPU usage will suffer. IPsec is hardware accelerated on certain models which gives vastly improved performance

IP Pool

Specify the addresses that are to be assigned to the clients. In this case, use the pool created earlier, L2TP_pool. You can also specify up to two DNS and WINS servers.

 

A ProxyARP needs to be configured for the IP’s used by the L2TP Clients. What we do is publish the IP’s from the L2TP_pool on Lan and the L2TP server will automatically route them over the L2TP_tunnel interface.

Virtual Routing

The L2TP Server will automatically add routes to the L2TP Clients and route them over the L2TP_tunnel interface. Select which routing table those routes should be added to. In this guide we will use main which is the ordinary routing table.

Setting up the User Authentication Rule

A user authentication rule needs to be configured as below:

Name:L2TP_Auth
Authentication Agent: L2TP/PPTP/SSL_VPN (As we’re using an L2TP tunnel)
Authentication Source: Local (Since we are using an local database)
Interface: L2TP_tunnel(This should be the L2TP server)
Originator IP: all-nets (As the clients are roaming)
Terminator IP: Wan_ip (Should be the same as the Outer IP)
Local User DB: L2TP (This Option is under the Authentication Options tab)

The rule should look like in the below screenshot

Setting up the Policies

When the other parts are done, all that is left are the policies. To let traffic trough from the tunnel two policies should be added, the first one with the following characteristics:

Name: L2TP_out
Action: Allow
Source Interface: L2TP_tunnel
Source Network: L2TP_pool
Destination Interface: Wan
Destination Network: all_nets
Service: all_services
Source Translation: NAT

The second policy should have the following characteristics

Name: L2TP_to_Lan
Action: Allow
Source Interface: L2TP_tunnel
Source Network: L2TP_pool
Destination Interface: Lan
Destination Network: LAN_net
Service: all_services

Note: As it is a policy towards the internet it is recommended to narrow the service down as much as possible.

Windows 10 - Setting up the VPN connection

To setup the new L2TP/IPsec network connection in Windows 10, in Settings press Network & Internet -> VPN -> Add a VPN connection, then enter the information for the L2TP/IPsec connection.

VPN provider

Choose “Windows (built in)”.

Connection name

Give the VPN connection a name.

Server name or address

Type in the hostname or IP of the Clavister Security Gateway you are connecting to. The IP Shown in the picture is the IP of our WAN interface, i.e Wan_IP.

VPN type

Since we want to set up a L2TP/IPsec connection we choose “L2TP/IPsec with pre-shared key”.

Type of sign-in info

Since we want to authenticate with the local users we created, choose Username and password.

Username (optional)

Here you enter the Username of the user you want to connect as, in this example we use the user we created earlier, testuser. This is optional, if you don’t fill this in you will get a pop-up asking for your username and password.

Password (optional)

Here you enter the password matching with the user you want to connect as. This is also optional, in the same way as the username.

 

Kurumsal