.. _l2tp:

####
L2TP
####

VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be
used with local authentication or a connected RADIUS server.

***********************
Configuring L2TP Server
***********************

.. code-block:: none

   set vpn l2tp remote-access authentication mode local
   set vpn l2tp remote-access authentication local-users username test password 'test'
   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
   set vpn l2tp remote-access default-pool 'L2TP-POOL'
   set vpn l2tp remote-access outside-address 192.0.2.2
   set vpn l2tp remote-access gateway-address 192.168.255.1

The ``test``/``test`` credentials above are placeholders for the example;
use a strong password before exposing the service.

.. cfgcmd:: set vpn l2tp remote-access authentication mode <local | radius>

   Set the authentication backend. The configured backend is used for all
   authentication queries.

   * **radius**: All authentication queries are handled by a configured
     RADIUS server.
   * **local**: All authentication queries are handled locally.

.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> password <pass>

   Create the user `<user>` for local authentication on this system. The
   user's password is set to `<pass>`.

.. cfgcmd:: set vpn l2tp remote-access client-ip-pool <name> range <range>

   Use this command to define the range of addresses handed out to L2TP
   clients. With the ``x.x.x.x-x.x.x.x`` notation the range must lie within
   a single /24 subnet. With the ``x.x.x.x/x`` notation the host part and
   netmask are given directly.

.. cfgcmd:: set vpn l2tp remote-access default-pool <name>

   Use this command to define the name of the default address pool.

.. cfgcmd:: set vpn l2tp remote-access gateway-address <address>

   Specifies the single IP address `<address>` used as the local address of
   the PPP interfaces.

*****************
Configuring IPsec
*****************

.. code-block:: none

   set vpn ipsec interface eth0
   set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
   set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

.. cfgcmd:: set vpn ipsec interface <interface>

   Use this command to define the interface on which IPsec is enabled.

.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode <mode>

   Set the mode for IPsec authentication between VyOS and the L2TP clients.
   The example above uses ``pre-shared-secret``.

.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

   Set the predefined shared secret phrase.

If a local firewall policy is in place on your external interface you will
need to allow the traffic below:

* UDP port 500 (IKE)
* IP protocol number 50 (ESP)
* UDP port 1701 (L2TP), accepted only when it arrives inside the IPsec
  tunnel

As well as the below to allow NAT traversal (when NAT is detected during
IKE negotiation, ESP is encapsulated in UDP):

* UDP port 4500 (NAT-T)

Example:

.. code-block:: none

   set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
   set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
   set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
   set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
   set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
   set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
   set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
   set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
   set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
   set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
   set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
   set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'

The ``ipsec 'match-ipsec'`` condition on rule 43 is what keeps plaintext
L2TP out: it only matches packets that were decapsulated from IPsec.
Without it the rule would also accept unencrypted L2TP on UDP port 1701
from any source.

To allow VPN clients to reach the outside world via your external address,
a source NAT rule is required:

.. code-block:: none

   set nat source rule 110 outbound-interface 'eth0'
   set nat source rule 110 source address '192.168.255.0/24'
   set nat source rule 110 translation address masquerade

*********************************
Configuring RADIUS authentication
*********************************

To enable RADIUS based authentication, the authentication mode needs to be
changed within the configuration. Previous settings like the local users
still exist within the configuration, but they are not used once the mode
has been changed from local to radius.
Once the mode is changed back to local, all local accounts are used again.

.. code-block:: none

   set vpn l2tp remote-access authentication mode radius

.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> key <key>

   Configure the RADIUS `<server>` and the shared `<key>` required for
   communicating with it.

   Since a single RADIUS server would be a single point of failure,
   multiple RADIUS servers can be set up; they are tried one after
   another. For example:

   .. code-block:: none

      set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
      set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'

.. note:: Some RADIUS_ servers use an access control list which allows or
   denies queries; make sure to add your VyOS router to the allowed client
   list.

RADIUS source address
=====================

If you are using OSPF as your IGP, use the interface connected closest to
the RADIUS server. You can bind all outgoing RADIUS requests to a single
source IP, e.g. the loopback interface.

.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address>

   Source IPv4 address used in all RADIUS server queries.

.. note:: The ``source-address`` must be configured to that of an
   interface. Best practice would be a loopback or dummy interface.

RADIUS advanced options
=======================

.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> port <port>

   Configure the RADIUS `<server>` and the port used for authentication
   requests.

.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> fail-time <time>
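The constraints described earlier on this page (a ``client-ip-pool`` range in
``a-b`` notation inside one /24, firewall accepts for IKE, ESP, NAT-T and
L2TP with UDP/1701 admitted only from inside IPsec, and more than one RADIUS
server) can be checked against a ``show configuration commands`` dump before
committing. The following Python linter is an added example for this page
and is not part of VyOS or accel-ppp; VyOS ships no such tool. The firewall
name ``OUTSIDE-LOCAL`` and the rule set are taken from the example above,
the ``lint`` function and its messages are the example's own, and both
embedded configurations are constructed for the example.

```python
"""Lint a VyOS L2TP/IPsec remote-access configuration given as 'set' commands.

Added example for this page, not VyOS or accel-ppp code. It checks what the page
requires: an a-b client-ip-pool range inside one /24, firewall accepts for IKE,
ESP, NAT-T and L2TP with UDP/1701 only from inside IPsec, and one (ideally two)
RADIUS servers when radius mode is on. Both sample configurations are constructed.
"""
import ipaddress
import shlex
from collections import defaultdict

L2TP = ["vpn", "l2tp", "remote-access"]

# Constructed sample input, copied from the firewall example on this page.
FIREWALL = """
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
"""
GOOD_CONFIG = FIREWALL + """
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
"""
# Constructed misconfiguration: rule 43 without match-ipsec, a pool range that
# crosses a /24 boundary, and radius mode with a single server.
BAD_CONFIG = FIREWALL.replace("set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'\n", "") + """
set vpn l2tp remote-access authentication mode radius
set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 10.10.0.2-10.10.1.254
"""

def parse_set_commands(text):
    """Tokenise every 'set ...' line, dropping 'set' and the quotes VyOS prints."""
    return [shlex.split(line)[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]

def check_pool_range(cmds):
    """Flag a-b pool ranges that do not fit inside a single /24."""
    findings = []
    for tok in cmds:
        if (tok[:4] != L2TP + ["client-ip-pool"] or len(tok) < 7
                or tok[5] != "range" or "-" not in tok[6]):  # x.x.x.x/x has its own mask
            continue
        first, last = tok[6].split("-", 1)
        if (ipaddress.ip_network(f"{first}/24", strict=False)
                != ipaddress.ip_network(f"{last}/24", strict=False)):
            findings.append(f"pool {tok[4]}: range {tok[6]} spans more than one /24")
    return findings

def check_firewall(cmds, name):
    """Require accept rules for ESP, IKE, NAT-T and L2TP; L2TP must be IPsec-only."""
    rules = defaultdict(dict)  # rule number -> {"action": ..., "destination port": ...}
    for tok in cmds:
        if tok[:4] == ["firewall", "name", name, "rule"] and len(tok) >= 7:
            rules[tok[4]][" ".join(tok[5:-1])] = tok[-1]
    accepts = [r for r in rules.values() if r.get("action") == "accept"]

    def allowed(proto, port=None):
        return [r for r in accepts if r.get("protocol") == proto
                and (port is None or r.get("destination port") == port)]

    findings = []
    for proto, port, what in (("esp", None, "ESP"), ("udp", "500", "IKE"),
                              ("udp", "4500", "NAT-T"), ("udp", "1701", "L2TP")):
        if not allowed(proto, port):
            findings.append(f"{name}: no accept rule for {what} ({proto}{'/' + port if port else ''})")
    for r in allowed("udp", "1701"):
        if r.get("ipsec") != "match-ipsec":
            findings.append(f"{name}: udp/1701 accepted without 'ipsec match-ipsec' "
                            "(unencrypted L2TP reachable from anywhere)")
    return findings

def check_radius(cmds):
    """In radius mode demand a server and warn when only one is configured."""
    if [t[-1] for t in cmds if t[:5] == L2TP + ["authentication", "mode"]] != ["radius"]:
        return []
    servers = {t[6] for t in cmds
               if t[:6] == L2TP + ["authentication", "radius", "server"] and len(t) >= 7}
    if not servers:
        return ["authentication mode is radius but no RADIUS server is configured"]
    if len(servers) == 1:
        return [f"only one RADIUS server ({servers.pop()}): single point of failure"]
    return []

def lint(text, firewall_name):
    """Run all checks over a 'show configuration commands' style dump."""
    cmds = parse_set_commands(text)
    return check_pool_range(cmds) + check_firewall(cmds, firewall_name) + check_radius(cmds)
```

``lint(GOOD_CONFIG, "OUTSIDE-LOCAL")`` returns an empty list, while the
misconfigured sample yields three findings: the pool range crossing a /24,
the UDP/1701 rule without ``match-ipsec``, and the lone RADIUS server. Feed
it the output of ``show configuration commands`` and the name of the
firewall rule set bound to your external interface.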