
 28.04.2011
Configure Vyatta (Core 6.2) as an L2TP/IPsec server with certificate authentication for IKE Main Mode, using XCA for the PKI part


 - 1. Intro
 - 2. Configure Vyatta
 - 3. Tested L2TP/IPsec VPN clients

 1. Intro
In this paper we will configure Vyatta (Core 6.2) as an L2TP/IPsec server with certificate authentication for IKE Main Mode, using XCA for the PKI part.
We will do so per my previous article, Using XCA to configure the PKI part needed for L2TP/IPsec VPN connections using certificates for IKE main mode authentication.
So first make sure you follow the steps from there in order to create a CA and issue certificates for the L2TP/IPsec VPN server and clients.

Per the mentioned paper, I have prepared in a folder on a Windows 7 machine the following files: the CA certificate, the client certificate (to be used on the L2TP/IPsec VPN client machine), the server certificate and private key, and the CRL file; see Figure1:


Figure1: XCA Exported Files

Make sure the server's private key is in SSLeay-compatible format; otherwise you may not be able to commit the configuration on Vyatta.

 2. Configure Vyatta
The network diagram is presented in Figure2:


Figure2: Network Diagram

First, a simple configuration on the Vyatta machine (installed on HDD) to achieve basic connectivity.
This was entered on the Vyatta machine:

set interfaces ethernet eth0 address 192.168.22.234/24
set interfaces ethernet eth1 address 192.168.10.1/24
commit

set service ssh protocol-version v2
commit
save

set protocols static route 0.0.0.0/0 next-hop 192.168.22.1
commit

edit service nat rule 20
set type masquerade
set source address 192.168.10.0/24
set outbound-interface eth0
top
commit

save

We need to copy the CA certificate, the server certificate and its private key, and optionally the CRL file to Vyatta.
I will put these files in a /test directory.

There are a couple of ways to do this; I will use WinSCP.
Note that the default administrator account, named vyatta, is allowed to run sudo without being prompted for a password.
So if we configure WinSCP, per its documentation, as in Figure3 (use SCP and select the Advanced options) and Figure4 (custom shell "sudo su -" on the SCP/Shell tab), we obtain the write access needed to create the /test directory and copy the files into it.


Figure3: WinSCP use SCP


Figure4: WinSCP custom shell

For example, I've copied the above-mentioned files to the Vyatta machine like so; see Figure5:


Figure5: WinSCP Files copied on the Vyatta machine over SCP

After we've copied these files to Vyatta, we can proceed to configure the L2TP/IPsec VPN server on it.

We will enter a basic L2TP/IPsec configuration on Vyatta: IP addresses are assigned to the L2TP/IPsec VPN clients from the 192.168.10.220-192.168.10.230 range, local authentication is used for PPP authentication (a user named adrian is added to this configuration), and no CRL file is specified on Vyatta for the moment.

set vpn l2tp remote-access client-ip-pool start 192.168.10.220
set vpn l2tp remote-access client-ip-pool stop 192.168.10.230
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username adrian password 1qaz
set vpn l2tp remote-access dns-servers server-1 192.168.10.2
set vpn l2tp remote-access outside-address 192.168.22.234
set vpn l2tp remote-access outside-nexthop 192.168.22.1
set vpn l2tp remote-access ipsec-settings authentication mode x509
set vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file /test/Vyatta_L2TP_CA.crt
set vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file /test/vpn.carbonwind.net.crt
set vpn l2tp remote-access ipsec-settings authentication x509 server-key-file /test/vpn.carbonwind.net.pem
set vpn l2tp remote-access ipsec-settings authentication x509 server-key-password 1qaz
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 192.168.0.0/16 exclude 192.168.10.0/24
commit

save
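Before committing the lines above, a quick sanity check of the client pool and the nat-networks entry catches typos that are otherwise only discovered when a client fails to connect. The following is an added example, not code from the article or from Vyatta: it parses the "set" lines (the sample config below is constructed from the ones above) and applies the allowed-network/exclude rule to a NAT'd client's private address; the pool checks (inside the LAN, not overlapping the DNS server) are my own assumptions about a sane layout.

```python
import ipaddress
import re

# Constructed sample: the relevant "set" lines from this article, as typed on Vyatta.
VYATTA_CONFIG = """
set vpn l2tp remote-access client-ip-pool start 192.168.10.220
set vpn l2tp remote-access client-ip-pool stop 192.168.10.230
set vpn l2tp remote-access dns-servers server-1 192.168.10.2
set vpn ipsec nat-networks allowed-network 192.168.0.0/16 exclude 192.168.10.0/24
"""
NAT_RE = re.compile(r"set vpn ipsec nat-networks allowed-network (\S+)(?: exclude (\S+))?$")

def get_value(text, prefix):
    """Return the value that follows a 'set ...' path, or None if the path is absent."""
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None

def parse_nat_networks(text):
    """Map each nat-networks allowed-network to the list of subnets it excludes."""
    allowed = {}
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            excludes = allowed.setdefault(ipaddress.ip_network(m.group(1)), [])
            if m.group(2):
                excludes.append(ipaddress.ip_network(m.group(2)))
    return allowed

def nat_client_permitted(allowed, private_ip):
    """A NAT-traversed client is accepted only if its private address lies in an
    allowed-network and in none of that network's exclude subnets (so a remote
    client cannot present an address from the LAN behind eth1)."""
    ip = ipaddress.ip_address(private_ip)
    return any(ip in net and not any(ip in ex for ex in excludes)
               for net, excludes in allowed.items())

def check_client_pool(text, lan):
    """Sanity-check the L2TP client pool against the LAN subnet it is carved from (assumed layout)."""
    lan = ipaddress.ip_network(lan)
    start = ipaddress.ip_address(get_value(text, "set vpn l2tp remote-access client-ip-pool start"))
    stop = ipaddress.ip_address(get_value(text, "set vpn l2tp remote-access client-ip-pool stop"))
    dns = ipaddress.ip_address(get_value(text, "set vpn l2tp remote-access dns-servers server-1"))
    checks = [(start > stop, "pool start is after pool stop"),
              (start not in lan or stop not in lan, "pool is not inside the LAN subnet"),
              (start <= dns <= stop, "pool overlaps the DNS server address")]
    return [msg for bad, msg in checks if bad]
```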

 3. Tested L2TP/IPsec VPN clients
The following L2TP/IPsec VPN clients were tested with this configuration: Windows XP SP3/Vista SP2/7 SP1 and Mac OS X 10.6.7.