System StatusPortal Login

Configure Remote Access VPN Service on a Vyatta Appliance

Suggest Edits

You can configure a Vyatta Appliance to act as a remote access VPN
gateway so that clients can securely connect to their infrastructure in
the Rackspace cloud.

Introduction

This article shows how to configure the Vyatta Appliance for
Remote Access VPN using L2TP/IPsec with Pre-Shared Keys for
authentication.

For a comprehensive guide to VPN configuration on the Vyatta,
click
here.

For guidance on configuring the relevant firewall rules to allow remote-access VPN on the Vyatta please refer to the following article:

Configuring interface based firewall on the Vyatta network appliance

The VPN access using L2TP/IPsec with pre-shared key works as follows:

  1. The remote client first establishes an IPsec tunnel with the VPN
    server (Vyatta).
  2. The L2TP client and server then establish an L2TP tunnel on top of
    the IPsec tunnel.
  3. Finally, a PPP session is established on top of the L2TP tunnel,
    i.e., the PPP packets are encapsulated and sent/received inside the
    L2TP tunnel.

In the following illustration, traffic from remote access clients
enters on the Public interface on the Vyatta appliance.
192.168.100.0/24, is the subnet assigned to the clients when the VPN
session is established. The outside-address X.X.X.X address is the
Vyatta's Public IP address.

{{}}

Configure the L2TP/IPsec VPN on the Vyatta Appliance

Step 1. Set Up Vyatta as an L2TP/IPsec VPN Server

In the following example eth0 is the Public interface enabled for IPsec.
The pre-shared secret is "SUPERSECRET".

  1. Log onto the Vyatta Appliance using ssh:

    ssh [email protected]

    Where X.X.X.X is the IP address of the vyatta's Public interface.
    You'll see a Welcome to Vyatta message and a prompt to enter your
    Vyatta password.

    Once you're logged into the appliance, you can enter a "?" or press
    the Tab key for help.

  2. Enter configuration mode:

    vyatta@vyatta: configure
[edit]
vyatta@vyatta#

    The # symbol indicates you're in configuration mode.

  3. Define the interface used for IPsec; in this case eth0 is the public
    interface enabled for IPsec :

    set vpn ipsec ipsec-interfaces interface eth0

  4. Enable NAT traversal allowing IPSec packets to travel through NAT
    points in the network:

    set vpn ipsec nat-traversal enable

  5. Set the remote client IP subnet from which connection is initiated.
    To allow clients to connect from anywhere specify 0.0.0.0/0 as the
    allowed-network

    set vpn ipsec nat-networks allowed-network 0.0.0.0/0

  6. Commit the change:

    vyatta@vyatta# commit

  7. Save the change:

    vyatta@vyatta# save

Saving configuration to /config/config.boot

  8. Show the IPsec configuration:

    vyatta@vyatta# show vpn ipsec
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable

Step 2. Configure L2TP remote access address and the client pool

  1. Bind the L2TP server to the external address:

    set vpn l2tp remote-access outside-address X.X.X.X

    Where X.X.X.X represents the Vyatta eth0 interface IP address.

  2. Set up the pool of IP addresses that remote VPN clients will
    assume.

    set vpn l2tp remote-access client-ip-pool start 192.168.100.1

    Where 192.168.100.10 represents the start IP address for the
    client pool.

    set vpn l2tp remote-access client-ip-pool stop 192.168.100.100

    Where 192.168.100.100 represents the end IP address for the
    client pool.

Step 3. Configure the IPsec pre-shared secret and user authentication

  1. Set the IPsec authentication mode to the pre-shared secret:

    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

  2. Set the pre-shared secret:

    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SUPERSECRET

  3. Set the L2TP remote access authentication mode to local:

    set vpn l2tp remote-access authentication mode local

    This indicates that user authentication occurs locally on the
    Vyatta Appliance.

  4. Set theL2TP remote access username and password:

    set vpn l2tp remote-access authentication local-users username test password test

    test and test represent the client username and password.

  5. Commit the change:

    vyatta@vyatta# commit

  6. Save the change:

    vyatta@vyatta# save
Saving configuration to /config/config.boot

  7. View the LT2P configuration:

    vyatta@vyatta# show vpn l2tp remote-access
authentication {
local-users {
username test {
password test
}
}
mode local
}
client-ip-pool {
start 192.168.100.1
stop 192.168.100.100
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret SUPERSECRET
}
}
outside-address X.X.X.X

This completes the L2TP configuration on the Vyatta Appliance. If you
later want to edit the L2TP remote access configuration, enter
remote-access while in the edit mode on the Vyatta Appliance.

vyatta@vyatta# edit vpn l2tp remote-access
[edit vpn l2tp remote-access]
vyatta@vyatta#

The following section describes how to configure client VPN settings on
the Mac and Windows clients.

Mac Client Configuration

For Mac clients you'll need to configure the following options:

  • Network Preferences
  • Connection Details
  • Authentication Settings

Mac Client Network Preferences

Select System Preferences from the Apple menu, then click Network.

Select the Vyatta VPN (LT2P) network and update the following options:

{{}}

Mac Client Connection Details

{{}}

Mac Client Authentication Settings

{{}}

Configure Split Tunnel on the Mac Native IPsec Client

If you want the VPN connection to be used only to access your cloud
servers, and all other traffic (internet traffic) will not use the IPsec
tunnel , ensure that Send all traffic over VPN connection is unchecked
under Options.

{{}}

After enabling split tunnel on a MAC client, you may need to add a
static route to force all traffic destined to the VPN network over the
PPP interface. For example:

sudo /sbin/route add -net 192.168.x.0/24 -interface ppp0

Where 192.168.x.0/24 is the CIDR of your Cloud Network.

The following screenshot shows a successful connection:

{{}}

Windows Client Configuration

To configure Windows clients, update the following network options.

Set up a virtual private network (VPN) connection

{{}}

Type the Internet Address to Connect To

{{}}

Enter Login Credentials

{{}}

Connect to the VPN

{{}}

Configure Vyatta VPN Properities

{{}}

Configure VPN Properities General Configuration Tab

{{}}

Configure VPN Security Settings Tab

{{}}

Configure Advanced Properties

{{}}

Configure Split Tunnel on the Windows Native IPsec Client

On a Windows client, by default, after the VPN configuration is created,
the client is configured for Full Tunneling (all traffic flows across
the VPN.) If you want to configure the client for Split Tunneling (where
internet traffic does not flow across the VPN), you can modify the
client VPN configuration as follows:

  1. Select, Start, Control Panel, Network Connections.
  2. Right-click the icon for the VPN connection (Vyatta-L2TP), then
    click Properties.
  3. Click Advanced. Uncheck the "Use default gateway on remove
    network" checkbox.
  4. Click OK three times.

{{}}

View Client Connection

Do the following to check the client's connection:

View the Network and Sharing Center to see client logged into Vyatta
VPN.

Run ipconfig in a Command Prompt window to see the client's IP
address.

Show the configuration on the Vyatta Appliance:

vyatta@vyatta:~$ show vpn remote-access
Active remote access VPN sessions:
User            Proto Iface     Tunnel IP       TX byte RX byte  Time
----            ----- -----     ---------       ------- -------  ----
test            L2TP  l2tp0     192.168.100.1      1.0K    6.1K  00h01m26s

Updated 4 months ago